CS: What is Cybersecurity

Cybersecurity is a holistic discipline focused on protecting people, systems, and data by understanding threats, technology, and human behavior together.

Why Cybersecurity Exists

Cybersecurity exists to protect information, systems, and people in a world where technology is deeply interconnected and constantly exposed to misuse. At its core, cybersecurity ensures confidentiality, integrity, and availability, which together form the foundation of all security decisions and defenses.

Cybersecurity is the practice of ensuring the confidentiality, integrity, and availability of information by protecting networks, devices, people, and data from unauthorized access or criminal exploitation.

CIA Triad

A foundational model that helps inform how organizations consider risk when setting up systems and security policies.

  • Confidentiality ensures that information is accessible only to authorized individuals
  • Integrity ensures that data remains accurate and unaltered
  • Availability ensures that systems and data are accessible when needed

Every cybersecurity discipline ultimately serves one or more of these principles, regardless of the technology or environment involved.

Maintaining an acceptable level of risk and ensuring that systems and policies are designed with these elements in mind helps establish a successful security posture.

Security posture is an organization’s ability to manage its defense of critical assets and data and react to change. A strong security posture leads to lower risk for the organization.


Security, Compliance, and Risk

Because organizations operate under laws, regulations, and industry standards, cybersecurity is often discussed alongside compliance. Compliance refers to adhering to internal policies and external regulations in order to avoid fines, legal consequences, and baseline security failures.

  • Compliance focuses on meeting documented requirements
  • Security focuses on reducing real-world risk
  • A compliant system can still be insecure

**Compliance** is the process of adhering to internal standards and external regulations and enables organizations to avoid fines and security breaches.

Understanding this distinction is critical, because attackers do not target compliance documents — they target weaknesses.


Who Attacks and Why

Once we understand why systems need protection, the next question is who threatens them. Threat actors are individuals or groups that pose a security risk to computers, applications, networks, and data. Their motivations vary widely, but their actions can lead to data theft, disruption, or long-term compromise.

  • Threat actors can be external attackers or insiders
  • They may be financially motivated, politically motivated, or opportunistic
  • Many attacks exploit human behavior rather than technical flaws

A **threat actor**, or malicious attacker, is any person or group who presents a security risk. This risk can relate to computers, applications, networks, and data.

Defensive security begins by understanding attackers, not tools.


What Attackers Target

Threat actors do not attack systems randomly. They target the places where access, data, or control can be gained with the least resistance.

Data

Attackers frequently target data that can be used to identify individuals.

  • Personally identifiable information (PII): any information that can be used to infer an individual's identity, including:
      • full name
      • date of birth
      • physical address
      • phone number
      • email address
      • IP address and similar information
  • Sensitive personally identifiable information (SPII): a specific type of PII that falls under stricter handling guidelines, including:
      • social security number
      • medical information
      • financial information
      • biometric data, like facial recognition

Exposure of this information can cause long-term harm to individuals and irreversible damage to organizational trust.
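Because SPII must be handled more strictly than ordinary PII, defenders usually start by classifying what a record contains so the right handling rules can be applied. The following added example (not code from the original notes) scans free text for the PII and SPII categories listed above and assigns a handling tier; the regular expressions and the sample strings are constructed for illustration and would need tuning for a real data set.

```python
import re
from dataclasses import dataclass, field

# Detection patterns constructed for this example; real classifiers are tuned per data set.
PII_PATTERNS = {
    "email address": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone number": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "IP address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "date of birth": re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"),
}
# SPII patterns: anything matched here forces the stricter tier.
SPII_PATTERNS = {
    "social security number": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment card number": re.compile(r"\b(?:\d{4}[- ]){3}\d{4}\b"),
}


@dataclass
class Classification:
    tier: str                      # "public", "PII" or "SPII"
    findings: dict = field(default_factory=dict)  # category -> number of hits


def classify(text: str) -> Classification:
    """Return the handling tier for a piece of text plus what was found in it."""
    findings = {}
    for label, pattern in SPII_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            findings[label] = len(hits)
    has_spii = bool(findings)
    for label, pattern in PII_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            findings[label] = len(hits)
    if has_spii:
        tier = "SPII"
    elif findings:
        tier = "PII"
    else:
        tier = "public"
    return Classification(tier, findings)


def redact(text: str) -> str:
    """Mask SPII before the text is logged, shared or stored in a lower-tier system."""
    for pattern in SPII_PATTERNS.values():
        text = pattern.sub("[REDACTED]", text)
    return text


if __name__ == "__main__":
    # Constructed sample records, not real personal data.
    for sample in (
        "Contact: jane@example.com, 555-123-4567",
        "SSN 123-45-6789 on file, email jane@example.com",
        "Weather is nice",
    ):
        result = classify(sample)
        print(result.tier, result.findings, "->", redact(sample))
```

The two-pass structure matters: SPII is checked first so that a record containing both a phone number and a social security number is never downgraded to the looser PII tier, and `redact` masks only the SPII categories, since ordinary PII may still be needed by the business process that handles the record.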

Control

Two of the most common technical targets are networks and cloud environments.

Network security focuses on protecting the infrastructure that connects systems, users, and services. Because networks act as the digital highways of an organization, a single weakness can expose many systems at once.

  • Networks carry critical data and services
  • Unauthorized access enables lateral movement
  • Network weaknesses often lead to full compromise

**Network security** is the practice of keeping an organization's network infrastructure secure from unauthorized access. This includes data, services, systems, and devices that are stored in an organization's network.

As organizations move workloads online, cloud environments become equally important targets.

Cloud security applies the same cybersecurity principles to data and systems hosted in remote data centers and accessed over the internet. While the cloud provides flexibility and scalability, it introduces new risks related to configuration and access control.

  • Cloud assets must be correctly configured
  • Access must be restricted to authorized users
  • Misconfiguration is one of the most common cloud security failures

**Cloud security** is the process of ensuring that assets stored in the cloud are properly configured, or set up correctly, and that access to those assets is limited to authorized users.

Cloud security is a growing subfield of cybersecurity, not a replacement for it.


How Attacks Are Executed

To understand defense, it is necessary to understand how attacks actually work. One common method attackers use is malicious software. Early examples such as the Brain virus and the Morris worm demonstrated how software could spread automatically and disrupt large numbers of systems.

  • A computer virus attaches itself to programs or documents
  • It spreads by infecting other systems
  • Modern attacks use the broader category known as malware

The impact of the Morris worm was so severe that it led to the creation of Computer Emergency Response Teams (CERTs), establishing incident response as a formal discipline.

Once attackers gain access, they often maintain control using a structure known as command, control, and communications.

The Three C's:

  • Command refers to issuing instructions
  • Control refers to maintaining persistence
  • Communications refers to covert data exchange

This structure explains how botnets and long-term compromises operate.


Attacking People Instead of Systems

Not all attacks rely on technical vulnerabilities. Social engineering focuses on manipulating people rather than software, exploiting trust, fear, authority, or curiosity.

  • Social engineering targets human decision-making
  • It bypasses technical defenses entirely
  • A famous example is the LoveLetter attack

Phishing is the use of digital communication to trick people into revealing sensitive data or deploying malicious software.

Phishing is one of the most common forms of social engineering and remains highly effective because it scales easily and relies on human assumptions.

  • Business Email Compromise (BEC): A threat actor sends an email message that seems to be from a known source to make a seemingly legitimate request for information, in order to obtain a financial advantage.
  • Spear phishing: A malicious email attack that targets a specific user or group of users. The email seems to originate from a trusted source.
  • Whaling: A form of spear phishing. Threat actors target company executives to gain access to sensitive data.
  • Vishing: The exploitation of electronic voice communication to obtain sensitive information or to impersonate a known source.
  • Smishing: The use of text messages to trick users, in order to obtain sensitive information or to impersonate a known source.

Many major breaches begin with a single successful phishing message.
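Because phishing relies on human assumptions, mail defenses look for the signals a hurried reader tends to miss: a display name that claims a trusted brand while the sending domain is unrelated, a Reply-To that differs from From, urgency language, and a link whose visible text shows one host while the href points at another. The following is an added example, not code from the original notes, that scores a message on those four indicators; the sample messages, the trusted-domain list and the urgency word list are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages (not real mail). Domains use the reserved .test TLD.
SUSPICIOUS_EMAIL = """\
From: "Example Bank Support" <support@examp1e-bank-login.test>
Reply-To: collect@mailbox-free.test
To: jane@example.test
Subject: URGENT: your account will be suspended in 24 hours
Content-Type: text/html

<p>Please verify your account immediately.</p>
<a href="http://login.examp1e-bank-login.test/verify">https://www.example-bank.test/verify</a>
"""

BENIGN_EMAIL = """\
From: "Example Bank" <statements@example-bank.test>
To: jane@example.test
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is available.</p>
<a href="https://www.example-bank.test/statements">https://www.example-bank.test/statements</a>
"""

# Domains the receiving organization treats as legitimate senders (constructed).
TRUSTED_DOMAINS = {"example-bank.test", "example.test"}
URGENCY_WORDS = ("urgent", "immediately", "suspended", "verify your account", "24 hours")
LINK_RE = re.compile(r'<a\s+href="([^"]+)">([^<]+)</a>', re.IGNORECASE)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> tuple[int, list[str]]:
    """Return (number of indicators hit, human-readable reasons) for a raw RFC 5322 message."""
    msg = message_from_string(raw)
    reasons = []

    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = _domain(reply_addr)

    # 1. Display name borrows a trusted brand, but the sending domain is not trusted.
    brands = {d.split(".")[0].replace("-", " ") for d in TRUSTED_DOMAINS}
    if from_dom not in TRUSTED_DOMAINS and any(b in display.lower() for b in brands):
        reasons.append(f"display name '{display}' used with untrusted domain {from_dom}")

    # 2. Replies are redirected to a different domain than the sender's.
    if reply_dom and reply_dom != from_dom:
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Urgency or fear language in subject or body.
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        reasons.append("urgency language: " + ", ".join(hits))

    # 4. Link text shows a URL whose host differs from the real href host.
    for href, shown in LINK_RE.findall(body):
        if shown.strip().lower().startswith("http"):
            real_host = urlparse(href).hostname or ""
            shown_host = urlparse(shown.strip()).hostname or ""
            if real_host != shown_host:
                reasons.append(f"link shows {shown_host} but points to {real_host}")

    return len(reasons), reasons


def verdict(raw: str, threshold: int = 2) -> str:
    score, _ = score_message(raw)
    return "suspicious" if score >= threshold else "ok"


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        score, reasons = score_message(raw)
        print(f"{name}: score={score} verdict={verdict(raw)}")
        for r in reasons:
            print("  -", r)
```

No single indicator is proof on its own (legitimate bulk mail sometimes sets a different Reply-To), which is why the example counts indicators and applies a threshold rather than blocking on any one of them; in a real pipeline the score would feed a mail gateway or SOC alert for a human to confirm.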


Defending at Scale with Programming

Because attacks occur at scale, defense must also scale. Programming plays a critical role in modern cybersecurity by enabling automation, detection, and faster response.

  • Automating repetitive security tasks
  • Reviewing web and network traffic
  • Alerting on suspicious activity

Languages such as Python and SQL are commonly used to interact with logs, databases, and security tools. Without automation, security teams quickly become overwhelmed.
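A concrete instance of "reviewing traffic and alerting on suspicious activity" with Python and SQL together: parse authentication log lines, load them into a database, and let SQL queries express the detection rules. This is an added example rather than code from the original notes; the log format, the sample lines (using documentation IP addresses) and the failure threshold are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample log lines in a simple syslog-like format (not from a real system).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z sshd: login failed user=admin src=203.0.113.5
2024-05-01T08:00:03Z sshd: login failed user=root src=203.0.113.5
2024-05-01T08:00:04Z sshd: login failed user=admin src=203.0.113.5
2024-05-01T08:00:06Z sshd: login failed user=backup src=203.0.113.5
2024-05-01T08:00:09Z sshd: login failed user=admin src=203.0.113.5
2024-05-01T08:00:12Z sshd: login success user=admin src=203.0.113.5
2024-05-01T08:01:00Z sshd: login success user=alice src=198.51.100.7
2024-05-01T08:02:30Z sshd: login failed user=alice src=198.51.100.7
2024-05-01T08:02:45Z sshd: login success user=alice src=198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: login (?P<outcome>failed|success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
FAIL_THRESHOLD = 5  # constructed value; tune to the environment's normal failure rate


def parse_lines(text: str) -> list[tuple[str, str, str, str]]:
    """Turn raw log text into (timestamp, outcome, username, source) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped here; production code should count them
        events.append((m["ts"], m["outcome"], m["user"], m["src"]))
    return events


def load_db(events) -> sqlite3.Connection:
    """Load parsed events into an in-memory SQLite table so rules can be written in SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (ts TEXT, outcome TEXT, username TEXT, src TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?)", events)
    return conn


def find_alerts(conn: sqlite3.Connection, threshold: int = FAIL_THRESHOLD) -> list[str]:
    alerts = []
    # Rule 1: many failed logins from a single source (password guessing).
    for src, n in conn.execute(
        "SELECT src, COUNT(*) FROM events WHERE outcome = 'failed' "
        "GROUP BY src HAVING COUNT(*) >= ?",
        (threshold,),
    ):
        alerts.append(f"brute-force: {n} failed logins from {src}")
    # Rule 2: a successful login from a source that already had >= threshold failures
    # before it; ISO 8601 timestamps sort correctly as strings.
    query = """
        SELECT s.src, s.username, s.ts
        FROM events s
        WHERE s.outcome = 'success'
          AND (SELECT COUNT(*) FROM events f
               WHERE f.src = s.src AND f.outcome = 'failed' AND f.ts < s.ts) >= ?
        ORDER BY s.ts
    """
    for src, user, ts in conn.execute(query, (threshold,)):
        alerts.append(f"success-after-failures: {user} from {src} at {ts}")
    return alerts


def analyze(text: str, threshold: int = FAIL_THRESHOLD) -> list[str]:
    return find_alerts(load_db(parse_lines(text)), threshold)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The second rule is the one worth escalating: a burst of failures is noise on any internet-facing host, but a success that follows the burst from the same source is the signal that the guessing worked, so a SOC would want it ahead of the plain brute-force count.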

To communicate effectively and avoid ambiguity, cybersecurity relies on standardized terminology. Authoritative references such as the glossary maintained by the National Institute of Standards and Technology provide shared definitions that help teams align on concepts and expectations.


The Role of Security Teams

Cybersecurity is not just a technical function; it is a business-critical one. Security teams exist to protect organizations from both external and internal threats while enabling operations to continue safely.

  • Protecting systems and data
  • Meeting regulatory and legal requirements
  • Reducing financial and operational losses
  • Preserving customer and brand trust

Strong security enables business growth rather than blocking it.

To explore a variety of cybersecurity terms, visit the National Institute of Standards and Technology glossary.

Security team job titles:

  • Security analyst or specialist
  • Cybersecurity analyst or specialist
  • Security Operations Center (SOC) analyst
  • Information security analyst
  • Digital Forensics and Incident Response (DFIR) analyst

Security Analyst or Security Specialist

The security analyst or security specialist is often the most general and widely used role within a security team. This role focuses on monitoring systems, identifying potential threats, and ensuring that security controls are correctly implemented and maintained. Security analysts are typically involved in both preventive and detective security activities.

  • Monitoring systems, logs, and alerts
  • Identifying suspicious behavior and potential vulnerabilities
  • Maintaining and tuning security controls and tools
  • Supporting secure software and hardware development
  • Proactively working to prevent incidents before they occur

This role requires a strong understanding of systems and the ability to prioritize risks based on real-world impact.


Security Operations Center (SOC) Analyst

As organizations scale, security monitoring and response are centralized within a Security Operations Center. SOC analysts focus on real-time detection and incident handling, operating in high-tempo environments where rapid decision-making is critical.

  • Continuous monitoring of security events
  • Triage and validation of alerts
  • Distinguishing real threats from false positives
  • Escalating confirmed incidents
  • Documenting incidents and observed attack patterns

SOC analysts are often the first to detect active attacks and play a crucial role in minimizing damage through early response.


Cybersecurity Analyst

The cybersecurity analyst role is sometimes used interchangeably with security analyst, but in many organizations it implies a broader and more strategic perspective. Cybersecurity analysts focus on understanding trends, attacker behavior, and systemic weaknesses rather than individual alerts alone.

  • Analyzing attack patterns across multiple systems
  • Assessing organizational exposure to emerging threats
  • Improving detection and response strategies
  • Supporting threat modeling and security architecture
  • Translating technical findings into business risk

This role bridges day-to-day security operations with long-term security improvement.


Information Security Analyst

Information security analysts focus primarily on protecting information assets rather than specific technologies. Their work emphasizes data protection, access control, governance, and compliance, ensuring that sensitive information is handled securely throughout its lifecycle.

  • Protecting sensitive and regulated data
  • Supporting compliance and regulatory requirements
  • Defining and enforcing security policies
  • Reviewing access controls and data handling processes
  • Reducing risks related to insiders and human processes

This role operates at the intersection of technology, policy, and organizational behavior.


Digital Forensics and Incident Response (DFIR) Analyst

When prevention and detection are not enough, Digital Forensics and Incident Response analysts step in to understand what happened and how to recover. DFIR analysts specialize in deep technical investigation and evidence-based analysis following security incidents.

  • Investigating security breaches and intrusions
  • Preserving and analyzing digital evidence
  • Reconstructing attack timelines and techniques
  • Supporting containment, eradication, and recovery
  • Assisting with legal, regulatory, or law enforcement needs

DFIR analysts focus on accuracy, traceability, and technical depth, often working under significant time pressure.


How These Roles Work Together

Although these analyst roles have different focuses, they are tightly interconnected. SOC analysts detect incidents, security and cybersecurity analysts analyze patterns and improve defenses, information security analysts protect data and governance, and DFIR analysts investigate and recover from incidents. Together, they form a continuous security loop that strengthens the organization over time.

This layered structure allows security teams to move from reactive defense to proactive risk reduction, ensuring that lessons learned from incidents directly improve future protection.


Closing the Loop

Cybersecurity is fundamentally about managing risk in complex, interconnected systems. It combines people, processes, and technology to reduce the likelihood and impact of attacks. By understanding why security exists, who attacks, how attacks work, and how defenses are built and operated, you establish a foundation that supports every advanced topic that follows — from threat modeling and secure development to firmware security and incident response.