In this introductory module,

I will introduce the course and examine the importance of cyber security, a topic that has
become familiar to just about everyone in recent years. Hardly a day goes by without news
media reporting on the latest cyber attack, whether it's conducted by criminal or
government organizations. Cyber security is the name we give to the study of methods we
can use to reduce the likelihood of such attacks, however they originate and whatever their
motivation. This course is intended to introduce you to the basics of cyber security, what it
is, how we can define it, and how we can go about trying to improve the security properties
of organizations, as well as our personal lives. We will consider how we might formally
define cyber security in the next module. But, for the moment, we can think of it as trying
to address any threat deriving from our use of, and dependence on, information and
communications technology. If you think about it for a moment, this not only includes using
the smart phones, tablets, and desktop computers that we use for work, personal, business,
or leisure, but all the aspects of everyday life that depend on the use of information
technology. The pervasiveness of information technology means that cyber security issues
affect all Internet-connected systems and devices that we use. This includes vehicles for
private and public transport, the infrastructure delivering power and water into our homes,
and almost every aspect of our working lives, including the operation of factories, transport,
and offices worldwide. We depend on information and communications technologies in
almost every aspect of our lives, so cyber security has become a fundamental necessity for
us all. At the same time, we know that our information processing systems are vulnerable
to attack in a huge variety of ways. It is tempting to suggest that the Internet-connected
world is the problem, and we should reconsider how we engage with this highly
interconnected world. But, in the main, it's impossible to go back, and in reality, we almost
certainly don't want to. Modern information and communication technologies bring huge
benefits in increasing efficiency, enabling home working, and providing us with many
previously undreamt of forms of communication and interpersonal interaction. If we accept
that information and communications is here to stay, what are we going to do about the
major security threats we all face? In this course, we will introduce some of the techniques
that can be used to reduce these threats. It is important to realize that providing security is
not just about more and better technology. The ways in which this technology is used, and
the skills and knowledge of the people using it, is at least, if not more important. Ultimately,
it is all about people. If it wasn't for people, we wouldn't be using the technology that gives
rise to the cyber threat. Without involving these same people, we can't hope to achieve the
level of cyber security that we wish to have. Finally, we have to be aware that this is a war
we will never win. Technology evolves, and so does the cyber threat. We must continue to
develop our responses to the threats as they evolve to try to stay one step ahead, or at
least not fall too far behind.
Key ideas in the literature
There has been a huge amount written about cyber security, ranging from scholarly articles
looking at very specialised aspects of security technology to articles in the popular media
describing yet another successful cyber attack on a major company. Use your favourite
internet search tool to look for examples of recent cyber attacks on commercial
organisations. Can you see any trends? Make a note of these in your study journal. The
Information Commissioner’s Office in the UK was set up to help protect the information
privacy rights of UK citizens and is involved in helping to enforce data privacy law in the UK.
As part of its activities, it investigates potential breaches of privacy law. It provides public
reports of the investigations it conducts and of prosecutions made. Often privacy law
breaches arise because of poorly implemented cyber security, and so the work of the ICO
provides an interesting view of the current cyber security landscape.
Go to the ICO website and look at the information there on data security incident trends.
You may also be interested in looking at reports on specific cases, such as major legal
actions taken against Facebook and British Airways.
Governments and government agencies worldwide publish annual reports on the state of
cybersecurity, which you are recommended to read to gain a broader understanding of
current trends and issues in cyber security.
The UK Government Department for Digital, Culture, Media and Sport (DCMS) publishes a
well-respected annual survey of cyber security breaches. The 2021 survey is available at:
 Department for Digital, Culture, Media & Sport ‘Cyber security breaches survey
2021’, GOV.UK (2021).
In 2022 the UK National Cyber Security Centre (NCSC) published a review of the UK cyber
security industry – it is available here:
 Department for Digital, Culture, Media & Sport ‘Cyber security sectoral analysis
2022’, GOV.UK (2022).
If these links are broken, please let us know via the Student Portal.
What do you want from this course?
Cyber security is undoubtedly a subject of importance to almost all of us. Unless we live
completely off-grid, producing our own food and not relying on basic services such as mains
water, drainage, and electricity, we are at risk of a cyber attack. We therefore all need to
have some basic awareness of cyber risks, so that we can reduce the chances that we are
mistakenly victims of such an attack.
More than is, there is an ever-increasing need for cyber security expertise in commerce and
industry. Very few jobs today don’t involve interacting with the cyber world in some way,
and knowledge and understanding of cyber security issues may very well enhance your
chances of getting a new position, as well as enabling you to do your current job more
effectively and with less risk.
What level of knowledge are you looking to gain from this course? Do you want to learn
more about cyber security for your career – if so, perhaps you might be interested in
studying further online?
Take a few minutes to express in the discussion forum what you hope to gain from this
course, and take the opportunity to engage with your fellow students.

