
What's in a name: Cybersecurity vs. InfoSecurity
It was a deceptively innocent but, to me at the time, intractable question: what is the
difference between Information Security and Cybersecurity? After more than twenty
years in the computer/information/cyber security business - and more than half of those in
consulting - I was under the illusion that I could argue intelligently about the nature of the
major areas that make up this industry - or so I thought until that question came up.
The terms Cybersecurity and Information Security are to me quasi-synonymous, but a
gut feeling immediately protests the existence of subtle, but important, differences. The
fact that I could not pinpoint those immediately and off the top of my head I initially
attributed to a gap in my knowledge and understanding (although, admittedly, it had to be
a big gap if such a fundamental question could not be answered), so I set out to rectify the
shortcoming. A casual Google search, however, only managed to muddle things more, as
the terms seemed to be used interchangeably; a more diligent search was required, which
in turn did not shed more light on the issue.
According to the US Committee on National Security Systems National Information
Assurance Glossary (CNSS Instruction No. 4009, 26 April 2010), Information Security is "the
protection of information and information systems from unauthorized access, use,
disclosure, disruption, modification, or destruction in order to provide confidentiality,
integrity, and availability", whereas as per ISO/IEC 27001 it is the "preservation of
confidentiality, integrity and availability of information; in addition, other properties such
as authenticity, accountability, non-repudiation and reliability can also be involved."
What about Cybersecurity? ISO/IEC 27032 defines Cybersecurity as the "preservation of
confidentiality, integrity and availability of information in the Cyberspace", whereas
CNSS Instruction No. 4009 defines it as "the ability to protect or defend the use of
cyberspace from cyber attacks."
Although the definitions are self-explanatory, their domains of definition (in a
mathematical sense) are different and disjoint, as they have no common elements:
Information Security is defined in terms of confidentiality, integrity and availability,
whereas Cybersecurity is defined in terms of cyberspace and cyber attacks. So how can we find
the fundamental differences? In other words, if we consider each one as a set of activities,
are they the same set? And if they are not, which are those elements that belong to one set
but are not members of the other? In the absence of any clear and widely accepted
distinction between the two, I will attempt to enumerate those differences, in part by
querying this gut feeling. After some thought (and some more focused search) I
concluded that the differences between the terms ultimately have their roots in four areas:

1. Different domains of applicability

Information Security, to me at least, relates mostly to individuals and companies, whereas
Cybersecurity relates more to entire economies and society as a whole. A virus outbreak
in an organisation is an Information Security matter; the same virus outbreak, affecting a
country or the Air Traffic Control systems of a continent, is a Cybersecurity problem;
keeping children safe online is a Cybersecurity-related initiative.

2. Sovereignty connotations
Cybersecurity has sovereignty aspects and connotations (national security, intelligence,
defence/military, etc.). A power outage caused by a successful cyber attack, the ability to
conduct or defend against cyber espionage and the self-sufficiency of a country in terms
of security technology and competent human capital are clearly Cybersecurity
considerations.

3. Intentional vs. accidental

Cybersecurity focuses on intentional threats and does not place any particular emphasis
on accidental threats, which fall within the remit of Information Security. Flooding a
network connection after a routing misconfiguration or an application failing unsafely
due to a coding error are Information Security concerns; a Distributed Denial of Service
(DDoS) attack or a low-and-slow, stealthy exfiltration breach fall squarely in the realm
of Cybersecurity.

4. Not only defence

In contrast to Information Security, which clearly is concerned solely with the protection
of information, Cybersecurity might encompass offensive capabilities in order to enable
an entity to wage cyberwarfare or retaliate against an adversary. Enough said.

Do you agree with the above? Do you also feel that there still is confusion surrounding
the two terms?

Graph: Trends in search terms - "Information Security" vs. "Cybersecurity" or "cyber
security"

source: Google Trends - (don't ask me why "cyber security" peaked in Nov. 2009)

P.S. By the way, if you agree that Information Security and Cybersecurity are partially
overlapping, don't we need a term to describe all the elements and activities that make up
both of them (the union of the two sets - InfoSec ∪ CyberSec)? What would we call
that, then?
