Abstract
This article proposes a new definition of information security, the ‘Appropriate Access’ definition. Apart from providing the basic criteria for a definition—correct demarcation and meaning concerning the state of security—it also aims at being a definition suitable for any information security perspective. As such, it bridges the conceptual divide between so-called ‘soft issues’ of information security (those including, e.g., humans, organizations, culture, ethics, policies, and law) and more technical issues. Because of this it is also suitable for various analytical purposes, such as analysing possible security breaches, or for studying conflicting attitudes on security in an organization. The need for a new definition is demonstrated by pointing to a number of problems for the standard definition type of information security—the so-called CIA definition. Besides being too broad as well as too narrow, it cannot properly handle the soft issues of information security, nor recognize the contextual and normative nature of security.
Highlights
What is information security? This is the question that this article will attempt to answer, by proposing, and arguing for, a definition of said subject
It has been demonstrated that the CIA definition is susceptible to certain counterexamples, which shows that its supposed necessary properties aren’t necessary, that it does not sufficiently recognize that security needs vary with the context, that it incorrectly conflates security breaches with its consequences, and that the CIA definition doesn’t match up with the proper analyses of security breaches and incidents
The CIA definition is not flexible enough to deal with every situation and the varied requirements from different information, systems or organizations
Summary
What is information security? This is the question that this article will attempt to answer, by proposing, and arguing for, a definition of said subject. Such a definition of security should fulfil at least three conditions It should supply necessary and sufficient conditions for the state of security of any information (system). These conditions should capture the meaning, or sense, of the concept ( matching a suitable understanding of the term to be defined). These two conditions encapsulate what Anil Gupta calls ‘‘three grades of descriptive adequacy of a definition: extensional, intensional, and sense’’.2. Supposing a definition has captured the adequate sense of the concept there is a third condition; that it should be helpful in an analysis of security breaches, incidents, and security related value conflicts. This third condition is especially important for increasing the value of the definition beyond pure demarcation issues (as will be clear from the examples in the ‘‘Further Arguments for the AA Definition’’ section, the proposed definition may be helpful in analysing, e.g., security/privacy conflicts)
Sign-in/Register to view highlights & summary Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
