If a TV news reporter stopped me on the street and asked me to describe information security in 6 words or less, this is what I would say:
Information Security is about keeping secrets
This usually gets people thinking in the right direction.
So for example, the conversation flows like this:
- What's "infosec"??
- Infosec is about keeping secrets!
- What the heck are you talking about? That's stupid...
- OK, then give me your email password / bank card PIN
- Uh, no
- Because, you could like, do bad things to my email / bank account / neighbour's WiFi!
- Exactly! That information needs to be kept secret! Information security ensures only those who have permission can get to that information.
From there, I gauge if they’re evaluating their life choices and how they ended up discussing infosec with me. If I still have their attention I go on to explain the 3 legs of security that keep you safe online – and which are the basis of Information Security:
Confidentiality, Integrity, Availability
Also known as the CIA triad, which in my mind brings up images of Secret Service ninjas trying to overthrow governments in Central America (yes, yes, I know J4vv4d already made the joke, but I couldn’t pass up).
Let’s use your bank card PIN as an example to demonstrate how the CIA triad defends your digital presence:
C – The PIN is a secret that should be known ONLY to you. If anyone else knows your PIN, that breaks the confidentiality leg, and allows them to access your account. C for Confidentiality means only those authorized to access the data are allowed to get to it. Controls must be put in place to prevent unauthorized access.
I – What if you typed your PIN, only to find out that it isn’t working? For whatever reason, the stored PIN became corrupted, and now you lost access to your account because the PIN you’re typing is not the one the system recognizes. That’s data corruption, and it means that I for Integrity has just been broken. Integrity maintains the accuracy and consistency of data on the system.
A – Availability means that the system is there for you when you need it. What good is it if Confidentiality and Integrity are guaranteed, if my data is not also guaranteed to be there when I need it? That’s like you buying me a pie but not giving it to me. That just makes me sad and confused. Sadfused. It’s not a good thing.
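To make the three legs concrete, here is a small added example (my own illustration, not code from the original post) of a toy PIN store that applies each one to the bank-card scenario above. Everything in it is constructed: the in-memory `store` dictionary stands in for the bank's database, `INTEGRITY_KEY` is a made-up server-side key, and the `corrupt_record` helper only exists to simulate the "stored PIN became corrupted" case. The point it adds to the text is that an integrity check lets the system tell a corrupted record apart from a simply wrong PIN, rather than silently locking the customer out.

```python
import hashlib
import hmac
import os
import secrets

# Constructed server-side key used only to tag stored records (not the PIN itself).
INTEGRITY_KEY = secrets.token_bytes(32)


def hash_pin(pin: str, salt: bytes) -> bytes:
    """Confidentiality: the PIN is never stored; only a salted, slow hash of it is."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


def integrity_tag(record: dict) -> bytes:
    """Integrity: an HMAC over the stored fields so corruption is detectable."""
    return hmac.new(INTEGRITY_KEY, record["salt"] + record["pin_hash"], "sha256").digest()


def enrol(store: dict, account: str, pin: str) -> None:
    """Create the stored record for an account: salt, PIN hash and integrity tag."""
    salt = os.urandom(16)
    record = {"salt": salt, "pin_hash": hash_pin(pin, salt)}
    record["tag"] = integrity_tag(record)
    store[account] = record


def verify(store: dict, account: str, pin: str) -> str:
    """Return one of 'ok', 'denied', 'integrity_failure' or 'unavailable'.

    The order matters: availability (is the record there?) is checked first,
    then integrity (is the record intact?), and only then the PIN itself.
    """
    record = store.get(account)
    if record is None:
        # Availability leg: the data we need is not there to be checked at all.
        return "unavailable"
    if not hmac.compare_digest(integrity_tag(record), record["tag"]):
        # Integrity leg: the stored data changed; a wrong-PIN answer would mislead.
        return "integrity_failure"
    if hmac.compare_digest(hash_pin(pin, record["salt"]), record["pin_hash"]):
        # Confidentiality leg: only the holder of the PIN reaches this branch.
        return "ok"
    return "denied"


def corrupt_record(store: dict, account: str) -> None:
    """Test helper (constructed): flip one byte of the stored hash to simulate corruption."""
    h = store[account]["pin_hash"]
    store[account]["pin_hash"] = bytes([h[0] ^ 0xFF]) + h[1:]


if __name__ == "__main__":
    store = {}
    enrol(store, "acct-1234", "4821")          # constructed account id and PIN
    print(verify(store, "acct-1234", "4821"))  # ok
    print(verify(store, "acct-1234", "0000"))  # denied
    corrupt_record(store, "acct-1234")
    print(verify(store, "acct-1234", "4821"))  # integrity_failure
    print(verify(store, "acct-9999", "4821"))  # unavailable
```

Notice that after `corrupt_record` the correct PIN no longer works, exactly as in the Integrity paragraph, but the system reports `integrity_failure` instead of `denied`, so operators can restore the record from backup instead of treating the customer as an impostor.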
To wrap up: in the Information Age, there is information that would hurt you if it got in the wrong hands. Information Security is about keeping it secret!