Information security, cybersecurity, IT security, and computer security are all terms that we

often use interchangeably. I know that I do.

I’ve written a lot about those areas for the past several years. I notice that sometimes I switch
between the terms in an article simply to avoid repeating the same phrases over and over again
in my prose.
Very often, it’s legitimate to use the terms interchangeably. Computers deal with information. IT
security is a facet of information technology, which usually applies to computers. Computer
security… ditto. Cybersecurity is defined as protecting systems from cyber threats. “Cyber” is
defined by Merriam-Webster as something “of, related to, or involving computers or computer
networks.”
So, I’m talking about a few different terms that generally mean the same thing. It might be
useful to examine the origins of those terms to appreciate their meanings better.
I believe military communications and pre-digital ciphers marked the genesis of information
security as a whole. One of the saddest facets of the history of humanity is that war has always
been with us. Even way back in the B.C. times when brontosauruses worked as dishwashers in
cavemen kitchens, tribes, civilizations, clans, and nations have wanted to kill others in the quest
for power. (Okay, I’m an InfoSec writer, not an anthropologist. Maybe wooly mammoths worked
in cavemen kitchens instead. I only have the Hanna Barbara historical record to go by, I’m
afraid.)
One of the keys to success in war is to make sure that the enemy doesn’t know where or how
you’re going to strike and to figure out what the enemy plans to do. So, cryptography predates
electronic computers by thousands of years. Cryptography is a key component of information
security. Cryptography’s aim is to keep data only accessible by the intended recipient. That
applies to the monoalphabetic substitution ciphers used around 600 to 500 B.C. as much as it
does to the AES ciphers used today.
What we usually think of as cryptography, digital cryptography, dates back to innovations made
during World War II. The cipher machines of that era weren’t really digital. They were electro-
mechanical. The Enigma series of machines were amongst the earliest, invented by German
engineer Arthur Scherbius toward the end of the first World War and used commercially
throughout the 1920s. It was the primary cryptographic technology that was used by Nazi
Germany in World War II, so the Allied powers worked very hard to crack it.
Predating World War II, there was already progress in the cryptanalysis of Enigma. In 1929, the
Polish Cipher Bureau started to employ mathematicians by inviting students at Poznan
University to take a class on cryptology. By 1932, Poznan graduates Marian Rejewski, Henryk
Zygalski and Jerzy Rozycki were working for the Polish Cipher Bureau on a full-time basis.
Concurrently, a French spy, Hans-Thilo Schmidt, had infiltrated Germany’s Cipher Office in
Berlin.
That reminds me of how social engineering is always a major information security risk. It’s often
overlooked by laypeople who think “hacking” is typing commands in a terminal at 300 words
per minute as depicted by Hollywood. “That hacker is out-hacking that other hacker! His typing
is so much faster than his enemy’s, and he looks much suaver in a hoodie!”
Cracking Enigma required some technical and mathematical brilliance, but fooling Nazi Germany
into thinking that a spy was on their side was instrumental. Schmidt’s espionage helped the
Polish Cipher Bureau acquire key Enigma documentation from the Germans. Rejewski used
those documents and commenced his cryptanalysis of Enigma with a couple of hours of work
each day near the end of 1932.
During World War II, Britain’s military cryptanalysis effort was headquartered at Bletchley Park.
Alan Turing, the famous computer science pioneer, was employed by the UK’s Government
Code and Cypher School by 1938 just before the War. He worked under Dilly Knox, a senior
codebreaker. The day after Britain declared war on Germany in September 1939, Turing, Knox,
and GC & CS operations in general moved to Bletchley Park.
Britain was focused on cracking Enigma from that base, and Polish Cipher Bureau breakthroughs
from the early 1930s were essential to those efforts. Cracking German electro mechanic Enigma
and Lorenz ciphers may have been a key factor in the Allied powers winning the War by 1945.
ENIAC’s debut in 1946 heralded the advent of digital computing. PDP mainframe computers
drove MIT innovation in the 50s and 60s. By the early 1970s, many large corporations were
customers of IBM mainframe technology. Data on corporate mainframes often constituted
industry trade secrets and sensitive data pertaining to client transactions. Also, the U.S.
government identified a need to keep unclassified but sensitive data secure. The work of
cryptographer Horst Feistel addressed both realms. His Lucifer cipher for IBM was an essential
precursor to the development of DES for the National Security Agency.
So, information security predates digital computers, but computer security and cybersecurity
were born from computer science innovations that started just after World War II.
Keeping information secure for the history of data predating electronic computers (such as
ancient cryptography) to this very day falls under the banner of information security. Computer
security and cybersecurity are completely interchangeable terms, and require digital computer
technology from 1946’s ENIAC to now. Computer security and cybersecurity are both children of
information security.
IT security is information security as it pertains to information technology. Information
technology is a child of computer science. IT is the application of computer science for practical
purposes, largely for industry (mainframes, supercomputers, datacenters, servers, PCs and
mobile devices as endpoints for worker interaction) and consumers (PCs, mobile devices, IoT
devices, and video game console endpoints for end-user lifestyles.) IT security can probably be
used interchangeably with cybersecurity, computer security and information security if it
pertains to business.
For example, that paper shredder is an information security measure but it’s not really a device
for cybersecurity or computer security. The paper shredder can be considered a factor in IT
security if a corporation’s information security policy mandates its use.
Ensuring proper HTTPS implementation for an e-commerce website or mobile app falls under
cybersecurity and computer security, so it’s information security, as well. And a corporation’s IT
department works on the e-commerce website’s HTTPS implementation, so it’s IT security, as
well.
In the 21st century, information security, cybersecurity, computer security, and IT security are
often, but not always, interchangeable terms.

About the Author: Kim Crawley spent years working in general tier two consumer tech support,
most of which as a representative of Windstream, a secondary American ISP. Malware-related
tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of
client PCs. Her curiosity led her to research malware as a hobby, which grew into an interest in
all things information security related. By 2011, she was already ghostwriting study material for
the InfoSec Institute’s CISSP and CEH certification exam preparation programs. Ever since, she’s
contributed articles on a variety of information security topics to CIO, CSO, Computerworld, SC
Magazine, and 2600 Magazine. Her first solo developed PC game, Hackers Versus Banksters, had
a successful Kickstarter and was featured at the Toronto Comic Arts Festival in May 2016. This
October, she gave her first talk at an InfoSec convention, a penetration testing presentation at
BSides Toronto.
Editor’s Note: The opinions expressed in this guest author article are solely those of the
contributor, and do not necessarily reflect those of Tripwire, Inc.