Home - mccright/FCCSCybersecurityInput GitHub Wiki

In the context of your course about foundational concepts of computer science, these notes about cybersecurity are an attempt to introduce some highlights that may be integrated into the rest of your computer science curriculum.

Cybersecurity is Global

For example: [網絡安全, الأمن السيبراني, Onlinesicherheit, साइबर सुरक्षा, sicurezza informatica, 사이버 보안, keselamatan siber, Cybersecurity, د سایبرسنیت, кибер-безопасности, shabakada internetka, சைபர்], an ninh mạng, ukuphepha kwe-cyber]
[Trad Chinese, Arabic, German, Hindi, Italian, Korean, Malay, Norwegian, Pashto, Russian, Somali, Tamil, Vietnamese, and Zulu]

'Cybersecurity' - What is it?

[A 'state,' 'quality,' or 'condition']

Cybersecurity is associated with our global connectivity.
[...that does not negate the fact that it extends to the hyper-local as well. Physical security is a foundational component of cybersecurity defenses.]
Cybersecurity aids in the
safe-enough use of internet-connected systems,
including people, processes, hardware, software and data,
in the face of cyberattack.
Hostile actors try to exploit weaknesses in organization's infrastructure and operations.
Cybersecurity is a quality that resists negative outcomes associated with active and/or passive attacks and attackers.
Traditional quality assurance practices generally do not address many relevant hostile behaviors.

'Cybersecurity' - What is it?

[A 'process,' 'a way of engineering and managing,' or a 'culture']

Cybersecurity is about managing software, hardware, and operations vulnerabilities,
resisting, detecting & responding to attacks,
remaining resilient under attack, and
maintaining processes that deliver desired capabilities, as well as
effectively communicating current posture to all those who need to know.
This is different than "security technology" (like a firewall, or antivirus, or some crypto protocol). A security feature can be one way to tackle a given cybersecurity risk in technology & operations, but security technology is materially insufficient in our interconnected world.
Security is one of the qualities of our technology-enabled world today -- one of many essential qualities -- delivered via risk-appropriate prioritization and operations.
Attackers attack.
All facets of every system are candidates for attack -- with special attention to weaknesses.
Cybersecurity qualities resist active and passive attackers.

'Cybersecurity' - What is it to you?

Use these resources to frame a quick discussion about the breadth of this topic: https://intelligence.weforum.org/topics/a1Gb00000015LbsEAE?tab=publications, https://en.wikipedia.org/wiki/Computer_security and https://en.wikipedia.org/wiki/Category:Computer_security. Or use them to help frame your thinking and teaching about this complex topic.

Effective cybersecurity is bound up in a complex technical, social, ethical, and legal ecosystem.

Why is it important to manage cybersecurity risk well?

• Our customers rely on it.
• Our shareholders expect it.
• Regulators demand it.
• Rating agencies look for it.
• In some contexts,
  • Individual health and safety depend upon it.
  • Societal cohesion is supported by it.
  • Science & technological evolution depend upon it.
  • The administration and enforcement of laws...
  • Democracy itself...

Material Index: FCCS Cybersecurity Resources

Note about Security

Greg Wilson's 'idea' page reminded me of the adage about the correctness of analyses:

Physicists worry about decimal places, astronomers worry about exponents, and economists are happy if they've got the sign right.

Every discipline uses its own heuristics to identify what is 'good enough.'xkcd

I believe that information security doesn’t yet have a shared set of heuristics for determining what is 'safe enough.' If we put a dozen formal risk analyses in front of a couple dozen information security practitioners and ask them which ones seem OK and which ones seem weak or suspect, we are relatively certain to get a wide range of responses. In addition, my experience suggests that the reasons underlying agreements and disagreements would likely share little to moderate consistency (on any level). As a result, I think that 'Information security' in the context of corporate-America remains an immature field and its practitioners have wildly varying backgrounds.

---

In your teaching about information and application security, & cybersecurity, it is sometimes useful to be relatively explicit about the context of any given usage of the term "security."

Here are some various ways to think about the concept of "security" (not an exhaustive list):

1. Safety, or a given means and/or source of security (problem with circularity here).
2. Safety, or a guarantee or security (problem with circularity here).
3. Safety, or safety and/or security of the interests of a given organization, individual, thing etc. security (problem with circularity here).
4. To be safe, or to provide for one's own safety via rescue, deliverance, or escape from a threat or harm.
5. Stability, or the absence of change or movement, sometimes expressed as a condition of being firmly fixed.
6. Wholeness, or a condition of an organization's, individual's, or thing's entirety being well bound and/or firmly fixed.
7. Protection/defense, or a given means of protection and/or defense.
8. Resistance to compromise or ill effects in the presence of attack.
9. Resilience in the presence of attack.
10. Preservation from injury.
11. Preservation from destruction.
12. Care about preservation from injury or destruction.
13. Vigilance in the form of monitoring, watching, guarding, or otherwise observing a target environment.
14. Rescue or deliverance from threat and/or harm.
15. Escape from threat and/or harm.
16. Belief, or an absence of doubt and confidence in a state of security (problem with circularity here).
17. Expectation, or a confidence, hope, and/or trust in a given state of security (problem with circularity here).
18. Pleasure, or the freedom from trouble, care, and/or sorrow about a given state of security (problem with circularity here).
19. Assertion, or a pledge about a given state of security (problem with circularity here).
20. Compliance, with mandated security controls (problem with circularity here).
21. Guarantee, or a promise by a bondsman or other guarantor to retain a given state of security (problem with circularity here).
22. Obligation, or a requirement granting a given state of legal security (problem with circularity here).
23. Management of assets (often money), or a pledge, promise, and/or requirement to maintain a stated level of solvency (often incorporated into security discussions at financial services organizations).