Why Cybersecurity Exists
Mission Brief
You're the new junior consultant at ShadowX Labs. A regional fintech, Glasshouse Bank, signs a 90-day engagement after a near-miss incident. Your first deliverable: a one-page asset/threat/risk register the CISO can present to the board on Monday.
Story · A 02:14 a.m. phone call
It's Tuesday, 02:14 a.m. The Glasshouse SOC analyst sees a spike of failed logins against the customer banking portal — 41,000 in eight minutes, sourced from 1,200 residential IPs. Credentials are valid pairs leaked from an unrelated breach two years ago. Three accounts succeed before MFA blocks the rest.
Nothing is stolen. The CEO still calls the CISO at 06:30. 'Why are we exposed to a breach we had nothing to do with?' The CISO has no good one-sentence answer.
That sentence is what you're about to learn to write. It lives at the intersection of six words: information, asset, threat, vulnerability, risk, security. Get those six straight and every other CEH topic — kill chain, MITRE, controls, pentesting — snaps onto a frame that already makes sense.
Trainer · Core Concepts
Information is raw data with meaning (a customer's date of birth). An asset is anything of value to the organisation — could be information, but also a person, a process, a server, a brand. Every asset has an owner, a value, and a sensitivity classification.
A threat is a potential cause of harm. It needs an adversary (who), intent (why), and capability (how). Lightning is a threat to a datacentre even without intent — natural threats count too. CEH cares mostly about human/adversarial threats: criminals, insiders, nation-states.
A vulnerability is a flaw the threat can exploit — unpatched software, weak passwords, a process gap, an untrained user. No vulnerability = the threat has nothing to grab onto. Most controls target vulnerabilities, not threats.
Risk is the *probability that a threat exploits a vulnerability and causes business impact*. Risk only exists when threat AND vulnerability AND impact line up. Remove any one and risk collapses. CEH frames every defensive decision as risk treatment: accept, avoid, mitigate, transfer.
Exposure is the period or state where the vulnerability is reachable by the threat (an unpatched server published to the internet). Security is the set of people, process, and technology controls that reduce risk to an acceptable level — never zero.
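The definitions above can be turned into a small scored register. This is an added example, not part of the original lesson: the 1-5 scales, the band cut-offs, the rule that an unreachable flaw drops likelihood to 1 rather than 0, and the sample entries are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Assumed 1-5 ordinal scales and band cut-offs; the lesson gives only
# "risk = likelihood x impact", not a scale.
BANDS = [(15, "HIGH"), (8, "MEDIUM"), (1, "LOW"), (0, "NONE")]

@dataclass
class Entry:
    asset: str
    threat: str          # "" when no credible threat is identified
    vulnerability: str   # "" when no flaw is recorded
    exposed: bool        # can the threat currently reach the flaw?
    likelihood: int      # 1-5, assuming the flaw is reachable
    impact: int          # 1-5 business impact (0 = none)

    def inherent(self) -> int:
        """Score if the flaw were reachable; 0 when any of threat, vulnerability or impact is missing."""
        if not (self.threat and self.vulnerability and self.impact):
            return 0
        return self.likelihood * self.impact

    def current(self) -> int:
        """Score today. Unreachable is exposure-zero, not risk-zero, so
        likelihood falls to the bottom of the scale (1) instead of 0."""
        if self.inherent() == 0:
            return 0
        return (self.likelihood if self.exposed else 1) * self.impact

def band(score: int) -> str:
    return next(label for floor, label in BANDS if score >= floor)

def register(entries):
    """Rows as (asset, current score, band, inherent score), highest current first."""
    rows = sorted(entries, key=lambda e: e.current(), reverse=True)
    return [(e.asset, e.current(), band(e.current()), e.inherent()) for e in rows]

# Constructed sample entries, loosely based on the Glasshouse story.
SAMPLE = [
    Entry("Customer banking portal", "Credential-stuffing crew",
          "Passwords reused from an unrelated breach", True, 4, 5),
    Entry("Core ledger database", "Criminal group",
          "Unpatched database engine", False, 4, 5),
    Entry("Public marketing site", "Hacktivist", "", True, 3, 2),
]

if __name__ == "__main__":
    for asset, cur, label, inh in register(SAMPLE):
        print(f"{asset:26} current={cur:2} ({label}) inherent={inh}")
```

The gap between the current and inherent columns shows what a change in exposure would cost, which is the point to raise for the unreachable ledger database.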
Micro Labs
Lab 1 · Identify Assets
Glasshouse Bank inventory — classify each item as a CRITICAL ASSET, supporting asset, or NOT an asset.
Lab 2 · Identify Threats
Tag each scenario by threat category. Think: who is the adversary?
Lab 3 · Map Vulnerability → Risk
Match each vulnerability to the most precise resulting risk statement.
Challenge · Board-Brief in 90 seconds
Pick ONE asset from Lab 1, ONE threat from Lab 2, ONE vulnerability you can imagine, and write the resulting risk in board language (≤25 words). Self-grade against the rubric.
CEH v13 Exam Focus
- Risk vs. threat vs. vulnerability vs. exposure (definitions)
- Risk = likelihood × impact formula
- Risk treatment options: accept / avoid / mitigate / transfer
- Asset valuation drives control prioritisation
- TVRE — Threat needs Vulnerability to create Risk; Exposure is the window.
- AAMT — Accept / Avoid / Mitigate / Transfer (the only four risk responses).
- ⚠ 'Risk' and 'threat' used as synonyms in the answer options — pick the one matching the textbook formula.
- ⚠ A vulnerability that nobody can reach is exposure-zero, not risk-zero (a capable threat could appear).
- ▸ Insurance = risk TRANSFER (not mitigate)
- ▸ Decommissioning a service = risk AVOID
- ▸ Patching a CVE = risk MITIGATE
- ▸ Knowing-and-accepting = risk ACCEPT (must be documented + signed)
