c o m p u t e r s & s e c u r i t y x x x ( 2 0 1 3 ) 1 e6

Available online at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

From information security to cyber security

Rossouw von Solms*, Johan van Niekerk

School of ICT, Nelson Mandela Metropolitan University, Port Elizabeth 6031, South Africa

article info abstract

Article history: The term cyber security is often used interchangeably with the term information security. This
Received 26 November 2012 paper argues that, although there is a substantial overlap between cyber security and in-
Received in revised form formation security, these two concepts are not totally analogous. Moreover, the paper
10 April 2013 posits that cyber security goes beyond the boundaries of traditional information security to
Accepted 11 April 2013 include not only the protection of information resources, but also that of other assets,
including the person him/herself. In information security, reference to the human factor
Keywords: usually relates to the role(s) of humans in the security process. In cyber security this factor
Information security has an additional dimension, namely, the humans as potential targets of cyber attacks or
Cyber security even unknowingly participating in a cyber attack. This additional dimension has ethical
Cybersecurity implications for society as a whole, since the protection of certain vulnerable groups, for
Cyber-Security example children, could be seen as a societal responsibility.
Computer security ª 2013 Elsevier Ltd. All rights reserved.
Risk
Threat
Vulnerability

1. Introduction In most literature, cyber security is used as an all-inclusive

term. Definitions of this term vary, for example the Merriam
Cyber security has become a matter of global interest and Webster dictionary defines it as “measures taken to protect a
importance. Already more than 50 nations have officially computer or computer system (as on the Internet) against
published some form of strategy document outlining their unauthorized access or attack”. The International Telecom-
official stance on cyberspace, cyber crime, and/or cyber security munications Union (ITU) defines cyber security as follows:
(Klimburg, 2012). The Whitehouse (2011) has outlined a cyber
strategy that provides the stance of the United States of Cybersecurity is the collection of tools, policies, security
America (USA) on cyber-related issues and outlines a unified concepts, security safeguards, guidelines, risk manage-
approach to the USA’s engagement with other countries on ment approaches, actions, training, best practices, assur-
cyber issues. The United Kingdom (UK) lists cyber security as a ance and technologies that can be used to protect the cyber
top priority and has committed £650 million over four years environment and organization and user’s assets. Organi-
for a transformative National Cyber Security Programme zation and user’s assets include connected computing de-
(Minister for the Cabinet Office and Paymaster General, 2011). vices, personnel, infrastructure, applications, services,
However, very few of these sources seem to make a distinc- telecommunications systems, and the totality of trans-
tion between the concepts of cyber security and information mitted and/or stored information in the cyber environment.
security or the relationship between them. Cybersecurity strives to ensure the attainment and

* Corresponding author. Tel.: þ27 41 504 3604; fax: þ27 41 504 9604.
E-mail addresses: [email protected], [email protected] (R. von Solms), [email protected] (J. van
Niekerk).
0167-4048/$ e see front matter ª 2013 Elsevier Ltd. All rights reserved.
http://dx.doi.org/10.1016/j.cose.2013.04.004

Please cite this article in press as: von Solms R, van Niekerk J, From information security to cyber security, Computers & Security
(2013), http://dx.doi.org/10.1016/j.cose.2013.04.004
2 c o m p u t e r s & s e c u r i t y x x x ( 2 0 1 3 ) 1 e6

