Information security as a challenge to modern society


Information security concerns all living organisms, people, organizations, and society as a whole, because secure information is the basis of all kinds of life activity. The ambiguous understanding of the terms "information" and "security" makes it necessary to refine the conceptual apparatus for the problem of ensuring information security. The article is devoted to revealing the meaning of information security as a challenge to modern society. The concept of "information security" is clarified. Information security is considered in terms of privacy protection, the security of organizational operations, and cybersecurity. An authorial understanding of information security is given from the point of view of organizational management, and from the standpoint of individual subjects and society. It is substantiated that people simultaneously make use of information security and ensure it, but are also exposed to information threats. Information security requires certain competencies, skills, and actions from organizations and individuals in both professional and private life. The corresponding competencies are needed in education, scientific research, and public activity. Managing actions to ensure information security requires a multidisciplinary approach and the interaction of organizations from different spheres of activity of the human community. This gives rise to the need for members of society to master information security competencies, which is one of the tasks of modern education. The standardized requirements for the protection of personal data and confidentiality that exist in the EU, which must be observed by organizations and administrations, can serve as reference points for forming information security competencies and for ensuring information security in practice. The existence of standards ensures a systematic approach and consistent practice of risk management and security assurance.


Information, information security, information society, digitalization, conceptualization, threats, risks

Short URL: https://sciup.org/147237437

IDR: 147237437

Text of the scientific article "Information security as a challenge to modern society"

Information security is a very ordinary thing but also a highly professional specialty. In organizations, information security [16] is one of the managerial knowledge areas, which has also become a significant basis for the reliable economic and social operation of the whole society, and hence, it also strongly influences the lives of individuals. It applies to the business information of organizations, the privacy-related facts of individuals, and the diverse information within the complex cyberspace [18] products, processes, systems, and infrastructures of society.

Organizations and societies are formed of people, and hence, the human aspects play the most important role not only in implementing and perceiving information security [4] but also in causing the related uncertainty, insecurity, and threats [10]. Theoretical concepts and models, rules and practices, and technological, managerial, and societal solutions created by the human thinking process have a big influence on how information security is perceived, recognized, managed, and evaluated, and on how it will be developed. Very often, the technical aspects of information and communication technology (ICT) solutions are overly emphasized in information security discussions.

This article refers to the international information security management standards [17] as important references for organizational information security considerations. In addition to the management standards, there are a large number of specialized technical standards, the usefulness of which is based on the knowledge and skills of experts and on management decisions. Unfortunately, the key principles and concepts are not handled consistently in the general information security management standards, and their linkages to recognized managerial models and practices are brought up inadequately. A problem is that the main ideas of the information security management standards, which (for instance ISO/IEC 27001 [17]) are widely used in organizations, date back decades. Hence, proactive innovative solutions for modern business and societal environments, which are characterized by the speed, changes, agility, and complexity originating from digitalization, have not been sufficiently brought up in the standards.

Conceptual ambiguousness and fragmented management

Information security features prominently in scientific, political, and everyday writings and speeches today. In addition, the topic has a large and growing practical significance in the activities of people, organizations, and whole societies. However, we have recognized that information security is conceptually unclear, and information security management is fragmented. For instance, the technical and organizational/managerial perspectives are far apart, and human or social aspects are not sufficiently regarded.

Information security [19] is a broad and multidimensional concept; it includes privacy information [20] and cyber security [7] aspects, which are often dealt with separately. Hence, the basic related concepts, terms, and definitions are not considered consistently or logically even in professional contexts. This situation originates especially from the vague meanings of the words “information” and “security”, which are used by many different disciplines and practical fields.

The terms secure and security can characterize a particular property, ability, or state of any object. Etymologically [14], they are positive features of the object. In Latin, securus means being without worry, and consists of the parts se- (prefix, without), cur(a) (worry), and -us (adjective suffix). Indeed, some international standards define security according to this general understanding, as follows:

  •    State of being free from danger or threats where procedures are followed or after taking appropriate measures [15].

  •    Condition of being protected against hazards, threats, risks, or loss [23].

  •    Quality or state of being protected from unauthorized access or uncontrolled losses or effects [22, 25].

Another difficult part of the information security concept is information, which is a general everyday word but also has a philosophical background. The general dictionary explanation [27] is that information means facts provided or learned about something or someone. However, there are also many definitions that bring up many aspects relating to information, for instance, fact, data, information, knowledge, and wisdom. Information security can also be considered in relation to all of these. Information is not only alphanumeric but consists of a wide variety of human intellectual products. Information security can even be examined in connection with human thoughts and mind [11], particularly due to modern technological means. The genetic information [2, 26] of humans and organisms, which is stored in genes in paired DNA (deoxyribonucleic acid) molecules in cells, and which is the essence of all life, may also be dealt with as a specific subject and concern of information security.

All real-world things and phenomena include many different kinds of facts. Through measuring those phenomena, we can get data. Analyzing data, we get contextually significant information. Information is a basis for reflecting on the situation and making decisions. When combining measurement-based information with explicit knowledge (articulated, documented, and shared information), tacit knowledge (personal implicit skills, ideas, and experiences), and wisdom (myths and values), one can consistently carry out the plans, acts, and interventions to control and improve the situation [24].

