Cybersecurity Ed1 Pres ch01 Concepts

Chapter 1 of 'Cybersecurity: Technology and Governance' introduces fundamental concepts of cybersecurity, defining it as the protection of information assets from cyber threats and emphasizing the importance of confidentiality, integrity, and availability (CIA). It discusses various sources of security breaches, the roles of different types of security controls, and the ongoing challenges in cybersecurity governance. The chapter also outlines the significance of risk assessment, regulatory compliance, and the need for a balanced approach to managing security risks and controls.


Chapter 1: Basic Concepts of Cybersecurity

Cybersecurity: Technology and Governance


Audun Jøsang,
1st Edition, Springer Nature, 2024.

Training of AI machine learning models for commercial purposes based on this presentation is not permitted.
What is security?
Security is the protection of assets from harm
– Physical security: Prevention of break-ins, theft and tampering with facilities and equipment
– Safety: Protection of life and health
– Environmental safety: Preventing pollution and invasion of alien species into nature.
– Civic security: Maintaining law and order
– Societal security: Protection of critical infrastructures and basic functions in the society
– National security: Preservation of national sovereignty, territorial integrity, and government
– Cybersecurity: Protection of information assets
– Data privacy: Following legal principles for collecting, storing, processing and sharing personal data
Cybersecurity: Technology and Governance Ch. 1: Basic Concepts 2
Various sources of security breaches
[Diagram: threat sources on the left, security goals on the right. Threat sources such as technical faults can cause a breach of any of the security goals: physical security, safety, environmental safety, civic security, societal security, national security, cybersecurity, data privacy.]
What is cybersecurity? (1)
• Cybersecurity is the protection of information assets from harm by cyberthreats.
• Information assets are:
– Data/information
– Resources involved in the processing of data/information
• IT hardware
• Software and configurations
• IT-based business processes
• People by how they process information and interact with IT
• How can information assets be harmed?
– Breach of one or more of the security goals Confidentiality, Integrity and Availability (CIA)
• Mainly focuses on damage caused by adversarial threats
– But threats can also be technical failures
– Humans can do harm both intentionally and unintentionally
What is cybersecurity? (2)
• More verbosely, cybersecurity is the protection of information assets
from adversarial attacks that may result in unauthorized disclosure of
information, corruption of data, software and hardware, as well as disruption
of the services they provide.
• There is no exact consensus on what cybersecurity is, and there are many
different definitions proposed by various standards, guidelines, and
frameworks.
• Practitioners who know where the shoe pinches typically describe
cybersecurity in practical terms such as Rick Howard’s first principle of
cybersecurity which is “to reduce the probability of material impact due to a
cyber incident over the next three years.”
R. Howard, Cybersecurity First Principles (Wiley, 2023)

What is information security?
• ISO’s definition of Information Security:
– The preservation of confidentiality, integrity and availability of information.
In addition, other properties, such as authenticity, accountability, non-repudiation,
and reliability can also be involved.
(ISO/IEC 27000:2025)

Maybe it would have been better to say "preservation of CIA of information assets".

We have many names for the things we love
• Cybersecurity: The protection of information assets from harm by cyber attacks.
The term has been popular since the 2010s.
• Information security: General term, i.e. it also covers the protection of information on
paper, popular since the 1970s. A direct translation of "information security", the term that is enshrined
in several international standards and frameworks.
• Computer Security: To be interpreted as the protection of data stored in computer
systems, as well as the systems themselves. The term has been popular since the 1980s.
• IT and ICT security: To be interpreted as security in IT/ICT systems. The term has been
popular since the 1990s.
• Digital security: The protection of anything digital, i.e. that has IT components.

Note that all these terms have more or less the same meaning!

Sources of requirements for cybersecurity
• Good practice: Requirements for adequate security in business processes
according to common good practice and management.
– Good practice sets requirements for e.g. user authentication and access control.
• Risk assessment: Requirements to limit security risks to an acceptable level.
Measures are identified through risk assessment and risk management.
– Risk assessment can, for example, require 2-factor authentication.
• Regulations: Legal, regulatory, industry, and contractual
information security requirements, such as:
– The NIS2 Directive in the EU, mandating organizations to implement security measures.
– GDPR Article 32 mandates adequate security protection for personal data.
– PCI DSS (Payment Card Industry Data Security Standard) (Industry norm in finance).
Note that regulatory and legal requirements for information security often refer to risk
assessment as a requirement and a tool for identifying necessary security measures.

Goal of cybersecurity governance
• Would it be possible to solve all security problems?
• No, because:
– New vulnerabilities are being discovered in legacy systems
– New services, often with vulnerabilities, are being exposed online
– Threat actors are good at finding vulnerabilities that can be exploited
– Increasingly effective attack tools are being developed
– Increasing number and severity of threats
Conclusion: cybersecurity is a continuous process to remove
vulnerabilities and mitigate threats.
• The goal of cybersecurity governance is to get a good
balance between security risk and security controls.
[Diagram: a balance between cyber security risks and security controls.]

General model for IT security risk

[Diagram: Risk at the centre, determined by Assets, Threats and Vulnerabilities.]

• General risk model:
– The greater and more assets you have, the stronger and more threats you are faced with,
and the more serious vulnerabilities you have, then the greater your risk exposure.
Assets, Threats, Vulnerabilities and Security Controls
• Assets: (Information) resources that are of value to the organization.
– Data, Systems, Applications, Networks, Devices, IT Services, People (as they interact with IT).
The goal of cybersecurity is to protect the CIA of assets, depending on the need.
– Personal data
• Threat: A potential attack scenario controlled by a threat actor that could harm your
organization's assets.
• Vulnerability: Absence of controls against threats and inability to handle incidents.
• Security Control: Method to prevent or mitigate threats, or method to reduce the
impact of incidents.
[Diagram, three steps: (1) a threat actor executes a threat scenario; (2) through vulnerabilities the scenario harms assets and causes an incident; (3) the incident has a negative impact.]
Information Security Controls categorized according to cybersecurity functions
[Diagram: Cyber and Information Security rests on Governance and on three types of controls: Preventive controls, Detective controls, Corrective controls.]

Information Security Controls categorized in general control domains
• Information Security (ISO/IEC 27001-27002 framework) is organized in four control domains within an Information Security Management System (ISMS): organizational controls, people controls, physical controls and technological controls.
• Organizational controls examples: Policies/Procedures, Roles and responsibilities, Information classification, Cyber readiness training, etc.
• People controls examples: Staff screening, Employment contract, Awareness training, NDA when resigning, etc.
• Physical controls examples: Camera surveillance, Physical access control, Shielding of cables, Locks and alarms, etc.
• Technological controls examples: User authentication, Encryption, Network security, Incident detection, etc.
The four P’s
• The four P’s correspond roughly to the traditional “People + Process + Technology” (PPT) aspects
of cyber governance described e.g. by NIST CSF, but with the “Partner” aspect added.

People + Product + Partner + Process

• People: Staff must have necessary skills training for operating and managing cybersecurity, which
includes a good security culture in the organization.
• Product (Technology): Organizations must carefully consider which products/technology can
best support the goal of reducing risk to an acceptable level.
• Partner: Organizations need to engage with partners when acquiring products and services from
3rd parties. It can be a waste of money to buy an expensive security product if the vendor is not
able to provide adequate support for operating the product.
• Process: All use of technology (Product) consists of processes, so when an organization acquires
or implements security technology, they must ensure that there is an adequate process for
operating the technology. If the process is ineffective or inefficient, the technology has little value.
General Security Goals: CIA + P
• Information security is traditionally defined as the preservation of CIA:
– Confidentiality
– Integrity
– Availability
[Diagram: Information security shown as the triangle Confidentiality, Integrity, Availability, with Privacy as an additional goal.]
• Data privacy (data protection) has an additional set of goals that includes,
among other things, CIA. The GDPR (General Data Protection Regulation)
defines data protection requirements.
Security goals and controls
• Security goals
– independent of specific implementation
– Can be implemented with different controls
• Security controls
– Based on specific implementation, often tied to specific products

Analogy for civic security (diagram): Security goals (Confidentiality – Integrity – Availability) are supported by security controls (e.g. policies – staff screening – locks – encryption).


Confidentiality
• Property that information is not made available or disclosed to unauthorized
individuals, entities, or processes.
(ISO/IEC 27000)
• Threats:
– Data theft (external threat)
– Data leakage (internal threat)
• Security controls examples:
– Encryption
– Cryptographic communication protocols, e.g. TLS
– Authentication and access control
– Anonymization, e.g. through a pseudonym or VPN
– Layered protection
– Security culture, awareness…

Integrity
• Data integrity: The property that data has not been altered or destroyed in
an unauthorized manner. (X.800)
• Integrity (of information assets in general): The property of accuracy and
completeness. (ISO/IEC 27000)
• Threats: Corrupted data and misconfigured systems
• Security control examples:
– Hashing, MAC, digital signature, encryption
– Configuration management
– Change management
– Authentication
– Access control
– Security culture, awareness…

Availability
• The property of being accessible and usable on demand by an authorized
entity. (ISO/IEC 27000)
• Threats:
– Denial-of-service (DoS/DDoS) attacks
– Ransomware
– Delay of time-critical functions.
• Security control examples:
– Redundancy of resources
– Failover configuration
– Firewalls
– Backup
– Incident response and preparedness

Types of authentication
[Diagram, reconstructed as a list:]
• Authentication
– Entity authentication
• User authentication: based on passwords and different types of authenticators
• System authentication: based on cryptographic protocols, e.g. TLS
– Data authentication: based on cryptographic techniques, e.g. MAC & DigSig

User authentication
• Present user ID (self-identification)
– User states (claims to have) a specific identity
• Authentication with Authenticator(s)
– Prove that you have the identity you claim to have
– Present authenticator(s)
• Threat: Identity theft, fake login
• Security controls: Authenticators, e.g.:
– Password
– Authentication app
– Authentication device, OTP generator
– ID card
– Biometrics
– Secondary channels
– 2FA, multi-factor authentication
[Figure: the user first presents a user ID, then presents an authenticator; the sample ID card reads "Alice Wonderland, D.O.B. 31.12.1985, Cheshire, England, Student nr. 33033, University of Oxford".]

System Authentication
[Diagram: System A authenticates to System B over a network.]

• Purpose
– Correct identification of systems through networks
• Threats:
– Fake systems
– Fraudulent transactions
– Man-in-the-middle attack
– Network intrusion
• Security controls:
– Cryptographic protocols for authentication and integrity
– For example: TLS, IPSEC

Simple or non-repudiable data authentication
[Diagram 1, message with simple authentication: Alice and Bob hold a shared secret key. Alice runs the MAC algorithm over the message to produce a MAC (Message Authentication Code); Bob runs the same MAC algorithm with the same key to verify it.]
Bob: "Authenticated with our shared secret key, so I know that Alice sent the message."
Judge: "But you have the same key, hence you could have sent the message to yourself."
[Diagram 2, message with non-repudiable authentication: Alice runs the DigSig algorithm with Alice's private key to produce a digital signature; Bob runs the DigSig algorithm with Alice's public key to verify it.]
Bob: "Digitally signed with Alice's private key, so I know that she sent the message."
Judge: "You are right, only Alice could have signed the message."
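The two exchanges from the diagram, as an added example that is not from the textbook: the MAC is HMAC-SHA256 from Python's standard library, and the digital signature is a Lamport one-time signature built from SHA-256 (chosen here so that no third-party crypto library is needed; a production system would use RSA or ECDSA). The message text and the party names are assumptions.

```python
"""MAC vs digital signature: why only the signature is non-repudiable.
(Added example, not from the textbook. HMAC-SHA256 stands in for the MAC
algorithm; a Lamport one-time signature stands in for the DigSig algorithm so
that only the standard library is needed. Alice, Bob and the judge are the
parties from the slide.)"""
import hashlib
import hmac
import secrets

MSG = b"Transfer 100 EUR to Bob"  # constructed sample message

# --- Simple authentication: MAC with a key shared by Alice and Bob ----------
def mac_tag(shared_key: bytes, message: bytes) -> bytes:
    return hmac.new(shared_key, message, hashlib.sha256).digest()

def mac_verify(shared_key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac_tag(shared_key, message), tag)

# --- Non-repudiable authentication: Lamport one-time signature -------------
def lamport_keygen():
    """Private key: 256 pairs of random preimages; public key: their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in sk]
    return sk, pk

def _bit(message: bytes, i: int) -> int:
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return (digest >> (255 - i)) & 1

def lamport_sign(sk, message: bytes) -> list:
    # Reveal one preimage per digest bit. A Lamport key must sign only once:
    # a second signature would leak preimages from the other half of each pair.
    return [sk[i][_bit(message, i)] for i in range(256)]

def lamport_verify(pk, message: bytes, sig: list) -> bool:
    # Anyone holding Alice's public key (Bob, the judge) can run this check.
    return len(sig) == 256 and all(
        hashlib.sha256(sig[i]).digest() == pk[i][_bit(message, i)]
        for i in range(256)
    )

def judge_scenario() -> dict:
    """Replay the slide: can a judge tell that Alice, not Bob, sent MSG?"""
    shared_key = secrets.token_bytes(32)       # known to both Alice and Bob
    alice_tag = mac_tag(shared_key, MSG)
    bob_tag = mac_tag(shared_key, MSG)         # Bob can produce the same tag
    alice_sk, alice_pk = lamport_keygen()
    alice_sig = lamport_sign(alice_sk, MSG)
    bob_sk, _ = lamport_keygen()
    bob_sig = lamport_sign(bob_sk, MSG)        # Bob signs with his own key
    return {
        "mac_verifies": mac_verify(shared_key, MSG, alice_tag),
        "bob_can_make_same_mac": bob_tag == alice_tag,   # judge cannot decide
        "sig_verifies": lamport_verify(alice_pk, MSG, alice_sig),
        "bob_forgery_rejected": not lamport_verify(alice_pk, MSG, bob_sig),
        "tampered_msg_rejected": not lamport_verify(alice_pk, MSG + b"!", alice_sig),
    }
```

The MAC case verifies for Bob but gives the judge nothing, because Bob could have computed the identical tag; the signature case verifies with the public key alone and rejects both Bob's own signature and a modified message.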
Accountability
• Purpose: To be able to track events and actions of specific users and
entities, so that they must be accountable for their actions.
– Systems that are used to process or handle classified or other sensitive information must
assure individual accountability. (TCSEC/Orange Book)

• Threats:
– Not being able to identify who was behind an action
– Lacking sufficient evidence to be able to make a report
• Security controls:
– Authentication of all users
– Logging of system events
– Electronic evidence
– Non-repudiation with digital signatures
– Digital forensics
Reliability
• The property that systems do not contain (many) errors or weaknesses.
If failures do occur, reliability also means that the systems can tolerate
certain failures without (all) functionality dropping out.
• Focuses mostly on preventing non-intended incidents, but is also
important for preventing or reducing the consequences of intended
adversarial events.
• Threats:
– Low quality in the development, configuration, error correction and operation of
systems and especially a lack of attention to secure system development.
• Controls:
– Good (or best) practices for the secure development and operation of systems,
also known as "built-in information security"

Access Authorization
• Access authorization is to specify access rights for entities, i.e., for users, roles,
and processes
– Specifies who should have access to what
– The authorization policy is usually defined by humans
– The authorization policy is formalized as rules and configurations for access control in systems.
• Authorization can be delegated
– Manager → Sys.Admin → User
• Be aware of confusion in literature and many textbooks (but not this textbook):
– In some text sources, access authorization is defined as equivalent to access control. This is
completely wrong, because it makes the definition of confidentiality meaningless, in the sense
that it would not be a breach of confidentiality if a hacker accesses an account with a cracked
password and steals data.
– It would make the US CFAA (Computer Fraud and Abuse Act) meaningless (see Sect. 17.3.1).

Access control
• Access control takes place after the user is authenticated.
• The user/entity must be authenticated for the system to know who is
trying to perform an action or requesting access.
• Access Control uses authorization policies/rules to decide whether or not
to grant the user access to resources.
• Access authorization policies/rules are defined during the configuration
phase so that access control can be performed during the usage phase.
• Many different ways to define access control rules, e.g.
– Identity-based (DAC, discretionary access control)
– Label-based (MAC, mandatory access control)
– Role-based (RBAC)
– Attribute-based (ABAC) (generalization of all the above ways)
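An added example (not from the textbook) of the ABAC point above: identity-based, label-based and role-based rules are all written as predicates over subject and resource attributes, and a decision is only taken for an authenticated subject. The users, resource, labels and roles are constructed sample data; treating the label rule as mandatory and the other two as grants is this example's own structuring choice.

```python
"""Access control after authentication, with DAC, MAC and RBAC rules written as
attribute predicates (the ABAC view). Added example, not from the textbook;
all subjects, resources, labels and roles are constructed sample data."""
from dataclasses import dataclass, field

LABELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}  # ordered

@dataclass
class Subject:
    user_id: str
    authenticated: bool            # outcome of the preceding authentication step
    roles: set = field(default_factory=set)
    clearance: str = "public"

@dataclass
class Resource:
    name: str
    owner: str
    label: str = "public"
    allowed_roles: set = field(default_factory=set)

# Every rule has the same ABAC shape: a predicate over (subject, resource, action).
def mac_labels(s, r, action):
    """Label-based rule, Bell-LaPadula style: no read up, no write down."""
    if action == "read":
        return LABELS[s.clearance] >= LABELS[r.label]
    return LABELS[s.clearance] <= LABELS[r.label]

def dac_owner(s, r, action):
    return s.user_id == r.owner          # identity-based: the owner decides

def rbac_role(s, r, action):
    return bool(s.roles & r.allowed_roles)   # role-based

MANDATORY = [mac_labels]          # all must hold; an owner cannot waive them
GRANTS = [dac_owner, rbac_role]   # at least one must grant the access

def decide(s: Subject, r: Resource, action: str) -> str:
    """Deny unauthenticated subjects outright; otherwise evaluate the policy."""
    if not s.authenticated:
        return "deny: not authenticated"
    if not all(rule(s, r, action) for rule in MANDATORY):
        return "deny: label check failed"
    for rule in GRANTS:
        if rule(s, r, action):
            return f"permit: {rule.__name__}"
    return "deny: no matching grant"

def sample_decisions() -> dict:
    payroll = Resource("payroll", owner="bob", label="confidential", allowed_roles={"finance"})
    alice = Subject("alice", True, roles={"finance"}, clearance="confidential")
    bob = Subject("bob", True, clearance="internal")   # owner, but cleared too low
    mallory = Subject("bob", False)                    # claims bob's ID, never proved it
    return {
        "alice_read": decide(alice, payroll, "read"),
        "alice_write": decide(alice, payroll, "write"),
        "bob_read": decide(bob, payroll, "read"),
        "mallory_read": decide(mallory, payroll, "read"),
    }
```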

IAM (Identity and Access Management)
[Diagram: IAM is split into a configuration phase and a usage phase.]
• Identity management
– Configuration phase: registration of new user ID; provisioning of authenticator(s)
– Usage phase (user authentication): provide user ID; provide/check authenticator(s)
• Access management
– Configuration phase: access authorization
– Usage phase: access control


End of presentation
