Cyber Foundations: CIA, Risk, and Layered Controls
60 min · 2.1
Objective
Students will analyze a security scenario by (1) identifying which element(s) of the CIA triad are compromised, (2) distinguishing threat, vulnerability, and risk, (3) reasoning about risk as likelihood × impact, and (4) proposing a layered defense-in-depth plan whose controls are correctly classified by function (preventive/detective/corrective) and type (managerial/operational/technical).
Hook
5 minOpen with the May 2021 Colonial Pipeline ransomware incident. Give students the 30-second version out loud: attackers used a single leaked VPN password (no MFA) to get in, encrypted business systems, and Colonial voluntarily shut the pipeline that supplies ~45% of the U.S. East Coast's fuel. Gas stations ran dry in six states within days. Ask cold-call: 'Which part of the CIA triad failed here — confidentiality, integrity, or availability?' Take 2–3 answers. Most will say confidentiality (password stolen). Push back: the pipeline stopped pumping fuel. The catastrophic failure was availability. Frame the lesson: today we build the reasoning framework — CIA, threat vs vulnerability vs risk, and layered controls — that will let them diagnose incidents like this precisely for the rest of the course and on the AP exam.
Direct instruction
- 5m
The CIA Triad — Three Ways a System Can Fail
Content
Every security decision in this course starts by asking which of three properties an asset needs. Confidentiality means information is disclosed only to authorized parties — a stolen customer database breaks it. Integrity means data and systems are not modified in unauthorized ways — a manipulated bank balance or a tampered medical record breaks it. Availability means authorized users can reach the asset when they need it — a ransomware lockout or a DDoS breaks it. A useful real-world anchor for each corner: the 2017 Equifax breach exposed 147 million records (confidentiality failure); the 2010 Stuxnet worm quietly altered PLC commands so Iranian centrifuges spun themselves apart while telling operators everything was fine (integrity failure); the 2016 Dyn DNS DDoS took Twitter, Netflix, and Reddit offline for hours (availability failure). The triad is not ranked — a system that is perfectly secret but unreadable to its own users has still failed.
Delivery
Emphasize that students overwhelmingly default to 'security = keeping secrets.' Directly name the misconception: 'Confidentiality is not the whole game. A hospital where nobody can pull up your chart during a heart attack has failed you just as badly as one that leaked your chart.' Ask: 'Which corner did Stuxnet break?' — expect students to say confidentiality; correct them to integrity, because data was silently changed. The slide shows the triangle with each corner labeled by one of those three incidents; walk it once left-to-right.
- 5m
Threat vs Vulnerability vs Risk
Content
These three words are used interchangeably in everyday speech and it wrecks student reasoning. Pin them down. A threat is an actor or event with the potential to cause harm — a ransomware gang, a disgruntled employee, a hurricane, a power surge. A vulnerability is a weakness that a threat could exploit — an unpatched Windows server, a shared password, a server room with no lock, staff who click phishing links. Risk is the combination of the two: the likelihood a threat will exploit a vulnerability, times the impact if it does. Worked example — a hospital's patient records server: the threat is a ransomware crew, the vulnerability is that the server runs an unpatched OS reachable from the internet, and the risk is 'high likelihood, catastrophic impact: patients could die during a lockout.' Change any one variable and the risk changes. Patch the server (remove the vulnerability) and the same threat now presents lower risk even though the ransomware crew still exists.
Delivery
Do the vocabulary discipline out loud. Say 'phishing is a threat, not a vulnerability. The vulnerability is untrained users who click.' This will be worth points on the AP exam. Ask students to give you a threat, then a matching vulnerability, then describe the risk in one sentence — e.g., threat = tornado, vulnerability = data center with no offsite backup, risk = permanent loss of records if a tornado hits. Head off the second misconception now: 'The goal is not to make risk zero. Zero risk means you sold the hospital and moved to a cave. The goal is tolerable risk.'