maintenance of the security properties of the organization characteristics include the confidentiality, integrity and
and user’s assets against relevant security risks in the cyber availability of information, as mentioned in the definition
environment. The general security objectives comprise the provided in ISO/IEC 27002 (2005), but are not limited to these
following: three characteristics only. According to Whitman and Mattord
(2009, p. 8), ensuring the confidentiality, integrity and avail-
 Availability ability of information, also known in information security as
the CIA triangle, has traditionally been the industry standard.
 Integrity, which may include authenticity and non- “The security of these three characteristics of information is
repudiation as important today as it has always been, but the CIA triangle
model no longer adequately addresses the constantly chang-
 Confidentiality ITU, 2008. ing environment of the computer industry” (Whitman and
Mattord, 2009, p. 8). Accordingly, Whitman and Mattord
These definitions are very similar to that of information (2009) add accuracy, authenticity, utility and possession to
security. This paper will explore the definition of information the list of information characteristics that needs to be
security in depth and then argue that the boundaries of cyber protected.
security as a concept are wider than those of information A few concepts in the above definitions need closer ex-
security in terms of how it is formally defined. This view- amination. Firstly, it should be clear that information security
point is supported by the international standard ISO/IEC is not a product or a technology, but a process (Mitnick and
27032:2012(E). Simon, 2002, p. 4). According to Wood (2004) information se-
This paper will specifically focus on the underlying nature curity used to be a strictly technical issue. However, as the use
of security in general and will attempt to show, by means of of computers and networks evolved, the process of securing
examples, that the assets cyber security aims to protect these computers and networks also had to evolve to extend
include an additional dimension which extends beyond the beyond only the technical. The process of information secu-
formal boundaries of information security. Further, this paper rity may require the use of certain products, but is not
asserts that both humans in their personal capacity and so- something that can be bought off the shelf.
ciety at large can be directly harmed or affected by cyber se- The second important factor to note about the above defi-
curity attacks, whereas this is not necessarily the case with nitions is that information security is commonly defined in
information security where harm is always indirect. The au- terms of the properties or characteristics that secure infor-
thors view such a disambiguation as an important contribu- mation should have. These usually include the confidentiality,
tion to the common body of knowledge for the field of integrity and availability of information, but can include
information and cyber security. Such a body of knowledge additional characteristics.
provides a “basis for understanding terms and concepts” in It is important to note that there is a difference between
the subject area and thus acts as a “taxonomy of topics rele- information security and information technology (or infor-
vant to professionals around the world” (Theoharidou and mation and communication technology) security.
Gritzalis, 2007).
2.2. Information and communication technology
security defined
2. Information security
Information and communication technology (ICT) security
The aim of information security is to ensure business conti- deals with the protection of the actual technology-based
nuity and minimise business damage by limiting the impact of systems on which information is commonly stored and/or
security incidents (Von Solms, 1998). Information security can transmitted. The international standard ISO/IEC 13335-1
be defined in a number of ways, as highlighted below. (2004) defines ICT security as all aspects relating to defining,
achieving and maintaining the confidentiality, integrity,
2.1. Information security defined availability, non-repudiation, accountability, authenticity,
and reliability of information resources (ISO/IEC 13335-1, 2004,
The international standard, ISO/IEC 27002 (2005), defines in- p. 3). Since information security includes the protection of the
formation security as the preservation of the confidentiality, underlying information resources, it can be argued that ICT
integrity and availability of information (ISO/IEC 27002, 2005, security is a sub-component of information security.
p. 1). In the context of ISO/IEC 27002 (2005), information can The definition of ICT security is thus very similar to that of
take on many forms. It can be printed or written on paper, information security. However, additional characteristics,
stored electronically, transmitted by post or electronic means, which in this context could be better described as services that
shown on films, conveyed in conversation, and so forth (ISO/ should be provided by secure information resources, are
IEC 27002, 2005, p. 1). added to the definition. These include non-repudiation,
Whitman and Mattord (2009) define information security accountability, authenticity and reliability. Dhillon (2007, p.
as “the protection of information and its critical elements, 19) also refers to the concept of data security as denoting the
including the systems and hardware that use, store, and protection of the actual data in an information system. Since
transmit that information” (Whitman and Mattord, 2009, p. 8). the definition given in Dhillon (2007, p. 19) includes most of
These authors (2009) also identify several critical character- the characteristics in the definition for information technol-
istics of information that give it value in organisations. These ogy security, and because the security of underlying data is to

Please cite this article in press as: von Solms R, van Niekerk J, From information security to cyber security, Computers & Security
(2013), http://dx.doi.org/10.1016/j.cose.2013.04.004
 c o m p u t e r s & s e c u r i t y x x x ( 2 0 1 3 ) 1 e6 3

a large extent reliant on the overall security of the information

Threats Vulnerabilities Assets
system on which the data resides, it can be argued that the _______ _______ _______
term data security is in fact used in Dhillon (2007) to refer to the Various Various ICT