General information security management standards [16, 17] and experts focus mainly on ICT and often highlight problems, risks, hazards, threats, vulnerabilities, hostile actors, and reactive countermeasures against them. The search for proactive opportunities to prepare for future challenges has been left to those applying the standards. The standards [1, 17] refer to an old traditional way of dealing with information security, with an open list of concepts: to preserve the confidentiality (C), integrity (I), and availability (A) of information, and, in addition, to take into account other pertinent concepts, such as authenticity, accountability, non-repudiation, and reliability. This is a reductionist way to define a concept and causes difficulties with issues that do not seem to be on the list. Also, it is unclear in the standard approach whether information security is understood here as a feature or as an activity (preservation). These expert-defined concepts of information security are often difficult to understand within business situations and even among information security experts.

Privacy protection is a central and significant area of information security. Its role is, however, vague in standards-based information security examinations. Nevertheless, privacy may be seen as a core issue of all other information security concepts and even be considered the “archetype” of the whole information security discipline, from which the other concepts may be derived [20].

Often today, people use the term cybersecurity instead of information security. This means information security in cyberspace, which is a complex environment resulting from the interaction of people, software, and services on the Internet by means of technology devices and networks connected to it. According to the CIA model, cybersecurity [21] implies the preservation of confidentiality, integrity, and availability of information in cyberspace.

The proper implementation of information security in organizations requires this issue to be taken into account in all activities and management of the organization. Accordingly, the concept of information security management can be formally defined as management with regard to information security. The means to do so are then set out in more detail, for instance, in the relevant standards [13].

Information security from individuals to society

Information security can be viewed from the perspective of people, organizations, and society as a whole. People play a key role because organizations and society are also made up of human individuals. In society, information security develops through diffusion by the activities and results of organizations and individuals. Each organization or individual has its own priorities regarding relevant information and the importance of information security. They also have their own vulnerabilities and risks and procedures for these.

In practice, information security is realized by doing the right thing, in particular, in organizations through business processes. In this context, too, the risks [20] may also materialize. Processes include people and various technical systems as resources. Persons interact within their working processes according to their skills, individual character traits, moral standards, and behavioral style. In human activities, information security is based on awareness, competence, and learning.

Practically all technical systems include ICT modules and software applications today. For technical solutions, information security solutions are the results of the design process. Communication protocols have an important role in information security, as they define the rules for how different systems and system units share operational information. In addition to the operational information, key system facts and settings are also essential issues for information security and the vulnerability of the system.

People are both implementers and perceivers of information security but they are also subject to information security threats. In today’s information society, people cannot cope without the access or skills to access society’s information services.

There are international standard requirements for the protection of personal identity and privacy that should also be respected by organizations and administrations. They deal with the personally identifiable information (PII) [12], which consists of any information, (a) which can be used to identify the person to whom such information pertains, (b) from which such information can be derived, or (c) that is or might be directly or indirectly linked to a natural person. The EU’s General Data Protection Regulation (GDPR) [23] is a serious challenge in protecting privacy and identity in all organizations operating in Europe or marketing products to EU residents. The GDPR has defined significant financial consequences for businesses that are not in compliance.

Information security challenges, threats, and grievances of the digital society

The modern information society poses difficulties and threats to many areas of people's lives, for instance regarding:

  •    Disadvantages in everyday activity, and behavioral, mental, and economic development.

  •    Privacy and security.

  •    Data overloading, misinformation, false news, or alternative facts.

The strong impact of digitalization places increasing demands for new competencies, skills, and operations on organizations and individuals, in professional and private life, in responding to the changing challenges of society. This should also be taken into account in education, research, and societal activities. Particular needs include a) innovative and adaptive thinking, b) virtual collaboration and social intelligence, c) ability to work across disciplines, d) literacy in different types of media, and e) computational thinking and analytics [14, 29].

Many existing global megatrends, including urbanization, geopolitical contradictions, refugee migration, multicultural encounters, and economic uncertainty and crises, which have caused societal grievances and threats, are all closely linked with digital information and communication, and hence, also with information security. Modern wars and terrorism [3] are especially information-intensive – in practice, there is talk of information wars – and are filled with false or misleading narratives and conspiracy theories.

As large-scale examples where information security violations and even criminal measures have recently occurred, we can mention here the Covid-19 pandemic, climate change, as well as a global power play to control wealth, humanity, and humans [5, 8, 9, 28]. These global issues are very broad and have serious implications for societal operations. In these cases, a lot of deliberately manipulated, incorrect, or incomplete information has been shared, and correct information has been suppressed, to ensure that a certain kind of perception of things spreads widely among the people. There are also scientific references for such approaches [6].

Conclusions

Information security is everyone's business and a relevant issue in all areas of life. It applies to people, organizations, and society as a whole.

Especially in a modern digital society and in times of crisis, its importance is emphasized.

Information security is a demanding issue. The phenomena associated with it are complex and intricate. Measures for information security are difficult because today they require multidisciplinary solutions incorporating humans and technology. In addition to expertise, decisions and measures are needed at the individual and organizational levels, with competence, awareness, and the right attitude. The issue is hampered by the fact that the concepts of information security are – perhaps paradoxically – vague and ambiguous although based on international standards.

Also, criminal activity exists in the area of information security, as in all areas of human activity. However, detecting it and preparing for it is demanding. Expertise, examinations, and juridical solutions are needed for countermeasures, which, however, are available in society and should be used and exploited, too.

Widespread digitalization and information technology increase information security threats and vulnerabilities, but on the other hand, their many solutions also help with challenging incidents and with finding solutions to problems. However, people always have the ultimate responsibility.

Scientific article