Definition of cyber security
Traditionally, matters related to cyber security were seen as the job of those responsible for ICT. Since then, society has transformed into an information society and become dependent on the functioning of information systems and networks, and thus vulnerable to disruptions affecting them. The digital operating environment is now an integral part of everyday life, and cyber security has become everyone’s concern.
Security
In several languages there is only one word that matches the English words safety and security (turvallisuus in Finnish, Sicherheit in German, seguridad in Spanish, 安全 in Chinese). In everyday language, safety is more associated with unintentional events and security with intentional actions, such that safety protects against accidents (occupational, fire, traffic safety) and security against deliberate harm (security personnel, security screening, security policy, Security Council). In addition, when considering different protection measures, safety is more often linked to devices and security to actors. The distinction becomes apparent, for example, in the context of cyber-physical systems.
Even when we are (more) on the side of security, there are still two concepts that are difficult to distinguish: cyber security and information security. Their usage is not always consistent; depending on the situation and context, one must understand which is meant. They have much in common, but both also have their own “domains”, as will become clear below.
Areas of information security
Information security has traditionally been defined as ensuring three properties related to information: confidentiality, integrity, and availability. Together, these form the CIA model of information security.
Information security
Refers to arrangements aimed at ensuring the confidentiality, integrity and availability of information.
Confidentiality means that information is not accessible to anyone other than those authorised to use it. Examples of implementing confidentiality include encrypting network traffic, applying security classifications to official documents, and ensuring that not all healthcare staff have access to all patients’ records.
Integrity means that information is what it is supposed to be. This does not mean that the information is true or otherwise “good”, but that nothing and no one has altered it, intentionally or accidentally. When information is first created, its integrity comes into being and is perfect, but as soon as the information is stored, transmitted, or processed, its integrity can be compromised. Checking the recipient’s payment details before settling an invoice is also an example of ensuring the integrity of information.
Availability means that information is accessible when it is needed. For example, the functioning of data communication connections is a significant part of achieving this goal.
Cyber security
The course is named after cyber security and focuses on it because information security alone is no longer sufficient. Any information security breach may be part of an attack that affects critical infrastructure or is even directly targeted at it. Critical infrastructure is traditionally understood to include these seven sectors: energy, water supply, healthcare, transport, banking, financial markets, and networks (cf. NIS2 Directive). There are also other targets of cyber impact, such as political decision-making.
Cyber security therefore extends further into the physical world than information security. On the other hand, information security concerns “all information”, whereas the “core” of cyber security lies in the functioning of the digital world. The objectives and methods of information security are also important in cyber security, but cyber security is often not perceived as being as concrete as information security; rather, it is seen as a somewhat abstract target state, perhaps only a matter for authorities. After this course, you will understand what the cyber impact of your own information security can be, and why some cyber security measures may affect your data.
Cyber security
Refers to a target state in which an electricity-dependent and highly networked digital operating environment can be trusted.
There are also other ways to structure the key concepts. A broader concept, digital security, has been proposed, consisting of five areas: cyber security, risk management, business continuity and preparedness, information security, and data protection. Digital security can be useful in some contexts, but it is important to note that in this course material, cyber security largely encompasses the other four areas.