
Information & Computer Security

Cyber security and information security – what goes where?

Basie Von Solms, Rossouw von Solms
Article information:
To cite this document:
Basie Von Solms, Rossouw von Solms, "Cyber security and information security – what goes where?", Information &
Computer Security, https://doi.org/10.1108/ICS-04-2017-0025
Permanent link to this document:
https://doi.org/10.1108/ICS-04-2017-0025
Downloaded on: 03 February 2018, At: 00:16 (PT)
Downloaded by UNIVERSITY OF NEW ENGLAND (AUS) At 00:16 03 February 2018 (PT)



Cyber Security and Information Security – What goes where?

Abstract:

Purpose – To define Cyber Security and Cyber Security Governance in simplified terms – in order to
explain to the Boards of Directors and Executive Management their responsibilities and accountabilities
in this regard.

Design/Methodology/Approach – The primary research methodology utilized in this paper is Desk
Research. A literature study is followed by some discussion in terms of the contribution made.

Originality/Value – The simplification of terminology to be used in the governance of Cyber Security,
together with assistance to the guiding of Boards of Directors regarding their duties and responsibilities
as far as Cyber Security is concerned.

Keywords – Cyber Security, Cyber Security Governance, Information Security, Information Security
Governance, ISO 27032, Boards of Directors, Executive Management

Paper type – Viewpoint

1. Introduction

It is clear from newspaper reports, academic articles, security-related conference proceedings and many
other studies that Cyber Space, and specifically Cyber Security, is a topic currently attracting
considerable interest and attention over a wide spectrum of stakeholders. It is a topic growing in
importance and significance month by month, with ever-expanding consequences and impacts. The
stakeholders cover the full spectrum – from the ordinary citizen accessing his or her online banking site
– to the Boards of Directors of companies. Such Boards are realizing more and more that protecting
their respective companies in Cyber Space is a definite Corporate Governance responsibility; and
consequently they are accountable for the related cyber risks in their companies, together with the
associated subsequent legal implications for possible negligence and/or ignorance.

These concerns about cyber-related risks have, however, led many people, including suppliers who want
to sell their security solutions, to turn Cyber Security into a hype term. In doing so, they use it as an
all-inclusive term for all aspects related to security, often riding on the ‘cyber fears’ of users and
Executive Management. Different definitions and explanations of cyber security are given, as the
situation requires; and statements like the following are used widely in relation to the cyber field:

(a) Cyber Security is actually the same as Information Security;
(b) Information Security is a part of Cyber Security;
(c) Some Cyber Security attacks have nothing to do with information and/or the data;
(d) Information Security is actually obsolete; and Cyber Security is now the all-inclusive term,
replacing Information Security.

Taking the above into account, various interpretations exist, as seen below, about precisely what
Cyber Security includes, or does not include.

According to Martin and Rice (2011), several recent studies have found that technology is increasingly
used to “cause embarrassment, to invoke harassment and violence, and to inflict psychological harm”.
Based on this supposition, Von Solms and Van Niekerk (2013) argued that, where technology uses Cyber
Space, consequential harm forms an inescapable part of Cyber Security. Thus, Information Security and
Cyber Security overlap partially, with the consequential harm forming part of Cyber Security, but not
Information Security. More recently, Cyber Harm has been established as a separate, independent field
of study, which is not classified as a component of Cyber Security.

Eva Ignatuschtschenko (2016) states the following, in relation to Cyber Harm: 1) Cyber Harm is the
damaging consequences of cyber events; 2) Cyber Harm can result in physical, psychological, economic,
reputational and/or social consequences; and 3) Cyber Harm can affect the following: individuals,
organizations, infrastructure or national interests. Therefore, according to the new schools of thought,
the consequences of Cyber Space are seen as separate from Cyber Security, rather than part of it.

Furthermore, the evaluation by ENISA, called: ‘Definition of Cybersecurity – Gaps and overlaps in
standardisation’ concludes that ‘There does not need to be a definition for Cybersecurity, in the
conventional sense that we tend to apply to definitions for simple things, like the authentication of an
identity (a security mechanism allowing the verification of the provided identity). The problem is that
Cybersecurity is an enveloping term; and it is not possible to make a definition to cover the extent of the
things Cybersecurity covers.’

This conclusion by ENISA probably summarizes the uncertainty amongst the many role-players in this
field on what Cyber Security exactly entails. This interpretation of Cyber Security as an ‘enveloping term’,
together with the many diverse definitions and interpretations, such as those in (a) to (d) above, does
not make it easy to explain to Boards of Directors (BoDs) of companies precisely what their
accountability and responsibility towards Cyber Security entails. It has been found to be very difficult to
convince such BoDs that Cyber Security is important and part of their governing mandate without
being able to give a clear and comprehensive definition or explanation of the concept. These different
and diverse interpretations, definitions and conclusions tend to cause confusion in many cases; and they
do not help in explaining Cyber Security and Cyber Security Governance to Executive Management, nor
in explaining how these issues form part of their governance mandate.

