Tamara Shoemaker - Böcker

Let’s be realistic here. Ordinary K-12 educators don’t know what "cybersecurity" is and could probably care less about incorporating it into their lesson plans. Yet, teaching cybersecurity is a critical national priority. So, this book aims to cut through the usual roadblocks of confusing technical jargon and industry stovepipes and give you, the classroom teacher, a unified understanding of what must be taught. That advice is based on a single authoritative definition of the field. In 2017, the three societies that write the standards for computing, software engineering, and information systems came together to define a single model of the field of cybersecurity. It is based on eight building blocks. That definition is presented here. However, we also understand that secondary school teachers are not experts in arcane subjects like software, component, human, or societal security. Therefore, this book explains cybersecurity through a simple story rather than diving into execution details. Tom, a high school teacher, and Lucy, a middle school teacher, are tasked by their district to develop a cybersecurity course for students in their respective schools. They are aided in this by "the Doc," an odd fellow but an expert in the field. Together they work their way through the content of each topic area, helping each other to understand what the student at each level in the educational process has to learn. The explanations are simple, easy to understand, and geared toward the teaching aspect rather than the actual performance of cybersecurity work. Each chapter is a self-contained explanation of the cybersecurity content in that area geared to teaching both middle and high school audiences. The eight component areas are standalone in that they can be taught separately. But the real value lies in the comprehensive but easy-to-understand picture that the reader will get of a complicated field.

Let’s be realistic here. Ordinary K-12 educators don’t know what "cybersecurity" is and could probably care less about incorporating it into their lesson plans. Yet, teaching cybersecurity is a critical national priority. So, this book aims to cut through the usual roadblocks of confusing technical jargon and industry stovepipes and give you, the classroom teacher, a unified understanding of what must be taught. That advice is based on a single authoritative definition of the field. In 2017, the three societies that write the standards for computing, software engineering, and information systems came together to define a single model of the field of cybersecurity. It is based on eight building blocks. That definition is presented here. However, we also understand that secondary school teachers are not experts in arcane subjects like software, component, human, or societal security. Therefore, this book explains cybersecurity through a simple story rather than diving into execution details. Tom, a high school teacher, and Lucy, a middle school teacher, are tasked by their district to develop a cybersecurity course for students in their respective schools. They are aided in this by "the Doc," an odd fellow but an expert in the field. Together they work their way through the content of each topic area, helping each other to understand what the student at each level in the educational process has to learn. The explanations are simple, easy to understand, and geared toward the teaching aspect rather than the actual performance of cybersecurity work. Each chapter is a self-contained explanation of the cybersecurity content in that area geared to teaching both middle and high school audiences. The eight component areas are standalone in that they can be taught separately. But the real value lies in the comprehensive but easy-to-understand picture that the reader will get of a complicated field.

The relevant statistic for this book is that only twenty-nine percent of the annual, overall loss to cyber exploits is attributable to purely electronic attacks. The remaining human and physical exploits account for seventy-one percent. Hence, it is self-evident that effective cyber-protection requires an appropriately tailored and synergistic electronic, human, and physical security control system. The problem is that the industry doesn't view it that way. Over the past thirty years, cyber protection has been viewed as a purely electronic computer-based problem. That thinking might even have made sense before the advent of sophisticated social engineering and other kinds of non-electronic attacks. But now that significant losses from exploits such as insider theft or phishing can occur, any cyber defence that relies solely on an electronic solution is, almost by definition, doomed to failure. That is because the modern adversary is smart. That is why reconnaissance is the hacker's first principle. Before any attack begins, the aim is to identify the places in the defence that are insufficiently secured or lack appropriate controls. Hence, in practical terms, investing in intricate electronic solutions is a waste of time. That's because they only encourage your adversary to try something else. Saltzer and Schroeder called this phenomenon the "work factor." In practical terms, the work factor principle means that the hacker will follow the path of least resistance. So, it is irrelevant whether the attack is elegant or brute force—if it succeeds in breaching the protection. Consequently, if there are robust electronic elements protecting your system, the intruder will simply go to exploits like social engineering, subverting an insider, accessing an unattended endpoint, or simply stealing the device. A proper defence requires all the fort's walls to be present and properly designed and implemented. So, robust human and physical controls must also be integrated into the solution. That requirement—e.g., no apparent gaps in the defence—is the justification for this book. The book will present the basic principles of holistic security. Holistic security is based on developing a complete architecture of synergistic controls tailored to specifically address the actual concerns of a given protection target. It is a strategic reconnaissance design and implementation process, not a head-down focus on deploying electronic controls.