Archive for March, 2009

What Is Information Security? Really??

In the current issue of IEEE Security and Privacy, Silver Bullet editor Gary McGraw, CTO of Cigital, asks an interesting question: “What is security?” His interviewee, Gunnar Peterson, founder of Artec Group, mentions Dan Geer’s statement that security is “risk management.” Later in the interview, McGraw asks whether security is “a thing”; Peterson says it is a “set of services.” Butler Lampson, for his part, defines security as authentication, authorization, and auditing (“Au – the Gold Standard” – ha ha). All of this mumbling about security illustrates an essential problem with the profession and the intellectual domain of information security: there is no generally accepted definition of information security. For years, I have proposed that a better definition of information security than “CIA” is

a well-informed sense of assurance that
information risks and controls are in balance.
