Types of Cybersecurity
Cybersecurity is not a single discipline but a structured collection of overlapping domains, each addressing distinct attack surfaces, threat actors, and regulatory obligations. This page maps the primary classification frameworks used by federal agencies, standards bodies, and compliance programs across the United States. Understanding how these categories differ — and where they converge — is foundational to evaluating risk posture, allocating controls, and satisfying requirements imposed by frameworks such as NIST SP 800-53 and CISA's Cybersecurity Performance Goals. Understanding the full scope of the cybersecurity landscape begins with recognizing that no single domain operates in isolation.
Primary Categories
The broadest classification of cybersecurity divides the field into six functional domains, as reflected in the NIST Cybersecurity Framework (CSF) 2.0: Govern, Identify, Protect, Detect, Respond, and Recover. These six functions replace the original five from CSF 1.1 and establish the highest-level taxonomy for organizing security activities across sectors.
A parallel categorical structure appears in the disciplines recognized by professional bodies. (ISC)² identifies eight domains in its CISSP Common Body of Knowledge, including Security and Risk Management, Asset Security, Security Architecture, Communication and Network Security, Identity and Access Management, Security Assessment and Testing, Security Operations, and Software Development Security. These domains map closely to the technology and process divisions used throughout this network.
For a grounding in how each category functions mechanically, the conceptual overview of how cybersecurity works explains the underlying control logic across each major domain.
The five primary category types recognized across this network are:
- Network Security — controls governing data transmission, perimeter defense, intrusion detection, and protocol hardening
- Application Security — secure development lifecycles, vulnerability scanning, and runtime protection for software
- Endpoint Security — protection of individual devices including workstations, mobile endpoints, and IoT nodes
- Data Security — encryption, access control, classification, and retention governance
- Identity and Access Management (IAM) — authentication, authorization, privileged access, and federation protocols
Networksecurityauthority.com covers the architecture and control frameworks specific to network-layer defense, including firewall policy, zero-trust segmentation, and intrusion prevention systems. Applicationsecurityauthority.com addresses the full SDLC security model from threat modeling through post-deployment monitoring.
Jurisdictional Types
Cybersecurity obligations in the United States differ substantially across federal, state, and sector-specific jurisdictions. At the federal level, the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. § 3551 et seq., requires civilian agencies to implement NIST-based controls and report annually to the Office of Management and Budget. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, administered by HHS at 45 C.F.R. Part 164, imposes technical safeguards on covered entities handling protected health information.
At the state level, requirements vary considerably. California's Consumer Privacy Act (CCPA) and its amendment, the California Privacy Rights Act (CPRA), set data protection standards enforced by the California Privacy Protection Agency. New York's SHIELD Act and the Department of Financial Services' 23 NYCRR 500 impose cybersecurity program requirements on financial institutions operating in the state. Texas enacted the Texas Privacy Protection Act, creating breach notification timelines aligned with a 60-day reporting window.
Californiasecurityauthority.com documents the specific technical and administrative controls required under CCPA/CPRA for California-regulated entities. Newyorksecurityauthority.com covers 23 NYCRR 500 compliance requirements including penetration testing mandates, encryption standards, and CISO designation obligations. Texassecurityauthority.com maps Texas-specific breach notification and data governance requirements for organizations operating in that state. Floridasecurityauthority.com covers Florida's Digital Bill of Rights and breach notification statutes under Florida Statute § 501.171.
The regulatory context for cybersecurity page provides a cross-jurisdictional mapping of these frameworks and their applicability thresholds.
For organizations operating across multiple states, Nationalprivacyauthority.com aggregates the privacy law requirements across jurisdictions, while Nationaldataprotectionauthority.com focuses specifically on data classification and retention obligations under federal and state law. Globalsecurityauthority.com extends the scope to international frameworks including GDPR Article 32 technical measures and ISO/IEC 27001:2022 certification requirements.
Substantive Types
Substantive cybersecurity types are defined by the technical domain or threat class they address, independent of jurisdictional context. The process framework for cybersecurity outlines how each substantive type maps onto a structured lifecycle of planning, implementation, testing, and response.
Cloud Security encompasses identity federation, shared responsibility models, misconfiguration management, and data residency controls. The Cloud Security Alliance (CSA) Cloud Controls Matrix v4 defines 197 control specifications across 17 domains applicable to cloud environments. Cloudsecurityauthority.com covers the full CSA CCM control set and its mapping to SOC 2 Type II audit criteria. Clouddefenseauthority.com addresses active threat defense within cloud-native architectures, including container security and serverless attack surfaces. Cloudcomplianceauthority.com focuses on regulatory compliance for cloud deployments under FedRAMP, HIPAA, and PCI DSS frameworks.
Encryption is the mathematical foundation of data confidentiality across every other domain. NIST SP 800-175B Rev. 1 governs the use of cryptographic standards for federal systems, mandating AES-256 for symmetric encryption and requiring migration away from SHA-1. Encryptionauthority.com covers cryptographic protocol selection, key management lifecycle, and post-quantum cryptography standards under NIST's FIPS 203, 204, and 205 finalized in 2024.
Endpoint Security addresses the attack surface created by the 17.08 billion connected IoT devices projected by IoT Analytics for 2024. Endpointsecurityauthority.com examines EDR/XDR platform capabilities, device compliance policies, and mobile device management frameworks aligned with NIST SP 800-124.
Identity Security sits at the intersection of access control and fraud prevention. The CISA Zero Trust Maturity Model v2.0 designates identity as one of five pillars, with identity verification controls required at every access boundary. Identitysecurityauthority.com documents MFA enforcement standards, federated identity protocols (SAML, OAuth 2.0, OpenID Connect), and privileged access management architectures. Identityprotectionauthority.com addresses consumer-facing identity theft defense and the FTC's Identity Theft Program requirements under 16 C.F.R. Part 603.
Ransomware represents a distinct threat class that cuts across every other domain. The FBI Internet Crime Complaint Center (IC3) reported $59.6 million in ransomware losses in 2023 (IC3 2023 Internet Crime Report), though this figure reflects only reported incidents. Ransomwareauthority.com covers attack chain anatomy, CISA's Stop Ransomware guidance, and the technical controls mapped to pre-encryption detection.
AI-Driven Cybersecurity has emerged as both an offensive and defensive category. NIST's AI Risk Management Framework (AI RMF 1.0), published in January 2023, provides governance structure for AI systems in security contexts. Aicyberauthority.com examines adversarial machine learning, AI-assisted threat detection, and the governance obligations emerging under EO 14110 on Safe, Secure, and Trustworthy AI.
Penetration Testing is a structured adversarial validation discipline separate from vulnerability scanning. The PTES (Penetration Testing Execution Standard) defines seven phases from pre-engagement through reporting. Penetrationtestingauthority.com covers methodology selection, scope definition, rules of engagement, and the reporting formats required under PCI DSS Requirement 11.4.
Information Security as a category predates cybersecurity as a term and encompasses physical, procedural, and technical controls governing information assets. ISO/IEC 27001:2022 Annex A organizes 93 controls across four themes: organizational, people, physical, and technological. Informationsecurityauthority.com covers the full ISO 27001 control set and its alignment with NIST SP 800-53 Rev. 5 control families. [Infosecauthority.com](https://infosecauthor