Cybersecurity Fundamentals Vocabulary

Cybersecurity Fundamentals

  • Discipline concerned with protecting the assets of computer/information systems.
  • Core questions this lecture answers:
    • What is cybersecurity and what are we trying to protect?
    • What kinds of harm are possible and how can we avoid it?
    • How do risk, threats, vulnerabilities, and controls fit together?
  • Foundational triad: Confidentiality, Integrity, Availability (C-I-A).
    • Frequently supplemented with Authentication & Non-repudiation.
  • Central, recurring idea: All security measures exist to reduce risk by protecting assets against threats that exploit vulnerabilities.

Assets: What Needs Protection?

  • Hardware
    • End-user computers (desktops, laptops, tablets, phones)
    • Medical devices, automobiles, industrial controllers, security systems
    • Household appliances (IoT), scientific equipment, tracking/location devices
  • Software / Network Resources
    • Operating systems, applications, network services
    • Access-control mechanisms, physical-access systems
    • Location services, network traffic, device identity, user actions
  • Data (most intangible, often highest value)
    • Conventional files (photos, music, databases)
    • Sensitive personal data: geolocation, activity logs, network identity
    • Access lists, payment information, monitoring/status reports

Glossary of Basic Terms

  • Vulnerability – Any weakness that can be exploited to cause harm.
    • Total collection of vulnerabilities often called the "attack surface".
  • Threat – Any circumstance or event with the potential to cause harm.
  • Attack – Realisation of a threat via exploitation of a vulnerability.
  • Countermeasure / Control – An action, device, or process that removes or reduces a vulnerability or otherwise mitigates a threat.

The C-I-A Triad & Extended Properties

  • Confidentiality
    • Limit access to data and to metadata to authorised entities only.
    • Distinguish between full vs. partial access.
    • Typical confidentiality breaches involve viewing or copying rather than modification.
    • Personally Identifiable Information (PII), intellectual-property documents, and national-security data are high-value targets.
  • Integrity
    • Ensure data remain accurate, complete, and uncorrupted.
    • All alterations must be authorised, intentional, and occur under controlled circumstances.
    • Historical failures: the Microsoft Word “not” macro prank, 1990s Intel Pentium floating-point flaw.
    • Business examples: falsifying accounting or payroll values.
  • Availability
    • Information/system must be accessible when needed.
    • Extends into operations: backups, recovery strategies, RAID, cloud replication, redundant personnel/training, business-continuity & disaster-recovery (BC/DR) planning, uptime guarantees, handling “normal” hardware failures.
  • Authentication (often grouped with C-I-A)
    • Validation that an entity is who/what it claims to be.
  • Non-repudiation
    • Assurance that a party cannot deny an action it performed (e.g. digitally signed email).

Harm: What Can Go Wrong?

  • Negative consequence of an attack; magnitude depends on asset value.
  • Typical harms
    • Theft (identity, financial, intellectual property)
    • Loss of privacy or confidential info exposure
    • Destruction or loss of asset (data deletion, hardware damage)
    • Disruption of organisational operations, downtime, business loss
    • Reputational damage, loss of stakeholder trust

Risk Concept

  • Working definition: Risk = Likelihood × Impact
    • Likelihood → probability that a threat will successfully exploit a vulnerability.
    • Impact → the quantified or qualified amount of harm that would result.
  • Components considered in risk analysis
    • Value of asset
    • Severity of harm
    • Cost & effectiveness of countermeasures
    • Possibility of transferring risk (e.g. cyber-insurance)
  • Practical issues
    • Hard to estimate asset value (some data are priceless).
    • Hard to quantify harm (especially reputational).
    • Difficult to enumerate all threats or to calculate their likelihood.
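
A small risk register that applies the working definition above to the components listed (asset, harm, cost and effectiveness of a countermeasure). This is an added example, not part of the original notes; every scenario, probability, loss figure and control cost is constructed, and the "factor" fields are an assumed way of modelling how much a control reduces likelihood or impact.

```python
from dataclasses import dataclass

@dataclass
class Control:
    name: str
    annual_cost: float          # yearly cost of the countermeasure
    likelihood_factor: float    # multiplies likelihood (0.25 = cut to a quarter)
    impact_factor: float = 1.0  # multiplies impact (corrective controls lower this)

@dataclass
class Scenario:
    asset: str
    threat: str
    vulnerability: str
    likelihood: float   # estimated yearly probability of successful exploitation
    impact: float       # estimated loss if the harm occurs
    control: Control

    def risk(self) -> float:
        # Risk = Likelihood x Impact
        return self.likelihood * self.impact

    def residual_risk(self) -> float:
        c = self.control
        return (self.likelihood * c.likelihood_factor) * (self.impact * c.impact_factor)

    def net_benefit(self) -> float:
        # Risk removed by the control minus what the control costs.
        return self.risk() - self.residual_risk() - self.control.annual_cost

def assess(scenarios):
    """Rank scenarios by risk; mitigate only where the control pays for itself."""
    rows = []
    for s in sorted(scenarios, key=lambda s: s.risk(), reverse=True):
        decision = "mitigate" if s.net_benefit() > 0 else "accept or transfer"
        rows.append((s.asset, s.risk(), s.residual_risk(), s.net_benefit(), decision))
    return rows

# Constructed register: Asset -> Threat -> Vulnerability -> Control
REGISTER = [
    Scenario("Lobby kiosk", "Theft", "Lack of physical security",
             0.125, 8_000, Control("Security guard", 40_000, 0.5)),
    Scenario("Customer database", "External attacker", "Weak passwords",
             0.25, 400_000, Control("MFA", 20_000, 0.25)),
    Scenario("File server", "Hardware failure", "No backups",
             0.5, 80_000, Control("Off-site backups", 10_000, 1.0, 0.125)),
]

if __name__ == "__main__":
    for asset, risk, residual, net, decision in assess(REGISTER):
        print(f"{asset:18} risk={risk:>9,.0f} residual={residual:>8,.0f} "
              f"net={net:>9,.0f} -> {decision}")
```

The kiosk row shows why cost matters: the guard halves the risk, but costs far more than the risk it removes, so accepting or transferring that risk is the rational choice.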

Threat Classification & Likelihood Biases

  • Non-human threats: natural disasters, hardware failure, fire, earthquake.
  • Human threats: accidental (spilled coffee, fat-finger data entry) or intentional (hackers, insiders, saboteurs).
    • Malicious vs. non-malicious.
    • Random (non-targeted) vs. directed (targeted).
  • Harm types specific to human threats (Parkerian variations):
    • Interception (unauthorised access)
    • Interruption (availability loss)
    • Modification (unauthorised change)
    • Fabrication (insertion of false data)
  • Cognitive bias note: People over-estimate rare catastrophic risks and under-estimate common mundane ones (e.g. fear of air crashes vs. complacency about automobile accidents).

Method–Opportunity–Motive (M-O-M) Triangle

  • A threat actor typically needs all three:
    1. Method – Skills/tools/techniques.
    2. Opportunity – Time & access.
    3. Motive – Reason/incentive (financial gain, ideology, thrill, revenge).
  • Controls often work by removing at least one side of the triangle.

Common Vulnerabilities (Partial List)

  • Untrained users; social-engineering susceptibility.
  • Insider sabotage/abuse.
  • Weak authentication/poor password practices.
  • Misconfiguration (default passwords, open ports).
  • Lack of physical security.
  • Inadequate network segmentation or traffic isolation.

Controls / Countermeasures: Overarching Categories

  • Preventive – Block threats from exploiting the vulnerability.
    • Firewalls, encryption, strong access controls, locked doors.
  • Detective – Identify or alert when exploitation occurs.
    • IDS/IPS, system logs, CCTV, audit trails.
  • Deterrent – Discourage attacker by increasing perceived cost/risk.
    • Policies, legal banners, user training, visible guards.
  • Corrective – Lessen impact after exploitation.
    • Backups, data recovery, fail-over clusters, BC/DR plans.
  • Expanded “5-D” security verbs
    1. Prevent (eliminate vulnerability)
    2. Deter (make attack harder/costlier)
    3. Deflect (lure to less valuable decoy, e.g. honeypot)
    4. Detect (discover the attack)
    5. Recover (restore operations/assets)

Physical Controls

  • Locks, security guards, mantraps, fences.
  • Environmental protections: fire suppression, earthquake bracing, sealed data-center floors.
  • Backup copies stored off-site or in the cloud.
  • Emphasis: attackers look for weakest point → even simple physical controls can be highly effective.

Technical Controls

  • Software (logical) controls
    • OS permissions, Role-Based Access Control (RBAC), Mandatory Access Control (MAC).
    • Password policies, Multi-Factor Authentication (MFA).
    • Cryptographic functions: encryption, hashing, digital signatures.
    • Dedicated security applications (anti-malware, EDR, DLP).
  • Development-time controls – secure coding practices, code reviews, automated testing, DevSecOps.
  • Hardware controls
    • Smart cards, hardware security modules (HSM), Trusted Platform Module (TPM).
    • Biometric readers (fingerprint, facial recognition).
  • Network controls
    • Firewalls (stateful, next-gen), routers with ACLs, segmentation & VLANs.
    • VPNs, intrusion-detection/prevention systems, zero-trust architectures.

Procedural (Administrative) Controls

  • Policies, Standards, Procedures, Guidelines – formal documents that tell humans what is allowed, required, or prohibited.
  • Training & security-awareness programs – often cited as most important control because humans remain weakest link.
  • Example policy topics
    • Password composition & rotation.
    • Prohibition on sharing credentials.
    • Acceptable-use policy, BYOD rules.
    • Confidentiality & Non-Disclosure Agreements (NDAs).
  • Legal mechanisms
    • Statutory protections (state/federal), industry regulations (HIPAA, PCI-DSS).
    • Contractual obligations, service-level agreements (SLAs).

Practical & Ethical Considerations

  • No system can ever be made 100% secure → the aim is an acceptable level of risk.
  • Ethical imperative to safeguard user privacy & prevent misuse of data.
  • Balancing security with usability & cost:
    • Over-protection can stifle productivity; under-protection invites catastrophe.
  • Reputation as an intangible asset: breach disclosure laws mean reputational harm often exceeds direct financial loss.

Study Tips & Connections

  • Tie C-I-A concepts to every real-world security story you hear.
  • When analysing any security scenario, explicitly list Asset → Threat → Vulnerability → Control.
  • Map human-threat actions (interception, interruption, etc.) onto triad impacts.
  • Quantitative risk analysis often uses Risk = Probability × Loss; try simple mock calculations to build intuition.
  • Revisit foundational networking, operating-system, and cryptography knowledge; each provides context for controls listed here.