What is cyber security
Cyber security is the practice of protecting information, systems and people from digital harm. AICS leads on accredited courses, chartered membership designations and forensic-grounded standards for the profession.
The etymology of cyber security
The word “cyber” entered the security vocabulary through an unlikely path. In 1948, the American mathematician Norbert Wiener published “Cybernetics: Or Control and Communication in the Animal and the Machine,” drawing on the Greek “kybernetes” (meaning steersman or governor) to describe the science of feedback and control in both machines and living organisms. When computing networks began connecting institutions in the 1970s and then the public in the 1990s, the prefix “cyber” attached itself to nearly everything touching digital systems: cyberspace, cybercrime, and eventually cybersecurity. The field that now goes by that name, however, predates the word by several decades.
The origins of computer security
The first computers were physically enormous, institutionally controlled, and logically simple. Security, in the mainframe era of the 1950s and 1960s, was primarily a physical problem: who could enter the building, who could approach the terminal. The computing environment was centralised, air-gapped from external networks, and access was restricted by procedure and proximity. The idea that a remote, anonymous actor could interfere with a computer system was not yet a practical concern.
That changed with ARPANET. Commissioned by the United States Department of Defense in 1969, ARPANET was the first operational packet-switching network and the direct ancestor of the modern internet. Its designers prioritised resilience and openness over security, a choice that reflected the cooperative academic environment in which the network grew. By the mid-1970s, researchers were already noting that this architecture created significant risks. The distributed structure that made the network robust also made it difficult to control who could send what to whom.
The first serious formal attempt to define and evaluate computer security came from the United States Department of Defense in 1983. The Trusted Computer System Evaluation Criteria, known informally as the “Orange Book” because of its cover, established a hierarchical set of security divisions against which computer systems handling classified information could be assessed. It was the first published government standard for what the security of a computer system should mean, and it drew on years of work in access control, data integrity, and audit. The Orange Book shaped how computer security was understood institutionally for more than two decades.
The internet era and the emergence of network security
The public internet of the 1990s transformed both the scope and the nature of the security problem. As commercial activity moved online, and as organisations connected their internal systems to a global network, the attack surface expanded dramatically. The Morris Worm of 1988, written by a Cornell University graduate student and released onto the ARPANET, was a forewarning of what was coming. It exploited known vulnerabilities in Unix systems and infected roughly six thousand machines, causing widespread disruption. The United States Computer Emergency Response Team (CERT/CC) was established at Carnegie Mellon University the same year, partly in direct response.
Through the 1990s, the field of network security developed rapidly. Firewalls, intrusion detection systems, and encryption protocols became standard infrastructure. Netscape introduced the Secure Sockets Layer (SSL) protocol in 1995 to protect commercial transactions over the web, establishing an architecture for encrypted communications that remains foundational today. The viruses and worms of this period were mostly disruptive rather than financially motivated, but they established a pattern of adversarial technical competition between attackers and defenders that has continued ever since.
The British Standards Institution published BS 7799 in 1995, a code of practice for information security management that covered not just technical controls but organisational procedures, personnel policies, and physical access measures. This recognised that protecting information systems required more than technical solutions, and it laid the groundwork for what eventually became ISO/IEC 27001, the international standard for information security management systems, first published in 2005. The standard defines information security in terms of the preservation of confidentiality, integrity, and availability of information, a formulation that remains the dominant framework in organisational security practice.
From information security to cyber security: the policy shift
The turn of the century brought a significant change in how security was framed at the national level. Following the September 2001 attacks in the United States, governments began treating digital infrastructure as a national security matter rather than a technical or commercial one. Critical systems, including power grids, financial networks, water systems, and communications infrastructure, were increasingly networked and therefore increasingly vulnerable to disruption by adversaries. The term “cyber security” gained traction in this context, partly because it emphasised the strategic dimension of the problem and was broad enough to cover not just information theft but sabotage, espionage, and attacks on physical infrastructure controlled by digital systems.