In this paper, we attempt to provide a clear and simple approach to explain Cyber Security and Cyber
Security Governance, in order to get Executive Management’s buy in – without confusing them with
complex definitions, explanations, interpretations and/or various statements.

In our approach, we attempt to explain clearly the relationship between Cyber Security and Information
Security. Consequently, we will also differentiate clearly between Information Security Governance and
Cyber Security Governance. This, hopefully richer, understanding of Cyber Security Governance will
provide more clarity for Executive Management and to Boards of Directors (BoDs) to understand their
Cyber Security Governance mandate, with the related accountabilities and responsibilities. Our
approach may be viewed as an oversimplification; but we are of the opinion that it will assist in
positively influencing Executive Management and Boards of Directors.

The core message of this paper is to make a case that Cyber Security is a subset of Information Security;
and therefore, Cyber Security Governance is a subset of Information Security Governance. It is accepted
that many people will not agree with this message. However, it is not the purpose of this paper to
provide a ‘right or wrong’ answer; but merely to devise an understanding of Cyber Security and Cyber
Security Governance that can be used when dealing with BoDs and Executive Management.

Consequently, we will endeavor to motivate our message by using internationally accepted and
trustworthy supporting documentation.

The primary source of the documents we will be using, on which to base our arguments are:

• ISO/IEC 27032:2012 (Information technology — Security techniques — Guidelines for
cybersecurity) (ISO, 2012), which is an international standard; and
• the ISACA CSx Cybersecurity Fundamentals Study Guide, which forms the basis of the ISACA
Cybersecurity Fundamentals Certificate.

The international standing and recognition of these documents provides an academically stable
platform on which to base our argument and construct our stance. A further reason for using these
two documents is that both focus on Cyber Security alongside Information Security, rather than merely
using Cyber Security as a synonym for Information Security.

The rest of this paper is structured as follows:

In Section 2, we position Cyber Security as fully contained in Information Security; and we provide our
definition for Cyber Security. We continue, in Section 3, to use this definition of Cyber Security to
position Cyber Security Governance, as being fully contained in Information Security Governance; and
we provide our definition for Cyber Security Governance. In Section 4, we explain why our simplified
approach could benefit Executive Management and BoDs in better understanding their accountabilities
and responsibilities in this regard. A brief message to BoDs follows as Section 5; and some concluding
remarks follow in Section 6.

2. Cyber Security is fully contained in Information Security

As stated, the basis of our argument stems from the following two reputable sources:

• ISO/IEC 27032:2012 (briefly discussed in 2.1);
• The ISACA CSx Cybersecurity Fundamentals Study Guide (discussed in 2.2).

2.1 ISO/IEC 27032:2012

This document, as an international standard, was created by the International Organization for
Standardization and the International Electrotechnical Commission in 2012.

This document defines Cyber Security as the ‘preservation of the confidentiality, integrity and availability
of information in Cyberspace’. On the other hand, ISO/IEC 27000 defines Information Security as the
‘preservation of the confidentiality, integrity and availability of information’. Thus, the difference
between Cyber Security and Information Security is that Cyber Security is restricted to the information
in Cyber Space; whereas Information Security is the protection of information ‘everywhere’.

Figure 1, as found on page 11 of this document, is replicated below; and it provides the basis of our
interpretation.

This diagram clearly indicates that Cyber Security is fully contained in Information Security. It is also
clear that the effects, due to a lack of Cyber Security, like cybercrime and cyber safety or cyber harm (as
referred to earlier), are positioned outside the realm of either Information Security or Cyber Security.
We will not elaborate on the document’s definitions of the other components presented in Figure 1.
Those definitions can be found in the standard itself.

2.2 The ISACA CSx Cybersecurity Fundamentals Study Guide

ISACA (2016) has created the Cybersecurity Fundamentals Certificate, as an entry-level professional
certificate in the field of Cyber Security. According to ISACA, the Certificate is aligned with the National
Institute of Standards and Technology’s (NIST) National Initiative for Cybersecurity Education (NICE)
(2016), which is compatible with global Cyber Security issues, activities and job roles. The Certificate is
also aligned with the Skills Framework for the Information Age (SFIA).

The Certificate is supported by the Cybersecurity Fundamentals Study Guide, an extensive document of
nearly 200 pages.

The Study Guide states (on page 5):

‘… but in reality cybersecurity is a part of information security’.

