ePortfolio Entry #1
Forrest Pham
Christopher Bowman
CYSE 200T
September 15, 2024
CIA Triad and Authorization vs. Authentication
BLUF: The paper provides an overview of the CIA Triad, which includes Confidentiality, Integrity, and Availability, three important concepts in information security. It also explains the differences between Authentication and Authorization, showing how each plays its own unique role in the process of keeping data safe and managing access to it.
The CIA Triad
The CIA Triad rests on three concepts that form the basis of information security: confidentiality, integrity, and availability. These concepts are crucial for making and following the rules meant to protect data and systems.
Confidentiality ensures that information is kept away from unauthorized people. Techniques to do this include encryption, access controls, and authentication, which ensure only allowed individuals can access sensitive information. For instance, “Confidentiality measures have been developed to prevent unauthorized access attempts to sensitive information” (Chai). One example is the use of 2FA for online banking, which requires both a password and a code received on the user’s mobile phone.
Integrity means that data stays correct and reliable. It ensures that no unauthorized person makes changes to the data and that the data is consistent when it is used. Mechanisms like cryptographic checksums and version control ensure data integrity. As indicated, “Integrity refers to maintaining the consistency, accuracy, and trustworthiness of the data throughout its entire life-cycle” (Chai). For example, a digital signature might serve as proof that authentic software updates have not been tampered with.
Availability ensures that information and resources are accessible to authorized users when required. This includes keeping hardware and software in proper condition to prevent malfunctions. “Availability means information should be consistently and readily accessible for authorized parties” (Chai). Techniques such as deploying additional server systems and taking frequent backups ensure that a website remains functional during a hardware failure.
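The following example is added here and is not part of the original paper. It compares a plain cryptographic checksum with a keyed check for a software update. The Python standard library has no digital signatures, so an HMAC with a shared key stands in for the signature; the update bytes and the key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample data: the update bytes and the key are made up.
UPDATE = b"app-update v2.1 (constructed sample payload)"
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def checksum(data):
    """Unkeyed SHA-256 checksum: anyone can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac(data, key):
    """Keyed tag (HMAC-SHA256): only a holder of the key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_checksum(data, published):
    return hmac.compare_digest(checksum(data), published)


def verify_mac(data, tag, key):
    return hmac.compare_digest(mac(data, key), tag)


def simulate():
    """Return which checks pass (True) or fail (False) in each case."""
    published_sum = checksum(UPDATE)
    published_tag = mac(UPDATE, VENDOR_KEY)
    results = {}
    # Case 1: accidental corruption in transit. Both checks reject the file.
    corrupted = UPDATE[:-1] + b"?"
    results["corruption_checksum"] = verify_checksum(corrupted, published_sum)
    results["corruption_mac"] = verify_mac(corrupted, published_tag, VENDOR_KEY)
    # Case 2: the file and its published checksum are both replaced.
    # The unkeyed checksum still matches, so the change goes undetected.
    tampered = UPDATE + b" + unauthorized change"
    results["tamper_checksum"] = verify_checksum(tampered, checksum(tampered))
    # A valid tag for the changed file cannot be made without the key,
    # so the keyed check rejects it and still accepts the genuine update.
    results["tamper_mac"] = verify_mac(tampered, published_tag, VENDOR_KEY)
    results["genuine_mac"] = verify_mac(UPDATE, published_tag, VENDOR_KEY)
    return results
```

A checksum alone protects against accidental change; protection against deliberate change needs a key or signature that the party altering the data does not hold.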
Authentication vs. Authorization
Authentication is the process of verifying that users or systems are who they claim to be. Normally, identity is verified with information such as usernames and passwords, or with personal features such as fingerprints or facial identification. For instance, to log into an email account, one needs a password to verify who the user is.
Authorization determines what an authenticated user is permitted to do. It defines the rights and privileges that are given to the user. After the identity is verified, the system checks what the user can do and what they can access. According to this article, “Authorization is a process of determining and granting the permissions to a authenticated user or system which defines what resources they can access and what operations they’re allowed to perform” (GeeksforGeeks). For instance, when a user logs into their email account, that is authentication, while authorization decides what they can do inside it, such as sending or reading emails.
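The email scenario above can be written as two separate checks. This example is added here and is not part of the original paper; the users, roles, passwords, and status strings are constructed sample values, and the PBKDF2 iteration count is an assumed setting.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed for this sketch)

# Authorization data: what each role may do inside the mailbox (constructed).
ROLE_PERMISSIONS = {
    "owner": {"read", "send", "delete"},
    "read_only_delegate": {"read"},
}
USERS = {}  # username -> salt, password hash, role (in-memory sample store)


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def register(username, password, role):
    salt = os.urandom(16)  # per-user salt; only the derived hash is stored
    USERS[username] = {"salt": salt, "hash": _derive(password, salt), "role": role}


def authenticate(username, password):
    """Authentication: is this really the user? Returns the username or None."""
    record = USERS.get(username)
    if record is None:
        return None
    candidate = _derive(password, record["salt"])
    return username if hmac.compare_digest(candidate, record["hash"]) else None


def authorize(username, action):
    """Authorization: may this already-authenticated user perform the action?"""
    if username is None:  # an unauthenticated caller is never authorized
        return False
    role = USERS[username]["role"]
    return action in ROLE_PERMISSIONS.get(role, set())


def handle_request(username, password, action):
    user = authenticate(username, password)
    if user is None:
        return "401 not authenticated"  # identity was not proven
    if not authorize(user, action):
        return "403 not authorized"     # identity proven, action not permitted
    return "200 " + action + " allowed"


register("alice", "correct horse battery staple", "owner")
register("bob", "bob-sample-password", "read_only_delegate")
```

Bob's correct password gets him past authentication, but a send request is still refused because his role only grants read access.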
Conclusion
Understanding the CIA Triad is important for creating good information security policies. Confidentiality, Integrity, and Availability each focus on key parts of data protection. Also, knowing the difference between Authentication and Authorization helps manage user access and make sure that security measures work well. Authentication checks who the user is, while Authorization decides what access rights they have. Together, these ideas are the basis of strong security practices, keeping data safe from unauthorized access and ensuring it remains complete and available.
Works Cited
Chai, Wesley. “What is the CIA Triad? Definition, Explanation, Examples.” (28 June 2022)
“Difference Between Authentication and Authorization.” GeeksforGeeks, 24 July 2024, www.geeksforgeeks.org/difference-between-authentication-and-authorization/.
ePortfolio Entry #2
Forrest Pham
Christopher Bowman
CYSE 200T
November 10, 2024
Balancing Technology and Training: Addressing the Human Factor in Cybersecurity
BLUF: Given limited cybersecurity budgets, organizations must balance spending on cybersecurity training and technology investments. Both are vital in defending against cyber threats.
With limited resources, securing an organization’s systems becomes more difficult as sophisticated cyberattacks become more frequent. It goes without saying that organizations must invest in cybersecurity technologies like firewalls, encryption, and intrusion detection systems to help protect sensitive data from potential breaches. The company should also invest in equal measure in training employees to identify potential threats and prevent them. Collins et al. (2011) observe that organizational data breaches, especially in the health and education sectors, are a cause for alarm. The authors attribute cyber attackers’ tendency to target these sectors to a lack of appropriate security measures. For instance, health information systems in states with breach notification laws report more incidents than others, an indication that protection is still not at its best. This calls for a two-pronged approach that combines technology and the human element in the fight against cyber threats. An employee who has been adequately trained to identify suspicious activities and respond appropriately complements the technological protection (Collins et al., 2011).
Despite the importance of training, investment in technology remains fundamentally significant and cannot be disregarded. Ashwin Krishnan says, “While cybersecurity budgets are usually strained, investment in advanced technologies remains imperative, especially in threat detection, automated response systems, and secure network infrastructure, to stay ahead of the evolving threats.” Without these tools, even the best-prepared staff can be overwhelmed by sophisticated attacks, leaving organizations vulnerable to compromise. Payne further details how white-collar crime and cybercrime increasingly overlap, with advances in technology, coupled with broadened access to computers, opening up avenues of criminal opportunity. Many such crimes meld conventional financial crime with digital methods, again underlining the demand for state-of-the-art security tools to deter these threats.
In fact, the balance between technology and training largely depends on the specific risk profile of an organization and the industries in which it operates. As Krishnan said, “This is where a risk-based approach towards budgeting can assist in trying to determine an effective means of resource allocation.” Indeed, industries such as healthcare, whose sensitive data is highly sought after, de facto require advanced security technologies to take a leading role, joined by continuous employee education. Such a combination ensures that organizations are ready to address both technical vulnerabilities and human frailties, thus establishing an all-encompassing and proactive security posture.
Conclusion
Resources for cybersecurity investment are available, but organizations must make difficult choices depending on their unique risk landscape. The right balance needs to be struck between technological investments and ongoing employee training, strengthening defenses against emerging cyber-attack threats. This two-fold approach prepares an organization on both the technical and human elements of cybersecurity, safeguards valued assets, and helps greatly in reducing potential damage from cyber-attacks.
Works Cited
Collins, Jason D., Vincenzo A. Sainato, and David N. Khey. “Organizational Data Breaches 2005-2010: Applying SCP to the Healthcare and Education Sectors.” International Journal of Cyber Criminology, vol. 5, no. 1, Jan.-July 2011, pp. 794-810. International Journal of Cyber Criminology, ISSN 0974-2891.
Krishnan, Ashwin. “Cybersecurity Budget Breakdown and Best Practices.” TechTarget, 1 Sept. 2022, https://www.techtarget.com/searchsecurity/Cybersecurity-Budget-Breakdown-and-Best-Practices.
Payne, Brian K. “White-Collar Crime, Cybercrime, or Both?” Criminology, Criminal Justice, Law & Society, vol. 19, no. 3, 2018, pp. 16-32. Scholastica, https://scholasticahq.com/criminology-criminal-justice-law-society/.
ePortfolio Entry #3
Forrest Pham
Christopher Bowman
CYSE 200T
November 2, 2024
SCADA and Critical Infrastructure: Challenges and Solutions
BLUF: SCADA systems are the backbone of infrastructure operations and are targeted with increasing frequency by cyber threats. Effective protection therefore requires an aggressive security framework that accounts for the newer vulnerabilities that come with IP-based technologies.
Critical infrastructure systems, such as power and water supply networks, are fundamental supports of our daily way of life and safety. Unfortunately, they are very likely targets for cyber-attacks, especially as traditional proprietary protocols migrate towards IP-based systems (SCADA Systems). This transition brings along the vulnerabilities associated with IP technologies, which makes these systems more susceptible to cyber threats. Further, much of this infrastructure contains obsolete components, which makes security difficult to implement. For instance, utility companies that rely on aging SCADA systems that are seldom updated expose themselves to attacks capable of causing disruptions in service and creating public hazards (Digital Guardian).
SCADA systems are part of the critical infrastructure on which our reliance is absolute. They gather data from hundreds of sensors and allow operators to act on conditions in real time. SCADA would, for example, instantly flag an anomaly when it occurs in the operation flow within a chemical plant, enabling timely action that might prevent disasters. But this same vital functionality makes SCADA systems of great interest to cyber attackers, which is another call for effective security strategies.
With the increased dependence on IP-based protocols like TCP/IP, the urgency of ensuring stringent security also increases. Unfortunately, most security approaches are still reactive and focused on compliance instead of proactive security. One of the proposed frameworks for securing SCADA systems involves adapting the best practices of IT security to handle the unique challenges of the industrial environment. This framework emphasizes governance, risk management, and compliance controls that fit SCADA operations (ISACA).
Continuous risk assessment is a major cornerstone of prudent SCADA security; frequent re-evaluation of vulnerabilities enables an organization to act expeditiously against emerging threats. Asset management is also of key importance, since identifying and classifying SCADA assets enables organizations to identify possible vulnerabilities (Digital Guardian). Besides that, effective monitoring and incident management are critically required because of the intrinsic weaknesses of SCADA protocols. A good monitoring system allows an organization to respond to a security incident effectively, improving its security posture and securing critical infrastructure against cyber-attacks that keep changing.
Conclusion
In other words, as fundamental as SCADA systems are to the continuity and integrity of basic infrastructure, moving to IP-based structures increases their cyber vulnerabilities. Security for SCADA systems can therefore only be ensured through an all-inclusive, holistic model that integrates continuous risk assessment, proactive monitoring, and appropriate governance strategies. Such a model would give organizations the much-needed ability to protect their SCADA systems from existing and future threats in an ever-interconnected world (SCADA Systems).
Works Cited
Digital Guardian. “What SCADA Security.” Digital Guardian, 2024, https://www.digitalguardian.com/blog/what-scada-security.
ISACA. “SCADA Cybersecurity Framework.” ISACA Journal, 2014, https://www.isaca.org/resources/isaca-journal/past-issues/2014/scada-cybersecurity-framework.
SCADA Systems. “SCADA Systems.” SCADA Systems, 2024, http://www.scadasystems.net.