- 5m
Risk = Likelihood × Impact (the Risk Grid)
Content
On the AP exam students will be asked to reason about relative risk without computing an exact number. The tool is a 5×5 grid: likelihood (rare → almost certain) on one axis, impact (negligible → catastrophic) on the other. High-likelihood + high-impact = critical risk (top-right, red). Low-likelihood + high-impact = still serious, because a single event is catastrophic (think earthquake at a data center). High-likelihood + low-impact = manageable nuisance (a spam wave). Low-likelihood + low-impact = accept and move on. Concrete comparison: an employee losing an unencrypted laptop with 50,000 patient records versus losing an unencrypted laptop with only the cafeteria menu. Same threat (loss/theft), same vulnerability (no encryption), same likelihood — but the impact axis is completely different, so the risk is different. Organizations respond to risk in four ways: accept it (live with it), transfer it (buy insurance, outsource), mitigate it (add controls), or avoid it (stop doing the risky activity).
Delivery
Anchor the four responses with quick examples: accept = accept the risk of a keyboard being stolen; transfer = cyber insurance for ransomware; mitigate = install MFA; avoid = decide not to store SSNs at all. Ask a Skill Category 1 question aloud: 'A small clinic and a national bank both use the same unpatched software. Same vulnerability, same threat. Is their risk the same?' Push students to say no — the impact axis differs. The grid slide is the anchor visual; walk one point in each quadrant so students see the axes independently.
- 5m
Controls and Defense in Depth
Content
A security control is any safeguard that reduces risk. Controls are classified two ways at once. By FUNCTION: preventive (stops the event — a locked door, MFA, security awareness training), detective (notices the event — motion sensor, SIEM alert, audit log review), corrective (restores after the event — backups, incident response plan, disaster recovery site). By TYPE: managerial (policies, procedures, risk assessments — human decisions written down), operational (executed by people day-to-day — guards, training, visitor sign-in), technical (implemented by systems — firewalls, encryption, MFA). One control can be classified on both axes: MFA is preventive AND technical; a written acceptable-use policy is preventive AND managerial; a security camera reviewing footage after a break-in is detective AND operational. Defense in depth is the deliberate layering of multiple diverse controls so no single failure exposes the asset — like an onion. For a laptop with patient data: managerial layer (policy requiring full-disk encryption) + operational layer (annual training so the nurse doesn't leave it in a car) + technical layer (BitLocker + remote wipe + MFA on login). If one layer fails, the others still protect the asset.
Delivery
Directly correct the third misconception: 'A firewall is a control. A written policy is also a control. A trained guard is also a control. On the AP exam, all three are legitimate answers.' Ask students to give you one control of each function. Then ask: 'What's the point of layering — why not just use the strongest single control?' Expected answer: any single control can fail (patch bypassed, guard distracted, policy ignored); diverse layers mean an attacker must defeat multiple different kinds of protection. The onion slide anchors this visually.