same concept as that which ISO/IEC TR 13335-1 (2004) calls ICT

security. Fig. 1 e Information and communication technology
From the definitions discussed in Sections 2.1 and 2.2 it security.
should be clear that there is a difference between securing
information resources and securing ICT resources. A secure
information resource could include any entity from which communication technology can in this case be classified as,
information is received or to which information is sent. A among other things, a vulnerability that is targeted by various
secure information technology resource is a secure informa- threats in an attempt to compromise the asset, that is,
tion resource that happens to reside on an information technology information.
system. It is also important to note that, in terms of ICT-based Thus, it is important to note that, in the case of information
systems, the information alone cannot be deemed to be security, information is the asset that is to be secured.
secure unless all resources and processes dealing with that The following sections will argue that, in cyber security,
information are secure as well. the nature of the threats, vulnerabilities and assets differs
As mentioned earlier, the first three characteristics, confi- from that of information security.
dentiality, integrity and availability, are commonly known as
the CIA triangle model, which has been considered the in-
dustry standard for computer security since the development 3. Cyber security
of the mainframe (Whitman and Mattord, 2009, p. 8). The
additional characteristics have been added to the definition to As mentioned earlier, many current publications dealing with
address organisations’ additional security needs in today’s cyber security use the term cyber security interchangeably with
inter-networked business environment. A clear understand- the term information security. If cyber security is synonymous
ing of the meaning of all the above-mentioned characteristics with information security it would be reasonable to assume
(and/or services) is essential to an understanding of infor- that cyber security incidents could also be described in terms
mation and ICT security, as without the confidentiality, of the characteristics used to define information security.
integrity, availability, non-repudiation, accountability, Thus, a cyber security incident would, for example, also lead
authenticity and reliability of information resources, infor- to a breach in the confidentiality, integrity or availability of
mation cannot be deemed secure. All of the above (including information.
the accuracy, utility and possession of information) play an This is true for the majority of cyber security related
integral role in information security and should be deemed threats a user and/or organisation might be exposed to.
equally important. It is, however, possible for one or more of However, it is the contention of this paper that there are cyber
these characteristics or services to be more applicable in security threats that do not form part of the formally defined
specific scenarios than others, depending on the nature of the scope of information security. This section will briefly present
information itself. For example, the integrity of inflationary a few scenarios as examples:
statistics is of obvious importance for economists, whilst the
confidentiality of the same data appears to be unimportant 3.1. Scenario 1 e cyber bullying
because everyone would probably be allowed to have access to
such information. However, by definition, a breach of confi- Cyber bullying has become a major concern to modern society
dentiality only occurs if an unauthorised entity obtains the (Martin and Rice, 2011). According to Martin and Rice (2011),
information. Since everyone would be an authorised user of several recent studies have found that technology is increas-
inflationary statistics, in this case, the confidentiality of the ingly used to bully, “cause embarrassment, invoke harass-
information would actually be maintained. In an organisa- ment and violence, and inflict psychological harm”. This could
tional context, ensuring the security of the organisation’s in- lead to “severe and negative impacts on those victimized”.
formation is thus not a case of deciding which characteristics The need to address cyber bullying has become widely
or services are applicable, but rather of defining the author- acknowledged as a cyber security problem and is even
ised entities, as well as other parameters for any given piece of mentioned specifically in the UK Cyber Security Strategy
information, correctly. (Minister for the Cabinet Office and Paymaster General, 2011,
When analysing ICT security, as described above, it is clear p. 26). However, being bullied in cyberspace does not consti-
that various threats are targeting related vulnerabilities and, tute a loss of confidentiality, integrity or availability of infor-
eventually, have a negative impact on ICT infrastructure. In mation. Instead, the target of such activities is the user him/
this case it is clear that the technological infrastructure is herself. Accordingly, cyber bullying results in direct harm to
deemed to be the asset that needs protection. Accordingly, in the person being bullied.
ICT security the ICT is the asset that is secured. Fig. 1 depicts
this relationship.
Threats Vulnerabilities Assets
In the case of information security, ICT is the infrastructure _______ _______ _______
Various ICT, etc. Information
that processes, stores and communicates information. In this
case it is information that is deemed to be the asset that re-
quires protection, as depicted in Fig. 2. Information and Fig. 2 e Information security.

