Practical Infosec Framework
In this material we take a practical and critical look at some contemporary Information Security issues. Information Security is of interest to many higher education learners, because it is so much discussed these days. A while ago I had a group of learners answer a questionnaire, which asked them what ICT themes they were interested in studying. Many learners answered that they are interested in Information Security, and several wanted to work in Information Security related jobs in the future. However, as I work with the learners while their studies progress, I see that there might be a misconception about what Information Security is and what it means to work in an Information Security job. Sure, there are a few policy development, communication, awareness and training related Information Security adjacent jobs, but the bulk of Information Security work is always in Technical Information Security, which leans on General ICT Skills (network management, system administration, etc.).
It is General ICT Skills that are of importance to the learners, because everything else hinges on those. It is easy to get confused by cyber hype, because cyber terminology is taking more and more space in marketing speech and its meanings are ever shifting. I recently checked an Information Security adjacent bachelor's thesis and counted 30+ "cyber" terms and 100+ instances where the word "cyber" was used. Cyber terminology was used a lot, and the definitions of the terms sometimes escaped the author, but the lexicon certainly left the less-in-the-know readers drifting in a cybersea of ambiguity. I jokingly concluded that the only term missing was kyber crystal, which is a fictitious crystal that defines the color of a force user's lightsaber. The issue with cyber terminology is that it muddies the water: for every cyber term there is an accessible, common Technical Information Security concept available, which is more closely linked to what the issue is actually about. After all, Cybersecurity is just a subset of Technical Information Security. Mastering the fluctuating cyber lexicon is not exactly what the learners should be focusing on if they want to become true Information Security professionals. The focus should be firmly rooted in building General ICT Skills.
So this material focuses on Technical Information Security, but why underscore this specifically? Well, it is because Information Security is such a broad topic that the learners may underestimate the importance of applying General ICT Skills to set up ICT systems and achieve Technical Infosec, as opposed to other, less impactful Information Security areas. What? Are there many Information Security areas? Yes, yes indeed. Keep in mind that Information Security is much more about hands-on technical ICT work than general hand-waving! Real Information Security impact happens when the technical groundwork is done properly. I have formulated what I call the Practical Information Security Framework to help us address the Information Security topic from a practical ICT system context.
We can observe the relevant areas of Information Security in the Practical Information Security Framework in the illustration above. These broad categories collectively represent the entirety of Information Security. Out of the six key areas, Technical Information Security is the most crucial, contributing an estimated 50% to 80% to overall Information Security. In comparison, the other areas rarely contribute more than 0% to 15% individually, and each can be either Incidental (happening by chance) or Intentional (focused on deliberately) with no significant negative impact on Information Security. Of course, in larger organizations more resources may be allocated to intentionally addressing the supportive or enhancing areas of Information Security. However, these supportive areas should not be the core focus, especially for the learners who are building their foundational ICT skills.