We can frequently hear or read the terms information security and privacy being used interchangeably.

However, are these indeed synonyms or do they denote slightly different concepts?

We will briefly touch on both their similarities and differences in this post. We will also see how one of them cannot exist without the other, while the opposite is not true.

Can you guess what the dependency is?

Security, cybersecurity and information security

The Oxford dictionary defines security as the activities involved in protecting a country, building or person against attack, danger, etc.

It is also protection against something bad that might happen in the future.

When it comes to cybersecurity (i.e. computer or digital security), we can agree that it refers to the protective measures we put in place to protect our digital assets from harmful events such as human and technical errors, malicious individuals and unauthorized users.

However, for the sake of completeness, we have to admit that even in this day and age not all information is digital.

We still deal with numerous paper documents, which in turn hold very valuable information worth protecting.

This is exactly where the term information security comes in handy, denoting the practice of preventing unauthorized access, use, disclosure, modification or destruction of information in whatever form.

The three pillars upon which information security is built are:
  • Confidentiality – prevents sensitive information from reaching the wrong people, while making sure that the right people can use it;
  • Integrity – maintains the consistency, accuracy, and trustworthiness of information over its lifecycle; and
  • Availability – ensures that the information is available when it is needed.

These are very often referred to as the C-I-A triad, and they all have to be addressed in order to achieve a satisfactory level of information security.

As with many things in life, nothing is perfect, and the same goes for security; there is no such thing as a 100% secure system.

There are only acceptable levels of risk.

This means that in order to secure information an organization must first conduct a formal risk assessment.

The risk assessment will then be cross-referenced with the organization’s risk acceptance criteria (these are developed in line with the organization’s risk appetite, i.e. their willingness to accept a predefined level of risk) and consequently, a risk treatment plan can be developed.

Only then are security controls chosen, with the aim of mitigating specific residual risks. In information security, this is known as a risk-based approach to security.

When you think about it, it makes sense – it would be very difficult to justify spending 100 euros to protect an asset that only costs 10 euros.
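As an added illustration of the risk-based approach just described (this is not code from the original post), the following Python sketch models one simplified decision rule: each register entry's expected annual loss is compared with an acceptance threshold derived from risk appetite, and a control is chosen only when its cost does not exceed the loss it prevents. The register, the threshold, the column names and the quantitative model itself are all assumptions constructed for the example, not the post's own method.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    """One row of a (constructed) risk register for a single asset/threat pair."""
    asset: str
    asset_value: float     # loss in euros if the threat is realised
    likelihood: float      # assessed annual probability of the threat (0..1)
    control: str           # candidate control from the treatment plan
    control_cost: float    # annual cost of that control in euros
    control_effect: float  # fraction of the loss the control prevents (0..1)

    @property
    def expected_loss(self) -> float:
        return self.asset_value * self.likelihood


# Risk acceptance criterion (assumed value): the expected annual loss the
# organisation is willing to carry untreated, derived from its risk appetite.
ACCEPTANCE_THRESHOLD = 5.0


def treat(risk: Risk, threshold: float = ACCEPTANCE_THRESHOLD) -> tuple[str, float]:
    """Return (decision, residual expected loss) for one register entry."""
    exposure = risk.expected_loss
    if exposure <= threshold:
        return "accept", exposure                  # within appetite: no control needed
    prevented = exposure * risk.control_effect
    if risk.control_cost <= prevented:
        return "mitigate", exposure - prevented    # control pays for itself
    # Control costs more than the loss it prevents: the 100-euros-for-a-10-euro-asset case.
    return "control not justified", exposure


def build_plan(register: list[Risk], threshold: float = ACCEPTANCE_THRESHOLD) -> dict[str, tuple[str, float]]:
    """Risk treatment plan: one decision per asset in the register."""
    return {r.asset: treat(r, threshold) for r in register}


# Constructed sample register; all figures are illustrative only.
REGISTER = [
    Risk("marketing brochure", 10.0, 1.0, "locked cabinet", 100.0, 0.9),
    Risk("customer database", 50000.0, 0.2, "encryption at rest", 3000.0, 0.8),
    Risk("staff holiday calendar", 8.0, 0.25, "access control list", 15.0, 0.9),
]

if __name__ == "__main__":
    for asset, (decision, residual) in build_plan(REGISTER).items():
        print(f"{asset:24} {decision:22} residual loss {residual:8.2f} EUR/year")
```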


Privacy

Privacy is an individual’s right to freedom from intrusion and prying eyes.

It is guaranteed under the constitution in many developed countries, which makes it a fundamental human right and one of the core principles of human dignity, an idea most people will agree with.

Privacy is all about the rights of individuals with respect to their personal information.

Any risk assessment conducted for the purpose of enhancing the privacy of individuals’ personal data is performed from the perspective of protecting the rights and freedoms of those individuals.

Similarities and differences between information security and privacy

Security is the state of personal freedom or being free from potential threats, whereas privacy refers to the state of being free from unwanted attention.

However, privacy cannot exist unless security is first established.

Think for example of a window on a building; without it being in place, an intruder can sneak in and violate both the privacy and the security of the occupants. Once the window is mounted, it will do a pretty decent job of keeping unwanted parties from getting into the building. It will, however, not prevent them from peeking in, thus interfering with the occupants’ privacy. At least not without a curtain.

In this (oversimplified) example the window is a security control, while the curtain is a privacy control.

The former can exist without the latter, but not vice versa (have you guessed it correctly?). Security is a prerequisite to privacy. And information security is the main prerequisite to data privacy.

What about data protection?

Assuming that we have done a decent job explaining what information security and data privacy are, you might be wondering about the term data protection and how it fits in the whole picture.

Data protection is essentially amalgamated security and privacy.

Each of the two deals with its own set of challenges; combined, they deliver protected, usable data as the result.