We probably all have experience of how serious the impact of the loss of cyber security can
be. Perhaps you or a close friend have been the victim of identity fraud, or you've fallen
victim to a phishing attack, or maybe you just clicked on a link in an email and found your
computer infected with malicious software. Such sad events are commonplace and can be
serious for an individual. However, when it happens to a large organization which is not
well-protected, the results can be truly devastating, for example, resulting in loss of
business and possible huge fines by regulators. Of course, fraud by criminals is hardly a new
thing, and many cyber attacks use the same kinds of techniques as more traditional fraud.
In a way, there is little difference between deception through a phone call and deception in
an email or other electronic message. A large part of ensuring cyber security, both for an
individual and for an organization, involves many of the same approaches that we use to try
to reduce the risk of conventional fraud, including education and the raising of awareness.
Nonetheless, there are also important differences. There are a wide range of technical tools
that can be used to reduce risk and increase resilience to attack. It's also important to be
aware that cyber security must address a number of different types of threat actor,
including criminals, organized crime, activists of various types, and nation-states. The old
days when the most common threat was merely from curious computer experts wanting to
show off their capabilities are long behind us. While the techniques used to conduct attacks
may be very similar regardless of the actor, the motivations are likely to be very different.
Hence, understanding what assets are most at risk requires thinking about the reasons for,
and objectives of, a possible attack.
For example, criminals may well focus on valuable information assets, for example, large
sets of personal data that can be used for further criminal activities, such as fraudulent
payments, identity theft, and so on. Criminals may also seek to hold companies to ransom
by encrypting valuable corporate data and then withholding the means to decrypt the data
until the ransom is paid. A further possibility would be to blackmail an organization which
has suffered a security breach by threatening to reveal the breach to the media. Of course,
this would only be an issue in a case where the organization wishes to keep the breach
secret to prevent embarrassment. Hostile nation-states are likely to target somewhat
different aspects of information processing. There are many well-publicized cases where so-
called cyber warfare has accompanied physical warfare. Cyber warfare typically focuses on
the denial of legitimate access to information and communications resources, with the
goals of crippling the operation of organizations and governments. Political activists may
have rather different targets, such as organizations conducting activities of which they
disapprove. In this case, they're likely to either disrupt operations, deny access, or try to
gain access to sensitive information, which they can then release to embarrass the
organization. We can learn a lot about current trends in cyber security and the underlying
cyber threat from the popular media. While attacked organizations are often reluctant to
reveal full details of what has been compromised and how, the broad-brush details of the
goals of the attack are likely to be made public. By looking at reported events over a period,
you can begin to get an idea of the typical goals of cyber attacks. This leads naturally to
thinking about how cyber attacks are conducted. Typical sources of cyber threats include
weaknesses in technology, implementation, design and configuration issues, as well as our
own vulnerabilities as human beings. As we've just discussed, many cyber attacks exploit
the same human frailties that non-IT frauds exploit, including our willingness to trust
superficially reliable information, such as the source of an email, and the fact that when
under pressure, we often make decisions without being as careful as we might be. When a
single click on a link in a fraudulent yet apparently genuine email can bring disaster, it is
hardly surprising that cyber attacks are so commonplace. It's also important to think about
the sorts of damage a cyber attack causes. In general, and we will discuss this further in the
next lesson, there are three main types of damage that can be caused. Of course, in some
cases, attacks can cause damage of more than one type. Stop the video for a moment and
take a few minutes to think about the types of damage that can be caused by a cyber
attack.
Play video starting at :6:45 and follow transcript6:45
Welcome back. A wide range of damage can be caused. I next want to explore three general
categories. First, a cyber attack can cause loss of availability of data and systems, either
temporarily or permanently. This could occur in a wide variety of ways. For example,
malicious software could be deployed, which either overwrites data or software or causes
hardware to stop functioning, for example, by preventing a computer from rebooting.
Alternatively, distributed denial of service attacks are very common. These are where very
large numbers of requests are sent to a server which cause it to become unavailable while it
tries to deal with these requests. Second, an attack could result in the loss of confidentiality
of important data, including personal data. Again, such attacks can come about in a wide
variety of ways, including via vulnerabilities in software and human error, for example,
resulting from a phishing attack. Third and perhaps least obviously, an attack can give rise to
a loss of integrity of information with the effect that important corporate or personal data
are modified in an unauthorized way. As a result, information critical to the operation of an
organization will no longer be reliable.
Play video starting at :8:36 and follow transcript8:36
The final part of the cyber security big picture, and perhaps the most important part, is
what we do to prevent these attacks and hence minimize the risk that the damage occurs.
In an organizational context, measures that are put in place to enhance cyber security are
commonly referred to as security controls. There are many different types of security
control. Controls include both the technical, such as installing firewalls of gateways to
computer networks, using encryption to protect data in transit or when stored, or setting
up individual user accounts and passwords, and the procedural, such as having defined
vetting requirements for staff recruitment, requiring certain key tasks to be logged, and
using internal and external audits to monitor the effectiveness of other controls. We often
refer to the set of all the systems, procedures, and processes we set up to provide security
as the Information Security Management System, or ISMS. One key, almost universally
agreed, the principle is that the selection of security controls within the ISMS should be
based on a risk assessment, that is a detailed understanding of the risks that an
organization faces and their significance. This then enables security controls to be selected
and implemented in a rational way, meaning that always limited resources are used to
address the most significant risks. Finally, and this is a key issue, do you think it is possible
to be absolutely secure so that no attacks are possible? That is, if you have an unlimited
budget, can you prevent all attacks? Clearly, that would be ideal. Stop the video for a
moment and take a few minutes to think about this question.
Play video starting at :11:13 and follow transcript11:13
Hello again. It is absolutely key to realize that achieving 100 per cent security is
impossible. Even the best-run organizations with the largest security budgets will suffer
security breaches. Using risk management language, the security controls we implement
will reduce security risks, but some residual level of risk will remain. That is, in the words
of the proverb, to err is human. We cannot eliminate errors; we can only minimize the
impact of an error. This can at least partly be achieved by the notion of defence in depth,
where two or more layers of protection are applied so that even if one fails, a serious
breach can be avoided. The other key conclusion is that we need to monitor what's going
on so that if a breach does occur, we can detect it early and rectify the problem. It goes
without saying that this is all easier said than done. We will return to all these themes later
in this course.
serious the impact of the loss of cyber security can be.: Added to Selection. Press [CTRL + S]
to save as a note

