SEC
SCIA 120 · Week 01
01 / 28
Foundations · cover

Introduction to Information Security and Information Assurance

Core idea

Security begins with a clear answer to three questions: what information matters, what could go wrong, and how can trust be preserved?

SCIA 120 Week 01

SCIA 120 Week 01 builds the vocabulary used throughout the course.

What the module connects

The module connects protection goals, attacker goals, risk, controls, and professional roles.

The focus is practical

The focus is practical: students should be able to classify a real situation using security concepts.

Why it matters

Every later topic—physical security, malware, cryptography, networks, secure coding, cloud security—depends on these Week 01 mental models.

Foundations · roadmap

Week 01 Roadmap

Core idea

The week moves from definitions to decision-making: define security goals, recognize threats, estimate risk, select controls, and verify outcomes.

Start here

Start with information security and information assurance.

Use CIA and DAD as paired models

Use CIA and DAD as paired models: defender goals vs. attacker outcomes.

Apply the model

Apply risk thinking before choosing controls.

Connect to practice

Connect the security lifecycle to NIST CSF 2.0 and career pathways.

Example

A student-record system can be analyzed as assets, threats, CIA impact, controls, and assurance evidence.

Foundations · objectives

Learning Outcomes

Core idea

By the end of this module, students should be able to explain and apply the basic language of information security.

Distinguish the terms

Distinguish information security, cybersecurity, and information assurance.

Classify incidents

Classify incidents by CIA and DAD properties.

Identify threat actors

Identify threat actors and likely motivations.

Use the model

Use Risk = Threat × Vulnerability × Impact to compare scenarios.

Match controls to risk

Match controls to risk and explain what evidence would show they work.

Self-check

If you can read a short breach scenario and name the asset, CIA impact, likely actor, risk, control, and evidence, you are using the Week 01 toolkit.

Assurance / Trust · concept

The Big Question: What Are We Defending?

Core idea

Security work starts with assets, not tools. An asset is anything valuable enough to protect: data, systems, services, identities, operations, or trust.

Forms of information

Information can exist as database rows, files, emails, printed records, conversations, credentials, logs, and backups.

Failure without an attacker

A system can fail security even without a hacker: accidental deletion, misconfiguration, power failure, or unavailable backups can still harm users.

Name the asset first

Good security decisions name the protected asset before naming the technology.

Example

For an online gradebook, assets include grades, student identities, login credentials, audit logs, availability during registration, and trust in academic records.

Why it matters

If the asset is unclear, the control may protect the wrong thing.

Risk / Controls / Lifecycle · definition

Information Security

Core idea

Information security is the practice of protecting information and the systems that store, process, and transmit it from unauthorized access, use, disclosure, disruption, modification, or destruction.

States of information

It protects information while it is stored, being processed, and moving across networks.

Practical goals

The practical goals are privacy, accuracy, and availability for authorized users.

More than technology

It includes people, processes, policies, and technology—not only firewalls or antivirus.

From definition to controls

A useful security definition should lead to concrete controls such as encryption, access control, backups, monitoring, and training.

Example

Encrypting a laptop protects stored information; MFA protects account access; backups protect availability after ransomware.

Why it matters

Information security turns abstract concern into decisions about what to protect and how.

Assurance / Trust · comparison

Cybersecurity vs. Information Security

Core idea

Cybersecurity is usually the digital-systems subset of a broader information-security mission.

Cybersecurity scope

Cybersecurity focuses on networks, computers, software, cloud systems, devices, and digital attacks.

Information security scope

Information security also includes paper records, spoken information, physical files, human behavior, policy, and business processes.

Why the distinction matters

The distinction matters because information can leak without a network attack: an unlocked office, misplaced printout, or overheard conversation can still be a security failure.

Example

A stolen database is cybersecurity and information security. A printed transcript left in a public hallway is information security even if no computer was hacked.

Why it matters

Professionals must protect information across its full lifecycle and all forms, not only inside computers.

Assurance / Trust · definition

Information Assurance

Core idea

Information assurance is about confidence: can users trust that information is available, accurate, authentic, confidential, and tied to accountable actions?

Beyond protection

The reading expands assurance beyond protection to include authentication and non-repudiation.

What assurance depends on

Assurance depends on design, evidence, monitoring, auditing, continuity planning, and recovery capability.

Appearance vs. proof

A system may appear secure, but assurance asks whether there is proof that controls are operating correctly.

NIST and CISA guidance

NIST and CISA guidance both emphasize governance, readiness, and repeatable practices—not one-time setup.

Example

A backup policy is security; test-restoring the backup and recording the result is assurance evidence.

Why it matters

Organizations need confidence before relying on information for medical, financial, government, or academic decisions.

Assurance / Trust · comparison

Security vs. Assurance

Core idea

Security protects; assurance verifies, sustains, and proves that protection remains trustworthy over time.

Security question

Security question: what control reduces unauthorized disclosure, alteration, or denial?

Assurance question

Assurance question: how do we know that control is correctly implemented and still working?

Implementation vs evidence

Security often focuses on implementation; assurance adds measurement, governance, documentation, and accountability.

Both are required

Both are required: a control without evidence is difficult to trust, and evidence without effective controls does not reduce risk.

Example

MFA reduces account takeover risk; logs showing MFA enrollment, failed login attempts, and periodic access reviews provide assurance.

Why it matters

Real organizations must defend systems and justify decisions to managers, auditors, regulators, and users.

CIA / Protection Goals · model

CIA Triad Overview

Core idea

The CIA Triad is the classic model for the three core security properties: confidentiality, integrity, and availability.

Confidentiality asks

Confidentiality asks: who is allowed to see this?

Integrity asks

Integrity asks: is this accurate, complete, and unmodified?

Availability asks

Availability asks: can authorized users access it when needed?

Describing incidents

Most incidents can be described as damage to one or more CIA properties.

Example

Ransomware can affect availability by locking files, confidentiality by stealing data before encryption, and integrity by modifying systems.

Why it matters

CIA gives students a compact way to classify what went wrong and what controls are needed.

CIA / Protection Goals · concept

Confidentiality

Core idea

Confidentiality prevents unauthorized disclosure of information.

Sensitive information

Sensitive information includes passwords, student records, health data, financial data, business plans, source code, and private communications.

Threats

Common threats include stolen credentials, misconfigured cloud storage, phishing, insider snooping, lost devices, and weak access control.

Controls

Controls include encryption, least privilege, MFA, access reviews, secure disposal, and data classification.

CISA guidance

CISA Cyber Essentials emphasizes knowing who has access and using MFA, especially for privileged and remote users.

Example

A grade spreadsheet emailed to the wrong recipient is a confidentiality failure even if the file is not modified.

Why it matters

Confidentiality failures create legal, financial, reputational, and personal harm.

CIA / Protection Goals · concept

Integrity

Core idea

Integrity means information remains accurate, complete, and protected from unauthorized or accidental change.

Integrity failures

Integrity failures can be malicious, such as altering grades or payment instructions, or accidental, such as database corruption.

Controls

Controls include hashes, checksums, digital signatures, version control, database constraints, change approvals, and audit logs.

Prevention and detection

Integrity is not only about preventing change; it is also about detecting and proving whether a change occurred.

Evidence matters

Evidence matters: logs and hashes help reconstruct what changed and when.

Example

If a student grade changes from 82 to 92 without authorization, the system has an integrity problem even if the record is still private and available.

Why it matters

Bad data can drive bad decisions: wrong medication, wrong payment, wrong grade, or wrong security response.

Tiny integrity demo

sha256sum assignment.txt
# Change the file, then run again.
# A different hash means the contents changed.
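
The single-file hash comparison above, extended to a whole folder as an added example (not part of the course slides): it records a baseline of SHA-256 digests, then reports which files were modified, removed, or added. The file names and contents are constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=65536):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare_manifests(baseline, current):
    """Classify differences between a trusted baseline and the current state."""
    return {
        "modified": sorted(
            name for name in baseline
            if name in current and baseline[name] != current[name]
        ),
        "removed": sorted(name for name in baseline if name not in current),
        "added": sorted(name for name in current if name not in baseline),
    }


def demo():
    """Constructed sample: a small folder that changes after the baseline is taken."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "assignment.txt").write_text("grade: 82\n")
        (root / "roster.txt").write_text("student-001\n")
        baseline = build_manifest(root)

        (root / "assignment.txt").write_text("grade: 92\n")  # alteration
        (root / "roster.txt").unlink()                       # deletion
        (root / "notes.txt").write_text("new file\n")        # unexpected addition
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names}")
```

The baseline only counts as evidence if it is stored where the monitored system cannot write to it; otherwise whoever changes a file can also change its recorded hash.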
CIA / Protection Goals · concept

Availability

Core idea

Availability means authorized users can access systems and information when they need them.

Threats to availability

Availability can be harmed by DDoS attacks, ransomware, hardware failure, expired certificates, power loss, bad updates, or cloud outages.

Controls

Controls include backups, redundancy, failover, monitoring, patch management, disaster recovery plans, and capacity planning.

Why availability is a security property

Availability is a security property because a perfectly private and accurate system still fails users if it is unreachable.

CISA guidance

CISA Cyber Essentials emphasizes protecting critical assets and preparing for crisis response.

Example

A hospital scheduling system that is offline during emergency operations creates real-world harm even if no data is stolen.

Why it matters

For many organizations, downtime means lost revenue, safety risk, missed deadlines, and loss of public trust.

Simple availability check

ping -c 3 example.edu
# Replies suggest network reachability; failures need diagnosis.
CIA / Protection Goals · model

DAD Triad: The Attacker’s Mirror

Core idea

The DAD Triad describes attacker outcomes: disclosure, alteration, and denial—the opposites of confidentiality, integrity, and availability.

Disclosure

Disclosure violates confidentiality by exposing information to unauthorized parties.

Alteration

Alteration violates integrity by changing information or system state without authorization.

Denial

Denial violates availability by preventing legitimate use.

Using DAD

DAD helps students translate incidents into attacker impact.

Example

A ransomware incident may involve disclosure through data theft, alteration through encrypted files, and denial through system outage.

Why it matters

Defenders preserve CIA; attackers try to create DAD. The paired model makes incident analysis easier.

CIA / Protection Goals · impact

Why Security Matters

Core idea

Security failures matter because they create real costs for people, organizations, and society.

Financial impact

Financial impact includes incident response, legal fees, fines, customer notification, downtime, and lost trust.

Personal impact

Personal impact includes identity theft, exposure of medical records, privacy violations, and fraud.

National-security impact

National-security impact appears when critical infrastructure, elections, defense, or public services are targeted.

IBM’s 2025 breach report

IBM’s 2025 breach report emphasizes that governance gaps—especially around fast AI adoption—can increase breach risk and cost.

Example

A breach of a campus system could expose identities, interrupt services, require notification, trigger investigation, and damage trust in institutional systems.

Why it matters

Security is not just a technical preference; it is risk management for real harm.

Assurance / Trust · timeline

A Brief History of Computer Security

Core idea

Computer security evolved as computing moved from shared mainframes to personal computers, the internet, organized cybercrime, cloud services, and AI-enabled systems.

1960s–1970s

1960s–1970s: timesharing raised early questions about user separation and unauthorized access.

1980s

1980s: PC malware and the Morris Worm showed that self-replicating code could disrupt connected systems.

1990s

1990s: the web and email expanded attack surfaces and fraud opportunities.

2000s–present

2000s–present: organized cybercrime, ransomware, nation-state operations, cloud, mobile, IoT, and supply-chain attacks changed the scale of risk.

Example

The Morris Worm is often used as an early lesson in how software flaws, trust assumptions, and network connectivity can turn a mistake into widespread disruption.

Why it matters

History shows that security problems follow technology adoption: every new platform creates new attack surfaces.

Threats / Attacker Goals · actors

Threat Actors: Capability, Intent, Opportunity

Core idea

A threat actor is any person, group, or entity with the potential to harm information systems.

Capability

Capability means the actor has tools, skills, access, or resources.

Intent means the actor has a reason to act

Intent means the actor has a reason to act: money, ideology, coercion, ego, espionage, revenge, or negligence.

Opportunity means a weakness is reachable

Opportunity means a weakness is reachable: exposed service, weak password, unlocked device, misconfiguration, or trusted access.

Defenses should match the actor

Defenses should match the actor: a control that stops casual misuse may not stop a well-funded APT.

Example

A weak password creates opportunity for many actors, but a nation-state and a script kiddie differ greatly in patience, tools, and target selection.

Why it matters

Threat modeling becomes clearer when students ask who might attack, why, and with what capability.

Threats / Attacker Goals · actors

Common Threat Actor Profiles

Core idea

Different threat actors behave differently because their skills, goals, and resources differ.

Script kiddies

Script kiddies use existing tools with limited understanding and often seek curiosity, disruption, or status.

Hacktivists

Hacktivists use cyber actions to advance political, social, or ideological goals.

Cybercriminals

Cybercriminals pursue profit through ransomware, credential theft, fraud, extortion, and stolen-data markets.

Shared tactics

These actors often reuse known vulnerabilities, leaked credentials, and social engineering because those methods scale.

Example

A phishing kit sold online may allow low-skill attackers to steal credentials without understanding the underlying web or authentication technology.

Why it matters

Knowing the profile helps predict likely tactics and prioritize controls.

Threats / Attacker Goals · actors

Insiders and Nation-State/APT Actors

Core idea

Some of the hardest threats come from trusted access or patient, well-funded adversaries.

Insider threats

Insider threats come from employees, contractors, vendors, or partners with legitimate access; harm may be malicious or negligent.

Nation-state actors

Nation-state actors may pursue espionage, strategic advantage, sabotage, or influence operations.

Advanced Persistent Threats

Advanced Persistent Threats are long-term, targeted campaigns that prioritize stealth and persistence.

Controls

Controls must include least privilege, monitoring, segmentation, logging, and incident response readiness.

Example

An employee copying customer data to a personal drive is an insider risk; a long-term stealth campaign against a supplier may indicate APT-style behavior.

Why it matters

Perimeter defenses are not enough when the actor may already have access or time to adapt.

Threats / Attacker Goals · motivation

Attack Motivations: MICE

Core idea

MICE summarizes common motivations: Money, Ideology, Coercion, and Ego.

Money

Money drives ransomware, fraud, credential theft, extortion, and data resale.

Ideology

Ideology drives hacktivism, defacement, leaks, and disruption for a cause.

Coercion

Coercion appears when someone acts under pressure, blackmail, or threat.

Ego

Ego drives bragging, revenge, status seeking, or the thrill of access.

Using motivation

Motivation helps estimate what the actor may target and how persistent they may be.

Example

A ransomware group usually wants money; a hacktivist group may want attention; an insider may be motivated by revenge, coercion, or financial gain.

Why it matters

Motivation changes likely targets, timing, tactics, and negotiation behavior.

Risk / Controls / Lifecycle · mindset

The Security Mindset

Core idea

The security mindset means looking at systems through failure, abuse, and trust assumptions—not only through intended use.

Adversarial thinking asks

Adversarial thinking asks: how could this be misused?

Skepticism

Skepticism treats inputs, identities, and assumptions as things to verify.

Failure-mode thinking

Failure-mode thinking asks what happens when a control breaks or a user makes a mistake.

Defense in depth

Defense in depth assumes no single control is perfect.

Proportionality

Proportionality balances risk reduction against cost, complexity, and usability.

Example

A login form should be designed not only for correct passwords, but also for guessing attacks, stolen credentials, error-message leaks, lockout abuse, and logging.

Why it matters

Security professionals find problems by asking different questions than ordinary users or developers.

Threats / Attacker Goals · risk

Risk = Threat × Vulnerability × Impact

Core idea

Risk is the potential for loss when a threat can exploit a vulnerability and cause impact.

Threat

Threat: what harmful event or actor could occur?

Vulnerability

Vulnerability: what weakness could be exploited?

Impact

Impact: how severe is the harm if exploitation succeeds?

Conceptual, not exact

The formula is conceptual, not exact arithmetic, but it forces structured thinking.

Reducing risk

Risk can be reduced by lowering likelihood, removing vulnerability, or reducing impact.

Example

An internet-facing unpatched server with sensitive customer data has high risk because threat likelihood, exploitable vulnerability, and impact are all significant.

Why it matters

Risk thinking prevents random control selection. It connects security spending to actual harm reduction.

Simple risk scoring idea

risk_score = threat_likelihood × vulnerability_exposure × impact
Use it to compare scenarios, not as perfect math.
Risk / Controls / Lifecycle · risk

Risk Treatment Options

Core idea

After identifying risk, organizations choose how to handle it: avoid, mitigate, transfer, or accept.

Avoid

Avoid: stop the risky activity entirely.

Mitigate

Mitigate: reduce likelihood or impact with controls.

Transfer

Transfer: shift some financial impact to another party, such as insurance or a service provider contract.

Accept

Accept: document the risk and choose not to act when it is low or treatment cost is disproportionate.

Explicit decisions

Good risk decisions should be explicit, not accidental.

Example

Turning off an unused exposed service avoids risk; patching it mitigates risk; cyber insurance transfers some financial risk; documenting a low-risk issue accepts it.

Why it matters

Security teams rarely eliminate all risk. They help organizations choose defensible treatment strategies.

Risk / Controls / Lifecycle · controls

Control Functions: Preventive, Detective, Corrective

Core idea

Controls reduce risk by stopping incidents, finding incidents, or helping recover from incidents.

Preventive controls

Preventive controls stop or block unwanted events: MFA, encryption, firewall rules, secure configuration.

Detective controls

Detective controls reveal events or suspicious activity: logs, IDS alerts, monitoring, file integrity checks.

Corrective controls

Corrective controls limit damage and restore operations: backups, patches, account resets, incident response procedures.

Combine all three

Strong programs combine all three because prevention eventually fails.

Example

For phishing: MFA is preventive, suspicious-login alerts are detective, password reset and session revocation are corrective.

Why it matters

Classifying controls helps students understand what a defense actually does.

Risk / Controls / Lifecycle · controls

Control Layers: Administrative, Technical, Physical

Core idea

Controls also differ by implementation layer: policy and process, technology, or physical protection.

Administrative controls

Administrative controls include policies, training, hiring procedures, acceptable-use rules, and incident response plans.

Technical controls

Technical controls include authentication, encryption, access control, endpoint protection, logging, and network segmentation.

Physical controls

Physical controls include locks, cameras, guards, badges, secure rooms, and cable locks.

Defense in depth

Effective defense in depth uses multiple layers because one layer alone is fragile.

Example

Protecting a server room may require badge policy, access-control logs, locked doors, cameras, and system authentication—not just one control.

Why it matters

A technically strong system can still fail if physical access or organizational process is weak.

Risk / Controls / Lifecycle · lifecycle

Security Lifecycle and NIST CSF 2.0

Core idea

Security is a continuous lifecycle, not a one-time project. NIST CSF 2.0 organizes cybersecurity outcomes around Govern, Identify, Protect, Detect, Respond, and Recover.

Govern

Govern sets strategy, accountability, policy, and risk management direction.

Identify

Identify understands assets, dependencies, threats, vulnerabilities, and risk.

Protect

Protect implements safeguards to reduce likelihood or impact.

Detect

Detect finds possible cybersecurity events.

Respond and Recover

Respond contains and manages incidents; Recover restores operations and improves resilience.

Why the cycle repeats

The cycle repeats because threats, systems, and business needs change.

Example

A school system identifies student-record assets, protects them with access control, detects suspicious logins, responds to compromised accounts, recovers affected services, and updates policy under governance.

Why it matters

The framework gives students a professional vocabulary used by organizations beyond this course.

CIA / Protection Goals · scenario

Student Scenario: Classify the Incident

Core idea

Apply the Week 01 toolkit to a realistic incident instead of memorizing terms in isolation.

Scenario

Scenario: a staff member receives a phishing email, enters credentials into a fake page, and an attacker downloads a spreadsheet of student records.

Asset

Asset: student records and account credentials.

CIA impact

CIA impact: confidentiality is violated; integrity and availability may also be at risk if the attacker changes or deletes data.

Threat actor

Threat actor: likely cybercriminal unless evidence suggests another motive.

Controls

Controls: MFA, phishing-resistant training, login anomaly detection, least privilege, access review, and incident response.

Evidence

Evidence: sign-in logs, MFA logs, email headers, file access logs, affected-account timeline.

Why it matters

Scenario practice builds the habit of moving from vocabulary to analysis.

Self-check

Can you identify DAD impact, risk treatment, and at least one preventive, detective, and corrective control for this scenario?
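
The evidence step of this scenario, as an added example (not part of the course slides): a detective check flags a sign-in from a new address without MFA, then builds the affected-account timeline from file access logs. The log formats, field names, account names, and addresses are constructed for illustration.

```python
from datetime import datetime

# Constructed sample logs (not real data). Fields: time, user, source IP, then
# the MFA result for sign-ins, or the action and object for file access.
SIGN_IN_LOG = """\
2025-01-06T08:02:11Z jdoe 10.20.1.15 mfa=pass
2025-01-07T08:05:40Z jdoe 10.20.1.15 mfa=pass
2025-01-07T09:12:03Z asmith 10.20.1.22 mfa=pass
2025-01-08T02:41:19Z jdoe 203.0.113.50 mfa=none
2025-01-08T08:03:55Z jdoe 10.20.1.15 mfa=pass
"""

FILE_ACCESS_LOG = """\
2025-01-07T08:30:00Z jdoe 10.20.1.15 read schedule.xlsx
2025-01-08T02:43:02Z jdoe 203.0.113.50 download student_records.xlsx
2025-01-08T02:44:10Z jdoe 203.0.113.50 read staff_contacts.xlsx
2025-01-08T08:10:00Z jdoe 10.20.1.15 read schedule.xlsx
"""


def parse(log, field_names):
    """Turn space-separated log lines into dicts with a parsed timestamp."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != len(field_names) + 1:
            continue  # skip malformed lines rather than guessing at fields
        event = dict(zip(field_names, parts[1:]))
        event["time"] = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["time"])


def suspicious_sign_ins(sign_ins):
    """Flag a sign-in from an IP the user has not used before when MFA was not
    satisfied. Simplification: a user's first sign-in only seeds the baseline."""
    known = {}
    flagged = []
    for event in sign_ins:
        seen = known.setdefault(event["user"], set())
        if seen and event["ip"] not in seen and event["mfa"] != "mfa=pass":
            flagged.append(event)
        else:
            seen.add(event["ip"])
    return flagged


def build_timeline(sign_ins, file_events):
    """For each flagged sign-in, list what that user and IP touched afterwards."""
    timeline = []
    for s in suspicious_sign_ins(sign_ins):
        timeline.append(
            (s["time"], s["user"], s["ip"], "sign-in without MFA from new IP")
        )
        for f in file_events:
            same_session = f["user"] == s["user"] and f["ip"] == s["ip"]
            if same_session and f["time"] >= s["time"]:
                timeline.append(
                    (f["time"], f["user"], f["ip"], f"{f['action']} {f['object']}")
                )
    return sorted(timeline)


def demo():
    sign_ins = parse(SIGN_IN_LOG, ["user", "ip", "mfa"])
    file_events = parse(FILE_ACCESS_LOG, ["user", "ip", "action", "object"])
    return build_timeline(sign_ins, file_events)


if __name__ == "__main__":
    for when, user, ip, what in demo():
        print(when.isoformat(), user, ip, what)
```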

Apply / Careers · careers

Cybersecurity Career Paths

Core idea

Week 01 concepts appear in many security roles, from technical operations to governance and leadership.

Security Analyst

Security Analyst: monitors alerts, investigates suspicious activity, and supports response.

Penetration Tester

Penetration Tester: performs authorized testing to find weaknesses before attackers do.

Security Engineer

Security Engineer: builds and maintains secure systems and infrastructure.

Incident Responder / Forensic Analyst

Incident Responder / Forensic Analyst: investigates incidents, preserves evidence, and identifies root cause.

Security Architect

Security Architect: designs security posture across systems.

CISO and GRC roles

CISO and GRC roles connect security to risk, policy, compliance, and executive decisions.

ISC2’s 2025 study

ISC2’s 2025 study emphasizes demand for both technical and nontechnical skills, including incident response, security engineering, risk, cloud, AI, and GRC.

Example

The same CIA/risk/control vocabulary is used in SOC tickets, penetration test reports, architecture reviews, audits, and executive risk briefings.

Why it matters

A strong foundation helps students move toward certifications and roles such as Security+, CEH, CISSP, OSCP, analyst, engineer, responder, or GRC analyst.

CIA / Protection Goals · summary

Week 01 Takeaway

Core idea

Security is a process for preserving trust in information under uncertainty, attack, failure, and change.

Start with assets

Start every analysis with assets and context.

Use the model

Use CIA to name defender goals and DAD to name attacker outcomes.

Estimate risk

Estimate risk through threat, vulnerability, and impact.

Choose controls

Choose controls by function and layer, then look for evidence that they work.

Use the lifecycle mindset

Use the lifecycle mindset: Govern, Identify, Protect, Detect, Respond, Recover.

Keep building the security mindset

Keep building the security mindset: ask what can fail, who could abuse it, and what proof would increase confidence.

Why it matters

These concepts are the foundation for the rest of SCIA 120.

Self-check

Explain one recent security incident using: asset, CIA impact, DAD impact, threat actor, motivation, vulnerability, impact, controls, and assurance evidence.
