Key Takeaways: What Is Cybersecurity?
A one-page reference. Reread this before an exam or before moving on. Dense by design.
The core vocabulary (memorize cold)
| Term | One-line definition | Example (Meridian) |
|---|---|---|
| Asset | Anything of value you protect | Customer data, the core database, reputation |
| Vulnerability | A weakness in an asset or its safeguards | Password-only login; an orphaned account |
| Threat | A potential cause of harm (often a threat actor) | A phishing crew; ransomware group |
| Exploit | The technique that turns a vulnerability into harm | The fake login portal that harvests credentials |
| Control | A measure that breaks the risk chain | Phishing-resistant MFA; segmentation |
| Risk | Likelihood × impact of harm to an asset | Credential attack succeeds → 4 × 5 = 20 |
| Residual risk | Risk remaining after controls (never zero) | Insider misuse after MFA is deployed |
| Attack surface | All points an attacker could try to enter | Every exposed service, account, API, person |
The risk chain: a threat actor uses an exploit to abuse a vulnerability in an asset → harm. A control breaks one of those arrows.
Risk = Likelihood × Impact
$$\text{Risk} = \text{Likelihood} \times \text{Impact} \quad (\text{each } 1\text{–}5,\ \text{score } 1\text{–}25)$$
| Score | Band | Action |
|---|---|---|
| 15–25 | CRITICAL | Fix now |
| 8–14 | HIGH | Fix this quarter |
| 4–7 | MEDIUM | Plan it |
| 1–3 | LOW | Accept / monitor |
- Multiply, don't add — a risk needs both a real chance and a real consequence (anything × 0 = 0).
- Prioritize by risk, not by vulnerability count. 1,400 findings → a ranked top ten.
- The model's value is the honest conversation needed to justify each rating; its limit is that it can understate risks that interact with everything else (e.g., untested backups). Richer methods: Chapters 23 (EPSS/KEV) and 27 (ALE).
The CIA triad
| Property | Protects | Attacked by | Served by |
|---|---|---|---|
| Confidentiality | Secrecy of data | Data theft / disclosure | Encryption, access control, authN |
| Integrity | Accuracy, unaltered state | Tampering, fraud | Hashing, signatures, change control |
| Availability | Access when needed | Ransomware, DoS | Backups, redundancy, DoS defense |
Different attacks hit different legs. Phishing-for-access → confidentiality; ransomware → availability; silent data alteration → integrity. Always ask which leg a threat targets and which a control protects.
The defining ideas
- Offense/defense asymmetry: attackers need to be right once; defenders, every time. Justifies defense in depth (independent layers), assume breach (an attacker is already inside), and heavy detection & response.
- Defender's advantages: home terrain, instrumentation (attacker actions generate evidence), and the option to be a harder target than the next organization.
- People, process, technology: a control is only as strong as its weakest leg. A tool with no process or people is near-useless. Buying a product rarely fixes a process problem.
The five recurring themes
- Security is a process, not a product.
- Attackers need to be right once; defenders every time.
- The human is the weakest link and the strongest asset.
- Defense in depth assumes each layer fails.
- Compliance is the floor, not the ceiling.
Certification crosswalk
| Concept | CompTIA Security+ | (ISC)² CISSP domain |
|---|---|---|
| Threat/vuln/risk vocabulary | 1.0 General Security Concepts; 2.0 Threats | Security & Risk Management |
| CIA triad | 1.0 General Security Concepts | Security & Risk Management |
| Risk = L × I, risk register | 5.0 Governance, Risk & Compliance | Security & Risk Management |
| Defense in depth / control types | 1.0; 3.0 Security Architecture | Security Architecture & Engineering |
| Attack surface / threat actors | 2.0 Threats, Vulnerabilities & Mitigations | Asset Security; Security Operations |
Project additions this chapter
- Meridian program: scope statement + asset inventory + first risk-register rows.
- bluekit toolkit: riskcalc.py, with risk_score(likelihood, impact) and band(score).
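As an added example (not the book's riskcalc.py and not the bluekit toolkit's code), the two functions named above in the shape the chapter gives them, plus a ranking step that turns a list of findings into the top-N register rows the risk-chain section asks for. The band floors and actions come from the score table; the Finding class, action_for(), rank_register() and the sample findings are assumptions made for this example.

```python
# Added illustration of the chapter's risk model; not the book's own riskcalc.py.
# risk_score()/band() follow the signatures the chapter names; Finding, rank_register(),
# action_for() and the sample rows are assumptions made for this example.
from dataclasses import dataclass

# Score bands from the chapter's table: (lowest score in band, band name, action).
# Checked from the highest floor down, so the first match is the right band.
BANDS = (
    (15, "CRITICAL", "Fix now"),
    (8, "HIGH", "Fix this quarter"),
    (4, "MEDIUM", "Plan it"),
    (1, "LOW", "Accept / monitor"),
)


def _check_rating(name: str, value: int) -> None:
    """Each factor is an integer 1-5; a 0 would zero the product and hide a real risk."""
    if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact (each 1-5, so the score is 1-25).

    Multiplying rather than adding means a risk needs both a real chance and a
    real consequence to score high; a remote threat with huge impact, or a
    near-certain one with negligible impact, both land low.
    """
    _check_rating("likelihood", likelihood)
    _check_rating("impact", impact)
    return likelihood * impact


def band(score: int) -> str:
    """Map a 1-25 score to CRITICAL / HIGH / MEDIUM / LOW per the chapter's bands."""
    if isinstance(score, bool) or not isinstance(score, int) or not 1 <= score <= 25:
        raise ValueError(f"score must be an integer from 1 to 25, got {score!r}")
    for floor, name, _action in BANDS:
        if score >= floor:
            return name
    raise AssertionError("unreachable: BANDS covers every score from 1 to 25")


def action_for(score: int) -> str:
    """The action column of the band table (assumed helper, not named in the chapter)."""
    name = band(score)
    return next(action for _floor, band_name, action in BANDS if band_name == name)


@dataclass(frozen=True)
class Finding:
    """One candidate risk-register row: who could do what to which asset, and how."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int


def rank_register(findings, top: int = 10) -> list:
    """Score every finding and return the top N as register rows, highest risk first.

    This is the 'prioritize by risk, not by vulnerability count' step: a long list
    of findings collapses to a short ranked list a team can actually act on.
    Ties are broken by asset name so the ordering is stable and reviewable.
    """
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        rows.append({
            "asset": f.asset,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "likelihood": f.likelihood,
            "impact": f.impact,
            "score": score,
            "band": band(score),
            "action": action_for(score),
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows[:top]


# Constructed sample findings for a Meridian-style register (not from the book).
SAMPLE_FINDINGS = [
    Finding("Core database", "Phishing crew", "Password-only login", 4, 5),
    Finding("File shares", "Ransomware group", "Unpatched file server", 3, 5),
    Finding("Core database", "Insider", "Orphaned account", 2, 4),
    Finding("Marketing site", "Opportunistic scanner", "Outdated CMS plugin", 3, 2),
    Finding("Lobby kiosk", "Walk-in visitor", "Default local password", 2, 1),
]


if __name__ == "__main__":
    # Print the ranked top three as a one-line-per-row register.
    for row in rank_register(SAMPLE_FINDINGS, top=3):
        print(f'{row["score"]:>2} {row["band"]:<8} {row["asset"]:<16} '
              f'{row["threat"]} / {row["vulnerability"]} -> {row["action"]}')
```

The rating check rejects 0 deliberately: the chapter's point that anything × 0 = 0 is about not inventing risks where one factor is absent, not about letting a mistyped 0 silently drop a finding off the register. Band boundaries are inclusive exactly as in the table (15 is CRITICAL, 14 is HIGH), which is the kind of edge a register spreadsheet usually gets wrong.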
Common pitfalls
- Treating every vulnerability as urgent (ignoring likelihood and impact).
- Saying "hackers" instead of naming a specific threat actor and exploit path.
- Equating "low-value data" with "low risk" (impact may be safety, uptime, or trust).
- Buying a tool to solve a process or people problem.
- Believing compliance equals security, or that any program reaches zero risk.