Goals of security
As was discussed in the previous lesson, cyber security is the name we give to the study of
methods we can use to reduce the likelihood of cyber attacks, however they originate and
whatever their motivation. Cyber attacks are directed at damaging information assets, i.e.
information and information processing resources. Again as we described in the first lesson,
this damage can take three main forms: unauthorized disclosure of data, unauthorized
modification of data, and loss of availability of data or data processing resources. In this
lesson, we turn our attention to trying to capture the goals of cyber security. Before
proceeding further, it's worth exploring a little more the notions of attacks and attackers.
Cyber security is typically concerned with addressing damage to information assets arising
from malicious behavior rather than from other causes such as accidents, natural disasters,
etc. This is why we refer to cyber attacks, i.e. acts carried out by malicious parties with the
goal of causing some damage to information assets. Of course, the borderline between
deliberate and accidental damage is sometimes a little fuzzy. The measures we need to put
in place to mitigate threats often address both. An obvious example is the use of backups of
data to protect against both deliberate or accidental deletion of, or damage to, data. Our
discussion of the types of damage that can be caused raises an important question. Since
we refer to unauthorized access to data, what do we mean by authorized? For an individual,
this is clear. We will have our own purposes for storing and processing data. Typically these
don't need to be formally specified; we will know what we want to happen to the data.
However, at least in an organization of any size, the notion of authorisation needs to be
made more formal. We conventionally say that actions are authorized if they're in
accordance with the security policy in force, i.e. the agreed set of rules governing security
for that organization. Please stop the video for a moment and think about how such a
security policy might be expressed.
Play video starting at :3:26 and follow transcript3:26
An organization will typically have a high level security policy, signed by a member of the
senior management team, setting out the overall rules and principles governing cyber
security for the organization. This relatively brief document should be accessible to
everyone in the organization. Beneath this, there will typically be a number of more
detailed policies setting out rules for handling various aspects of how cyber security is
managed within the organization. Of course, the very detailed implications of policies
should be reflected in the configuration of computer systems, such as the access control
settings for data. As a result, we could define the goal of cyber security as being to do
whatever possible to ensure that the security policies of the organization are maintained.
Of course, this is a rather abstract and high level definition. To make things more specific,
we need to think about the threats to the correct application of our security policies. This
then leads naturally to the subject of risk management, briefly mentioned in the previous
module. Risk management involves understanding the value of the assets we wish to
protect, and the magnitude of the various threats these assets face. The process of
cataloging these risks and understanding their seriousness is known as risk assessment, a
key part of risk management. Risk assessment enables prioritization so that an organization
can make informed choices about how to spend an inevitably limited security budget on
security controls. Please stop the video again for a moment or two and think about how you
might decide -which risks should be given the highest priority.
Play video starting at :5:52 and follow transcript5:52
There are two aspects of a risk that need to be assessed. Firstly, how likely is the risk to
occur? Some risks, such as the risk of a user clicking on a link in a phishing email and
thereby causing damage are likely to be high. Other risks, such as a terrorist incident
causing damage to systems are, we might hope, much lower. All else being equal, we
should prioritize those risks which are more likely to occur. However, all else is not equal.
It's necessary to consider the amount of damage that can be caused if a risk is realized. This
could, for example, be quantified in financial terms or simply rated qualitatively, e.g., high,
medium, or low. That is risks with higher impact, are clearly higher priority than those with
a lower impact. Thus we need to combine both aspects of a risk in order to obtain an overall
assessment of its seriousness. This notion of risk assessment and the use of this assessment
to help the selection of security controls, suggests another more practice- focused
definition for the goal of cybersecurity. That is, the goal is to select an appropriate set of
security controls to minimize the risks facing our information assets.
Play video starting at :7:41 and follow transcript7:41
However we choose to define our goals, it's important to appreciate that managing
cybersecurity is a job that never ends. New threats and risks are constantly emerging, both
because of newly devised methods of attack and newly discovered vulnerabilities in existing
systems, and because our systems change and evolve over time. We cannot afford to relax
if we wish to maintain our cyber security goals. This means we need to continuously
monitor both the effectiveness of our security controls in preventing security breaches and
the changing security landscape and update our risk assessment and our security controls
as appropriate. This monitoring includes a range of types of auditing, ranging from formal
paper-based audits to penetration tests, where authorized security experts attempt to
breach cyber security using the methods employed by hackers.

