Exercises: What Is Cybersecurity?
These exercises move from vocabulary to judgment. Difficulty is marked ⭐ (recall/application), ⭐⭐ (analysis), and ⭐⭐⭐ (synthesis/open-ended). A dagger (†) marks problems with a full worked solution in Appendix: Answers to Selected Exercises — try every problem before you read one.
Work in your own notebook or a private repository. Where an exercise asks you to "score" or "rank," there is rarely one perfect answer; the reasoning matters more than the number.
Part A — Core vocabulary ⭐
1.† In one sentence each, define threat, vulnerability, exploit, and risk, then write a single sentence that uses all four correctly in the context of a stolen laptop.
2. Classify each item as asset, vulnerability, threat, exploit, or control: (a) a customer database; (b) a ransomware group; (c) an unpatched web server; (d) a phishing email that harvests credentials; (e) multi-factor authentication; (f) the bank's reputation; (g) a hard-coded password in source code; (h) an automated script that sprays that password across login pages.
3. Explain the difference between a vulnerability and a risk using an example where the vulnerability is real but the risk is low. Then change one fact so the risk becomes high.
4.† Define residual risk and explain why a security program can never reduce it to zero. Give one business reason an organization might choose to accept a non-trivial residual risk.
5. Map each of the following to the leg(s) of the CIA triad it primarily protects: (a) full-disk encryption; (b) database backups; (c) a digital signature on a software update; (d) a DDoS-mitigation service; (e) role-based access control.
Part B — Risk scoring and prioritization ⭐⭐
6.† Using the 1–5 likelihood × impact model, score and rank these Meridian findings. Justify each likelihood and impact rating in one phrase.
- (a) The guest WiFi shares a network segment with the teller workstations.
- (b) A marketing intern's account has read access to a public brochure folder only.
- (c) The online-banking portal does not enforce account lockout after repeated failed logins.
- (d) Backups of the core-banking database have never been tested for restoration.
7. Two findings each score 12. One is likelihood 3 × impact 4; the other is likelihood 4 × impact 3. Are they equally urgent? Argue for treating one before the other, and name what extra information would settle it.
8. A vulnerability scanner reports 1,400 findings on Meridian's network. Your manager asks for "the top ten to fix this week." Describe, in steps, how you would turn 1,400 findings into a defensible top ten. Which factors beyond the raw scanner severity would you fold in?
9.† Explain why risk is modeled as likelihood × impact rather than likelihood + impact. Give a concrete pair of findings where addition would give a misleading ranking that multiplication fixes.
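To make the scoring model in Part B concrete, here is an added Python illustration (not part of the book's exercises or the Meridian case) that scores constructed findings on the 1–5 scale, assigns bands whose thresholds are an assumption, and shows one constructed pair where ranking by likelihood + impact and by likelihood × impact disagree.

```python
# Added example: the 1-5 likelihood x impact scoring model from Part B applied
# to constructed findings (not Meridian's). Band thresholds are an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    name: str
    likelihood: int  # 1 (rare) .. 5 (near-certain)
    impact: int      # 1 (negligible) .. 5 (severe)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on the 1-5 scale")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Assumed bands: 1-5 low, 6-12 medium, 13-19 high, 20-25 critical."""
    if score >= 20:
        return "critical"
    if score >= 13:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def rank(findings):
    """Highest score first. Equal scores are broken by impact, i.e. the
    rarer-but-worse item goes first; that is one defensible tie-break, not
    the only one (Exercise 7 asks you to argue it either way)."""
    return sorted(findings, key=lambda f: (f.score, f.impact), reverse=True)


# Constructed pair where adding the ratings misleads and multiplying does not:
# a constant nuisance (5 x 1) versus a moderate-likelihood, moderate-impact risk (2 x 3).
CONSTRUCTED = [
    Finding("Spam hitting the shared print queue daily", likelihood=5, impact=1),
    Finding("Misaddressed email leaking a customer statement", likelihood=2, impact=3),
]


def additive_vs_multiplicative(findings):
    """Return (names ranked by likelihood + impact, names ranked by likelihood x impact)."""
    by_sum = sorted(findings, key=lambda f: f.likelihood + f.impact, reverse=True)
    return [f.name for f in by_sum], [f.name for f in rank(findings)]
```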
Part C — Analyze this (telemetry & scenarios) ⭐⭐
10.† You are handed this (illustrative) excerpt from an authentication log for the online-banking portal. All times are UTC; the source IP is in the documentation range 203.0.113.0/24.
12:01:02 user=jlopez src=203.0.113.45 result=FAIL reason=bad_password
12:01:03 user=asmith src=203.0.113.45 result=FAIL reason=bad_password
12:01:03 user=bchen src=203.0.113.45 result=FAIL reason=bad_password
12:01:04 user=dokafor src=203.0.113.45 result=FAIL reason=bad_password
12:01:05 user=ewhite src=203.0.113.45 result=FAIL reason=bad_password
(a) What kind of activity is this most likely to be? (b) Which single field is the strongest indicator? (c) Is this a threat, a vulnerability, or an exploit — or some combination? (d) Name one control that would reduce the risk this represents.
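As an added illustration of the kind of detection logic a defender would run over this excerpt (not part of the exercise set), the following Python parses the five log lines above and flags any source that fails against several distinct accounts inside a short window; the window length and account threshold are assumptions.

```python
# Added example: a detection rule run over the Exercise 10 log excerpt.
# LOG is copied from the exercise (illustrative data in 203.0.113.0/24);
# the 60-second window and the 3-account threshold are assumed tuning values.
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
12:01:02 user=jlopez src=203.0.113.45 result=FAIL reason=bad_password
12:01:03 user=asmith src=203.0.113.45 result=FAIL reason=bad_password
12:01:03 user=bchen src=203.0.113.45 result=FAIL reason=bad_password
12:01:04 user=dokafor src=203.0.113.45 result=FAIL reason=bad_password
12:01:05 user=ewhite src=203.0.113.45 result=FAIL reason=bad_password
"""

LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def parse(log: str):
    """Turn each well-formed line into a dict; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%H:%M:%S")
            events.append(d)
    return events


def spray_sources(events, window=timedelta(seconds=60), min_users=3):
    """Map source -> number of distinct accounts it failed against within one
    window. One source across many accounts is the pattern this rule looks for;
    one account failing many times from one source does not trip it."""
    fails = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]].append((e["ts"], e["user"]))
    alerts = {}
    for src, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = len(users)
                break
    return alerts
```

The same rule applied to a source that fails repeatedly against a single account returns nothing, which is why the distinct-user count, not the raw failure count, drives the alert.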
11. A new server is connected to the public internet at 9:00 a.m. with no firewall, "just for a quick test." Predict what its logs will show by noon and explain why, referencing the automation of attack. What does this tell you about the safety of "temporary" exposures?
12.† A board member says: "We spent a fortune on security and we still got phished. The money was wasted." Using the Meridian near-miss and the people/process/technology framing, write a three-sentence response that reframes what "working security" actually looked like in that incident.
Part D — Write it / design it ⭐⭐–⭐⭐⭐
13. Draft a one-paragraph scope statement for Meridian's security program: what it covers, who owns it, and what success looks like in plain language a board could read.
14.† Write the first three rows of a risk register for Meridian. For each row include: a risk description, the affected asset, likelihood (1–5), impact (1–5), the resulting score and band, and a one-line proposed treatment. Use distinct risks from those in Exercise 6.
15. Design it. Sketch (in words or a simple diagram) how you would justify a budget request for phishing-resistant authentication keys before an incident, using the language of risk rather than fear. What likelihood and impact would you cite, and what residual risk remains after the control?
16. ⭐⭐⭐ Pick any organization you know well (your school, employer, or a public company). List its five most valuable assets and, for each, the single threat you would worry about most and one control you would prioritize. Defend your choices in a page.
Part E — CTF-style challenge ⭐⭐⭐
17.† The mislabeled finding. A junior analyst files this ticket: "CRITICAL vulnerability: the CEO's calendar is visible to all employees. Threat actor: the entire company. Recommend immediate remediation." Identify everything wrong with how this ticket uses the vocabulary of risk, rewrite it correctly, and assign a defensible risk score with justification. (There may be little real risk here — part of the challenge is deciding that and saying so.)
Part F — Interleaved & forward-looking ⭐⭐
18. Of the five recurring themes introduced in this chapter, which two do you find least intuitive right now? Write a sentence predicting how you expect each to show up later in the book. (Revisit this note after Part V.)
19. This chapter claims "identity is the perimeter" is a theme of Part IV. Based only on the Meridian near-miss, write two sentences explaining what that phrase might mean and why an attacker who has a valid password but not a second factor is still locked out.
20. ⭐⭐⭐ Open reflection. Re-read the offense/defense asymmetry in §1.3. Write half a page on a domain outside computing (public health, aviation safety, fraud prevention, sports defense) that faces the same "attacker needs one success, defender must cover everything" structure. What does that field do that security could learn from?
Solutions to daggered (†) problems are in the Answers appendix. The remaining problems are deliberately open — bring them to a study group or your instructor.