Activities
- 12m
Case Sort — The Lost Laptop at Northgate Health
Targets Skill Category 1 Analyze Risk. Pairs read a short incident brief and sort 10 facts into four columns: Threat, Vulnerability, Risk statement, or Control (already in place). Then they identify which CIA property is most directly at stake and justify a relative risk rating using likelihood and impact. Circulate and press pairs on their reasoning — this is where the vocabulary discipline sticks. Debrief the last 3 minutes by taking one answer per column from different pairs. Student handout — Case Sort: The Lost Laptop at Northgate Health Scenario. Northgate Regional Hospital issues laptops to visiting nurses. On October 3, Nurse M leaves an issued laptop in the passenger seat of a locked car at a grocery store. The window is smashed and the laptop is stolen. The laptop stored a local cache of 8,400 patient records including names, diagnoses, and Social Security numbers. Hospital policy requires full-disk encryption on all mobile devices. IT records show this laptop's BitLocker was disabled during a driver troubleshooting session six months ago and never re-enabled. The laptop requires a Windows password but no MFA. The hospital carries cyber-liability insurance. Part 1 — Sort each fact (a–j) into ONE column: Threat · Vulnerability · Risk statement · Existing control - a) Organized theft rings target parked cars in that shopping center - b) BitLocker was disabled and never re-enabled on this laptop - c) 8,400 patients could have their SSNs and diagnoses exposed, triggering HIPAA fines up to $1.5M and loss of trust - d) Hospital policy requires full-disk encryption on mobile devices - e) Nurse left the laptop visible in a car - f) A curious opportunistic thief - g) Windows login has no MFA — password alone unlocks the OS - h) Cyber-liability insurance is in force - i) It is highly likely a stolen unencrypted laptop with SSNs will be exploited within days - j) Nurse M received annual security awareness training Part 2 — CIA analysis. Which element of the CIA triad is most directly compromised by this incident, and why? Answer in 2–3 sentences. Your answer must name the property AND cite the specific fact that broke it. Part 3 — Relative risk. Using the likelihood × impact framework, rate this risk as Low, Moderate, High, or Critical, and justify each axis in one sentence. - Likelihood: ______ - Impact: ______ - Overall risk: ______ - Justification (2 sentences): ______
Materials
- Printed handout (one per pair)
- Pens
Example outputs
- Sort key — Threats: a, f. Vulnerabilities: b, e, g. Risk statement: c, i. Existing controls: d, h, j.
- CIA answer: Confidentiality is most directly compromised, because the stolen laptop stores unencrypted patient names, diagnoses, and SSNs (fact b + fact g), which are now readable by whoever has the device.
- Risk rating: Critical — likelihood is High (unencrypted device, active theft ring, no MFA, so exploitation is nearly certain) and impact is Catastrophic (8,400 patients, HIPAA fines, reputational loss).
- A common student error to correct: labeling 'nurse left the laptop in the car' as a threat. It is a vulnerability — a weakness — not the actor. The thief is the threat.
- Another error: labeling insurance (h) as prevention. It is a corrective/transfer control, not preventive.
- 13m
Defense-in-Depth Tabletop — Build and Classify the LayersLab
Targets Skill Category 2 Mitigate Risk (and touches Skill Category 3 Detect Attacks via the detective-control requirement). Groups of 3–4 receive one asset card. In 8 minutes they must design a defense-in-depth plan with EXACTLY three layers, and for each control state (1) the function — preventive / detective / corrective, (2) the type — managerial / operational / technical, and (3) one sentence on what still protects the asset if that layer fails. Their plan MUST include at least one detective control and at least one non-technical control (either managerial or operational) — this forces them past the 'security = firewall' misconception. Last 5 minutes: two groups present, class critiques whether the layers are actually diverse or just three flavors of the same thing. Asset cards (assign one per group): - Card A — The school's student information system (SIS) server holds grades, IEPs, and family contact info. It runs in the district's on-prem server room. Threats include ransomware, insider grade-changers, and physical intrusion. - Card B — The 3D-printing lab's networked computer stores CAD files and controls three printers. Threats include malware from USB sticks students bring in, unauthorized after-hours access, and accidental file deletion. - Card C — The principal's laptop goes home nightly with district email, personnel files, and disciplinary records. Threats include theft from a car, phishing, and family members using it. - Card D — The school's badge-access door controller governs entry to the server room. Threats include tailgating, cloned badges, and someone propping the door open. Student instructions: 1. Identify which CIA properties matter most for your asset and why (one sentence). 2. Design a three-layer defense-in-depth plan. For EACH layer write: - The specific control (name it concretely — e.g. 'BitLocker full-disk encryption,' not 'encryption') - Function: preventive · detective · corrective - Type: managerial · operational · technical - One sentence: if this layer fails, what still protects the asset? 3. Your plan MUST include at least one detective control and at least one managerial OR operational control. A plan of three technical preventive controls will be sent back. 4. Be ready to defend any control whose classification is debatable.