Addressing threats
Providing cyber security involves implementing security controls to prevent damage to
information assets. In this video I describe how security controls can address the wide range
of cyber threats we all face.
As briefly mentioned at the beginning of this lesson, security controls should be chosen to
address the risks identified as being most serious in a risk assessment.
Part of conducting a risk assessment involves cataloging all the security risks that threaten
the information assets.
This catalog of risks is often referred to as a risk register and once the risk assessment is
complete, each of the risks in the risk register will have an associated estimation of its
seriousness.
Having identified the risks and prioritized them, it's necessary to decide how to treat them,
i.e. to do something about them.
There are four main ways to approach a risk. First and perhaps most obviously we can
implement security controls to try to reduce the level of risk; this is called risk modification.
We also often talk about mitigation of risks when we're implementing ways of reducing
them.
For example, if the risk is that sensitive data in a database will be disclosed to unauthorized
parties, we could decide to keep all the data encrypted to make it unreadable even if it falls
into the wrong hands.
Another approach which could be used in combination with encryption is that we could
require all users accessing the sensitive data to be authenticated using both a password and
a security token,
an example of dual-factor authentication where the identity of a user is verified in two
independent ways.
Implementing both of these example controls would be an example of defense in depth, i.e.
where multiple controls are put in place to ensure that even if one is breached, the cyber
security goals are upheld.
Second, for some risks a decision can be made to live with the risk in unmodified form; this
is known as risk acceptance.
For example the asset at risk may be of low value so that the impact of the risk being
realized is small or the likelihood of the risk is very small.
If the cost of implementing a security control to reduce the risk is greater than the cost of
damage if the risk occurs then it's unlikely it will be worth the bother. Before proceeding,
pause the video for a moment and see if you can think of two more ways in which we can
deal with an identified risk.
The other two possibilities come to mind less immediately.
A third possibility is risk sharing, where one or more 3rd parties bear some of the risk.
This could, for example, involve an insurance policy where an organization pays an annual
fee to an insurance company who will reimburse the organization if the risk is realized. We
use this approach in our everyday lives to share serious risks, e.g. by taking out insurance in
case our house burns down or we're involved in a car accident.
Another approach would be to subcontract some operations to a 3rd party such as a cloud
provider, and, depending on the contract, the cloud provider may have to pay
compensation if, for example, the level of service is below the agreed level, which might
occur because of a cyber-attack.
The final possibility is known as risk avoidance.
In this case it may be decided that the risk is significant, but yet the value of the asset to the
organization is not high.
In such a case, the organization could decide to stop engaging in the activity that bears the
risk.
For example, if the risk relates to a database of personal data and the legal penalties for
security breaches to this database are high, but yet the value to the organization is small,
then the organization could decide to delete the database altogether.
It's important to note that this is different to risk modification where the risk still exists but
has been reduced. In the case of risk avoidance, the risk disappears altogether.
Whatever approach is taken after the risk treatment decision, there will still be a residual
risk, i.e. the burden of risk that remains after the treatment has been applied.
Of course, if risk avoidance is adopted, this residual risk will be zero, but otherwise, there
will still be some positive level of risk.
No security control is perfect,
so after risk modification, a level of risk will remain, albeit hopefully smaller than before
implementing the control.
Similarly, if the risk is shared, then some level of risk will remain, for example that the 3rd
party with whom the risk is being shared, defaults on their obligations.
This residual risk will need to be made explicit and formally accepted by the responsible
person.
There are many ways to modify risks, that is, there are many types of security controls.
In the last lesson in this module, we'll look in greater detail at a range of types of security
control.
For the moment, we'll just observe that there are two main categories of security control,
namely preventive controls and reactive controls.
Preventive controls are probably the ones we think of first.
These are measures designed to prevent cyber security breaches or at least make them
less likely to occur.
For example: using a password manager enables us to set up a unique, strong password for
every website we engage with, thereby reducing the risk of password compromise and
unauthorized access to our resources; setting up our phone or tablet so that after a short
period of inactivity it will require unlocking; using a fingerprint scan or facial recognition
reduces the risks arising from a lost or stolen device; and performing regular backups
protects against the case where data is deliberately or accidentally corrupted or deleted.
Reactive controls are perhaps a little less obvious.
Such controls are designed to deal with the situation after a security breach has occurred.
There are many types of reactive controls, such as intrusion detection systems that are
designed to detect unauthorized activity within a system.
A network intrusion detection system will monitor network traffic to look for unusual
patterns which may indicate an ongoing attack, and a host intrusion detection system will
look for unusual behavior within a system.
Incident management systems enable users to report possible cyber security breaches and
for them to be handled in a timely and organized way with key actions logged for later
auditing and learning of lessons.
Predefined reporting procedures enable an organization to make a coherent response to an
incident, including notifying regulatory and law enforcement bodies in a timely and
appropriate way.
The exact nature of the reporting required will depend on the nature of the breach. Stop
the video again to think about which types of control are more important: preventive or
reactive? Also, if we do a good enough job by implementing enough preventive controls, do
we need to bother with reactive controls because cyber security breaches will never occur?
The simple answer to the first question is that both are vital. Of course we need to try to
prevent security breaches, but in an organization it's also vital to be able to detect security
breaches when they occur so that problems can be rectified.
An undetected breach can lead to long-term compromise for an organization, with secret
information being stolen over a long period of time.
For the second question, the answer is that, as briefly discussed in the first lesson, 100%
security is not possible. No matter how much resource is invested in preventive security
controls, security breaches will occur.
Of course, we want to try to minimize the number and seriousness of breaches, but we
need to be prepared for them. Thus we cannot only invest in preventive controls.

We need to find the right balance between the two categories.

