
In this article, we would like to explore the question of what can be understood by the term “information security”.

In very abstract terms, information security describes the efforts to protect information by reducing, avoiding, transferring or accepting risks. Let us start with a fundamental question.

What is information?

A frequently used model is the so-called “DIKW pyramid”. DIKW stands for Data, Information, Knowledge and Wisdom.

             _
            / \
           /   \
          /     \
         /       \
        / wisdom  \
       /___________\
      /  knowledge  \
     /_______________\
    /   information   \
   /___________________\
  /        data         \
 /_______________________\

It is a model that describes how information can arise from data, knowledge can arise from information and wisdom can arise from knowledge.

Perhaps it is less abstract if you imagine a language as an example. Words can be formed from a set of characters, such as an alphabet. Data becomes information. These words can in turn be used to form sentences. Information becomes knowledge. Sentences can be turned into books, essays or poems. Knowledge becomes something “more” again. This “more” is described in the model as wisdom.

In everyday life, information can take the form of complex data exchange procedures between two trading partners, handwritten notes (“scribbles”) or a database of cooking recipes.

Where is information?

In the context of information security, the aim is to protect information. We now have an initial understanding of information. The next step is to find out where this information is located.

Over the course of time, we have moved from a society with few scribes and correspondingly few centralized places of record to a society in which a considerable number of people read and write. Technology has also changed the means and methods of communication. In the past, records had to be pressed into clay tablets; today almost any amount of information in various forms (text, sound, image) can be copied at the touch of a button and distributed across the entire planet at breakneck speed.

The digital organization

Information can be found in electronic and physical form in various places within an organization. In the course of digitalization, information is no longer hidden only in paper-based file folders but primarily in application systems, often referred to as “IT systems”, i.e. “information technology systems”. Information can also reside in the heads of employees or be hidden implicitly in processes. Perhaps a certain sequence of activities is required in a process in order to achieve a correct result. If this process is not formally described, it is implicit information hidden in the ongoing process (“implicit process knowledge”).

Of course, the information in an organization is not only stored. It is collected, processed, disclosed to third parties, changed or even deleted. Access to information, or rather the regulation of access to information, is therefore very important for its protection. After all, not every person in an organization should have read, let alone write, access to payroll information.
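The payroll example above can be made concrete with a small deny-by-default access check. The following code is an added illustration, not part of the original article; the roles (employee, payroll_clerk, auditor), the actions and the sample users are constructed for this example.

```python
"""Added example: deny-by-default access control for payroll records.

Roles, actions and users below are constructed for illustration and are
not taken from the article.
"""
from dataclasses import dataclass, field
from typing import Set, Tuple

# Role -> set of (resource, action) permissions that are explicitly granted.
# Anything not listed here is denied (least privilege, deny by default).
PERMISSIONS = {
    "employee":      {("payroll", "read_own")},              # only their own record
    "payroll_clerk": {("payroll", "read"), ("payroll", "write")},
    "auditor":       {("payroll", "read")},                  # read everything, change nothing
}


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)


@dataclass
class PayrollRecord:
    owner: str                 # the employee the record belongs to
    resource: str = "payroll"


def is_allowed(user: User, action: str, record: PayrollRecord) -> bool:
    """Return True only if one of the user's roles explicitly grants the action.

    "read_own" is a narrower form of "read": it applies only when the record
    belongs to the requesting user. Unknown roles grant nothing.
    """
    for role in user.roles:
        granted = PERMISSIONS.get(role, set())
        if (record.resource, action) in granted:
            return True
        if (action == "read"
                and (record.resource, "read_own") in granted
                and record.owner == user.name):
            return True
    return False


def decide(user: User, action: str, record: PayrollRecord) -> Tuple[bool, str]:
    """Make the decision and return it together with an audit-log line.

    Logging both allowed and denied attempts is what lets an organization
    later see who tried to reach payroll data and whether they succeeded.
    """
    allowed = is_allowed(user, action, record)
    verdict = "ALLOW" if allowed else "DENY"
    line = f"{verdict} user={user.name} roles={sorted(user.roles)} action={action} owner={record.owner}"
    return allowed, line


if __name__ == "__main__":
    alice = User("alice", {"employee"})
    carol = User("carol", {"payroll_clerk"})
    for who, act, rec in [(alice, "read", PayrollRecord("alice")),
                          (alice, "read", PayrollRecord("bob")),
                          (alice, "write", PayrollRecord("alice")),
                          (carol, "write", PayrollRecord("bob"))]:
        print(decide(who, act, rec)[1])
```

The important design choice is that the check starts from "no" and only a listed permission can turn it into "yes"; a new role, a typo in a role name or a missing entry therefore fails closed rather than open.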

What is information security?

In essence, information security is about protecting the availability, confidentiality and integrity of information in an organization. The aim is to find out what information is located where in the organization and to what extent risks exist with regard to this information. These risks must be assessed and dealt with. In most cases, measures will be taken to improve the protection of the information, i.e. to reduce the risks associated with the information to a manageable level.
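To show how the steps in this paragraph fit together (locate the information, assess the risk to its availability, confidentiality or integrity, and treat it by reducing, avoiding, transferring or accepting it, as the opening paragraph lists), here is a small risk register as an added example. It is not part of the original article; the assets, the 1 to 5 scales, the tolerance threshold and every figure in it are constructed for illustration.

```python
"""Added example: a minimal information-security risk register.

Each risk names an asset and the protection goal it threatens, is scored
as likelihood x impact, compared with a tolerance threshold and given a
treatment. All assets, scales and numbers are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional

GOALS = ("confidentiality", "integrity", "availability")
TREATMENTS = ("reduce", "avoid", "transfer", "accept")


@dataclass
class Risk:
    asset: str
    goal: str                  # one of GOALS
    description: str
    likelihood: int            # 1 (rare) .. 5 (almost certain)
    impact: int                # 1 (negligible) .. 5 (severe)
    treatment: str = "accept"  # one of TREATMENTS
    # Values after the chosen measure; None means "unchanged".
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if self.goal not in GOALS:
            raise ValueError(f"unknown protection goal: {self.goal}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment: {self.treatment}")
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be between 1 and 5")


def score(likelihood: int, impact: int) -> int:
    """Risk score on a 1..25 scale: likelihood times impact."""
    return likelihood * impact


def inherent_score(risk: Risk) -> int:
    """Score before any treatment."""
    return score(risk.likelihood, risk.impact)


def residual_score(risk: Risk) -> int:
    """Score after treatment.

    Avoiding a risk (e.g. retiring the asset) removes it entirely. Reducing
    or transferring it lowers likelihood and/or impact to the residual
    values recorded; accepting it leaves the score unchanged.
    """
    if risk.treatment == "avoid":
        return 0
    likelihood = risk.residual_likelihood if risk.residual_likelihood is not None else risk.likelihood
    impact = risk.residual_impact if risk.residual_impact is not None else risk.impact
    return score(likelihood, impact)


def needs_treatment(risk: Risk, tolerance: int) -> bool:
    """A risk above the organization's tolerance must be dealt with."""
    return inherent_score(risk) > tolerance


def open_risks(register: List[Risk], tolerance: int) -> List[Risk]:
    """Risks whose residual score is still above tolerance after treatment.

    These are the ones management has not yet brought to a manageable level.
    """
    return [r for r in register if residual_score(r) > tolerance]


def example_register() -> List[Risk]:
    """A constructed register with one risk per treatment option."""
    return [
        Risk("payroll database", "confidentiality",
             "too many staff can read salary data", 3, 5,
             treatment="reduce", residual_likelihood=1),
        Risk("file server", "availability",
             "hardware failure causes downtime", 4, 3,
             treatment="transfer", residual_impact=1),
        Risk("legacy fax line", "confidentiality",
             "documents are sent in clear text", 3, 4,
             treatment="avoid"),
        Risk("cafeteria menu", "integrity",
             "menu page edited by mistake", 2, 1,
             treatment="accept"),
    ]


if __name__ == "__main__":
    tolerance = 6
    for r in example_register():
        print(f"{r.asset:18} {r.goal:15} inherent={inherent_score(r):2} "
              f"residual={residual_score(r):2} treatment={r.treatment}")
    print("still open:", [r.asset for r in open_risks(example_register(), tolerance)])
```

The threshold (here 6 out of 25) is a management decision, not a technical constant: it expresses how much risk the organization is willing to carry, and everything above it has to be reduced, avoided or transferred before it can be signed off.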

Structured procedures for achieving this goal exist as well. You may be familiar with the ISO 27000 family of standards, which deal with management systems for information security.