What does information security really mean?

Security is defined by Meriam-Webster Dictionary  [1] as  the quality or state of being secure. 

Secure itself is defined as :  free from danger  or free from risk of loss



If we have one million dollars and live in a utopian world, we will not be worried about the dangers that could exist to our money. We may leave our money in the street and label them with our name; no one will take them. Thus, the security and even trust concepts are not relevant in this world because we are sure that everyone is good and has good intentions.



In a dystopian world, we are almost sure that dangers exist. Therefore, almost everyone is interested in our assets. In this world, Security is critical as it is the only way that allows us to survive. Trust is relevant also but should be used much less frequently than Security.

 

In the real world, we are between the utopia and dystopia worlds. We are not sure about the existence or absence of dangers, and yet we need to make decisions about protecting our assets. We need thus to learn how to use Security and Trust. 


Trust has no cost, efficient, and makes trusted people happy

Security is expensive, complex and makes controlled people unhappy


Our role is always to find the best trade-off between security and trust. Trust has no cost and is efficient; we should use it whenever possible. So we should always build some justification before deciding to use security. The reason should come from the fact that there are essential indicators that entities from which we want to protect ourselves can betray our trust. The justification should also be elaborated to define the convenient security mechanisms so that we will not over-secure or under-secure our assets. This is part of a formal process called risk management. 


Based on the Security definition given by Meriam-Webster Dictionary, we can define Information Security as 


The absence of dangers or risk of loss to the information 


The dangers are the threat entities interested in accessing our information without authorization. The risk of loss in the context of information security represents the probability that we can estimate some bad events that could affect our information. Therefore, we need always to be able to define the risks to our data to determine the required security mechanisms to help reduce the risk (probability) of information loss.


Information security is the ultimate objective we want to achieve, but we need to be more specific about the term "information security." What are the characteristics of the information that we want to protect? We should, in general, do our best to avoid the usage of the term "information security" by trying to be more specific, whether we want to protect the Confidentiality, Integrity, or Availability of the information. Sometimes, securing the data can be done only by preserving one of the characteristics, and sometimes we need all of them. The type of information defines what the required security objectives are. For example, I want to ensure my private key's confidentiality and integrity. Still, I need only to protect the integrity of my public key to ensure that no one can link my identity to his public key. The availability security objective is about the intentional attacks that prevent us from accessing our information (e.g., Ransomware). We don't study the problems that can unintentionally affect the access to our information, which is usually referred to as reliability which is generally considered out of the security's scope.


It is essential to ensure that the security objectives defined for one information (e.g., private keys) are respected during the different information states. The information can be stored (e.g., using cryptocurrency wallets), transferred (e.g., using HTTPS protocol), or processed (e.g., using TEE environment or Yubikey).



Information security is thus definitely based on the security of other elements or tools that are used to manage the information: such as computers, networks, internet, mobile, software, etc. However, humans are also important to consider as many attacks happen because of human vulnerabilities (e.g., phishing attacks) and not always because of technological tools' vulnerabilities. 


From the viewpoint of attackers, accessing users' information illegally consists of finding vulnerabilities in any of the tools used to manage the users' information. As we all know, all the tools used to manage users' information have never been proven secure. All vendors know that their tools can have some vulnerabilities, and they hope to find them before the attackers and help their clients close these vulnerabilities before attackers can find them. So, we need today to find another definition of information security, the one that we can apply. We can give the following practical definition of information security as follows:


The ability of information tools vendors to find vulnerabilities before the attackers and to help their clients close them before they are exploited by attackers.


Vendors always do their best to find the vulnerabilities before the attackers by using different methods such as bounty programs. But unfortunately, attackers can often find the vulnerabilities before the vendors (e.g., zero-day vulnerability), and clients are not constantly updating their systems on time. So this should explain why we should always expect attacks in the future and why there is nothing secure 100%.



References

  1. https://www.merriam-webster.com/dictionary/secure


Comments

Popular posts from this blog

ChatGPT or CheatGPT? The impact of ChatGPT on education

Abstract Mathematical Explanation with Examples for Neural Networks