Of course, some security controls are both preventive and reactive.
For example, enhancing the security knowledge and awareness of staff members should
help to reduce the likelihood of security breaches as well as enhance the effectiveness of
responses to breaches.
In conclusion, addressing cyber threats is not simply a matter of implementing a few
randomly selected security measures. Organizations which depend on information and
information processing, and there are very few that don't, need to manage cyber security.
This includes understanding the risks they face and systematically deciding how to treat
these risks, whether it's implementing security controls to reduce the level of risk to an
acceptable level, or sharing the risk with a 3rd party.
The good news is that there are many organizations and standards out there to help. Links
to key websites and documents are provided in the reading material. [MUSIC].
What is cyber security?
Cyber security is how individuals and organisations reduce the risk of cyber attack.
Cyber security's core function is to protect the devices we all use (smartphones, laptops,
tablets and computers), and the services we access - both online and at work - from theft or
damage.
It's also about preventing unauthorised access to the vast amounts
of personal information we store on these devices, and online.
Why is it important?
Cyber security is important because smartphones, computers and the internet are now such
a fundamental part of modern life, that it's difficult to imagine how we'd function without
them. From online banking and shopping, to email and social media, it's more important
than ever to take steps that can prevent cyber criminals getting hold of our accounts, data,
and devices. 
In the previous lesson, we looked at the goals of cyber security and we described how the
main objective of cyber security is to address threats to information assets. These threats
can be thought of as either allowing unauthorized access to data or denying authorized
access to information and information processing systems. Access to data can lead to either
disclosure or modification or both. This leads to a possible way of defining cyber security in
terms of preventing three main types of threat: unauthorized disclosure of data
(unauthorized reading), unauthorized modification of data (unauthorized writing), and loss
of authorized access to data or processing resources. Observing that we've discussed the
meaning of the term authorized in the previous lesson, these ideas lead us to a classic way
of formulating a definition of security. In doing so, we reverse the wording a little so that
instead of referring to the prevention of undesirable acts, we describe the positive goals
of cyber security. That is, we define cyber security as maintaining the confidentiality,
integrity, and availability of information where confidentiality, integrity, and availability
equate to preventing unauthorized disclosure, preventing unauthorized modification, and
preventing loss of authorized access, respectively. This then leads to the three-letter
abbreviation CIA, which is very widely used as a shorthand for this simple definition of
cyber security. Over the years, some experts have criticized this definition as not
capturing all the objectives of security. Pause the video for just a moment and see if you
can write down a possible cyber security objective that is not captured by CIA.
Welcome back. Perhaps the most commonly quoted shortcoming of CIA is that it doesn't
address accountability, named the ability to hold individuals responsible for their actions in
relation to information assets. For example, we may wish to reliably know which user was
responsible for deleting a particular file. This requirement doesn't obviously fall under any
of C, I or A. However, it could be counter-argued that this is a functionality, not a security
requirement. That is, if we wish to have accountability, then we should build the necessary
functionality into the system, and security is only relevant if it is possible to damage the
integrity or availability of this function. That is, ensuring reliable availability comes down to
components of CIA. Another issue that potentially comes outside of CIA is that of non-
repudiation, i.e., the provision of robust evidence that a particular event occurred. This is
likely to be useful in the case of a dispute or where an attack has occurred and it is
important to collect evidence for use in disciplinary or criminal proceedings. Again, it's not
clear whether this is a fundamental requirement, since it is mostly only relevant if CIA is not
maintained. That is, perhaps accountability and non-repudiation are objectives that take
into account that sometimes we will not succeed in maintaining CIA 100 percent, and we
wish to have ways to both resolve the issues that arise and also investigate how the breach
occurred and who's responsible. In any event, for the purposes of this course, and in most
cases more generally, the CIA triad provides a good and usable definition of cyber security.
Having a definition of cyber security is useful in many ways. One reason for having a
definition is that it enables us to distinguish between matters that are security-related and
those that aren't. For example, a threat to the welfare of a member of staff is clearly
important and something that should be addressed, but it isn't a cyber security matter since
it doesn't threaten the CIA of information assets. At this point, you might be tempted to
raise an objection and say, "But what if the member of staff is forced to provide access to
data at gunpoint?" This is clearly a staff welfare issue and a cyber security issue. You would
be right, but I hope the general point remains clear. When trying to decide where the
boundaries of cyber security lie, we also need to consider the difference between
deliberate hostile acts and accidental events. Clearly, a deliberate act by a hacker to delete
our data is a cyber security matter, but what about an earthquake or a fire causing damage
to a data center? Pause the video again for a moment and ask yourself the question, are
natural disasters and accidents threats to cybersecurity?
Hello again. Well, I'm sure that you will have observed that the effects of a natural disaster
and a malicious hack could be very similar. It's also true that the measures we put in place
to deal with these risks are often similar. For example, data backup is key to mitigating the
threat of destruction of a data center regardless of how it occurs. However, the details may
vary. For example, physical separation of copies of data is vital to address the threat of
destruction of a site, although less significant for a malicious attack. On the other hand,
keeping backup copies offline is key for their use against hackers, whereas not significant
for accidental destruction.
While natural disasters and major accidents are arguably not security risks since there is no
malicious intent, there's a very close relationship between how these risks and cyber
security risks should be handled. Indeed, this supports the well-accepted idea that the
management of risks of all types, including cyber security risks, should be integrated.
Certainly when assessing the level of risk associated with loss of availability of a major site,
all factors that could give rise to this risk need to be included in the assessment.
Cybersecurity Governance and Compliance.
This is the first of three courses that make up the introduction to cybersecurity and risk
management certificate program. The goal of this certificate program is to introduce you to
the bigger picture of what cybersecurity is, how it's related to risk management and the
methods of strategizing that emerge from this relationship. This course is the first step in
that introduction. Over the next four weeks, you'll be learning about a variety of topics that
are fundamental to security governance and compliance that include; the fundamental
goals of cybersecurity, the process of cybersecurity governance, the importance of legal and
regulatory compliance, and finally, best practices for cybersecurity policies and procedures.
But before we dive into all of these topics, we need to find ourselves on the map, if you will.
Cybersecurity is a very broad term that has come to mean a lot of different things to a lot of
different people in a very short period of time. If you were to tell someone that you work in
security, it doesn't really give them very much contexts for what it is that you do. For
instance, private security guards work in security nowadays, just like software engineers
work in security. Our first step is to split security into two large categories, physical
security and cybersecurity. However, we'll see in a moment that there are a dizzying
number of specialties and sub-fields within this term, cybersecurity. Our second step is to
further break cybersecurity into two fundamental domains. The first is information
security, and the second is application security. The domain of information security
generally involves topics related to networks and Internet working. Here you should think of
firewalls, routers, network architecture, switches, and things like that. Whereas application
security, generally involves security topics that are related to the development and the
integration of software applications. These are simplistic distinctions. But they're helpful for
our understanding of the broader picture of security because in reality the lines between
information security, application security, and even between cybersecurity and physical
security are becoming increasingly blurry. These domains and the various disciplines that
relate to them are converging more and more every day to the point where now even the
domain of privacy, which historically has been considered completely separate from
security, is beginning to converge with security and security conversations to the point
which if you decide to pursue any of the mini cybersecurity certifications that exists, you'll
notice that many of them cover both physical security and privacy extensively. When we
zoom in on the idea of cybersecurity itself and the landscape of the domains and the
disciplines that are related to it, it expands dramatically. This mind map was created by
Henry Jiang. It's a popular model for the various specialties and sub-specialties in
cybersecurity. People can spend their entire career specializing in just one of the nodes on
this map and there are likely many more nodes that we could add to this diagram. But the
reason that we're looking at this map is to ask the question, why is the landscape of
cybersecurity so complex here? Why is it that there are all of these distinctive specialties in
sub-specialties? The answer really lies in the fact that cybersecurity activities are a
byproduct of technological change and the rate at which technology changes introduces a
slew of potential problems that we'll learn more about in our next lesson. But for now, just
understand that wherever people and processes and technology all meet, there will be
cybersecurity implications and therefore, lots of work to be done, as you can see on this
diagram. It's perfectly understandable to be overwhelmed by even this relatively simple
diagram on the screen. When we consider all of the places that cybersecurity might pop up.
Let's imagine that we're trying to run a business or some other type of organization, how
might we begin to wrap our minds around, how to manage this huge ecosystem of potential
problems and things that we need to do? After all, we're probably not in the business of
doing any number of these things specifically, so how are we going to align each of these
rabbit holes with what we are actually in the business of dealing? The answer to that
question really is governance. The governance of these various disciplines and sub-
specialities is what's going to bring coherence to how we're going to approach, how we're
going to strategize and make sense of this world of cybersecurity in relation to our business
or organization. We're going to cover that much more in our next lecture.