Please cite this article in press as: von Solms R, van Niekerk J, From information security to cyber security, Computers & Security
(2013), http://dx.doi.org/10.1016/j.cose.2013.04.004
4 c o m p u t e r s & s e c u r i t y x x x ( 2 0 1 3 ) 1 e6

3.2. Scenario 2 e home automation the case of attacks against such critical infrastructure, the loss
entails not only of that of the integrity or availability of in-
Advances in ICT, as well as advances in the field of electronics, formation resources, but also that of access to such critical
have given rise to a multitude of home automation applica- services. In this case, it is neither the information itself nor the
tions (Jiménez et al., 2011). Many of these allow home owners individual information user that is at risk, but rather the
to integrate home security systems, hot water geysers, fridges, wellbeing of society as a whole. A good example of such at-
stoves, televisions and other appliances with web-based tacks is the attacks on Estonia in April/May of 2007.
management systems. Unfortunately, the increased conve- These scenarios deal with a specific aspect of cyber secu-
nience of managing one’s home via the web is accompanied rity where the interests of a person, society or nation,
by the increased risk that someone might gain unauthorised including their non-information based assets, need to be
access to such systems and cause harm. This harm could protected from risks stemming from interaction with cyber-
range from “pranks” like turning off the hot water, to serious space. This serves to highlight the difference between infor-
crimes like turning off the security system in order to burgle mation security and cyber security.
the home.
Once again, in this case one can argue that the victim’s
information is not necessarily negatively affected. Instead, 4. From information security to cyber
other assets of the victim are the target of the cybercrime. security

3.3. Scenario 3 e digital media All security is about the protection of assets from the various
threats posed by certain inherent vulnerabilities. Security
One of the industries that have been directly affected by the processes usually deal with the selection and implementation
improved sharing of information is the entertainment in- of security controls (also called countermeasures) which help
dustry. Every year enormous amounts of potential revenue to reduce the risk posed by these vulnerabilities (ISO/IEC
are lost to the sharing of illegal movies, music and other forms 27002, 2005; Farn et al., 2004; Gerber and Von Solms, 2005).
of digital media. This illegal sharing does not necessarily In the case of ICT security, the asset(s) that need to be
affect the confidentiality, integrity or availability of the shared protected are the underlying information technology infra-
media; however, it does directly affect the financial wellbeing structure (see Fig. 1). Information security, on the other hand,
of the legal owner of the rights to the specific media. Self- extends this definition of the assets to be protected to include
justification of illegal activities, like copying media illegally, all aspects of the information itself. It thus includes the pro-
could even act as a catalyst that makes it easier to perform tection of the underlying ICT assets, and then goes beyond
other illegal acts in future (Ariely, 2012). just the technology to include information that is not stored or
In this case it could be argued that the victim of the communicated directly using ICT (see Fig. 2).
cybercrime is more than just the party whose intellectual However, as demonstrated in the scenarios above, in cyber
property is being compromised. It even extends to an attack security the assets that need to be protected can range from
on the value system (both ownerships rights and the under- the person him/herself to common household appliances, to
pinning ethics of the perpetrators) that is being negatively the interests of society at large, including critical national
affected. infrastructure. In fact, such assets include absolutely anyone
or anything that can be reached via cyberspace.
3.4. Scenario 4 e cyber terrorism It is thus the assertion of this paper that the term cyber
security is related, but not analogous, to the term information
In the USA critical infrastructure is defined as “the assets, security. In cyber security, information and ICT are the un-
systems, and networks, whether physical or virtual, so vital to derlying cause of the vulnerability. It is still possible for the
the United States that their incapacitation or destruction assets dealt with in security to include information itself, or
would have a debilitating effect on security, national eco- even information and communication infrastructure. How-
nomic security, public health or safety, or any combination ever, the single most defining characteristic of cyber security
thereof” (Department of Homeland Security, 2011). Infra- is the fact that all assets that should be protected need to be
structure that delivers electricity and water, controls air protected because of the vulnerabilities that exist as a result of
traffic, or supports financial transactions is seen as “critical the use of the ICT that forms the basis of cyberspace.
life sustaining infrastructures” and all directly depend on These vulnerabilities can even affect intangible assets. For
underlying communications and network infrastructure (The example, cyber security adds an important ethical dimension,
Whitehouse, 2011, p. 3). The protection of such critical infra- because problems such as cyber bullying extend beyond the
structure forms an important part of cyber security and is law and present an ethical issue that society, in general, needs
included as an important national imperative in national to deal with. This ethical dimension extends to problems like
cyber security strategies (Minister for the Cabinet Office and botnets. Being part of a botnet does not always mean that the
Paymaster General, 2011, p. 39; The Whitehouse, 2011, p. 13). confidentiality, integrity, availability or other characteristics
Cyber terrorists or enemy specialists may target a coun- of one’s information resources have been directly affected; it
try’s critical infrastructure via cyberspace. This could either be is quite possible that a botnet may only “steal” clock cycles on
indirectly, for example by influencing the availability of in- a computer while it would otherwise be inactive. However, if
formation services using denial-of-service attacks or, more such a botnet is used to commit a crime, the owner of the
directly, through an attack on the national electricity grid. In computer in question might be an unknowing accomplice.