Materials
- Assigned asset card per group (one of four)
- Laptop or tablet per group (for control-classification lookups in the school's cybersecurity reference site)
- Chart paper or whiteboard space per group
- Markers
Example outputs
- Card C (Principal's laptop) sample plan — Layer 1: District policy requiring full-disk encryption and no personal use (Preventive, Managerial); if ignored, Layer 2 still applies. Layer 2: BitLocker + MFA on login + auto-lock after 5 min (Preventive, Technical); if bypassed, Layer 3 still applies. Layer 3: MDM remote-wipe triggered when the device is reported missing (Corrective, Technical) plus daily audit-log review for unusual off-hours logins (Detective, Technical). This plan meets the detective-control requirement; the group should be pushed to add a non-technical detective or corrective control, such as a required lost-device reporting procedure (Operational).
- Card D (Badge controller) strong plan — Layer 1: Written physical-security policy defining who gets server-room access and quarterly access reviews (Preventive/Managerial). Layer 2: Badge reader + anti-tailgating mantrap (Preventive/Technical). Layer 3: Motion-activated camera with alerts to the SOC when the door is held open >30 seconds (Detective/Technical), backed by a guard patrol every 2 hours (Detective/Operational). Diverse layers: policy, technology, human.
- A weak plan to flag during the critique: 'Firewall, antivirus, IDS' for Card A. All three are technical, all three are on the same network layer — that is not defense in depth, that is redundancy in one dimension. Ask the group where the managerial and operational layers are.
No-equipment fallback
If computers are unavailable, provide each group a printed one-page 'Controls Reference Sheet' listing 20 example controls (e.g., MFA, security cameras, backup policy, guard, SIEM, visitor log, BitLocker, IR playbook, awareness training, badge reader, firewall, patch policy, tabletop exercises, DLP, offsite backups, key management, screen lock, background checks, incident hotline, disk-wipe procedure) with a blank next to each for students to classify by function and type before selecting three for their plan.
Formative assessment
10 minA regional water utility discovers that an attacker briefly accessed its treatment-plant controls and altered a chemical dosing setpoint before an operator caught the change and reverted it. Which element of the CIA triad was most directly compromised, and justify your choice in one sentence. (Targets Skill Category 1 Analyze Risk.)
short answerIntegrity. The attacker modified system data (the dosing setpoint) in an unauthorized way; the information was neither disclosed to an unauthorized party (not primarily confidentiality) nor made unavailable (systems kept running), so the property that failed is integrity.Two hospitals run the same unpatched electronic health record software (same vulnerability). Both face the same ransomware threat actors. Hospital A serves 40 patients a day in a rural town; Hospital B is a Level 1 trauma center serving 2,000 patients a day. An AP student writes: 'Their risk is identical because the threat and vulnerability are identical.' Evaluate this claim in 2–3 sentences using the likelihood × impact framework. (Targets Skill Category 1 Analyze Risk.)
short answerThe claim is wrong. Likelihood may be similar because the vulnerability and threat are the same, but impact differs dramatically — a ransomware lockout at a Level 1 trauma center delays emergency care for far more patients and can cause deaths and huge financial and regulatory harm, while the rural clinic's impact, though still serious, is smaller in scale. Since risk ≈ likelihood × impact, Hospital B carries substantially higher risk.A company deploys a SIEM that generates an alert whenever more than 100 failed logins occur on a single account in 5 minutes. Classify this control by (a) function and (b) type, and (c) explain in one sentence how it contributes to defense in depth alongside MFA. (Targets Skill Category 3 Detect Attacks and Skill Category 2 Mitigate Risk.)
