Course content Course content

Gamified Intelligent Cyber Aptitude and Skills Training (GICAST)

Start this free course now. Just create an account and sign in. Enrol and complete the course for a free statement of participation or digital badge if available.

More free courses

1.1 Talking security: the basics

Figure _unit2.1.1 Figure 1

Show description|Hide description

This is a photograph of a woman's head and shoulders. Going around her head are square images depicting images linked with security.

Figure 1

In any discussion of security, there are some basic terms that will be used a lot. This section will introduce you to the basic terminology of information security.

CIA

The guiding principles behind information security are summed up in the acronym CIA (and we’re pretty sure there’s a joke in there somewhere), standing for confidentiality, integrity and availability.

We want our information to:

be read by only the right people (confidentiality)
only be changed by authorised people or processes (integrity)
be available to read and use whenever we want (availability).

It is important to be able to distinguish between these three aspects of security. So let’s look at an example.

Case study _unit2.1.1 Case study: PlayStation Network

In April 2011, Sony revealed that the PlayStation Network, used by millions of consumers worldwide, had been breached by hackers. The breach went unnoticed by Sony for several days and ultimately resulted in the theft of up to 70 million customer records. The records included customer names, addresses, emails, dates of birth and account password details. Information which could have enabled additional attacks or identity theft.

In order to assess the scale of the damage and repair the vulnerabilities that led to the attack Sony took the PlayStation Network offline, a move which cost the company, and merchants who offered services via the network, significant amounts of revenue.

In addition to the cost of fixing the breach, Sony was fined £250,000 by the Information Commissioner’s Office as a result of a ‘serious breach’ of the Data Protection Act, stating that ‘The case is one of the most serious ever reported to us. It directly affected a huge number of consumers, and at the very least put them at risk of identity theft.’

The precise financial cost to Sony is unclear but estimates place it at approximately £105 million, excluding the revenue loss by partner companies, damage to its reputation and potential damage to its customers.

So how do the principles of CIA apply to the PlayStation case? Quite obviously, confidentiality was violated: there was a chance that unauthorised people could read the data. However, authorised users still had full access to the data, so it remained available; and the data was not changed, so its integrity was preserved.

Information assets

Time for another definition. When talking about valuable data we use the term ‘information assets’. In the PlayStation case, the information assets were the data about Sony’s customers.

When we consider security of online communications and services, we also need two additional concepts: ‘authentication’ and ‘non-repudiation’.

When we receive a message, we want to be confident that it really came from the person we think it came from. Similarly, before an online service allows a user to access their data, it is necessary to verify the identity of the user. This is known as authentication.

Non-repudiation is about ensuring that users cannot deny knowledge of sending a message or performing some online activity at some later point in time. For example, in an online banking system the user cannot be allowed to claim that they didn’t send a payment to a recipient after the bank has transferred the funds to the recipient’s account.

Malware

Finally, there are a number of terms associated with software that attempts to harm computers in different ways. Collectively these are known as ‘malware’ (a contraction of malicious software).

Depending on what the malware does, different terms are used to in relation to malware. For example:

ransomware is malware that demands payment in order to refrain from doing some harmful action or to undo the effects of the harmful action
spyware records the activities of the user, such as the passwords they type into the computer, and transmits this information to the person who wrote the malware
botnets are created using malware that allows an attacker to control a group of computers and use them to gather personal information or launch attacks against others, such as for sending spam emails or flooding a website with so many requests for content that the server cannot cope, called a denial-of-service attack.

You’ll learn more about malware in Week 3.

Now that you understand some of the basic concepts and terminology, you’ll use this knowledge to study real examples of cyber security breaches.

Previous Week 1: Threat landscape

Next 1.2 Obtaining Sophos Threatsaurus

Take your learning further

Making the decision to study can be a big step, which is why you’ll want a trusted University. We’ve pioneered distance learning for over 50 years, bringing university to you wherever you are so you can fit study around your life. Take a look at all Open University courses.

If you’re new to university-level study, read our guide on Where to take your learning next, or find out more about the types of qualifications we offer including entry level Access modules, Certificates, and Short Courses.

Want to achieve your ambition? Study with us and you’ll be joining over 2 million students who’ve achieved their career and personal goals with The Open University.

Browse all Open University courses

My OpenLearn Profile

About this free course

Become an OU student

Share this free course