Foundations · Module 1
What cybersecurity is and is not
Cybersecurity is the practice of reducing risk in digital systems.
What you will be able to do
1. Explain what cybersecurity is and what it is not
2. Use vulnerability, exploit, incident, and breach correctly
3. Explain why security depends on context and trade-offs
Before you begin
- No previous technical background required
- Read the section explanation before using tools
Common ways people get this wrong
- Control theatre. Lots of policy and little evidence. The system looks serious and fails quickly.
- No recovery plan. Incidents become chaotic when nobody rehearsed the calm next steps.
Main idea at a glance
Diagram
How the four terms connect
`flowchart LR
V["Vulnerability\nA weakness exists"] --> X["Exploit\nA method uses the weakness"]
X --> I["Incident\nA security event needs response"]
I --> B["Breach\nConfirmed loss or impact"]
classDef term fill:#ffffff,stroke:#94a3b8,color:#0f172a;
classDef action fill:#eef2ff,stroke:#a5b4fc,color:#1e1b4b;
classDef event fill:#fff7ed,stroke:#fdba74,color:#7c2d12;
classDef impact fill:#fef2f2,stroke:#fca5a5,color:#7f1d1d;
class V term;
class X action;
class I event;
class B impact;
`
Cybersecurity is the practice of reducing risk in digital systems. It is not magic. It is not perfection. It is a set of decisions and controls that make harm less likely, less severe, and easier to recover from when it happens.
If this is your first time with the topic, think of it like this. The internet is a busy city. Cybersecurity is how we do four things.
Cybersecurity in four practical moves
Keep this sequence in mind whenever a new threat or tool appears.
- Lock doors that should be locked. Reduce easy access to sensitive systems and data.
- Check who is allowed in. Verify identity and least privilege before granting access.
- Notice when something looks wrong. Detect unusual behaviour early and investigate quickly.
- Have a plan for when mistakes happen. Contain impact, recover safely, and learn from the event.
You will hear the word cyber used as shorthand. Historically it connects to cybernetics, the study of control and communication in animals and machines. That term comes from the Greek kybernētēs, meaning “steering” or “governor”. It is a good reminder. Security is about steering risk, not pretending risk does not exist.
F0.1 Four words that stop confusion early
People often start by calling everything a breach. That makes teams panic about noise and miss real impact. These four words keep you precise.
Vulnerability
A vulnerability is a weakness that could be used or triggered to cause harm. It might be technical, human, or process related. A good habit is to ask whether the weakness exists even when nobody is attacking. If the answer is yes, you are looking at a vulnerability.
Exploit
An exploit is the method someone uses to turn a vulnerability into impact. It is the story of how the crack in the door becomes a break in.
Incident
An incident is a security event that needs a response. It might turn out to be a false alarm, but you treat it seriously until you have evidence.
Breach
A breach is confirmed impact, usually loss of control or unauthorised access to something valuable. Breach is about consequence, not about how loud the alert was.
Notice the difference.
How the four terms differ
- Vulnerability. A weakness can exist even if nobody has used it yet.
- Exploit. The method used to turn that weakness into impact.
- Incident. A security event that needs response and verification.
- Breach. Confirmed loss or unauthorised impact, not just an alert.
F0.2 What this course deliberately does not teach
This course is defensive and ethical. It does not teach you to break into systems. It teaches you to understand risk, spot weak assumptions, and choose controls that protect people.
Here is a short story that shows what "cyber" often looks like in real life. A finance team receives an email that appears to come from a supplier. Almost everything about it matches what they expect, including the invoice number and the tone, except that the bank details have changed. Under time pressure, they pay. A week later the real supplier calls to chase the overdue invoice. Nobody was hacked in a dramatic way; this was an identity failure paired with a weak process. The loss is still real, and it lands on the business in the same way as a technical breach.
Real-world impact of getting this wrong
Security failures rarely look like movie hacking. They look like:
What real incidents often look like
- Supplier payment redirection. Someone trusted a convincing email without secondary verification.
- Password reuse. A leaked password from one service unlocks another account.
- Missed patch on exposed service. A known weakness remains public long enough to be exploited.
- Overpowered admin workflow. Too much privilege with too little logging creates silent high impact risk.
A well-known example is Equifax (2017). A publicly documented failure to patch a known vulnerability contributed to a massive exposure of personal data. It led to years of legal and regulatory fallout, leadership changes, and lasting trust damage. The lesson is boring and repeatable. Asset plus exposure plus one missed basic control can dominate your risk profile.
Why this matters to you
If you are responsible for a system, your job is not to promise “no breaches”. Your job is to reduce likelihood, reduce blast radius, and make recovery fast. That means:
What responsible security ownership looks like
- Know what matters most. Identify the data and privileges that create the highest harm if compromised.
- Keep attack surface small. Remove or restrict unnecessary exposure paths before adding complexity.
- Patch and harden reliably. Treat known weaknesses as operational debt that must be reduced continuously.
- Collect useful logs. Capture signals you can actually use for containment and investigation.
- Rehearse response. Practise a simple containment and recovery loop before a real incident.
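An added example, not part of the original course material: one way to turn the first three ownership habits, and the "asset plus exposure plus one missed basic control" lesson, into a repeatable inventory check. The asset names, field names, review date, and the 14-day patch window are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

PATCH_WINDOW_DAYS = 14  # assumption: this team's target for applying known fixes

@dataclass(frozen=True)
class Asset:
    name: str
    holds_valuable_data: bool           # "know what matters most"
    internet_facing: bool               # exposure, i.e. attack surface
    oldest_pending_fix: Optional[date]  # release date of the oldest fix not yet applied

def days_overdue(asset: Asset, today: date) -> int:
    """Days the oldest pending fix has sat beyond the patch window (0 if none)."""
    if asset.oldest_pending_fix is None:
        return 0
    return max(0, (today - asset.oldest_pending_fix).days - PATCH_WINDOW_DAYS)

def risk_factors(asset: Asset, today: date) -> list:
    """Name which of the three factors are present on this asset."""
    checks = (
        ("valuable data", asset.holds_valuable_data),
        ("exposed", asset.internet_facing),
        ("missed patch", days_overdue(asset, today) > 0),
    )
    return [label for label, present in checks if present]

def prioritise(assets, today: date) -> list:
    """Rank by number of coinciding factors, then by how overdue the patch is."""
    rows = [(a.name, risk_factors(a, today), days_overdue(a, today)) for a in assets]
    return sorted(rows, key=lambda r: (-len(r[1]), -r[2], r[0]))

# Constructed sample inventory and review date, for illustration only.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Asset("build-server", False, False, None),
    Asset("hr-database", True, False, date(2024, 5, 25)),
    Asset("marketing-site", False, True, date(2024, 4, 1)),
    Asset("customer-portal", True, True, date(2024, 3, 1)),
    Asset("payroll-api", True, True, None),
]

if __name__ == "__main__":
    for name, factors, overdue in prioritise(INVENTORY, TODAY):
        print(f"{name:16} factors={factors} overdue_days={overdue}")
```

The asset where all three factors coincide rises to the top even though other assets are individually more exposed or more sensitive, which is the point of checking the combination rather than each factor alone.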
What experts know
The best security work is often invisible. It is clear boundaries, clear logs, and controls that survive an incident report. It is patching known vulnerabilities promptly. It is verifying identities before making payments. It is understanding that security is about reducing risk, not eliminating it. And it is knowing that the cost of prevention is always less than the cost of a breach.
Diagram
Threat, vulnerability, and risk relationship
`flowchart LR
subgraph Threats["Threat sources"]
External["External attacker"]
Insider["Insider"]
Accident["Accident / error"]
Environment["Environmental event"]
end
subgraph Vulns["Vulnerabilities"]
Tech["Technical flaw"]
Process["Process gap"]
Human["Human factor"]
end
subgraph Risk["Risk"]
Likelihood["Likelihood"]
Impact["Impact"]
Level["Risk level"]
end
External --> Tech
External --> Process
Insider --> Process
Insider --> Human
Accident --> Human
Accident --> Process
Environment --> Tech
Tech --> Likelihood
Process --> Likelihood
Human --> Likelihood
Likelihood --> Level
Impact --> Level
classDef node fill:#ffffff,stroke:#94a3b8,color:#0f172a;
class External,Insider,Accident,Environment,Tech,Process,Human,Likelihood,Impact,Level node;
style Threats fill:#fff1f2,stroke:#fecdd3;
style Vulns fill:#fffbeb,stroke:#fed7aa;
style Risk fill:#ecfdf5,stroke:#a7f3d0;
`
Everyday example. If you leave your house key under a plant pot, the threat is someone trying doors, the vulnerability is the predictable hiding place, and the risk depends on your street, your neighbours, and what happens if someone gets inside.
Common mistake. Treating cybersecurity as a list of scary words, instead of a habit of checking assumptions. Another common mistake is over-focusing on rare, advanced attacks while ignoring the easy ones that happen daily.
Why it matters. When you separate threat, vulnerability, and risk, you stop guessing. You can choose the control that reduces harm most, and you can explain that choice to a manager without waving your hands.
Good, bad, best practice (Foundations mindset)
- Good practice. Use correct terms. When you say “incident”, mean incident. When you say “breach”, mean breach. Precise language prevents expensive misunderstandings.
- Bad practice. Calling everything a breach because it sounds serious. That is how teams overreact to noise and underreact to real signals.
- Best practice. Tie every security discussion to harm. Who gets hurt, how quickly, and how you would know. If the conversation cannot answer that, it is drifting into theatre.
Mental model
Security as a system
Security connects intent, controls, evidence, and recovery. If one is missing, you are guessing.
1. Intent
2. Controls
3. Evidence
4. Recovery
Assumptions to keep in mind
- We can name what matters. If you cannot name the asset and the outcome, you cannot choose the right control.
- Controls can be tested. A control is real when you can verify it. Otherwise it is only a promise.
Failure modes to notice
- Control theatre. Lots of policy and little evidence. The system looks serious and fails quickly.
- No recovery plan. Incidents become chaotic when nobody rehearsed the calm next steps.
Check yourself
Quick check. What cybersecurity is
What is cybersecurity in one sentence?
Reducing risk in digital systems so harm is less likely, less severe, and easier to recover from.
Scenario. Your bank texts you a one-time code. You did not request it. Is this an event, an incident, or a breach?
It is an incident until proven otherwise. It is a security event that needs attention because it may be an attempted account takeover. It becomes a breach if someone actually gains unauthorised access or causes impact.
What is the difference between vulnerability and exploit?
A vulnerability is the weakness. An exploit is a method for using that weakness to cause harm.
Scenario. A teammate accidentally shares a private link to a folder. Nobody outside the team has accessed it yet. Is it a breach?
Not necessarily. It is a risky incident. You treat it as a security event and you fix it quickly. It becomes a breach if unauthorised access is confirmed or confidentiality is violated.
What does NIST CSF 2.0 add that many people miss?
It makes govern explicit. You need clear ownership, decisions, and thresholds, not only tools and technical controls.
Why is 'secure' contextual?
Because controls must balance risk with cost, usability, time, and the reality of how people work. One size fits nobody.
Artefact and reflection
Artefact
A short note on one system you use and what harm would look like if it failed
Reflection
Where in your work would being able to explain what cybersecurity is and what it is not change a decision, and what evidence would make you trust that change?
Optional practice
Use correct terms. When you say “incident”, mean incident. When you say “breach”, mean breach. Precise language prevents expensive misunderstandings.