In our first class, we introduced the mind-map of cybersecurity to give everyone a sense of
the breadth of specializations in the field of cybersecurity. In this lecture, we're going to
focus on the first topic, the fundamental goals of cybersecurity. Ultimately, all of the efforts
that you see mapped out on the mind-map diagram are working towards the same general
goals, which are referred to as the CIA Triad. What CIA stands for Confidentiality, Integrity,
and Availability, and in this lesson, we'll review each of these concepts and how they each
play a guiding role in the design of an effective cyber-security strategy. Our first goal is
confidentiality, which means preserving restrictions on information disclosure so that
access is limited only to authorized users and services. We only want the people who are
authorized to see certain information, only have certain access. For example, personal
health information, which is sometimes referred to as PHI, or personally identifiable
information, sometimes referred to as PII. This would be things like social security numbers
and various identifying information, birthdays, addresses, and stuff like that, as well as
various types of sensitive government or classified information, are all concerned with
maintaining the confidentiality of sensitive data. All those various forms of data are
sensitive for different reasons, and, therefore, the confidentiality of that information is of
primary importance. Many of these categories of sensitive information are the result of
extensive regulation, which we are going to cover in an additional lecture coming up. The
second goal of the triad is integrity, which addresses the concern that sensitive data has
not been modified or deleted in an unauthorized or undetected manner, so databases are
a good example here. Databases are a key technology that our hyper-connected world
depends on, and tampering with database information for fun or for profit has been a
common attack technique for decades. It's also common for integrity issues to arise by
mistake, which leads to principals concerned with not over-scoping access levels or
privilege levels, not letting users be administrators because then they could delete and
change and modify files however they see fit. The final goal is availability, which addresses
ensuring timely and reliable access to and the use of information. We all know that today's
world runs on interconnecting technology, yet most people don't know, and they are
unaware of how that interconnectivity actually works. This isn't any different from other
technologies that we have come to depend on, for example, electricity or clean tap water.
However, the Internet is able to function as a result of numerous underlying protocols that
have to work in tandem with each other. When availability issues arise in those underlying
technologies, it can be equally as disruptive as a business system or a website just being
taken offline. That is an overview of the CIA Triad as it is traditionally drawn. However, with
the rise of IoT or Internet of Things devices, the CIA Triad has begun to be modified in
popular representations as a CIAS triad. So the three original goals are still just as important
when it comes to technologies like smart TVs, doorbell cameras, Internet-enabled baby
monitors and toys, things like that. However, many IoT devices control machinery or
manufacturing equipment. So when issues arise with these new technologies, there is a
distinct and very real concern for human safety, and safety addresses reducing risks
associated with embedded technologies or IoT technologies that could fail or somehow be
manipulated by nefarious actors. Some industries and some use cases are going to be more
concerned with certain aspects of confidentiality, integrity, availability, and or safety.
However, there's a lot of overlap, a significant amount of overlap between all of them.
When we think back to the mind-map of cybersecurity that we talked about in our very first
lecture, it becomes clear that aligning these overarching goals across that dizzying number
of special activities and technologies in the landscape of cybersecurity is going to be
critically important if we have any shot of trying to reach these goals that we originally set
out for.

Threats, Vulnerabilities, Risks, & Countermeasures

Okay, this is lecture three. This is concepts we went intro goals and now concepts. [COUGH]
In our last lecture we discussed the fundamental goals of cybersecurity, and we
represented the goals of cybersecurity in something known as the C-I-A Triad. And we
included the somewhat new consideration for safety that has arisen as a result of IOT and
embedded technologies that control parts of our physical world. And we've also established
that these goals underpin the vast landscape of cybersecurity disciplines and specialties that
we saw in the mind map from our very first lecture. But that's really only part of the overall
picture about how the goals and all of these specialties are actually related. And the idea
here is that cybersecurity attempts to protect confidentiality, integrity and or availability.
And that idea is predicated on the existence of someone attempting to undermine those
goals. And in this lesson, we're going to discuss the iterations of what that looks like. And
that will include a discussion of threats, vulnerabilities, risks, countermeasures, what those
things mean and how they are interrelated. And so the first step is to understand threats.
Threats are sometimes referred to as threat actors and these threat actors are motivated
for various reasons to attack and take advantage of data and information systems. And you
might recall from our mind map of cybersecurity, that there is an entire domain of expertise
that's specifically dedicated just to something called threat intelligence. Just to evaluate the
landscape of threats that's constantly changing and all the various ways and reasons why
people are interested in taking advantage of people and systems and data. So the full
treatment of the threat landscape or the concept of threat intelligence is far beyond the
scope of this course but there are two broad categories of threats that are going to be
useful to us. The first category is cybercrime. And the top priority for cyber criminals is to
make money. And every year cyber criminals are making more and more money. And cyber
criminals historically used to only target data that was inherently valuable. And this would
be things like personal identity information or financial information. This would include
things like social security numbers or credit card numbers. However, the rise of viable
cryptocurrencies, as well as the ease of access to commodified encryption has allowed
cyber criminals to hold essentially any data for ransom. And as a result, they're able to
capitalize on data that would otherwise have been worthless. The second category of
threats that's useful to understand are the nation states. And for most people, espionage,
national secrets, and geo-political tensions, they might as well exist in a different
universe. However, while technology and interconnectivity have made our world much
smaller and much faster, that doesn't mean that these timeless issues of espionage or
fraud and crime have somehow gone away. If anything, the advancements and
developments in technology and interconnectivity have only enabled those things to
happen at a faster rate and embolden the actors behind those types of actions. And so
there can be quite a bit of overlap between these different sets of threat actors between
criminals and nation states, and the details of which are usually a common topic in threat
intelligence reports. So if we take a step back, we have data and information systems and
business enterprises, colliding with motivated threat actors for whatever reason, but that
doesn't necessarily guarantee that anything is going to go wrong or that the threat actors
will even succeed. The threats have to find a way in and they need to therefore take
advantage of some type of vulnerability and vulnerability is a weakness or a lack of
countermeasures. We're going to cover countermeasures in a moment. And vulnerabilities
can exist in software and applications, they can exist in hardware and firmware, they can
exist in the business processes, or they can even exist within human beings in terms of our
assumptions that we use to go about our daily lives. And the pace of technological change
means that there are constantly new features and configurations that are being introduced
into this ecosystem. But that also means that bugs and flaws and therefore potential
vulnerabilities are also introduced at an equal piece. And the constant change in technology
means that there's really know end of state of cybersecurity. We can only ever attempt to
manage the risks that emerge over time. And in a larger sense, risk is the degree to which
the threats and the vulnerabilities start to intersect. And so that's how we would evaluate
how serious the potential vulnerabilities are in relation to how presence or motivated the
various threats are that could take advantage of those vulnerabilities. And like we said
before, countermeasures, mitigate vulnerabilities and these can range from patches and
updates to security devices and services. Countermeasures are often referred to as security
controls, which we'll see much more of when we discuss governance frameworks in an
upcoming lecture. So to say that the world of cybersecurity is complex is a bit of an
understatement. However, we have established that the underlying goals of cybersecurity
and the surrounding cat and mouse game of threats, vulnerabilities, risks, counter measures
are all intertwined. They're all dependent on each other, they're all based on the fact that
the others exist. And this broad perspective of the C-I-A Triad threats vulnerabilities, risks
countermeasures in conjunction with the mind map this sort of 30,000 foot view will be
very helpful as we discuss aligning a governance strategy for the goals of a business or
organization in an upcoming lecture.