Please cite this article in press as: von Solms R, van Niekerk J, From information security to cyber security, Computers & Security
(2013), http://dx.doi.org/10.1016/j.cose.2013.04.004
 c o m p u t e r s & s e c u r i t y x x x ( 2 0 1 3 ) 1 e6 5

Nonetheless, this ethical dimension of cyber security is not Information

the only intangible asset which needs to be protected. For Based
Information Non-Information
Assets
example, a review of 19 different national cyber security Based Based
Stored or Transmitted
Assets Assets
strategy documents has shown that the protection of the trust Stored or Transmitted
using ICT
that are VULNERABLE
that citizens have in using cyberspace for commercial pur- NOT using ICT to Threats via ICT
poses is seen as vital by all the nations whose policies were
covered by this review (Klimburg, 2012).
Taking the above-mentioned discussion and scenarios into
account, it is clear that in cyber security the asset that needs to
be protected extends beyond the boundaries of the informa-
Information and
tion per se as defined for information security. Firstly, from
Information Communication Cyber
the first and second scenarios it should be clear that, in cyber Security Technology Security
security, assets include the personal or physical aspects, both Security

tangible and intangible, of a human being. In addition to this,

as can be seen in the third and fourth scenarios, cyber security
also includes the protection of societal values (intangible) and
national infrastructure (tangible). In cyber security the assets
Fig. 4 e The relationship between information and
thus include both tangible and intangible assets relating to the
communication security, information security, and cyber
wellbeing of either the individual or society at large. In the
security.
case of cyber security, the information itself can be classified
as a vulnerability. In all the above scenarios, the compro-
mising of information leads directly to an impact on the asset,
in this case possibly a human in his/her personal capacity, or societies have grown to become part of the assets that need to
society in general, as depicted in Fig. 3. be protected. Although humans are still deemed to be both a
Just as information security expanded on the concepts of threat and a vulnerability, nowadays they are also deemed to
ICT security in order to protect the information itself, irre- be an asset that needs to be protected in cyberspace.
spective of its current form and/or location, cyber security In light of the above, cyber security can be defined as the
needs to be seen as an expansion of information security. protection of cyberspace itself, the electronic information, the
Cyber security should be about protecting more than just the ICTs that support cyberspace, and the users of cyberspace in
information, or information systems resources, of a person/ their personal, societal and national capacity, including any of
organisation. Cyber security is also about the protection of the their interests, either tangible or intangible, that are vulner-
person(s) using resources in a cyber environment and about able to attacks originating in cyberspace.
the protection of any other assets, including those belonging From the definition above it is clear that cyber security is
to society in general, that have been exposed to risk as a result far more extensive than any of the information and/or ICT
of vulnerabilities stemming from the use of ICT. The rela- security that it encompasses. The human element, including
tionship between these three overlapping concepts is illus- national interests, is playing an ever-increasing role in cyber
trated in Fig. 4. security and certainly the current set of international stan-
It is clear from the discussion above that in information dards and best practices is not comprehensive enough to
and communication security the asset to be secured is the secure cyberspace.
underlying technology. In the case of information security, the
asset(s) to be secured is the information together with the
underlying technologies. However, in the case of cyber secu- 5. Conclusion
rity, the goal is clearly not to secure cyberspace but rather to
secure those that function in cyberspace, whether individuals, This paper explored the definitions of both information se-
organisations or nations. curity and ICT security. The paper then argued that cyber
As the role of ICT becomes increasingly ubiquitous in so- security, despite often being used as an analogous term for
ciety, the roles that humans play in the underlying informa- information security, differs from information security. In-
tion and ICT-related security processes will continually formation security is the protection of information, which is
expand. In ICT security, the role of humans has been largely an asset, from possible harm resulting from various threats
restricted to that of a threat. In information security this role and vulnerabilities. Cyber security, on the other hand, is not
has grown to become an increasingly integral part of the necessarily only the protection of cyberspace itself, but also
supporting systems and thus humans have become a the protection of those that function in cyberspace and any of
vulnerability. Today, in cyber security, humans and human their assets that can be reached via cyberspace.

