The nine-month-long Sunburst hack of 2020 opened many people's eyes to the severity of modern cyber threats. The incident cost each impacted institute an average of $12 million (for-profit companies lost, on average, 11 percent of their revenues), according to an IronNet report. The hack also impacted the Pentagon, US Treasury, Department of Homeland Security, and other federal agencies. SolarWinds, the company that markets Sunburst, reported spending nearly $20 million on remediation in the first quarter of 2021 alone. It was a costly failure, to put it mildly.
Large-scale attacks like Sunburst reveal our vulnerability at the individual and state level. With a few keystrokes, determined enemy agents, organizations, and nations can infiltrate and command the computer systems and infrastructure powering our lives.
The good news is there's an entire class of professionals responsible for identifying, preventing, and—if all else fails—responding to cyber threats. You can become one of them: a bachelor's degree in computer science or cyber security is all you need to launch a career in this field. A master's degree can help you advance more quickly and earn more money.
The Master of Science in Cyber Security is the obvious choice, but it's not the only choice. You can also pursue a graduate degree in information security, or infosec. Some schools lump cyber security and infosec together and call it information assurance. Other programs treat information security as a subdomain of cyber security. The field just isn't old enough for standardized degree naming conventions to have evolved, making it hard to choose between academic pathways.
In this article, we examine cyber security vs. information security master's degrees. We discuss the difference as we cover the following:
Answering this question conclusively is impossible. Many schools, professionals, and employers use the terms cyber security and infosec—as well as network security, information assurance, and IT security—interchangeably. Some sources treat cyber security as a subset of information security. Others do the opposite.
"That is how my career has rolled out," writes one Reddit commenter on a thread about the potential differences between these disciplines. "I have a degree in information assurance, that is now renamed information security, and I'm studying for a graduate degree in cyber security from the same university, several years later. My jobs have had 'information security' something or other in the title, and I've seen the same jobs with different companies be 'cyber engineer,' or something similar."
According to the National Institute of Standards and Technology, cyber security is concerned with the ability to protect or defend the use of cyberspace from cyber attacks, while information security is concerned with the "protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction to provide confidentiality, integrity, and availability."
The difference comes down to opinion. Other sources say:
First, let's look at degree titles. The Master of Science in Cyber Security is just one possible degree of many. You might also pursue a:
Meanwhile, on the infosec side, there is the Master of Science in Information Security along with the:
Some colleges and universities don't distinguish between these academic pathways. They combine them into programs granting degrees like the:
Be aware course lists differ more from school to school than from program to program. There are highly technical infosec master's programs and business-focused cyber security programs, and vice versa.
Cyber security degree programs, as University of Tulsa puts it in its online master's in cyber security program guide, consist of classes designed to prepare students to "master the theory, concepts and techniques of information assurance and network defense in real-world environments."
Core courses and elective courses in UT's program include:
The master's in information security, according to Carnegie Mellon University, prepares students to "manage the emerging complexities associated with securing data, networks, and systems"—which sounds a lot like cyber security.
Core courses and elective options in the school's Master of Science in Information Security program include:
Very few cybersec or infosec master's programs include concentration tracks. Cyber security programs are more likely to offer them, in which case students may choose from among concentrations like:
It's unlikely you'll find a master of information security program with specializations. Infosec is more likely to be a specialization in computer science, information technology, and MBA programs.
Master's programs across disciplines typically take two years of full-time study to complete—where 'full-time study' means taking a full graduate course load (usually three courses per semester). Part-time programs can take up to five years. There are some accelerated cyber security and infosec master's programs that last just one year, but most are part of 4+1 degree programs that bundle a bachelor's and a master's.
Most highly ranked on-campus and online master's in cyber security programs take two years to complete. If your goal is to graduate as quickly as possible, check out the accelerated programs at:
Like cybersec programs, information security master's programs usually require that students complete 30-to-50 credit hours of work to be eligible for graduation, and most programs are designed to last two years. You can graduate more quickly from the 4+1 program at George Mason University.
What sets the top master's programs apart is the same whether you're looking at cybersec or infosec degrees:
These schools host excellent information security master's programs:
You might not need a master's to work in cyber security or information assurance, but having one can open doors and increase your earning potential. Think of tuition as an investment.
You'll probably pay between $20,000 for affordable cyber security master's programs and $50,000 for more expensive ones. In either case, it's an investment that pays off. Most bachelor's degree holders earn about $76,000 while master's degree holders can earn $93,000 or more.
The average cost of a master's in information security is about $30,000. The least expensive programs cost between $10,000 and $20,000, and tuition for the most expensive programs is over $80,000. You'll get an even bigger salary boost with this degree, though. Infosec bachelor's holders earn about $78,000 while master's degree holders earn about $102,000.
According to the (ISC)2, the cyber and information security workforce gap will hit 3.4 million in 2023. Enroll in a program now, and you'll graduate into a sellers' market with plenty of computer security jobs in private industry and the government. Be aware, however, that technologies like artificial intelligence and automation may change the hardware, software, and data protection landscapes in the future.
There's a notable shortage of qualified cyber security professionals, and demand is likely to go up as more businesses digitize and automate their operations. There isn't zero percent unemployment in the field anymore, but "if you know cyber security, then you have a job for life," as Herjavec Group CEO Robert Herjavec put it in one interview.
The US Bureau of Labor Statistics (BLS) doesn't track employment data for infosec as a field, but it does track job growth in information security analysis. Positions for infosec analysts will be created much faster than the average for all occupations, according to the BLS, with average salaries abov\ve $100,000.
Data suggests you'll earn close to $10,000 more with an information security master's than you will with a cyber security master's, but salaries are more closely tied to job titles than to degrees.
Common titles associated with cyber security jobs include:
Common roles in information security include:
Keep in mind that the above titles aren't degree-specific. Either degree can help you advance into most data security and system security roles.
As more data goes digital, more of it moves to the cloud, and more businesses embrace automation, cyber criminals will find new weaknesses to exploit. You can do your part to keep the bad guys at bay with either degree. Both can lead to cyber security careers and infosec careers.
There's no downside to having a cyber security master's on your resume, and it may not be long before this discipline sees an influx of professionals with advanced degrees and the master's becomes the entry-level degree in the field. Until then, a cyber security master's can help you stand out when job hunting and negotiate for better benefits packages when you receive offers.
The infosec talent gap is real. Based on salary data, employers may value information security expertise over cyber security skills. Organizations collect, store, and look for insights in massive amounts of sensitive data, and that data has to be secured. Big paychecks and job security are the norms in this discipline.
However, the bottom line is both degrees are worth it because employers tend not to differentiate between them—and that means you are free to choose whichever cybersec or infosec program seems to be the best fit.
Questions or feedback? Email firstname.lastname@example.org