Is there a difference between Information Security and Information Systems Security?

Certainly different businesses and authorities may define these two terms differently. When they are presented together in this question, I believe that our natural reaction is to say, “Yes, there is a difference.” This makes me think, “Okay, what’s the difference?”

First an illuminating digression: one interesting difference between the thinking of Information Systems (IS) professionals and Information Technology (IT) professionals is that IS professionals are interested in information before it enters the IT infrastructure and after it leaves the IT infrastructure. Employees carry information with them or become living archives of institutional knowledge. IS professionals may seek to transform that knowledge into electronic form in order to preserve it beyond the date of last employment of the actual employee (or beyond the date that the employee can remember it). IS professionals view people as (possibly fragile) parts of the information system.

Information Security would seem to be the broader of the two terms and may include the following concerns (and likely others), that I have ordered from “closer to the machine” to “closer to the user”:

(closer to the machine)

  • security of the physical computing infrastructure
  • security of the encryption algorithms and communication protocols that run on the networks
  • security of the operating systems and applications that are hosted on the system hardware
  • security related to user privileges
  • security of the information stored or transmitted in the system
  • training of employees
  • preserving employee knowledge

(closer to the user)

Now since Information Systems is the discipline that emphasizes information, I would suggest that Information Systems is primarily about the last three concerns: security of the information stored or transmitted in the system, training of employees, and preserving employee knowledge.

Certainly, the other concerns are important to the IS-Security professional, such as the security of the operating systems, applications, and user privileges, since these can have an impact on the security of the information. But as we move closer to the top of the list of concerns, they seem to me to be more IT-security related and less IS-Security related. It would make sense that the entire list should be the concern of the “Information Security” professional, but it is my belief that in practice when we say “information security” we are being ambiguous. Each computing discipline has its own approach to the topic of security. Computer science (CS) is concerned primarily with the algorithms and formal proof of the security of a system. IT is concerned primarily with the security of the physical infrastructure, the operating systems, and applications. Software engineers (SE) are concerned primarily with the application of proven or best practices in the design of software, and computer engineers (CE) are concerned primarily with the design and fault-tolerance of the actual machines.