Assets references
Threats Vulnerabilities _______
_______ _______
Various ICT, Information, etc. Humans and their
interests
Ariely D. The (honest) truth about dishonesty: how we lie to
Fig. 3 e Cyber security. everyone e especially ourselves. HarperCollins; 2012.

Please cite this article in press as: von Solms R, van Niekerk J, From information security to cyber security, Computers & Security
(2013), http://dx.doi.org/10.1016/j.cose.2013.04.004
6 c o m p u t e r s & s e c u r i t y x x x ( 2 0 1 3 ) 1 e6

Department of Homeland Security. Critical infrastructure. http://www.cabinetoffice.gov.uk/sites/default/files/resources/

Washington, DC: Department of Homeland Security. Cited WMS_The_UK_Cyber_Security_Strategy.pdf; 2011.
23 November 2012. Retrieved from: http://www.dhs.gov/files/ Mitnick K, Simon W. The art of deception: controlling the human
programs/gc_1189168948944.shtm; 2011. element of security. Wiley Publishing; 2002.
Dhillon G. Principles of information systems security. John Wiley The Whitehouse. International strategy for cyberspace:
& Sons; 2007. prosperity, security, and openness in a networked world.
Farn K-J, Lin S-K, Fung AR-W. A study on information security Cited 12 February 2012. Retrieved from: http://www.
management system evaluation: assets, threat and whitehouse.gov/sites/default/files/rss_viewer/international_
vulnerability. Computer Standards & Interfaces strategy_for_cyberspace.pdf; 2011.
2004;26(6):501e13. http://dx.doi.org/10.1016/j.csi.2004.03.012. Theoharidou M, Gritzalis D. Common body of knowledge for
Gerber M, Von Solms R. Management of risk in the information information security. Security & privacy. IEEE. Retrieved
age. Computers & Security 2005;24(1):16e30. http://dx.doi.org/ from: http://ieeexplore.ieee.org/xpls/abs_all.jsp?
10.1016/j.cose.2004.11.002. arnumber¼4140992; 2007.
ISO/IEC. ISO/IEC TR 13335-1:2004 information technology security Von Solms R. Information security management (3): the code of
techniques management of information and communications practice for information security management (BS 7799).
technology security part 1: concepts and models for Information Management & Computer Security
information and communications technology security 1998;6(5):224e5.
management. ISO/IEC, JTC 1, SC27, WG 1 2004. Whitman ME, Mattord HJ. Principles of information security.
ISO/IEC. ISO/IEC 27002: code of practice for information security 3rd ed. Thompson Course Technology; 2009.
management 2005. Wood CC. Why information security is now multi-disciplinary,
ISO/IEC. ISO/IEC 27032:2012(E) information technology e security multi-departmental, and multi-organizational in nature.
techniques e guidelines for cybersecurity. Geneva, Computer Fraud & Security 2004;2004(1):16e7.
Switzerland: ISO/IEC; 2012.
International Telecommunications Union (ITU). ITU-TX.1205:
Rossouw von Solms is the Director of the Institute for ICT
series X: data networks, open system communications and
Advancement at the NMMU. Rossouw has published and pre-
security: telecommunication security: overview of
sented in excess of one hundred and fifty academic papers in
cybersecurity 2008.
journals and conferences, both internationally and nationally.
Jiménez M, Sánchez P, Rosique F, Álvarez B, Iborra A. A tool
Most of these papers were published and presented in the field of
for facilitating the teaching of smart home applications.
Information Security.
Computing Applications in Engineering Education 2011.
http://dx.doi.org/10.1002/cae.20521.
Klimburg A, editor. National cyber security framework manual. Johan van Niekerk is a member of faculty in the Department of
NATO CCD COE Publications; 2012. December. Information Technology at the Nelson Mandela Metropolitan
Martin N, Rice J. Cybercrime: understanding and addressing the University. He holds a PhD in Information Technology. His
concerns of stakeholders. Computers & Security research focus is the human factors in information security and
2011;30:803e14. he has been publishing regarding this topic for the past decade. He
Minister for the Cabinet Office and Paymaster General. The UK actively participates in many cyber security awareness campaigns
cyber security strategy: protecting and promoting the UK and is a member of several professional bodies and associations
in a digital world. Cited 12 February 2012. Retrieved from: involved in this field.

Please cite this article in press as: von Solms R, van Niekerk J, From information security to cyber security, Computers & Security
(2013), http://dx.doi.org/10.1016/j.cose.2013.04.004