Welcome to module 1 activity! In each module of this course, we will be diving into a case
study to understand how the concepts and tools introduced in the video lectures apply to
cybersecurity practitioners in the real world. 
Carefully read the instructions below before completing the reading. One you have
completed the comprehension questions and case study prompt, advance to the next
section where your responses will be peer-reviewed and you will review responses from
other students in the course community. Remember to follow the Coursera Honor Code
and to only submit work you have written on your own.
Step-By-Step Assignment Instructions
less 
Reading Instructions
For this assignment, you only need to read the “Overview” section of the article. As you are
reading you may come across cybersecurity terms that you will need to look up such as
"botnet", "SSH brute-force", and “distributed denial-of-service attack.”
Reading: N. Kim, T. Herr, and B. Schneier, (2020). The reverse cascade: Enforcing security on
the global IoT supply chain.
Reading Comprehension Questions 
As you read, answer the following comprehension questions:
1. What is the primary reason why IoT devices have such poor security? 
2. “Why is there a sudden increase in attacks against IoT devices? 
You will not be required to submit your answers to the above comprehension questions,
however, answering these questions will help you answer the graded case study prompt
below.
Case Study Prompt 
Recall the following excerpt from the reading: 
 “Much more recently, the US Defense Department’s Cybersecurity Maturity Model
Certification (CMMC) program adopted a requirement for prime vendors—large
firms with many subsidiary suppliers—to be responsible for the adoption of good
supply-chain security practices by their suppliers. In the CMMC model, rather than
force the DoD to map complex supply chains two or three steps removed from the
end product, prime vendors are leveraged to enforce standards directly on their
supply chains.”
For this case study, you will play the role of a cybersecurity contractor who has been hired
to work on the US Defense Department’s Cybersecurity Maturity Model Certification
(CMMC) program. Your first job is to articulate the goals the CMMC program will set out to
achieve.
Instructions: Carefully follow the steps below to complete the case study. You will be
prompted to write and submit your response for each step when you continue to the "My
submission" tab.
Step 1 
Choose one IoT device mentioned in the readings, for example: 
 Medical devices
 Toys
 Small and large appliances
 Home thermostats
 Traffic signals
Step 2 
Pick two of the following CIAS goals: 
 Confidentiality 
 Integrity 
 Availability 
 Safety 
If you are having trouble remembering the relevant considerations of each of these goals,
you can go back and review the video lecture in the last module. 
Step 3
Explain how the two goals you chose from the CIAS goals (for example: Confidentiality &
Safety) relate to the security consideration for the IoT device you chose (for example:
medical devices). 
Given that this is the first week of the course we are not looking for an overly technical
answer. You should not need to do additional research to come up with your response.
Focus on the novel risk IoT devices pose in the field of cybersecurity (i.e. bringing
cybersecurity risk into the physical world) and how this increased risk relates to the goals of
cybersecurity outlined by the CIAS goals.
Step 4
Peer-review: Continue to the next section and review the responses of other students in the
course community.
Example Submissions
less 
Case Study Prompt
Step 1 
Choose one IoT device mentioned in the readings, for example: 
 Medical devices*
 Toys
 Small and large appliances
 Home thermostats
 Traffic signals
*We chose medical devices for this response, but you could have chosen any item from
this list.
Step 2 
Pick two of the following fundamental goals outlined by CIAS: 
 Confidentiality*
 Integrity 
 Availability 
 Safety*
*We chose Confidentiality and Safety as our CIAS goals, but you could have chosen any
two goals from this list.
Step 3
Explain how the two goals you chose from the CIAS framework (for example: Confidentiality
& Safety) relate to the security consideration for the IoT device you chose (for example:
medical devices). 
Answer: We chose medical devices as our IoT device category. We also decided to
demonstrate how the CIAS goals of Confidentiality and Safety relate to the unique security
risks posed by security compromised medical devices:
 Confidentiality: Medical devices pose a unique threat to the CIAS goal of
confidentiality given the immense importance of maintaining the privacy of
protected health information (PHI). The standards of security mandated by the
Health Insurance Portability and Accountability Act (HIPAA), which includes
maintaining the confidentiality of personal health information, are usually ensured
by and enforced on stakeholders such as health care providers, insurance providers,
 and business associates. IoT devices, especially those that are low-cost and used
outside of these controlled environments, are much more vulnerable to attacks
which could lead to the loss of this protected health information to malicious actors.
 Safety: The line between the goals of confidentiality and safety become blurred
given the prevalence of IoT technology. Protected information obtained without
consent is a violation of the goal of confidentiality, however, in the context of
medical devices, this confidentiality risk becomes a physical health risk. The goal of
integrity is also interconnected with the goal of safety when discussing medical
devices because the data stored on such devices can inform and determine decisions
related to medication, diagnostics, and other sensitive health considerations. For
example, if this data is corrupted, this can in turn directly influence how this medical
information is used by the targeted person and their health providers.
Step 4
Continue to the next module and compare your responses with the example answer
provided by the course instructor.

An Improved CIA Triad: The CIAS Triad

As we connect more & more things to the internet, physical safety is

an increasing concern that needs to be addressed by the InfoSec
industry.

