Скачать или смотреть 01 - Cyber Security and Risk Management: From Ancient Ciphers to Modern Defence

Cyber Security and Risk Management: From Ancient Ciphers to Modern Defence 🛡️💻

This annotation introduces key concepts from the "Cyber Security and Cyber Defence" Master’s degree program presentation on Risk Management offered by Prof. Zaza Tsotniashvili at Caucasus International University. This session explores how systems are protected, tracing the roots of secret communication and detailing modern strategies for mitigating digital threats.

Understanding Cyber and Information Security 🔒

Cyber Security focuses on protecting information systems (including hardware, software, and infrastructure) and the data and services they provide from unauthorized access, harm, or misuse. This protection covers both intentional harm and accidental damage resulting from failures to follow security procedures.

The foundational goal of Information Security is the Preservation of Confidentiality, Integrity, and Availability (CIA)**. Beyond the CIA triad, other critical properties like authenticity, accountability, non-repudiation, and reliability are also involved. Protecting these systems is vital as modern society relies heavily on technology 🌐, and cyber attacks can halt essential services, threatening national security and economic stability.

The Evolution of Cryptology 📜🔑

The session delves into Cryptology, defined as the science of secret communication. This field includes:
Cryptography (creating codes to hide messages).
Cryptanalysis (breaking or decoding those messages).

Efforts to hide messages date back to ancient history, with examples like Egyptians using hidden symbols in hieroglyphs, the Greeks employing the Scytale, and Romans utilizing "Caesar’s Cipher" (shifting letters in the alphabet) 🧐.

Cryptography became more advanced during the Middle Ages, where Arab scholars, such as Al-Kindi (9th century), developed new methods and wrote the first book on how to break substitution ciphers. The modern era sees cryptology based on mathematics and computers 🔢, utilized across banking, the internet, and national security, employing systems like RSA, AES, and public key encryption.

Mastering Cyber Risk Management 📊🚨

Risk management is central to cyber defence. *Risk* is fundamentally defined as the possibility that events or human actions could lead to consequences that negatively impact valuable assets. In the cyber domain, managing risk is fundamental because cyber attacks (like ransomware) can disrupt digital infrastructure.

Risk is calculated as a product of threat × vulnerability × impact.

The critical elements of risk assessment involve understanding the:
Vulnerability (a weakness)
Threat (an actor exploiting the weakness)
Likelihood (the probability of exploitation)
Impact (the negative effect)

Key international frameworks guide this process, including the NIST framework (which involves Prepare, Conduct, Communicate, and Maintain steps), and ISO/IEC 27005 (which explicitly includes Risk Treatment and Risk Acceptance). Vulnerability Management - the continuous process of finding, prioritizing, and fixing weaknesses—is a critical task, especially since many breaches occur because available software patches were not applied 🩹.

The Human Factor and Continuous Defence 🧑‍💻➡️🧠

A recurring theme is that the human factor is the weakest link in security. Technology alone cannot fix security problems. People often fail to follow security rules because the rules are too complex, or they simply disagree with the policy or think it is a waste of time. Therefore, security culture and awareness are essential, and effective training reduces risk.

Organizations should strive to build a "Just Culture" that balances accountability with learning, ensuring people feel safe reporting security issues to improve the system, not just to blame and punish them.

Finally, cyber risk management is a continuous cycle, not a one-time product 🔄. Every organization must have an Incident Response plan covering phases like Plan/Prepare, Detect/Report, Assess/Decide, Respond, and Learn, because it is not a matter of if an attack will happen, but when 💥.