Further Reading: What Is Cybersecurity?

Curated, annotated resources to deepen this chapter. Each entry notes which learning path it serves most (🛡️ SOC, 🏗️ Engineer, 📋 GRC, 📜 Cert) and its citation tier. Start with the suggested order below; you do not need to read everything before Chapter 2.

Suggested order

  1. Skim the NIST Cybersecurity Framework 2.0 introduction to see the field's shape (Govern, Identify, Protect, Detect, Respond, Recover).
  2. Read one accessible essay on security as risk management (Schneier).
  3. Browse the Verizon DBIR executive summary to ground "everything is under attack" in data.
  4. Keep the CISSP or Security+ glossary nearby as a reference, not a read-through.

Standards & primary documents (Tier 1)

  • NIST, Cybersecurity Framework (CSF) 2.0 (2024). 📋📜 The single most useful free map of what a security program contains; its six Functions structure the rest of your career. Read the Core overview.
  • NIST SP 800-30, Guide for Conducting Risk Assessments. 📋 The authoritative treatment of the risk vocabulary and process this chapter introduced informally; we return to it in Chapter 27.
  • Verizon, Data Breach Investigations Report (DBIR) (annual). 🛡️📋 An evidence-based snapshot of how breaches actually happen — overwhelmingly via stolen credentials, phishing, and known vulnerabilities. Confirms that the boring causes dominate the exotic ones.
  • CISA, Known Exploited Vulnerabilities (KEV) Catalog and alerts. 🛡️🏗️ A live feed of what is being exploited right now; a concrete antidote to treating all vulnerabilities as equal (Chapter 23).

Books (Tier 1)

  • Schneier, B., Secrets and Lies: Digital Security in a Networked World. 📋🏗️ The classic argument that "security is a process, not a product," and that people and incentives matter as much as math. Dated in specifics, timeless in mindset.
  • Chapple, M., & Seidl, D., CompTIA Security+ Study Guide. 📜 A thorough, exam-aligned tour of the whole field at an approachable depth; an excellent companion to this book for certification candidates.
  • Harris, S., & Maymí, F., CISSP All-in-One Exam Guide. 📜📋 Broader and deeper, for those aiming at CISSP or a management track; use the risk-management and security-concepts chapters alongside Part I.
  • Anderson, R., Security Engineering (3rd ed.). 🏗️ A deep, opinionated survey of how real systems fail and how to engineer them not to; dip into early chapters now, return throughout your career.

Free online resources & talks (Tier 1 / Tier 2)

  • OWASP (owasp.org). 🏗️ The open-source home of application-security knowledge; you will live here in Chapters 12–13. Browse the Top 10 to preview.
  • MITRE ATT&CK (attack.mitre.org). 🛡️ The shared language for describing attacker behavior; skim it now, master it in Chapter 2 and Part V.
  • The history of the Morris Worm (1988). 📋 Any reputable retrospective. The first internet-scale incident illustrates how exposure plus a single weakness scales — the §1.3 lesson, decades early. (Tier 2: read a well-sourced account; the specifics vary by retelling.)

Tools to explore (in your own lab only)

  • A personal threat-model worksheet. 🏗️📋 Practice the §1.2 vocabulary on your own digital life: list assets, threats, vulnerabilities, and the controls you already have. The best first lab needs no software.
  • A password-strength / breach-check habit (e.g., a reputable have-I-been-pwned-style service). 🛡️ Previews the credential-attack defenses of Chapter 16; we build the k-anonymity version of this in code.

⚖️ Authorization & Ethics reminder: Several later resources describe offensive techniques. Study them to defend; apply them only to systems you own or are explicitly authorized to test (Chapter 39).