The traditional CIA Triad has been an amazing representation of three

main areas of concern to InfoSec personnel (Confidentiality, Integrity
and Availability). It’s proved, and continues to prove, to be very useful
in a variety of ways.
The CIA Triad

One area, though, where the triad begins to fall short is

in physical security. This is not the triad’s fault, as physical security
has only become a recent issue of concern to the InfoSec industry.
Historically, the basic assumption (and correct) assumption has been
that no matter how bad the breach, at the end of the day it’s just data
and won’t physically harm or kill anyone (at least directly).

The rise of IoT, however, now makes that assumption incorrect. A

increasing plethora of IoT devices leads to physical issues like:
  Thermostats not heating homes

 Cars being hacked

 An oven overheating on in the middle of the night

 Door locks being broken into

 And more

In today’s world, InfoSec personnel now need to worry

about data and peoples’ physical safety. To address this new issue, in
this Article I propose an update CIA Triad (note: I’ve conducted a basic
literature review and couldn’t find anything on this topic. As far as I
know, this idea hasn’t been presented before like this).

The CIAS Triad

CIAS stands for:

CIAS Triad

 Confidentiality
  Integrity

 Availability

 Safety

Where the CIA Triad addresses the privacy, adequate access and
correctness of data, the CIAS Triad addresses those concerns plus both
individual & public safety.

I provide some examples of individual & public safety issues here,

some of which have already happened:

Individual Safety Issues

 Cars

 Thermostats

 Medical devices (both implanted & at facilities, like life

support)

 Drones

 Fire-prevention systems

 Physical destruction of devices (e.g., Samsung Note 7

battery fires — this wasn’t a hack, but imagine if it had been
intentional)

Public Safety Issues

Utilities

 Electric

 Gas

 Water

 Nuclear

 etc.

Medical Systems

 Hospitals

 Supplies (vaccines, morphine, etc.)

 CDC/WHO (false warnings)

 Pharmacy

Transportation System

 Automobiles

 Aviation

 Shipping (on water)

 Space

 etc.
  Military

 Supply chain (if portions of it are shut down, there could be

food & water shortages)

 Elections

 PR for Nations (imagine if government officials’ Twitter

accounts were hacked)

Conclusion

These are issues that we can successfully address. A new focus on

safety provides InfoSec personnel & developers with a reminder to
protect IoT devices.

Suggestions

If you have ways that this can be improved, please let me know. This is
meant to be beneficial to the public, and I’d love to see it improved.

IoT

Cybersecurity

Security

Technology

Security Governance
The process of cybersecurity governance and give an overall explanation and viewpoint of
what cybersecurity governance is and how it's organized. Stephen Covey has a famous
quote and in it he says, "The main thing is to keep the main thing the main thing." What
does that mean? In this context at the end of the day most businesses are not in the
business of assessing cybersecurity risk, of evaluating threats, of evaluating vulnerabilities,
and they're not in the business of selecting, implementing or tracking controls and security
countermeasures. However, these activities are critically important to whatever the main
thing of the business happens to be, and thus they have to be aligned in a complementary
fashion, they have to support whatever the main thing of the business is. Despite a constant
stream of security breaches and lawsuits, FTC rulings and headlines, it is still the case that
the market just does not inherently reward security for security’s sake. Every decision to
spend money on security is a decision to not invest money in other areas of the business
that ultimately drive the bottom line.
his alignment occurs through several key processes that you'll recognize from our
cybersecurity mind-map in an earlier lecture, and that includes things like risk management,
configuration, identity management, access control, vulnerability and supply chain
management, and incident response, disaster recovery. These are all clearly ideas that
complement the main thing of the business, but if you were to spend too much time doing
them or they were not closely aligned with the overall purpose and structure and main
thing of the business, then we can quickly spin off into a rabbit hole that is wasting time and
money and resources and not helping to drive the governance of the organization. Broadly,
governance is a top-down approach to managing a business. There's various forms of
governance of a business. As a result, cybersecurity governance is the top-down approach
of managing security activities and ensuring that they're all aligned to the business. To recall
from previous lectures, just how easy it is to fall down the numerous rabbit holes in this
vast landscape of cybersecurity disciplines. Without that strategic alignment and
management security programs with otherwise good intentions can easily miss the mark in
terms of supporting the overall goals of an organization. Also recall that cybersecurity
vulnerabilities are essentially a function of rapidly changing technology and business
landscapes, and today the reality is that businesses are essentially inseparable from their IT
infrastructure, from their IT solutions and architecture, and cybersecurity as a result is an
inherent aspect of IT and its integration into the business. Therefore, the top-down
structure of aligning IT efforts with the overall goal the business would encompass and
subsume cybersecurity governance as well. They all have to be integrated and aligned with
whatever the main thing of the business happens to be. A good mental model that I like to
use for helping people understand this idea is the difference between precision and
accuracy. Not only are there many exciting rabbit holes to explore within cybersecurity but
they are very expensive and time consuming. As a result, investing time and resources into
cybersecurity capabilities that are not aligned with the business can result in amazing
capabilities, but they don't necessarily provide value to the business. They're very precise,
like you might see on the left-hand side of the diagram here. All the efforts are very close
together, so they're very consistent, very coherent, they are very precise. Doesn't
necessarily mean that they are on target like the group of dots on the right here, even
though it is a less precise group of dots it is overall much closer to the goal, much closer to
the main thing that we're going for by trying to be on the center of the target. The goal of
security governance is to drive not only the precision of time and investments, we want to
be as precise as possible, but to fundamentally ensure that those efforts are as accurate as
possible and aligned with the main thing of the business. This is a big domain and in some
ways it is the least technical of any domain across cybersecurity. However, just to give some
context to its importance, both of the premier cybersecurity management and governance
certifications that exist on the market, CISSP from (ISC)_2 and CISM from ISACA, both
include governance as the very first domain that you have to understand in their study
guides, in their material, in their testing domains. Both of them start with this idea at the
very beginning before they get into other advanced topics. In the next lecture we'll take a
closer look at the frameworks that emerge from the need of cybersecurity governance and
how we can start to see taking this large top-down idea and actually applying it to the
business and it's operations.