For someone who has worked in (broadly speaking) Cyber Security for a long time, gathering its different meanings and nuances was an interesting mission. Not too surprisingly, the definition of Security commands only limited consensus. It should be noted that we reviewed this concept in the wider context of TIPS: Trust, Identity, Privacy, Security.
In order to find a definition of Security, we did a brief and informal survey of online material. We broke the stakeholders down into
- standards organisations, technical guidance communities and national agencies
- professional publications and news agencies
- academic publications
Perhaps the common element is the notion of attack: security is about protecting the organisation against cyber-attacks.
ITU [1] provides a lengthy definition which, summarised, amounts to an operational one: security is the collection of measures taken to protect against a cyber-attack. This notion is supported by the UK's national agency, NCSC [2], and the USA's standards body, NIST [3]. ISO, in ISO/IEC 27001 [4], provides a definition of Information Security in line with those publications.
News outlets, such as TechTarget [5], and even household dictionaries such as Merriam-Webster [6], use definitions that revolve around protection against attacks.
Businesses and related channels, such as Cisco [7] or Kaspersky [8], also focus on the protection of assets against attacks.
Turning to academic publications, two deserve a special mention. Craigen et al. [9] propose that Cybersecurity is "the organization and collection of resources, processes, and structures used to protect cyberspace and cyberspace-enabled systems from occurrences that misalign de jure from de facto property rights". Schatz et al. [10] surveyed the literature for the commonalities between definitions and essentially found that they converge on the idea that cyber security is the set of measures, whether technological or human practices, that protect digital assets against cyber-attacks.
Overall, there is a pattern:
- cyber security seems to focus on property or assets; security is the protection of those assets from attacks
- it seems to be a concept essentially owned by businesses — similar to classic crime, the threat is that valuables are stolen or business continuity gets disrupted
We do not challenge this set of definitions, but it gives us the feeling that it is only partial:
- individuals and communities do not seem to be addressed
- it does not treat security as a right or an expectation, such as when a home gadget ships with a vulnerability, in line with the thoughts of Bruce Schneier on liability for vulnerable software [11]
- the notion of safety (which should be, we argue, a default/passive setting) is not embedded, which is particularly important for medical devices
We'd welcome your views. What could be missing from this definition? Or is it fairly complete, with the other aspects falling under the other elements of Trust, Identity or Privacy?
- [1] ITU-T X.1205, Overview of cybersecurity. Online: https://www.itu.int/en/ITU-T/studygroups/com17/Pages/cybersecurity.aspx
- [3] NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
- [4] ISO/IEC 27001, Information security management
- [9] Dan Craigen, Nadia Diakun-Thibault, Randy Purse, Defining Cybersecurity, Technology Innovation Management Review, October 2014. Online: https://timreview.ca/article/835
- [10] Daniel Schatz, Rabih Bashroush, Julie Wall, Towards a More Representative Definition of Cyber Security, Journal of Digital Forensics, Security and Law, 12(2), pp. 53-74, 2017. Online: https://doi.org/10.15394/jdfsl.2017.1476