It continues on page 9:

‘Information security deals with information, regardless of its format—it encompasses paper
documents, digital and intellectual property in people’s minds, and verbal or visual
communications. Cybersecurity, on the other hand, is concerned with protecting digital assets—
everything from networks to hardware and information that is processed, stored or transported
by internetworked information systems. Additionally, concepts such as nation-state-sponsored
attacks and advanced persistent threats (APTs) belong almost exclusively to cybersecurity. It is
helpful to think of cybersecurity as a component of information security [our emphasis in this
paper]’.

This Study Guide defines Cyber Security ‘as protecting information assets by addressing the threats to
information processed, stored and transported by internetworked information systems.’

This document, therefore, also clearly classifies ‘cybersecurity as a component of information security’,
as indicated above.

2.3 A Definition for Cyber Security

From the discussions in subsections 2.1 and 2.2 above, we now define Cyber Security as that part of
Information Security which specifically focuses on protecting the Confidentiality, Integrity and
Availability (CIA) of digital information assets against any threats, which may arise from such assets
being compromised via (using) the Internet.

Clarifying some aspects regarding our definition:

• Cyber Security is contained in Information Security;
• Cyber Security has everything to do with protecting the CIA of digital-information assets against
threats and attacks that use the Internet in some manner; and
• We identify the Internet as the main domain where Cyber Security applies. Some definitions
refer to ‘internetworked information systems’; but we specifically link Cyber Security to the
Internet and vice versa.

An example may assist in explaining our definition further.

Suppose an employee copies some sensitive company information onto a USB drive and sells
the USB drive to an unauthorized party. This is surely a breach of Information Security, but not
of Cyber Security; as the Internet is not involved.
However, if the employee sends the information from inside the company to some cloud-based
storage (via the Internet) and the unauthorized party is given access to this cloud storage; then
this is a breach of Information Security, as well as of Cyber Security.

As stated, there may be different opinions about our definition (and example); but kindly remember one
of our main goals is to simplify the concept of Cyber Security to Executive Management and BoDs.

Having now argued towards an explanation of Cyber Security, we can move on in Section 3 to define
Cyber Security Governance.

3. Cyber Security Governance is fully contained in Information Security Governance

The ISACA Study Guide, referred to in Section 2, states: ‘Information security deals with information,
regardless of its format—it encompasses paper documents, digital and intellectual property in people’s
minds, and verbal or visual communications’.

The international standard ISO/IEC 27014:2013 states that the Governance of Information Security is
a ‘system by which an organisation's information security activities are directed and controlled’
(ISO/IEC 27014, 2013).

Together these two statements indicate that Information Security Governance is the governance of
Information Security, regardless of its format.

On the other hand, as motivated in Section 2, Cyber Security is ‘restricted’ to the (digital) information
assets, which might possibly be compromised via (using) the Internet. Therefore, Cyber Security
Governance can be seen as the governance of (digital) information, which could possibly be
compromised via (using) the Internet.

Therefore, our explanation for Cyber Security Governance is:

Cyber Security Governance, as part of Information Security Governance, is the process of directing and
controlling the protection of a company’s digital information assets from the risks that are related to
using the Internet.

Based on this, it can be argued that Cyber Security Governance is a subset of Information Security
Governance, which is in line with Figure 1 in subsection 2.1.

In the next section we will expand on why this definition, or explanation, will help Executive
Management and BoDs in understanding their Cyber Security accountabilities and responsibilities.

4. Cyber Security Accountabilities and Responsibilities

The definitions and explanations of Cyber Security and Cyber Security Governance argued above allow
us to present Cyber Security to Executive Management from the following point of view:
Cyber Security aims to protect against the risks which arise because one’s organization is connected to
the Internet in some way or another. The more dependent one is on the Internet, i.e. the more services
one’s company provides via the Internet, the bigger the cyber threat and the more comprehensive one’s
Cyber Security efforts and commitments should be.

Relating Cyber Security and Cyber Security Governance directly to their enterprise’s exposure to Cyber
Space, and explaining that this exposure widens the potential for attack by cyber criminals, should
simplify matters. It would furnish Executive Management and BoDs with a clearer understanding of why
Cyber Security Governance has become such an important aspect lately, requiring their direct and
dedicated attention.

Information Security and the Governance thereof, used to be, and still is, very important in every
modern-day enterprise; but Cyber Security and Cyber Security Governance have grown to become
critical issues today, calling for the direct attention and oversight of BoDs and Executive Management.

Information Security, through the activity referred to as Information Security Governance, was and still
is an important responsibility of the BoDs; and it forms part of their general governance mandate. In the
light of the recent proliferation of business activities and processes utilizing Cyber Space (the Internet),
the extent of the cyber-related risks has increased to such an extent that the BoDs and Executive
Management must pay more attention to the potential (negative) effects thereof. It would certainly be
negligent not to do so. For this reason, understanding what Cyber Security entails has become very
important to BoDs, in order to properly govern Cyber Security in this time and age. This is certainly non-
negotiable to any modern BoD.

