Introduction to Cybersecurity
The starting point for understanding how normal actions, accounts, data and everyday habits can become a risk in personal life and at work.
Objectives and practical frame
By the end of this module, participants will be able to:
- 01
explain what cybersecurity is using simple, everyday examples.
- 02
understand why security affects every person who uses digital tools, not only technical roles.
- 03
identify data, accounts and digital tools that need to be protected.
- 04
interpret cyber risk by connecting the situation, the weakness and the possible consequences.
- 05
distinguish between threat, vulnerability, impact and likelihood in practical cases.
- 06
understand the role of haste, habit and trust in security decisions.
1.1 What Cybersecurity Is
Cybersecurity is the way we protect what we use and produce in the digital world: accounts, devices, documents, data and services. It is not only about servers, firewalls or technical roles. It comes into play whenever one of our digital actions can open, close or leave something exposed.
Think of security as the habit of checking doors and keys, but in the digital world. A password is a key, an account is a door, a shared document is a room you are giving access to. The point is not to live in alarm, but to understand when a normal gesture deserves one more check.
Many problems do not come from complex attacks, but from automatic decisions: trusting a message, opening an unexpected file, always using the same password or sharing a document without looking carefully at who can access it. Security is there precisely to slow down those moments.
1.2 Why It Affects Everyone Today
Today almost every personal or work activity leaves a digital trace. Even someone who does not do technical work can handle important information every day: an invoice to approve, a document to send, access to a portal or a customer detail. Security enters there, at the moment when something passes through our digital hands.
Think of your digital identity as a set of keys. Some open private rooms, others open work services, others let people speak in your name. If a key ends up with the wrong person, the problem does not stay closed in one place: it can spread to other accounts, contacts, documents and relationships.
Compromised email account
A compromised email account can become a very powerful key. From there, someone can recover passwords, read confidential documents or send false messages to contacts. This is why security is not only about “people who have something to hide”, but about anyone who has accounts, relationships and information to protect.
1.3 Cybersecurity in Everyday Life
Cybersecurity does not appear only when an obvious attack happens. It is present in small everyday decisions: updating a device, choosing a solid password, avoiding unknown apps or checking a site before entering sensitive data. These are normal actions, but they become protection when they are done carefully.
In daily work, risk often hides in ordinary moments. A payment request arrives, an attachment is opened, a document is shared with a customer, a computer is left on during a break. None of these actions is dangerous in itself; it becomes dangerous when it is done in a hurry or without checking.
This is why security comes from the meeting between correct tools and correct behaviors. Antivirus software, a strong password or an updated system help a lot, but they do not replace the ability to stop, read the context and verify before acting.
1.4 The Concept of Cyber Risk
To understand cybersecurity, you first need to understand risk. Cyber risk arises when something can go wrong, finds a weak point and produces a consequence. The definition sounds technical, but it describes very concrete situations.
Take a fake message that invites someone to enter a password. The threat is the message built to deceive; the vulnerability may be haste, a missing procedure or a skipped check; the impact is what happens if the account is compromised; the likelihood depends on how plausible it is that a person falls for it in that context.
Thinking in terms of risk helps give problems the right weight. Not everything deserves the same attention: some events are frequent but limited, others are rare but very serious. Practical security helps understand where to focus controls, time and energy.
1.4.1 Threat
A threat is something that can cause a security problem. It does not always look like a spectacular attack: it can appear as a credible message, a polite phone call, a file received at the right moment or a request that seems normal only because it arrives while we are busy.
The point is not to ask whether the threat looks “like something from a movie”, but what it is trying to obtain. It wants to make you click, enter a password, open an attachment, authorize a payment or lower your attention. If it pushes toward a risky action, it should be treated as a threat even when its tone is polite and professional.
By itself, however, a threat does not always produce damage. To succeed, it must meet a vulnerability: a technical weak point, an unclear procedure or a person placed under pressure at the wrong moment.
1.4.2 Vulnerability
A vulnerability is the weak point that allows the threat to work. It can be an outdated device, a poorly protected account or a reused password; but it can also be a habit, such as clicking too quickly or sharing information without verifying the context.
Many vulnerabilities make no noise. A company can have valid technical tools but remain exposed if it does not have clear procedures for verifying payments, bank-detail changes, permissions and unusual requests. In that case, the weak point is not a computer: it is the way a decision is made.
