In this case, instead of building real resilience, the company focused on following NIST compliance, which led to people blindly following frameworks but not acting fast when it mattered. The breach kept repeating because controls were treated as checkboxes, not living safeguards. The case shows that strong cybersecurity depends on behaviour and ownership as much as on firewalls. And governance should turn being compliant into actually being safe.
Our team focused on 'Exposure'. I think these four fragments map the progression of exposure across technical, procedural, and governance levels. Fragment 1 shows direct data exposure through compromised admin credentials; Fragment 2 reveals control exposure caused by poor credential hygiene and weak monitoring. Fragment 3 highlights communication and operational exposure, where unclear escalation and untested playbooks delayed containment. Finally, Fragment 4 exposes governance-level vulnerabilities, as the lack of lessons learned and oversight left systemic weaknesses unaddressed. Together, they show how unmanaged exposures can compound from a single point of failure into an enterprise-wide risk.
The slide explains cybersecurity failures through the classic CIA triad, but I'm wondering whether this framework is becoming too narrow for modern risk environments. For example, cyber attacks today increasingly target data authenticity, algorithm manipulation, and model poisoning, which are issues that don’t cleanly fit into availability or integrity. Should the CIA model be expanded to include concepts like resilience, verifiability, or algorithmic trust in order to keep pace with AI-driven systems?
Our group looked at resilience in this case. The breach spread because a vendor admin credential was stale and the API gateway had no audit logs, so the team started containment blind. In the war room, people argued about shutting APIs vs. notifying clients because there was no tested decision tree or clear owners, so time was lost. Afterward, there was no lessons-learned session, no KRI update, and no board check-in, which shows resilience was a document, not a capability. Fixes we'd push: a service-tiered shutdown matrix, quarterly data-exfil drills, enforced credential rotation for vendors, API log coverage targets, and KRIs like time to contain and time to decision.
This class focuses on analyzing cybersecurity risk and applying the ECRG framework to a real-world case. Among the many insights I gained, the most valuable was the deeper understanding of controls, particularly authentication and authorization. Initially, I viewed these two controls as interchangeable since both relate to user identity. However, as Professor Peccia clarified, they serve distinct but interconnected purposes. Authentication verifies the identity of a user, confirming that you are who you claim to be, while authorization determines what an authenticated user is permitted to do within the system. In other words, authorization builds on authentication by defining and limiting the information and actions available to each user. This understanding reinforced how all controls within the ECRG framework are…
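The authentication/authorization distinction in the post above, and the stale vendor credential from the resilience post, can be shown in a few lines of code. The example below is added here and is not from the course, the case, or any of the posts. It assumes a constructed in-memory user store, a hypothetical role-to-permission policy, and a 90-day credential rotation policy; every user name, password, role and resource in it is made up. Authentication answers "is this really vendor-ops?" (password check plus credential age), and only then does authorization answer "may vendor-ops write gateway_config?". A correct password with the wrong role is forbidden, and a correct password past its rotation deadline never reaches the authorization step at all.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000          # OWASP guidance for PBKDF2-HMAC-SHA256
CREDENTIAL_MAX_AGE = 90 * 24 * 3600  # assumed rotation policy: 90 days, in seconds


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


def register_user(store, username, password, roles, now):
    """Store a salted PBKDF2 hash, the user's roles and when the credential was issued."""
    salt = os.urandom(16)
    store[username] = {
        "salt": salt,
        "hash": _hash_password(password, salt),
        "roles": set(roles),
        "issued_at": now,
    }


def authenticate(store, username, password, now):
    """AuthN: return the verified principal, or None. Never says why it failed."""
    record = store.get(username)
    if record is None:
        _hash_password(password, b"\x00" * 16)  # burn the same time as a real user
        return None
    if now - record["issued_at"] > CREDENTIAL_MAX_AGE:
        return None  # stale credential: must be rotated before it can be used
    if not hmac.compare_digest(_hash_password(password, record["salt"]), record["hash"]):
        return None
    return username


# Hypothetical policy: role -> set of (action, resource) the role may perform.
POLICY = {
    "support": {("read", "tickets")},
    "vendor_admin": {("read", "gateway_config"), ("write", "gateway_config")},
    "dba": {("read", "customer_db"), ("export", "customer_db")},
}


def authorize(store, principal, action, resource):
    """AuthZ: only ever called with a principal that authenticate() returned."""
    roles = store[principal]["roles"]
    return any((action, resource) in POLICY.get(role, set()) for role in roles)


def handle_request(store, username, password, action, resource, now):
    principal = authenticate(store, username, password, now)
    if principal is None:
        return "unauthenticated"  # HTTP 401: identity not established
    if not authorize(store, principal, action, resource):
        return "forbidden"        # HTTP 403: identity known, action not allowed
    return "ok"


def demo():
    """Constructed scenario: one vendor admin, one support user, four requests."""
    store = {}
    t0 = 1_700_000_000
    register_user(store, "vendor-ops", "correct horse battery staple", ["vendor_admin"], t0)
    register_user(store, "alice", "hunter2-but-longer", ["support"], t0)
    return {
        "wrong_password": handle_request(
            store, "vendor-ops", "nope", "read", "gateway_config", t0 + 10),
        "valid_but_unauthorized": handle_request(
            store, "alice", "hunter2-but-longer", "export", "customer_db", t0 + 10),
        "valid_and_authorized": handle_request(
            store, "vendor-ops", "correct horse battery staple", "write", "gateway_config", t0 + 10),
        "stale_credential": handle_request(
            store, "vendor-ops", "correct horse battery staple", "write", "gateway_config",
            t0 + CREDENTIAL_MAX_AGE + 1),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {outcome}")
```

Two design choices matter here. `authenticate()` returns only a principal or `None`, so a caller cannot distinguish "no such user", "stale credential" and "wrong password"; that keeps the login endpoint from becoming a user-enumeration oracle. And `authorize()` takes the principal that `authenticate()` returned rather than the raw request's username, which is the layering the post describes: authorization builds on an identity that has already been verified, never on one the client merely asserted.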