Since I am relatively new to the area of "security", I decided to look up the definitions of the terms that I often read or hear in the community. I took the definitions from CSRC-NIST, SANS, and ACM.
Information Security (INFOSEC)
- "The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability."[1]
- "Information Security refers to the processes and methodologies which are designed and implemented to protect print, electronic, or any other form of confidential, private and sensitive information or data from unauthorized access, use, misuse, disclosure, destruction, modification, or disruption."[2]
Cybersecurity (CYBERSEC)
- "Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and non-repudiation."[1]
- (Aside: Cyber/Cyberspace - "The interdependent network of information technology infrastructures, and includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers in critical industries."[1]. Cyberspace can be considered a "realm" or "domain" like land, sea, air, and space where war can happen.)
- "Computer and network security, or cybersecurity.."[8]
- In Education - “computing-based discipline involving technology, people, information, and processes to enable assured operations. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management in the context of adversaries.”[7]
- "technological discipline concerned with ensuring that IT systems perform as expected and do nothing more; that information is provided adequate protection for confidentiality; that system, data and software integrity is maintained; and that information and system resources are protected against unplanned disruptions of processing that could seriously impact mission accomplishment. Synonymous with Automated Information System Security, Computer Security and Information Systems Security."[1]
- (Aside: Information Technology - computing and/or communications hardware and/or software components and related resources that can collect, store, process, maintain, share, transmit, or dispose of data. IT components include computers and associated peripheral devices, computer operating systems, utility/support software, and communications hardware and software."[1])
- "Information Technology Security also known as, IT Security is the process of implementing measures and systems designed to securely protect and safeguard information (business and personal data, voice conversations, still images, motion pictures, multimedia presentations, including those not yet conceived) utilizing various forms of technology developed to create, store, use and exchange such information against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving the value, confidentiality, integrity, availability, intended use and its ability to perform their permitted critical functions."[5]
- "Computer Security is concerned with the risks related to computer use, and ensures the availability, integrity and confidentiality of information managed by the computer system, permitting authorized users to carry out legitimate and useful tasks within a secure computing environment."[3]
- "Measures and controls that ensure confidentiality, integrity, and availability of the information processed and stored by a computer. Rationale: Term has been replaced by the term “cybersecurity”". [1]
- (Aside: probably used in the days when computer networks were not yet ubiquitous)
- "Network Security is the process of taking physical and software preventative measures to protect the underlying networking infrastructure from unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby creating a secure platform for computers, users and programs to perform their permitted critical functions within a secure environment."[4]
- "Application security describes security measures at the application level that aim to prevent data or code within the app from being stolen or hijacked. It encompasses the security considerations that happen during application development and design, but it also involves systems and approaches to protect apps after they get deployed. "[6]
- (Aside: any activity designed to protect the usability and integrity of your applications [desktop, web, mobile, cloud, software in general?] and data)
To conclude, what term should we use? I've decided to use a different term depending on the context of the conversation or communication. I will use cybersecurity when the context is national security or education. For enterprise, business, or industry contexts, information security seems to be appropriate and accepted in the community. The other terms will be used in more specific technical contexts in education and in practice.
References:
[1] https://csrc.nist.gov/glossary