A vulnerability is often noticed only after the incident, when it becomes clear which control was missing. Looking for it earlier means observing habits, tools and procedures with a simple question: if a false request arrived, where could it get through?
1.4.3 Impact
Impact is what happens afterward, when the risk materializes. It does not measure how serious the episode seems at the beginning, but what consequences it actually produces: a lost account, a wrong payment, an exposed document, a blocked service or a person deceived using our name.
The same gesture can have very different impacts depending on the context. Opening a suspicious attachment on an isolated computer is not the same as doing it on a workstation connected to shared documents, customers and internal systems. This is why it is not enough to ask “what happened?”, but also “what can it reach from here?”.
In a company, impact can spread quickly. A small incident can interrupt work, involve customer data, generate costs, damage trust or create formal management obligations. Understanding impact helps set priorities: not everything is urgent in the same way.
1.4.4 Likelihood
Likelihood indicates how realistic it is that a problem will happen. It is not a perfect prediction, but a practical estimate: something that happens often, or that many people encounter every week, deserves simple and repeatable controls.
A phishing message may seem trivial if we look at it alone. But if an office receives many of them, with different tones and perhaps during high-workload moments, the likelihood that someone will click increases. Frequency changes risk.
At the same time, a rare event may deserve attention if it would have very serious consequences. Likelihood helps avoid two opposite mistakes: ignoring what happens often because it seems normal, or treating every remote scenario as if it were imminent.
1.5 Human Behavior as a Weak Point
Many attacks work because they do not try to overcome technology immediately: they first try to overcome us. They exploit the moment when we are in a hurry, trust the name we see on the screen or want to resolve quickly a request that seems urgent.
In daily work, a dangerous message rarely appears as something absurd. It usually resembles a plausible communication: a payment to release, an account to verify, a document to open, a delivery to fix. Its strength lies in seeming normal enough to make us skip a check.
When a person acts under pressure, they check less. This is why slowing down in front of an urgent request is not a waste of time: it is the moment when common sense starts working again.
1.6 Not Only Technology, but Method
Cybersecurity cannot rely only on technical tools. Antivirus software, updates, backups and access controls are important, but they really work only when they are accompanied by attention, verification, clear procedures and willingness to report doubts or errors.
A good method starts from a simple question: does this request make sense in context? If an unexpected urgent invoice arrives, looking at the logo is not enough. You need to stop, understand whether the request was expected and verify the data using reliable contact details, not those provided in the suspicious message.
Fake bank SMS
A person receives a text message that seems to come from the bank: “Suspicious access detected. Verify your account immediately”. The message creates anxiety and invites them to click. The correct behavior is to leave the path indicated by the message: open the official app or the known website, do not communicate OTP codes and contact the bank only through official channels.
Unlocked company computer
A company computer left unlocked for a few minutes can expose email, documents, business applications and customer data. Locking the screen when stepping away is a simple measure, but it protects information and responsibility.
Cyber risk does not come only from hackers. It can come from an impulsive click, a reused password, an attachment opened without verification or a document shared with the wrong recipient.
“I have nothing important, so I am not a target” is a dangerous belief. Every person has accounts, contacts, documents, photos, banking data and personal information. In a company, even an apparently secondary account can become an entry point toward data, suppliers, payments or internal systems.
Before acting on a suspicious message, it is useful to stop and reconstruct the context. An expected request, a recognizable sender and a consistent channel lower the risk; urgency, pressure and requests for data or money raise it. If a doubt remains, verification must go through an official channel or a reliable contact.
Digital tools map
Choose some digital tools you use every week. For each one, ask yourself what data it contains, what would happen if someone accessed it without permission and which protections are already active.
Fake bank email
Use the worksheet below to analyze a fake bank email. Fill in the fields by identifying threat, vulnerability, impact and likelihood. The character limit is not an obstacle: it is there to force you to seek synthesis, remove the unnecessary and keep only the truly important concepts.
Cybersecurity concerns anyone who uses digital tools, because every day we manage accounts, documents, messages and decisions that can have concrete consequences. Technology helps, but it does not replace method: understanding risk, recognizing weak points and not acting automatically when a request creates pressure. The principle to carry with you is simple: slow down, check and verify before clicking, sharing or authorizing something.