The United States established the National Cyber Security Division within the Department of Homeland Security in 2003. The 2009 Cyberspace Policy Review, commissioned by the Obama administration, recommended a coordinated national cyber security effort and led directly to the creation of US Cyber Command. Similar bodies followed in allied countries.
In Australia, the Australian Signals Directorate (ASD) had long been responsible for signals intelligence and the protection of government communications. As cyber threats grew in scale and sophistication, ASD’s remit expanded to cover the protection of critical infrastructure and support for both government and private sector organisations. The Australian Cyber Security Centre (ACSC) was established in November 2014, consolidating capabilities from across defence, intelligence, and law enforcement agencies. In 2018, the ACSC became a division of ASD, which itself became a statutory agency under the Intelligence Services Act. Today, the ACSC is Australia’s national authority on cyber security, providing technical advice and operational support through its cyber.gov.au platform.
The 2023-2030 Australian Cyber Security Strategy, released by the Australian Government in November 2023, defines Australia’s ambition to become a world leader in cyber security. It is built around six protective shields and commits over $586 million in new funding alongside substantial existing investment across government and critical sectors.
What the field encompasses
Cyber security today is not a single discipline but a cluster of related fields, each with its own body of knowledge, professional communities, and regulatory frameworks.
At the technical level, the field covers the security of systems, networks, and applications. Systems security concerns the integrity and access controls of individual computers and servers. Network security addresses the protection of data in transit and the management of communications infrastructure, including firewalls, encrypted protocols, and network monitoring. Application security focuses on the design and testing of software to ensure that vulnerabilities cannot be exploited by attackers, a concern that has grown more pressing as software has become central to nearly every aspect of commerce, government, and daily life.
Organisational security, sometimes called information security governance, addresses how institutions manage risk across their technology environments. This covers risk assessment, security policies, incident response planning, staff awareness, and supply chain security. Standards such as ISO/IEC 27001 and the Australian Government’s Information Security Manual (ISM), published by ASD, provide structured frameworks for this work. The ISM applies to all Australian government agencies and serves as best-practice guidance for private sector organisations handling sensitive information.
Legal and regulatory considerations form a third dimension. Privacy legislation, breach notification requirements, and sector-specific regulations impose obligations on organisations to protect personal information and to disclose failures when they occur. In Australia, the Privacy Act 1988 and the Notifiable Data Breaches scheme (introduced in 2018) define the legal baseline for data protection. The Security of Critical Infrastructure Act 2018, significantly expanded in 2021 and 2022, imposes specific obligations on operators across sectors including energy, communications, finance, and health.
Defence and national security represent a distinct domain within cyber security, concerning the protection of military systems, intelligence infrastructure, and the conduct of offensive and defensive operations in cyberspace as part of national defence. This area operates under different authorities and legal frameworks from civilian cyber security, and involves capabilities that are not publicly disclosed. ASD is the primary Australian agency in this domain.
Human factors and social engineering address the reality that most successful attacks do not break encryption or exploit software vulnerabilities: they manipulate people. Phishing, pretexting, and business email compromise succeed because humans make decisions under uncertainty and can be deceived. Understanding why people make insecure decisions, and how to design systems and training programmes that reduce that risk, draws on psychology, communication research, and organisational behaviour as much as on technical disciplines.
What the term actually means
The Australian Signals Directorate describes cyber security as encompassing the technologies, processes, and practices designed to protect networks, computers, and data from attack, damage, or unauthorised access. The international standard ISO/IEC 27032:2023, published by the International Organisation for Standardisation, defines cybersecurity as “the preservation of confidentiality, integrity and availability of information in the Cyberspace”, where Cyberspace is “the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it.”
These definitions reflect how far the field has moved from its origins in physical access control and mainframe security. What began as a question of who could enter a room has become a question of how to protect every networked system, every connected device, and every exchange of information in a global digital environment that encompasses nearly every aspect of modern life.
