Information Security

What Truly Defines Cybersecurity? Vulnerabilities, Trust, Risk & More

Cybersecurity’s essence is examined from multiple angles—vulnerabilities, adversarial confrontation, trust assumptions, risk management, human awareness, cost considerations, and governance—highlighting that security is not a single concept but a composite of technical, managerial, and strategic layers embodied in the CIA triad.

Efficient Ops

With increasing national attention and new legal frameworks, cybersecurity has become a hot topic in China, with annual conferences and the "China National Cybersecurity Publicity Week" held nationwide during the third week of September.

The nature of network security is debated: some view it as vulnerabilities, others as confrontation, trust, risk, human awareness, cost, or management.

What is network security? Literally, it combines "network"—a system of electronic components—and "security"—the state of being free from danger. The Cybersecurity Law defines a network as a system of computers and related devices that collect, store, transmit, exchange, and process information.

1. Security as Vulnerability

Vulnerabilities are flaws in hardware, software, protocols, or security policies that allow unauthorized access or damage. They can stem from unintentional bugs (e.g., the SMB vulnerability exploited by ransomware) or from intentional backdoors. Fixing vulnerabilities often means patching bugs, but new vulnerabilities appear constantly—averaging 10,000 per month worldwide—so not all can be fixed at once. Prioritization typically depends on whether public PoC code is available, since a vulnerability with a working public exploit is far more likely to be used against exposed systems.

2. Security as Confrontation

Confrontation emphasizes the ongoing arms race between attackers and defenders. Any exposed product on the Internet can be exploited, and closed‑source designs often give a false sense of security. Competitions like the "Buxian Cup" and XCTF foster practical skills by challenging participants to discover and exploit IoT vulnerabilities.

3. Security as Trust

Trust assumptions shape security designs—whether developers, operators, or users are presumed trustworthy. Zero‑trust models reject implicit trust. However, trust alone cannot guarantee security; human error and malicious insiders still pose risks.

4. Security as Risk Management

Risk is the potential for harm caused by threats exploiting vulnerabilities. Effective risk management analyzes the risk environment, assesses system fragility, and devises mitigation strategies. The ALARP principle (As Low As Reasonably Practicable) guides risk prioritization.
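The sections on vulnerabilities and on risk management above describe the same practical problem: far more findings arrive than can be fixed, so they have to be ranked. The following added example (not code from the original article) builds a small risk register that scores each item as likelihood × impact, raises the likelihood when public PoC code exists or the system is Internet-exposed (the prioritization criterion from section 1), and then places each score in an ALARP band. The scales, thresholds and sample risks are constructed for illustration; the exact scale an organization uses is a policy choice.

```python
from dataclasses import dataclass

# Five-point qualitative scales (constructed for this example; adjust to local policy).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass
class Risk:
    name: str
    likelihood: str          # key of LIKELIHOOD
    impact: str              # key of IMPACT
    public_poc: bool = False       # exploit code is publicly available
    internet_exposed: bool = False # reachable from the Internet


def score(risk: Risk) -> int:
    """Likelihood x impact, with likelihood bumped (capped at 5) for public PoC and exposure."""
    likelihood = LIKELIHOOD[risk.likelihood]
    if risk.public_poc:
        likelihood = min(5, likelihood + 1)
    if risk.internet_exposed:
        likelihood = min(5, likelihood + 1)
    return likelihood * IMPACT[risk.impact]


def alarp_band(value: int, intolerable: int = 15, broadly_acceptable: int = 4) -> str:
    """Map a score to the three ALARP regions (thresholds are assumptions for this example)."""
    if value >= intolerable:
        return "intolerable"        # must be reduced regardless of cost
    if value > broadly_acceptable:
        return "alarp"              # reduce as far as reasonably practicable
    return "acceptable"             # tolerate and monitor


def prioritise(risks: list[Risk]) -> list[tuple[str, int, str]]:
    """Return (name, score, band) for every risk, highest score first."""
    rows = [(r.name, score(r), alarp_band(score(r))) for r in risks]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample register.
SAMPLE_RISKS = [
    Risk("Unpatched SMB service on file server", "possible", "severe",
         public_poc=True, internet_exposed=True),
    Risk("Weak password policy on intranet portal", "likely", "major"),
    Risk("Outdated plugin on internal wiki", "possible", "minor", public_poc=True),
    Risk("Unused test VM holding no data", "unlikely", "negligible"),
]

if __name__ == "__main__":
    for name, value, band in prioritise(SAMPLE_RISKS):
        print(f"{value:>3}  {band:<12} {name}")
```

The bump-and-cap rule keeps the PoC and exposure adjustments from pushing likelihood off the scale; the "intolerable" band is where ALARP says cost arguments do not apply, which ties this back to the cost discussion later in the article.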

5. Security as Human Awareness

Human factors—lack of security awareness, weak passwords, and insider threats—are major contributors to incidents. Training and cultivating a security‑first mindset are essential to complement technical controls.

6. Security as Cost

Investing in security incurs costs, but defensive expenses typically far exceed attackers' costs. Organizations must balance budget constraints with the need for robust protection, seeking cost‑effective solutions.

7. Security as Management

Management encompasses organizational structures, policies, and technologies. The Information Security Management System (ISMS) based on ISO/IEC 27001 provides a framework for establishing, implementing, and continuously improving security controls.

8. Security as CIA Protection

The ITSEC model defines three core security objectives—Confidentiality, Integrity, and Availability (CIA):

Confidentiality

Ensures that data is accessed only by authorized subjects, typically achieved through encryption, isolation, and access control mechanisms.

Integrity

Guarantees that data is modified only by authorized actions, often enforced with digital signatures, audit logs, and strict permission models.

Availability

Ensures that authorized users can reliably access data and services, requiring redundancy, load balancing, and protection against denial‑of‑service attacks.
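The integrity objective above mentions audit logs as an enforcement mechanism, but a log only supports integrity if the log itself cannot be silently altered. As an added example (not part of the original article), the block below keeps a tamper-evident audit log: each entry carries an HMAC over the previous entry's tag and its own content, so modifying, reordering or inserting entries breaks the chain and `verify_log` reports the first bad index. The key, events and field names are constructed for the example.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # tag used as the "previous" value for the first entry


def append_entry(log: list, key: bytes, event: dict) -> list:
    """Append an event whose MAC chains it to the entry before it."""
    prev = log[-1]["mac"] if log else GENESIS
    body = json.dumps(event, sort_keys=True)          # canonical serialisation
    mac = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
    log.append({"event": event, "prev": prev, "mac": mac})
    return log


def verify_log(log: list, key: bytes):
    """Return the index of the first entry that fails verification, or None if the chain holds."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = json.dumps(entry["event"], sort_keys=True)
        expected = hmac.new(key, (prev + body).encode(), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return i
        prev = entry["mac"]
    return None


def build_sample_log(key: bytes) -> list:
    """Constructed sample events; in practice these come from the application."""
    log = []
    append_entry(log, key, {"user": "alice", "action": "login", "result": "ok"})
    append_entry(log, key, {"user": "alice", "action": "read", "object": "payroll.xlsx"})
    append_entry(log, key, {"user": "bob", "action": "chmod", "object": "/etc/shadow"})
    return log


if __name__ == "__main__":
    key = b"example-log-key-not-for-production"  # constructed; keep the real key off the logged host
    log = build_sample_log(key)
    print("intact:", verify_log(log, key))         # None
    log[2]["event"]["user"] = "alice"              # rewrite history in place
    print("tampered:", verify_log(log, key))       # 2
```

The chain detects edits and reordering of existing entries but not truncation of the tail, since dropping the last entries leaves a valid shorter chain; the usual mitigation is to periodically record the latest MAC on a separate system, which also keeps the MAC key away from the users whose actions are being logged (a confidentiality requirement in service of integrity).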

Understanding these dimensions helps organizations define security requirements, prioritize controls, and build comprehensive protection strategies.

Tags: risk management, vulnerability, cybersecurity, trust, CIA
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
