ISACA Now Blog


A simple definition of cybersecurity

Posted at 3:28 PM by ISACA News | Category: Security

Menny Barzilay

To understand the term cybersecurity we must first define the term cyberrisk.

Cyberrisk is not one specific risk. It is a group of risks that differ in technology, attack vectors, means, etc. We address these risks as a group largely because they share two characteristics: (a) they all have potentially great impact, and (b) they were all once considered improbable.

To understand this we start with a visual representation of the traditional risk curve:

Figure 1 is a simple graph that shows the correlation between the probability of a risk occurring and its potential impact. As we move to the right, a risk’s potential impact increases. At the far right of the risk curve we see a “long tail”—a group of very-high-impact risks with a very low probability of occurrence. (Naturally, organizations have resource constraints and focus their efforts on addressing the risks with a high probability of occurrence and potentially significant impact.)

Figure 1

Next, let us define focus zone (depicted in Figure 2 below) as the area containing the risks to which the organization directs its mitigation efforts. The size of the focus zone is determined by factors such as risk appetite, cost effectiveness, the CISO’s attitude, organizational culture, availability of resources and relative threat landscape.

As illustrated below, the efforts invested in addressing risks within the focus zone are commonly referred to as information security. Those risks include traditional malware (viruses, trojans, spyware, adware, etc.), standard phishing attacks, standard distributed denial-of-service (DDoS) attacks, standard hacking activities, etc.

Figure 2

Of course, something has changed recently. The threat landscape evolved to the point that risks that were once considered unlikely began occurring with regularity. The increased probability of very-high-impact risk occurrences is illustrated in Figure 3 below as Item 1.

This trend can be attributed to the higher maturity of attack tools and methods, increased exposure, increased motivation of attackers, and better detection tools providing more visibility. With that said, we must accept that some of this shift is a result of our increased awareness of this new, highly focused group of risks.

The change to the threat landscape forces us to expand an organization’s focus zone to include these previously excluded risks—illustrated below as Item 2.

Figure 3

This new group of very-high-impact risks that now requires our attention is commonly referred to as cyberrisk. As illustrated in Figure 4 below, efforts invested in addressing cyberrisks are known, naturally, as cybersecurity.

This group of risks includes all sorts of unusual scenarios: organization-specific, specially designed malware; manipulated hardware and firmware; the use of stolen certificates; spies and informants; exploitation of vulnerabilities in archaic hardware; attacks on third-party service providers; etc. This list also includes what are known as advanced persistent threats.

Figure 4

Some might consider information security and cybersecurity as two different disciplines, but I would argue that cybersecurity is a subdiscipline of information security (see Figure 5).

Figure 5

Cybersecurity is the sum of efforts invested in addressing cyberrisk, much of which was, until recently, considered so improbable that it hardly required our attention.

We must remember that the shift of the risk curve represents an ongoing trend. Very-high-impact risks will become increasingly frequent, forcing us to become better at protecting assets and devising creative solutions to mitigate risks.


Menny Barzilay
Head of IT Audit, Bank Hapoalim

Continue the conversation: engage with your peers in the Cybersecurity topic in ISACA’s Knowledge Center.

Comments

Re: A simple definition of cybersecurity

Menny_B at 5/8/2013 4:11 PM

Re: A simple definition of cybersecurity

I agree that cybersecurity is a part of information security, because cybersecurity is related to threats that come from globally connected networks like the internet, and information security is related to the overall protection of information systems. However, I do not agree that cybersecurity contributes only to high-impact risk with low probability. Openness to the internet makes cyber threats very probable, and cybersecurity has the task of mitigating cyberrisk to an acceptable level and limiting the impact.
BerniK at 11/27/2013 2:07 AM