What is cyber security?

The origins of a term that defines our industry.

Andrew Bycroft, Security Consultant (andrew.bycroft@fortian.com.au | Oct 05, 2021

Given that cybercrime continues to rise despite more budget being allocated to thwarting it every year, it does pose the question – is cyber security effective? Could it be that it is not as effective as we hope because psychologically, deep down it is not something that can ever be achieved?

Firstly we’ll break up the term cyber security into its two distinct words “cyber” and security” and consult dictionaries for definitions.

The security part is fairly straightforward. Let’s take a look at the definition of security from two reputable sources. The Oxford dictionary defines "security" as "the state of being free from danger or threat". Merriam-Webster suggests that "security: means 'freedom from danger'".

Cyber on the other hand is a bit more interesting.

In 1996, New York Magazine stated that "Cyber is such a perfect prefix. Because nobody has any idea what it means, it can be grafted onto any old word to make it seem new, cool and therefore strange, spooky". Perhaps we have all been guilty of this too, so let’s make it real by bringing cyber back to not so cool but easy to understand everyday language.

Over time, it has been used in various contexts. In the 1940s cyber meant "cybernetics", a term coined by mathematician Norbert Weiner who took an interest in communications and control systems in human beings and machines. In the 1960s pop culture the BBC produced Doctor Who included "cybermen". In 1982, author William Gibson used the term "Cyberspace" in his sci-fi novel "Burning Chrome". As we moved into the Internet era in the later part of the 20th century "cyber" started being used to describe anything that was technology related. To do it justice, we need a current definition.

The Oxford dictionary defines "cyber" as "relating to or characteristic of the culture of computers, information technology, and virtual reality". Meriam-Webster, similarly, defines "cyber" as "of, relating to, or involving computers or computer networks (such as the Internet)".

Putting "cyber" and "security" together would suggest that "cyber security" is "the state of computers or information technology being free from danger or threats".

Is it possible for computers to ever be completely free from danger or threats though? Security is very much a binary concept – it is something you either have or you don’t. Just like pregnancy – have you ever met someone who was three-quarters pregnant? A prison is no longer said to be "secure" the moment a prisoner escapes from it. A bank vault is no longer said to be secure if just one person from the seven billion on the planet can break into it. To achieve the state of "cyber security", humans would have to write code that was flawless and people would have to be completely alert to those of malicious intent trying to trick them into divulging information or allowing access to the information. In other words humans would need to be absolved of all of their flaws. Assuming that we can’t re-engineer human behaviours for perfection, it would seem that cyber security is asymptotic – a term borrowed from mathematics to say that whilst we can define what it is, it can not be reached.

What if we consider the word "resilience". We tend to think of it as "bouncing back" – a term synonymous with business continuity or disaster recovery, but could it be far more than that? Naturally, we use the word "resilience" to describe not only the concept of taking antibiotics to fight off an infection and recover. Of interest is that we also use the word "resilience" when talking about resisting infection through balanced diet, exercise and adequate sleep. This implies that resilience is not just about reactionary measures but also taking proactive measures to reduce the likelihood of danger or threats.

Turning to the dictionary helps us validate this idea. Oxford suggests that "resilience" means "capable of withstanding shock without permanent deformation or rupture". Merriam-Webster has a similar definition with "able to endure strain without being permanently injured". In other words, "resilience" implies that we cannot eradicate the danger but we can resist it, but if for some reason we are under strain and lose the ability to resist danger, we can endure it and recover from it. Whilst security is binary and we are more or less operating in the state of not having it, resilience has varying degrees which can be achieved.

Should it be that we drop the idea of practicing cyber security, and adopt the practice of cyber resilience? It may be arguable that changing a word can make a big difference, but a profound psychological shift in one’s performance occurs when they cease working on a demoralising task which can never be achieved to one that is within their grasp.