Cybersecurity is the protection of computers, networks, and electronic communications—along with the information they process—through measures that ensure confidentiality, integrity, availability, authentication, and non‑repudiation, and by preventing, detecting, and responding to attacks, as defined in the National Institute of Standards and Technology glossary (NIST CSRC Glossary, csrc.nist.gov).
Scope and practice
Cybersecurity encompasses policies, processes, and technologies applied to endpoints, networks, applications, data, and operational technology. The widely adopted NIST Cybersecurity Framework (CSF) provides a risk‑based taxonomy of outcomes; Version 2.0 (February 26, 2024) expands its scope to all organizations and adds a sixth core function—Govern—alongside Identify, Protect, Detect, Respond, and Recover (NIST News; The NIST Cybersecurity Framework (CSF) 2.0; nist.gov). The CSF 2.0 quick‑start guides published in 2024–2025 illustrate alignment with the NICE workforce framework and enterprise risk management (NIST CSRC, csrc.nist.gov).
Complementary control catalogs, such as NIST SP 800‑53 Rev. 5 (updated August 27, 2025) and the CIS Critical Security Controls, enumerate technical and organizational safeguards; CIS v8.1 (June 24–25, 2024) realigned mappings to CSF 2.0 and introduced an explicit Governance function (NIST SP 800‑53; CIS Controls v8.1; csrc.nist.gov).
Historical development
Early networked‑system incidents exposed systemic risk and shaped cyber incident response. On November 2, 1988, the Morris worm spread widely; in its aftermath, DARPA tasked Carnegie Mellon University’s Software Engineering Institute to establish the CERT Coordination Center (CERT/CC) in 1988 as a neutral hub for vulnerability disclosure and incident coordination (SEI/CMU, insights.sei.cmu.edu). Analysis of Stuxnet, discovered in 2010, demonstrated how malicious code targeting industrial control systems could manipulate physical processes, marking a milestone in offensive cyber capability (Britannica – Stuxnet, britannica.com).
To standardize vulnerability identification and enable data sharing across tools, MITRE launched the Common Vulnerabilities and Exposures (CVE) program in 1999, providing unique identifiers for publicly disclosed software flaws (cve.org – Development of CVE, cve.org).
Threat landscape
Threat actors employ social engineering, credential abuse, exploitation of software vulnerabilities, and supply‑chain compromises. The ENISA Threat Landscape 2024 report (covering June 2023–July 2024) singles out ransomware, threats to availability, and threats against data among the prime threats impacting European organizations (ENISA Threat Landscape 2024, enisa.europa.eu). Verizon’s 2025 Data Breach Investigations Report notes that third‑party involvement in breaches doubled to 30% year‑over‑year, exploitation of vulnerabilities rose 34%, and ransomware was present in 44% of breaches among more than 12,000 confirmed cases (Verizon DBIR 2025 press release, verizon.com).
Economic impacts are substantial. IBM’s industry benchmark reports place the 2024 global average cost of a data breach at USD 4.88 million, with extensive use of security AI/automation associated with multi‑million‑dollar cost reductions; the 2025 edition reports a decline to USD 4.44 million globally (IBM Newsroom (2024); IBM Think blog (2025); newsroom.ibm.com).
Frameworks, standards, and methods
Risk management: The NIST CSF 2.0 structures outcomes by functions and categories and maps to numerous references, enabling organizations to profile current and target states and to communicate cyber risk to senior leadership (NIST News; CSF 2.0 publication; nist.gov).
Controls engineering: NIST SP 800‑53 Rev. 5 catalogs security and privacy controls—including supply‑chain risk management—and is maintained with periodic updates; Release 5.2.0 (August 27, 2025) added and revised controls across several families (NIST SP 800‑53 Rev. 5, csrc.nist.gov).
Management systems: ISO/IEC 27001 specifies an auditable information security management system (ISMS) for organizations of all types and sizes, with certification demonstrating capability to manage information risks (ISO/IEC 27001 overview, committee.iso.org).
Architecture: Zero trust re‑centers protections on identities, assets, and resources rather than implicit network trust. NIST SP 800‑207 defines core ZT principles and deployment models used across public and private sectors (NIST SP 800‑207, nist.gov).
Identity and authentication: NIST SP 800‑63 (Revision 4, 2025) sets requirements for identity assurance and multi‑factor authentication; 800‑63B guidance clarifies authenticator assurance levels and disallows email as an out‑of‑band factor (NIST SP 800‑63 program site; NIST 800‑63B FAQ; pages.nist.gov).
Application and API security: The OWASP API Security Top 10 (2023) highlights prevalent API risks—such as broken object‑level authorization, unrestricted resource consumption, and SSRF—to guide secure design and testing (OWASP API Security Top 10 (2023), owasp.org).
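As an added example (not from OWASP or the original page), the broken object‑level authorization risk named above is shown as a vulnerable handler beside a hardened one, using a constructed in‑memory invoice store and a hypothetical "support" role that is explicitly allowed cross‑user reads.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    user_id: int
    role: str  # "customer" or "support" (hypothetical roles for this example)


# Constructed in-memory store: invoice_id -> record with its owning user_id.
INVOICES = {
    101: {"owner": 1, "amount": 40},
    102: {"owner": 2, "amount": 99},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_invoice_vulnerable(caller: User, invoice_id: int) -> dict:
    """BOLA: the caller is authenticated, but nothing ties the requested
    object to them, so any logged-in user can read any invoice simply by
    changing the id in the request."""
    return INVOICES[invoice_id]


def can_read_invoice(caller: User, invoice_id: int) -> bool:
    """Object-level authorization decision: the record must exist and be
    owned by the caller, or the caller must hold a role explicitly allowed
    to read other users' invoices."""
    record = INVOICES.get(invoice_id)
    if record is None:
        return False
    return record["owner"] == caller.user_id or caller.role == "support"


def get_invoice_hardened(caller: User, invoice_id: int) -> dict:
    """Hardened handler: authorize before returning data. Unknown and
    unauthorized ids produce the same error so the API does not confirm
    which ids exist."""
    if not can_read_invoice(caller, invoice_id):
        raise Forbidden(f"user {caller.user_id} may not read invoice {invoice_id}")
    return INVOICES[invoice_id]
```

The check belongs in the handler (or a shared authorization layer it must call), not in the client; a test that requests another user's object id with a valid session is the corresponding detection for this class of flaw.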
Supply‑chain transparency: A software bill of materials (SBOM) enumerates components to support vulnerability management; NTIA published minimum SBOM elements under U.S. Executive Order 14028, and CISA curates community guidance to operationalize SBOM and related VEX attestations (NTIA – Minimum Elements for an SBOM; CISA SBOM; ntia.gov).
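An added illustration of the SBOM‑driven vulnerability lookup this paragraph describes (example code, not from NTIA, CISA or any cited project): a constructed CycloneDX‑style SBOM is checked for the NTIA per‑component minimum data fields and then matched against a constructed advisory list whose identifier is a placeholder, not a real CVE.

```python
import json

# Constructed CycloneDX-style SBOM (not from any real product).
SBOM_JSON = """{"bomFormat": "CycloneDX", "specVersion": "1.5", "components": [
  {"type": "library", "name": "libexample", "version": "1.2.3",
   "supplier": {"name": "Example Org"}, "purl": "pkg:generic/libexample@1.2.3"},
  {"type": "library", "name": "parserlib", "version": "0.9.0",
   "purl": "pkg:generic/parserlib@0.9.0"}]}"""

# Constructed advisory feed; the identifier is a placeholder, not a real CVE.
ADVISORIES = [{"id": "ADV-EXAMPLE-0001", "purl_base": "pkg:generic/parserlib",
               "affected_versions": ["0.9.0", "0.9.1"]}]


def missing_ntia_fields(sbom: dict) -> dict:
    """Check each component for the NTIA per-component minimum data fields
    (supplier, name, version, unique identifier); return {name: [missing]}."""
    report = {}
    for comp in sbom.get("components", []):
        missing = []
        if not comp.get("supplier", {}).get("name"):
            missing.append("supplier")
        for field in ("name", "version"):
            if not comp.get(field):
                missing.append(field)
        if not (comp.get("purl") or comp.get("cpe")):  # package URL or CPE
            missing.append("identifier")
        if missing:
            report[comp.get("name", "<unnamed>")] = missing
    return report


def match_advisories(sbom: dict, advisories: list) -> list:
    """Return (component purl, advisory id) pairs where a component's version
    is listed as affected: the lookup an SBOM exists to enable, and the
    finding a VEX statement would later qualify (affected / not affected)."""
    hits = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        base, _, version = purl.partition("@")  # "pkg:generic/x@1.0" -> base, version
        for adv in advisories:
            if base == adv["purl_base"] and version in adv["affected_versions"]:
                hits.append((purl, adv["id"]))
    return hits


SBOM = json.loads(SBOM_JSON)
```

A component missing its identifier cannot be matched at all, which is why the completeness check runs before the advisory lookup.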
Regulation and governance
Privacy and breach notification laws shape cybersecurity programs. In the European Union, the General Data Protection Regulation requires notifying supervisory authorities of qualifying personal‑data breaches without undue delay and within 72 hours of awareness, with potential notification of affected individuals (European Commission – Data breach obligations, commission.europa.eu). The EU also publishes annual cyber‑threat assessments through ENISA and has updated horizontal cybersecurity legislation (e.g., NIS2) for essential and important entities (ENISA Threat Landscape 2024, enisa.europa.eu).
In the United States, public companies must disclose material cybersecurity incidents on Form 8‑K within four business days after determining materiality and describe their cyber risk management and governance in periodic filings under SEC rules adopted July 26, 2023 (SEC press release; SEC small‑entity guide; sec.gov). Sectoral and state breach‑notification statutes further influence practices, alongside federal guidance and frameworks.
Representative incidents and programs
Notable incidents illustrate evolving modalities and impacts: the Morris worm (1988) catalyzed the creation of a national response capability via CERT/CC; Stuxnet (2010) demonstrated cyber‑physical sabotage of industrial systems; contemporary ransomware ecosystems show sustained criminal monetization and third‑party exposure risks (SEI/CMU CERT history; Britannica – Stuxnet; Verizon DBIR 2025; insights.sei.cmu.edu).
Related institutions, artifacts, and concepts
The National Institute of Standards and Technology develops measurement science and cybersecurity standards and guidance, including CSF 2.0 and the SP 800 series; ISO/IEC 27001 provides an international ISMS standard; Common Vulnerabilities and Exposures (CVE) enables consistent tracking of publicly disclosed vulnerabilities; the General Data Protection Regulation governs personal data processing and breach notification in the EU (NIST CSF 2.0 publication; ISO overview; cve.org; European Commission – GDPR breach notice; nist.gov).
