Types of Cybersecurity

Cybersecurity encompasses a broad set of disciplines, tools, and regulatory frameworks designed to protect digital systems, networks, and data from unauthorized access, damage, or disruption. Understanding how these disciplines are classified matters because different sectors face distinct threat profiles and are subject to different federal and state mandates. This page maps the primary categories of cybersecurity, examines how organizational context shifts classification boundaries, and identifies jurisdictional distinctions that affect compliance obligations across the United States.


Edge Cases and Boundary Conditions

Classification in cybersecurity is rarely clean. A firewall protecting a hospital's billing system sits at the intersection of network security and healthcare data protection — governed simultaneously by NIST SP 800-66 (the HIPAA Security Rule implementation guide) and by the HIPAA Security Rule itself (45 CFR Part 164). That overlap is not an exception; it is the norm.

Operational technology (OT) security illustrates a sharper boundary problem. Industrial control systems (ICS) and SCADA networks are physically distinct from enterprise IT infrastructure, yet a breach in one can cascade into the other. The Cybersecurity and Infrastructure Security Agency (CISA) publishes ICS-specific advisories under its Industrial Control Systems program, treating OT as a separate classification — yet the NIST Cybersecurity Framework (CSF), version 2.0 released February 2024, applies to both domains under a unified five-function model (Identify, Protect, Detect, Respond, Recover).

Supply chain cybersecurity presents another boundary condition. An organization may have hardened internal systems while remaining exposed through third-party software dependencies. NIST SP 800-161 Rev. 1 addresses this as a distinct discipline — Cyber Supply Chain Risk Management (C-SCRM) — rather than a subset of network or application security. The distinction matters for audit scoping: an assessor evaluating only perimeter controls would miss vendor-introduced vulnerabilities entirely.


How Context Changes Classification

The same technical control can fall under different cybersecurity categories depending on the environment in which it operates. Encryption of data at rest is classified as data security in a commercial cloud environment; in a Department of Defense context, the same control is evaluated against CMMC (Cybersecurity Maturity Model Certification) Level 2 or Level 3 requirements under 32 CFR Part 170, which maps to NIST SP 800-171 controls.

Sector affiliation is the primary context variable. Financial institutions are subject to the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule (16 CFR Part 314), which mandates specific information security program elements that overlap with but do not duplicate HIPAA requirements for healthcare entities. The regulatory context for cybersecurity across these sectors produces layered obligations that change how disciplines like identity management or incident response are scoped and prioritized.

Organization size also shifts classification weight. The FTC's Safeguards Rule exempts financial institutions with fewer than 5,000 customer records from certain written information security plan requirements — making company scale a direct determinant of which controls are legally required versus operationally recommended.


Primary Categories

Cybersecurity is commonly organized into eight functional domains, each with distinct mechanisms and threat models:

  1. Network Security — Protection of data in transit and infrastructure integrity. Governed by controls in NIST SP 800-53 Rev. 5, specifically the SC (System and Communications Protection) family.
  2. Application Security — Securing software at the code, configuration, and runtime layers. The OWASP Top 10 is the most cited reference for web application vulnerability classification.
  3. Cloud Security — Managing risk in shared-responsibility cloud environments. The Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM) v4 provides a 197-control framework specifically for cloud deployments.
  4. Endpoint Security — Protecting individual devices (laptops, mobile devices, servers) through antivirus, EDR (Endpoint Detection and Response), and device management policies.
  5. Identity and Access Management (IAM) — Controlling who and what can access systems. NIST SP 800-63 Rev. 3 defines three levels of digital identity assurance (IAL1, IAL2, IAL3).
  6. Data Security — Protecting data at rest, in transit, and in use. Classification schemes often follow FIPS 199, which defines Low, Moderate, and High impact levels for federal information.
  7. Operational Technology (OT) / Industrial Control Systems Security — Protecting physical-process control environments. CISA and NIST jointly publish ICS security guidance under SP 800-82 Rev. 3.
  8. Incident Response and Forensics — Structured processes for detecting, containing, and recovering from breaches. NIST SP 800-61 Rev. 2 is the foundational federal reference; cybersecurity incident response procedures elaborate on the procedural framework.

Network security versus application security is the most commonly conflated boundary. Network controls operate at layers 3–4 of the OSI model (network and transport), while application security addresses layers 6–7 (presentation and application). A web application firewall (WAF) spans both categories, which is why NIST SP 800-44 and OWASP treat it as a hybrid control requiring evaluation under both frameworks.


Jurisdictional Types

Federal law establishes baseline cybersecurity obligations for specific sectors, but state law independently creates a parallel compliance layer that affects classification priorities.

At the federal level, three statutes define the primary sector-specific frameworks:

At the state level, 47 states have enacted data breach notification laws as of the most recent National Conference of State Legislatures (NCSL) tally, each with different definitions of "personal information," different notification windows, and different covered-entity thresholds. California's CCPA/CPRA adds a substantive data rights layer beyond breach notification. New York's SHIELD Act imposes affirmative security program requirements on any business holding New York residents' private information, regardless of where the business is incorporated.

The interaction between federal sector mandates and state-level security requirements means that a single organization may simultaneously hold obligations under HIPAA, GLBA, CCPA, and the SHIELD Act — each of which frames cybersecurity classification differently. Cybersecurity compliance requirements by sector maps these overlapping obligations in greater operational detail.
