Module 1 of 25 · Foundations

What cybersecurity is and is not

30 min read · 3 outcomes · 4 interactive diagrams + drag challenge · 5 standards cited

This is the first of 9 Foundations modules. The Foundations stage builds the conceptual vocabulary you need for the Applied and Practice & Strategy stages that follow (25 modules total, ~28 hours). No prior cybersecurity knowledge is required.

By the end of this module you will be able to:

  • State the NCSC definition of cybersecurity and explain each of its three components
  • Distinguish cybersecurity from information security and IT security with concrete examples
  • Name the three goals of the CIA triad and identify which one WannaCry primarily violated

Real-world incident · 12 May 2017

Hospitals turned patients away. The cause was software.

On 12 May 2017, hospitals across England began turning patients away. Operating theatres went dark mid-procedure. Ambulances were redirected. Staff reverted to pen and paper.

The cause was a piece of software called WannaCry. It was ransomware: a program that encrypts files on a computer and demands payment (in this case, Bitcoin) to unlock them. WannaCry did not target the NHS specifically. It was self-propagating, spreading automatically and without any user action to any machine running an older, unpatched version of Windows, by exploiting a vulnerability in a protocol called SMBv1 (Server Message Block version 1, the legacy Windows file-sharing protocol). Microsoft had published a fix for that vulnerability in security bulletin MS17-010 in March 2017, two months before the outbreak; the machines that fell were those on which the fix had not been applied or on which SMBv1 was still enabled.
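The check below is an added example, not part of the original course material: it is what a Windows administrator would run today to find out whether a host still has SMBv1 switched on (the protocol WannaCry spread over) and, on request, to turn it off. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later, where the SmbShare cmdlets are available; older versions need a different (registry-based) method.

```powershell
param(
    [switch]$Remediate   # pass -Remediate to actually disable SMBv1
)

# Added example, not from the course page: audit (and optionally disable) the
# SMBv1 file-sharing protocol that WannaCry propagated over.
# Assumes an elevated PowerShell session on Windows 8 / Server 2012 or later.

# 1. Server-side switch: is the SMBv1 server component enabled right now?
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED on $env:COMPUTERNAME"
} else {
    Write-Host "SMBv1 server is disabled on $env:COMPUTERNAME"
}

# 2. Is the SMB1 feature installed at all? (Client SKUs; on Server SKUs use
#    Get-WindowsFeature -Name FS-SMB1 instead.)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
Write-Host "SMB1Protocol feature state: $($feature.State)"

# 3. Remediation, only when explicitly requested: switch the protocol off
#    (effective for new sessions) and remove the feature (completes on reboot).
if ($Remediate) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
    Write-Host "SMBv1 disabled; reboot to finish removing the feature."
}
```

Disabling SMBv1 breaks any device that still depends on it (old printers, scanners, NAS boxes), which is exactly why it so often stayed enabled; inventory those dependencies before flipping it off. Checking for the MS17-010 patch itself is also worthwhile, but the KB article number differs by Windows version, so look it up in the bulletin rather than hard-coding one.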

The UK's National Audit Office investigated the incident and recorded 19,494 cancelled appointments and five accident and emergency departments diverting ambulances; the Department of Health and Social Care later estimated the total cost to the NHS at approximately £92 million. No patient data was found to have been stolen, but the harm was real, immediate, and physical: people could not receive medical treatment.

No patient data was stolen. Yet people could not receive treatment. Does that still count as a cybersecurity incident?

That incident is a useful starting point for a cybersecurity course because it demonstrates something that surprises many newcomers to the field: cybersecurity failures are not abstract. They disrupt real services and affect real people. Understanding what cybersecurity actually covers, and what it does not cover, is the foundation for everything that follows.

This module assumes no prior cybersecurity knowledge. If the terms below are already familiar, use the knowledge checks to confirm your understanding and move to Module 2: Risk and outcomes.


With the learning outcomes established, this module begins by examining what cybersecurity actually means in depth.

1.1 What cybersecurity actually means

The word "cybersecurity" appears in legislation, boardrooms, and newspaper headlines with surprisingly little precision. Before building on the concept, it helps to pin down a working definition from a credible source.

Cyber security is the protection of internet-connected systems, including hardware, software and data, from cyberattack.

UK National Cyber Security Centre (NCSC) - Official definition, ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

This is the UK government's working definition. It deliberately uses 'internet-connected systems' to signal broad scope (not just desktops), and 'cyberattack' to distinguish from accidental failures. We will use this as our baseline throughout the Foundations stage.

That definition has three components worth examining individually:

  1. "Internet-connected systems" signals a broad scope: servers, laptops, smartphones, industrial control systems (think power stations and water treatment plants), medical devices, and cloud services all qualify.
  2. "Hardware, software and data" means physical devices, the programs running on them, and the information they hold are all in scope. Not just "the data." A compromised firmware update on a router is a cybersecurity problem even if no data is touched.
  3. "Cyberattack" refers to malicious acts carried out using digital means: criminal groups deploying ransomware, nation-states conducting espionage, insiders exfiltrating intellectual property, or automated bots scanning for unpatched systems.

What the definition does not say is equally informative. It does not say "hacking only." It does not restrict scope to desktop computers. An organisation's supply chain software, its backup tapes stored offsite, and the smart building management system controlling the air conditioning are all part of the attack surface that practitioners must consider.

With a working definition in place, the next step is to separate cybersecurity from the two terms it is most often confused with: information security and IT security.

A Security Operations Centre (SOC) where analysts monitor alerts in real time. Cybersecurity is not a single tool; it is an ongoing process involving people, technology, and procedures working together.

1.2 Cybersecurity, information security, and IT security

These three terms are frequently treated as interchangeable. They are related but not identical, and conflating them creates real gaps in protection. Think of them as concentric circles.

Information security (often abbreviated InfoSec) is the broadest. It covers the protection of all information, regardless of format. A locked filing cabinet containing patient records is an information security control. A policy against discussing client names in public is an information security measure. InfoSec predates the internet by decades and is governed by frameworks such as ISO/IEC 27001:2022, which applies to any information asset whether digital, paper, or verbal.

IT security focuses specifically on the technology infrastructure: servers, databases, networks, operating systems, and applications. It is a subset of information security, restricted to digital and electronic systems. The IT security team ensures the servers are patched, the network is segmented, and the backups are tested.

Cybersecurity overlaps substantially with IT security but is specifically oriented toward threats that originate in or travel through cyberspace. It emphasises connectivity, the internet, and adversarial behaviour exploiting that connectivity. A virus spreading through a USB stick in an air-gapped network is an IT security concern. The same virus spreading through the internet is a cybersecurity concern.

Information security: preservation of confidentiality, integrity and availability of information. Note 1 to entry: In addition, other properties, such as authenticity, accountability, non-repudiation, and reliability can also be involved.

ISO/IEC 27000:2018, Information security management systems - Overview and vocabulary, Clause 3.28, definition of 'information security'

ISO defines information security with no restriction on format. This is deliberate: it ensures paper records, verbal communications, and digital data are all covered. Cybersecurity is a subset of this broader discipline, focused specifically on networked digital threats.

Common misconception

Cybersecurity and IT security are the same thing.

IT security covers digital systems and infrastructure. Cybersecurity specifically focuses on networked systems and threats from cyberspace. Critically, both are subsets of information security, which also covers physical records, verbal disclosures, and procedural controls. An attacker who photographs a whiteboard containing passwords in a meeting room has exploited an information security gap that no firewall would prevent.

Having placed cybersecurity inside information security and alongside IT security, it is worth ruling out three things cybersecurity is not.

This is what IT infrastructure looks like in practice: server racks with network cables in a data centre. IT security protects these physical and digital systems. Cybersecurity focuses on the networked threats targeting them.

1.3 Three things cybersecurity is not

Clarity on scope requires ruling things out. Three misconceptions appear repeatedly in organisations new to the subject.

1.3.1 Cybersecurity is not just about preventing hacking

WannaCry was not a targeted attack. Nobody sat at a keyboard trying to break into the NHS. The ransomware was a worm: it spread automatically to any vulnerable system it could reach, like an infection moving through a crowd. Many incidents involve negligence (an employee sending data to the wrong email address), misconfiguration (a cloud storage bucket left publicly accessible), or insider behaviour rather than skilled external attackers.

1.3.2 Cybersecurity is not solely an IT department responsibility

When the NIST CSF 2.0 was published in February 2024, it introduced Govern as an explicit function alongside Identify, Protect, Detect, Respond, and Recover. That was not an accident. Govern recognises that cybersecurity decisions involve the board, legal counsel, HR, procurement, and operations. If the CEO clicks a phishing link, the IT team's firewall is not the thing that failed.

1.3.3 Cybersecurity is not a product you can buy

No single tool, antivirus program, or "next-gen firewall" constitutes a complete cybersecurity posture. Security is a process requiring ongoing assessment, training, adaptation, and (frankly) accepting that perfect protection does not exist. The goal is to reduce risk to an acceptable level, not to eliminate it.

Common misconception

We bought a firewall and an antivirus licence. We are secure.

In 2017, Equifax suffered a breach exposing the personal data of approximately 147 million people despite having substantial security investment. An Apache Struts vulnerability (CVE-2017-5638), publicly known since March 2017, went unpatched for months because the organisation's patch management process failed. The technology was available; the process to apply it was not. This is exactly the gap the NIST CSF 2.0 Govern function was designed to address.

Having ruled out what cybersecurity is not, the next question is what, precisely, it protects.


1.4 The CIA triad: what cybersecurity protects

Every cybersecurity control, policy, and technology aims to protect one or more of three core properties. These are collectively called the CIA triad (nothing to do with the intelligence agency). The three properties are Confidentiality, Integrity, and Availability.


Applying the CIA triad back to WannaCry: the attack primarily violated availability. NHS staff could not access patient records, scheduling systems, or diagnostic tools. The ransomware did not steal data (a confidentiality violation) or modify record contents (an integrity violation). It locked people out.

This distinction matters because the response differs. A confidentiality breach means establishing what was taken and who must be told; an availability outage means failover, recovery, and service restoration. One caveat for practitioners: under the UK GDPR a personal data breach includes loss of access to personal data, not only its disclosure, so a ransomware outage that encrypts patient records may still be notifiable to the regulator even though nothing was stolen. Treating every incident the same way wastes time and resources.

You will revisit the CIA triad in depth in Module 5: CIA triad and simple attacks, where you will classify real attack types by which property they target and apply the STRIDE threat model.

1.5 Check your understanding

A hospital's administrative staff are trained to shred documents containing patient names. A new manager argues this is 'not a cybersecurity issue' because it involves paper. Which statement is most accurate?

Your company buys an endpoint detection tool and the CISO declares the company 'secure.' Three months later, an attacker uses a phishing email to steal finance credentials and transfers funds. Which gap does this illustrate?

During the WannaCry incident, NHS hospitals could not access patient records or scheduling systems. Which CIA triad property was most directly violated?

1.6 The NIST CSF 2.0: a map for this course

The NIST Cybersecurity Framework 2.0, published in February 2024, provides a widely adopted structure for organising cybersecurity activities. Think of it as a table of contents for everything a security programme needs to do. It defines six functions: Govern, Identify, Protect, Detect, Respond, and Recover.

This course uses the NIST CSF 2.0 as a structural reference throughout. Each module maps to one or more of these functions. By the end of the Foundations stage, you will be able to place any cybersecurity concept you encounter into this framework.


The addition of Govern in CSF 2.0 was significant. Previous versions treated governance as part of Identify. The NIST team separated it because years of breach investigations showed that the most common root cause was not a technical failure. It was a leadership failure: organisations that did not treat cybersecurity as a business priority, did not fund it adequately, and did not hold anyone accountable for outcomes. Governance addresses that gap directly.

In Module 2: Risk and outcomes, you will learn the risk formula that the Govern function uses to prioritise investment. The SolarWinds supply chain attack will show why risk assessment is not a one-time exercise.


1.7 What this looks like in a real organisation

To make this concrete, here is how a mid-sized UK company might map its cybersecurity activities to the NIST CSF 2.0 functions:


Key takeaways

  • Cybersecurity protects internet-connected systems (hardware, software, data) from cyberattack. It is a subset of information security, which also covers physical and verbal security. IT security sits between the two.
  • Cybersecurity is not synonymous with hacking prevention, IT department responsibility, or a product purchase. It requires governance, people, process, and technology working together. The Equifax and WannaCry incidents both demonstrate this.
  • The CIA triad (Confidentiality, Integrity, Availability) is the foundational model for understanding what cybersecurity protects. Every attack violates at least one. WannaCry primarily violated availability.
  • The NIST CSF 2.0 (February 2024) organises cybersecurity into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern was added because leadership failures, not just technical ones, are the most common root cause of breaches.
  • Real security programmes map concrete activities to each CSF function. The framework is not a compliance checklist; it is a language for structuring risk decisions.

Standards and sources cited in this module

  1. NCSC UK, 'What is cyber security?' (2023)

    Definition section, ncsc.gov.uk/section/about-ncsc/what-is-cyber-security

    Primary UK government definition. Sets the three-part scope (systems, assets, cyberattack) used as the baseline throughout Foundations.

  2. NIST Cybersecurity Framework 2.0 (February 2024)

    Section 1 (Introduction), Section 2 (Framework Core), Appendix A (Function/Category/Subcategory taxonomy)

    Structural reference for this course. Defines six functions and the risk management framing introduced in Section 1.6. The addition of Govern is discussed as a direct response to governance failures in breach investigations.

  3. NIST SP 800-12 Rev.1, An Introduction to Information Security (2017)

    Section 2.1, Three Goals of Information Security

    Authoritative US government definition of the CIA triad. Establishes Confidentiality, Integrity, and Availability as the basis for all security programme design.

  4. ISO/IEC 27000:2018, Information security management systems - Overview and vocabulary

    Clause 3.28, definition of 'information security'

    Defines information security with no format restriction. Used in Section 1.2 to establish the concentric circles model and distinguish InfoSec from cybersecurity. Note: this is the vocabulary standard (27000), not the requirements standard (27001:2022).

  5. National Audit Office, 'Investigation: WannaCry cyber attack and the NHS' (October 2017)

    Full report, Sections 1-4

    Source for the NHS WannaCry impact figures used in the opening case study: 19,494 cancelled appointments and five A&E departments diverting ambulances. The £92 million cost estimate comes from the Department of Health and Social Care's later progress update on cyber resilience in health and care (October 2018); the NAO report itself predates that estimate.

  6. CompTIA Security+ (SY0-701) Exam Objectives

    Domain 1.0: General Security Concepts (12%)

    The CIA triad and security frameworks are testable objectives in Domain 1. This module maps directly to SY0-701 objectives 1.1 (security concepts) and 1.2 (security controls).

You now have the vocabulary: cybersecurity protects internet-connected systems from cyberattack, the CIA triad defines what it protects, and the NIST CSF 2.0 organises how. The next question is: how do you decide what to protect first? That requires understanding risk - the likelihood that a threat will exploit a vulnerability, multiplied by the impact if it does. That is Module 2.
