Module 01

Security Frameworks

The mental models the field uses to talk about risk. Subsection A — the CIA Triad — covers the foundational properties every security control defends. Subsection B — CVE & CVSS — covers the public systems for naming and scoring the specific bugs that put those properties at risk.

00

About this module

This module has three subsections. Subsection A — the CIA Triad — breaks the foundational model into eight reference pages: the three properties (Confidentiality, Integrity, Availability), how they pull against each other, the Parkerian Hexad extension, a map of common attacks to the pillars they violate, and a controls matrix. Subsection B — CVE & CVSS — covers the public systems for naming and scoring real vulnerabilities, with a focus on how AI is about to change the volume. Subsection C — Ethics — is a directory of the professional codes of ethics and corporate codes of conduct used as this course's choose-one-and-agree assignment.

There is no required reading order, but the pages within each subsection are sequenced for a first read. Each one ends with prev/next navigation if you want to walk the track straight through.

Pages: 10 of 10 live
Module: 01.A · 01.B · 01.C · 01.D
Track: Foundational
01

Subsection A · The CIA Triad

01.A.01
Foundations of the Triad
What the model is, where it came from, why it became the default mental map of information security, and what it deliberately does not try to cover.
Live
01.A.02
Confidentiality
Who is allowed to see what, and how we enforce it. Classifications, encryption, access controls, masking. Anchored on the 2017 Equifax breach.
Live
01.A.03
Integrity
Has the data been changed, and can we tell? Hashing, digital signatures, MACs, version control, separation of duties. Anchored on the SolarWinds Orion supply-chain attack.
Live
01.A.04
Availability
Is the system there when the right people need it? Redundancy, failover, backups, DDoS mitigation, the math of uptime. Anchored on the 2021 Colonial Pipeline shutdown.
Live
01.A.05
The Tensions Between Pillars
Why the triad is a triangle. Maximum confidentiality often hurts availability, maximum availability often hurts integrity, and every real decision picks a side.
Live
01.A.06
The Parkerian Hexad
Donn Parker's 1998 extension. Possession/Control, Authenticity, and Utility added to the original three, with the encrypted stolen laptop scenario that exposed the gap.
Live
01.A.07
Mapping Real Attacks to the Triad
A reference table for every attack category you will see in Rolling Thunder Security, tagged with the CIA pillars it violates and a one-sentence justification.
Live
01.A.08
Controls Matrix
A two-axis reference: CIA pillar across, control category down. Cells filled with concrete examples so any proposed control can be placed on the map.
Live
02

Subsection B · Naming and scoring vulnerabilities

03

Subsection C · Ethics and professional conduct

04

Subsection D · Threat Modeling

05

Subsection E · Compliance Fundamentals