BoDs must demand to be informed and made aware of the enterprise’s involvement in and exposure to
Cyber Space. Once the BoD realizes the extent of the enterprise’s exposure to Cyber Space, they should
ensure that they understand the associated risks of this exposure. Once the BoD has understood
(evaluated) the situation, it must demand (direct) that a plan of action to address these risks is put in
place. Subsequently, the Board must ensure that it regularly gets updated on (monitor) the risk status.
These aspects should feature as a permanent BoD agenda item; and they would assist BoDs in properly
governing Cyber Security.

5. Re-directing the message to Boards of Directors

The message to CIOs and Information Security Managers is, therefore, as follows:

When confronting your Boards with Information Security risks to the enterprise, concentrate primarily
on the risks resulting from the enterprise’s activities in Cyber Space and the legal and brand-name
consequences of not addressing those risks. Emphasize these risks for any new systems, since these
would increase the enterprise’s presence in Cyber Space.

By re-directing the ‘security message’ to Boards, basing it firmly on the activities in Cyber Space while
not necessarily ignoring the systems ‘not linked to Cyber Space’, the time available to interact with BoDs
can be used more productively – to get the support and the involvement of such Boards.

Without the clear positioning of Cyber Security and Cyber Security Governance made in the previous
paragraphs, BoDs would in many cases still be confronted with the confusing statements listed as (a) to
(d) in Section 1; and this would oblige such Boards to deal with the full scope of Information
Security-related aspects. This would include aspects like physical information security, employee
identification and authentication, logical access control and many other aspects, such as, for example,
those defined by ISO 27001.

Many of these aspects have stabilized over the years, and are perfectly well handled by lower
management levels. Having to digest all these aspects as part of their Information Security Governance
responsibilities would definitely reduce the attention that Boards are increasingly expected to give to
cyber risks.

The rationale of this paper is, therefore, as indicated above, to direct the Board’s primary attention to
modern, everyday cyber risks, which are part of the Internet-oriented systems rolled out by their
enterprise, realizing that every new system being rolled out is exposed to a new set of cyber risks, for
example, hacking risks from outside directed towards their customers’ data and information. This does
not mean that the other aspects of the wider Information Security menu are now suddenly not
important any more – of course these are still important – but this should not allow the Board to miss
the cyber-related risks of hacking attacks, phishing attacks, BYOD risks and others.

Highlighting and focusing on these cyber security risks, as opposed to the more comprehensive and
general information security risks, would definitely make it easier for Boards to evaluate their
accountabilities and responsibilities in these areas.

The goal of this paper is to argue for a ‘simpler’ definition of Cyber Security to be utilized to mobilise
BoDs and Executive Management for the effective governance of Cyber Security, as part of their
mandate to oversee the wellbeing of the enterprise, especially from a Cyber Security perspective.

6. Conclusion

Boards of Directors and Executive Management are responsible and accountable for the wellbeing of
any modern organization. Since most, if not all, organizations are totally dependent on the
confidentiality, integrity and availability of their information assets, Information Security plays a critical
role in the wellbeing of such an organization; and therefore, Information Security Governance has grown
to become a definite mandate of BoDs. Currently, most organizations utilize Cyber Space for critical
business processes; and the Internet has become an integral link in modern information systems.

The hype around Cyber Space, Cyber Security and the related risks, has made BoDs and the Executive
Management of organizations uncomfortable about their organizations’ utilization and dependence on
Cyber Space and the Internet. It is important that these parties understand what Cyber Security is, how
it relates to Information Security; and that the governing of Cyber Security is key to their general
governance mandate. Against this backdrop, the authors have argued for a simple definition for Cyber
Security and Cyber Security Governance.

References

ENISA (2016), Definition of Cybersecurity – Gaps and overlaps in standardisation,
https://www.enisa.europa.eu/publications/definition-of-cybersecurity. Cited 3 September 2016.

Eva Ignatuschtschenko (2016), Developing a Cyber Harm Model,
https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/EIgnatuschtschenko_GCSCC_presentation_160112_0.pdf.
Cited 3 September 2016.

ISACA (2016), ISACA CSx Cybersecurity Fundamentals,
https://www.sbs.ox.ac.uk/cybersecurity-capacity/system/files/EIgnatuschtschenko_GCSCC_presentation_160112_0.pdf.
Cited 3 September 2016.

ISO/IEC 27014 (2013), ISO/IEC 27014:2013 (Information technology – Security techniques – Governance
of Information Security).

ISO (2012), ISO/IEC 27032:2012 (Information technology — Security techniques — Guidelines for
cybersecurity).

NICE (2016), National Initiative for Cybersecurity Education, http://csrc.nist.gov/nice/. Cited 3
September 2016.

SFIA, Skills Framework for the Information Age, https://www.sfia-online.org/en/reference-guide. Cited
3 September 2016.
