Cybersecurity
Cybersecurity is the practice of protecting systems, networks, and data from unauthorised access, disruption, and theft. It is fundamentally an asymmetric, adversarial discipline: defenders must secure every path, while an attacker needs only one.
Watch — a 3-minute tour of this section, narrated in my own AI-cloned voice.
1. The CIA triad
Nearly every security control serves one of three objectives, known collectively as the CIA triad[1]. The model is old — it predates the modern internet — but it remains the organising principle of the discipline.
| Property | Guarantee | Primary controls |
|---|---|---|
| Confidentiality | Only authorised parties can read the data | Encryption, access control, least privilege |
| Integrity | Data is not altered without detection | Hashing, digital signatures, MACs |
| Availability | Systems and data remain accessible when needed | Redundancy, backups, DDoS mitigation |
A fourth and fifth property — authenticity (the data’s origin is verifiable) and non-repudiation (a party cannot deny an action) — are often added, giving the extended “CIANA” model. The U.S. NIST Cybersecurity Framework[2] reframes the same goals as five operational functions: Identify, Protect, Detect, Respond, Recover (with Govern added in the 2024 2.0 revision).
2. Threat modelling & risk
Threat modelling is the structured process of identifying what you are protecting, who might attack it, and how. A common decomposition is the STRIDE taxonomy developed at Microsoft[3]:
- Spoofing — impersonating something or someone
- Tampering — modifying data or code
- Repudiation — denying having performed an action
- Information disclosure — exposing data to unauthorised parties
- Denial of service — degrading or denying availability
- Elevation of privilege — gaining capabilities one should not have
Risk is conventionally expressed as Risk = Likelihood × Impact. Because neither term can be driven to zero, security is an exercise in risk management, not risk elimination. The key strategic insight — articulated repeatedly in the security literature — is the attacker–defender asymmetry: the defender must cover the entire attack surface, while the attacker needs to succeed only once. Defence therefore favours layering and the assumption that some controls will fail.
3. The attack lifecycle
Real intrusions are rarely a single event; they unfold as a sequence of stages. Lockheed Martin’s Cyber Kill Chain[4] and the more granular MITRE ATT&CK knowledge base[5] are the two dominant models. A simplified lifecycle:
| Stage | Attacker goal | Defensive opportunity |
|---|---|---|
| Reconnaissance | Map the target’s surface | Attack-surface management, threat intel |
| Initial access | Get a foothold (phishing, exploit) | Email filtering, patching, MFA |
| Privilege escalation | Gain higher rights | Least privilege, EDR |
| Lateral movement | Spread to other hosts | Segmentation, zero trust |
| Exfiltration / impact | Steal data or deploy ransomware | DLP, egress monitoring, backups |
The defensive value of the model is that breaking the chain at any single stage defeats the attack — the rationale for defence in depth (§7).
4. Cryptographic foundations
Cryptography provides the mathematical machinery behind confidentiality, integrity, and authenticity. Modern systems combine three families of primitive:
- Symmetric encryption — one shared key for both encryption and decryption. AES[6] (Rijndael, standardised by NIST in 2001) is the workhorse for bulk data.
- Asymmetric (public-key) encryption — a public/private key pair. RSA[7] and elliptic-curve cryptography enable key exchange and digital signatures without a pre-shared secret. The Diffie–Hellman key exchange[8] (1976) was the conceptual breakthrough.
- Cryptographic hash functions — one-way functions like SHA-256[9] that map arbitrary input to a fixed-length digest, underpinning integrity checks, password storage, and digital signatures.
These are bound together by TLS 1.3[10], the protocol that secures essentially all modern web traffic: asymmetric crypto authenticates the server and negotiates a session key, which then drives fast symmetric encryption of the actual data.
The most famous unproven assumption in computing — that P ≠ NP — is also the load-bearing assumption of public-key cryptography: RSA is secure precisely because factoring large integers is believed to be intractable for classical computers.
5. Identity & access control
Most breaches are, at root, failures of identity and access management (IAM). The discipline rests on three steps: authentication (proving who you are), authorisation (deciding what you may do), and auditing (recording what you did).
- Authentication factors — something you know (password), something you have (hardware token, phone), something you are (biometric). Combining factors gives multi-factor authentication (MFA), the single most cost-effective control against credential theft.
- Authorisation models — role-based access control (RBAC), attribute-based access control (ABAC), and the principle of least privilege: every actor should hold the minimum rights needed for its function.
- Phishing-resistant credentials — the FIDO2 / WebAuthn standards replace shared secrets with public-key authentication bound to the origin, defeating credential phishing by design.
6. Network security
Because the internet’s foundational protocols (see the Computer Science branch) were not designed with security as a first-class concern, much of network security is retrofitted defence:
- Firewalls — enforce policy on which traffic may cross a boundary; modern next-generation firewalls inspect application-layer content.
- Network segmentation — dividing a network into zones so that a compromise in one cannot freely reach the rest.
- VPNs & encrypted transport — protecting data in transit across untrusted networks.
- IDS / IPS — intrusion detection and prevention systems that flag or block malicious traffic patterns.
- DNS & routing security — DNSSEC and RPKI/BGP-origin validation harden the internet’s addressing and routing substrate.
7. Defence in depth
“The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards — and even then I have my doubts.”
— attributed to Gene Spafford
Because no single control is perfect, security is built in layers, so that the failure of one is caught by another. This is defence in depth. Two modern doctrines extend it:
- Assume breach — design as though attackers are already inside, prioritising detection, containment, and recovery alongside prevention.
- Zero trust[12] — never trust by network location; authenticate and authorise every request continuously. Codified in NIST SP 800-207. Explored further on the Defensive page.
The throughline of this branch is that these fundamentals do not change when capabilities shift — but the speed and cost of attack and defence can change dramatically. That is exactly what is happening in 2026, as the AI & Security page details.