short answer(a) Detective — it notices an attack in progress rather than blocking it. (b) Technical — it is implemented by a system. (c) MFA is a preventive/technical control that blocks brute-force logins; the SIEM alert is a diverse, detective layer that catches attackers who bypass or attempt to defeat MFA, so a single failure of the preventive layer does not go unnoticed.Which of the following is the BEST example of defense in depth for a laptop containing sensitive HR data? A) Full-disk encryption, plus a stronger encryption algorithm, plus a longer encryption key B) A written encryption policy, full-disk encryption enforced by MDM, and a required lost-device reporting procedure with remote wipe C) A firewall, antivirus, and an intrusion detection system all installed on the laptop D) Requiring users to change their password every 30, 60, and 90 days on rotating schedules (Targets Skill Category 2 Mitigate Risk.)
multiple choiceB. Defense in depth requires DIVERSE layers across the managerial/operational/technical dimensions and across preventive/detective/corrective functions. Option B combines a managerial control (policy), a technical preventive control (encryption + MDM), and an operational/corrective control (reporting + remote wipe). A and D stack the same kind of control; C stacks three technical network-security controls on one device, which is redundancy in one dimension, not depth.
Vocabulary
- CIA triad
- The three core security properties every asset is evaluated against: confidentiality, integrity, and availability.
- confidentiality
- The property that information is only disclosed to authorized parties.
- integrity
- The property that information and systems are not modified in unauthorized or unintended ways.
- availability
- The property that authorized users can access information and systems when needed.
- threat
- An actor or event with the potential to cause harm (e.g., a ransomware crew, a hurricane, a careless insider).
- vulnerability
- A weakness in an asset or control that a threat could exploit (e.g., an unpatched server, an unlocked door).
- risk
- The combination of how likely a threat is to exploit a vulnerability and how bad the impact would be if it did; roughly risk ≈ likelihood × impact.
- likelihood
- The probability that a specific threat will successfully exploit a specific vulnerability in a given period.
- impact
- The magnitude of harm (financial, operational, reputational, safety) if the event occurs.
- security control
- Any safeguard used to reduce risk; classified by function (preventive, detective, corrective) and by type (managerial, operational, technical).
- defense in depth
- A design strategy that layers multiple, diverse controls so that failure of one layer does not expose the asset.
- risk assessment
- The structured process of identifying assets, threats, vulnerabilities, and existing controls, then estimating likelihood and impact to prioritize mitigation.
Common misconceptions
- Students use threat, vulnerability, and risk interchangeably. Correction: a threat is an ACTOR or EVENT (ransomware crew, hurricane); a vulnerability is a WEAKNESS (unpatched server, unlocked door); risk is the COMBINED likelihood × impact of the threat exploiting the vulnerability. On the AP exam, using the wrong word costs points.
- Students assume the goal of security is to eliminate all risk. Correction: zero risk is neither achievable nor affordable — organizations choose to accept, transfer, mitigate, or avoid risk to bring it to a tolerable level.
- Students think only technical controls (firewalls, antivirus, encryption) count as 'real' security. Correction: a written policy (managerial) and a trained guard or awareness program (operational) are equally legitimate controls, and the AP exam explicitly tests all three types.
- Students treat confidentiality as the only CIA property that matters. Correction: an integrity failure (Stuxnet silently altering PLC commands) or an availability failure (Colonial Pipeline shutdown, Dyn DDoS) can be just as catastrophic as a data leak — a system that is secret but corrupted or unreachable has still failed.
- Students confuse redundancy with defense in depth: three antivirus products on one laptop is not depth, it is redundancy in one dimension. Depth requires DIVERSE layers across managerial/operational/technical and preventive/detective/corrective.
Materials checklist
- Printed 'Case Sort — Northgate Health' handout, one per pair
- Printed asset cards A/B/C/D, one per group of 3–4
- Chart paper or whiteboard space and markers for each group
- Student laptops or tablets (one per group) for controls-classification lookup
- Projector for the auto-generated slide deck
- Exit-ticket copies of the 4 formative assessment items, one per student