Lesson Overview
Most states can point to a place. They have a border on a map, a coastline, a capital city with a flag over it. The Principality of Kaharagia, for now, cannot. What it has instead is information: a register of its nationals, a record of its decisions, a set of services its people rely on, and the accounts and keys that let the right people reach the right systems. Take the ground away from an ordinary country and a great deal still stands. Take the information away from a digital state and very little is left. That is the plain reason this course exists. For the Principality, protecting its systems and records is not a back-office chore; it is something close to protecting the state itself.
This first lesson of CIS 201 sets the scene for the whole speciality. It explains why a non-territorial, digitally organised Principality depends on protected systems, records, and accounts, and why every member who touches an account or a device is part of the defence and not a bystander to it. It describes the threat in plain terms, the phishing message, the malware that locks your files, the stolen password, the leaked record, without dressing any of it up. It names the three things we are really protecting, gathered under the old and useful idea of the CIA triad. It states the ethos that governs everything that follows: this speciality is defensive and lawful, always protection and never attack. And it introduces two maps you will use for the rest of the course, the NIST Cybersecurity Framework, which organises the whole job into six functions, and the idea of essential cyber hygiene, the sensible baseline of habits that a small force should reach first.
This is the knowledge layer. Reading about multi-factor authentication does not switch it on for you, any more than reading about a rifle makes you a marksman. The habits this speciality is built on, turning on MFA, taking and testing a backup, recognising a phishing lure, reporting trouble at once, are practised and signed off in person where supervision allows, on the real accounts and devices you are entrusted with and under the eye of someone responsible for them. By the end you will be able to explain why a digital Principality depends on protected systems, records, and accounts and why every member shares in its defence, describe the common threats of phishing, malware and ransomware, account takeover, and data loss or leak in plain terms, state the CIA triad and what each part means, explain why this speciality is defensive and lawful and never offensive, and outline the six functions of the NIST Cybersecurity Framework and the idea of essential cyber hygiene as the right baseline for a small force.
Key Terms
- Cyber security: the practice of protecting systems, networks, accounts, and information from harm, loss, unauthorised access, and disruption. For most members it is not a specialist art but a set of plain, learnable habits.
- The CIA triad: the three properties that together make information secure: confidentiality (only the right people can see it), integrity (it is accurate and unaltered), and availability (it is there when it is needed). Security means keeping all three at once.
- Threat: anyone or anything that could cause harm to our systems or information, from a criminal sending phishing emails to a dropped laptop or a careless click.
- Phishing: a fraudulent message, usually email, designed to trick you into revealing a password, clicking a harmful link, or opening a harmful attachment. The commonest way attackers get in.
- Malware: malicious software that runs on a device to steal, spy, damage, or take control. Ransomware is malware that locks or encrypts your files and demands payment to release them.
- Account takeover: an attacker gaining control of a legitimate account, usually with a stolen or guessed password, and then acting as if they were the rightful user.
- Data loss or data leak: information being destroyed or made unavailable (loss), or exposed to people who should not see it (leak). Both are failures of security even when no attacker is involved.
- NIST Cybersecurity Framework (CSF): a widely used way of organising the whole job of cyber security into six functions, Govern, Identify, Protect, Detect, Respond, and Recover. It is a map of the work, not a checklist.
- Essential cyber hygiene: the foundational set of safeguards that a small organisation with limited expertise should put in place first, drawn from the CIS Critical Security Controls (Implementation Group 1). The right baseline for a small force.
- Defensive and lawful: the governing ethos of this speciality. We protect Kaharagian systems, records, accounts, and people. We do not attack, intrude upon, exploit, or surveil anyone.
Why a digital Principality lives or dies by its information
It is worth being precise about what "digitally organised" means here, because it is not a slogan. The Principality runs on self-hosted online services rather than buildings: the register of its nationals, the records of its decisions, the services people use to apply, enrol, and be recognised. Members and nationals reach those services through accounts, and access is governed by a single sign-on, an identity service that decides who you are and what you may touch. Some systems issue each person their own certificate or key, a small digital credential that proves they are entitled to connect. None of this has a wall around it in the ordinary sense. The wall is the security.
Set that against a territorial state for a moment. If a country with land suffers a computer failure, its citizens are still its citizens, its territory is still its territory, and life carries on inconveniently until the systems return. The state's existence does not hang on the database. For a non-territorial Principality the balance is different. In many respects the record is where the state actually lives. If the register of nationals were quietly altered, people's standing could be changed without anyone moving a border. If the identity service were taken over, an attacker could become whoever they pleased inside our systems. If the records were destroyed and no good backup existed, a piece of the Principality's memory would simply be gone. This is why, for Kaharagia, the unglamorous work of keeping systems confidential, accurate, and available rises to something near the dignity of defence.
That has a direct consequence for you, whatever your speciality. In a force this size there is no large body of specialists standing between the ordinary member and the threat. The person most likely to receive the phishing email is not a cyber officer; it is whoever happens to hold the account that day. The reused password that opens a door belongs to a real member who reused it. This is the single most important idea in the lesson, and the reason the course is required of everyone: in a small digital state, every member who holds an account or carries a device is part of the defence. The most valuable security tool the Army owns is not a product. It is an alert, disciplined member.
The threat in plain terms
You do not need to imagine sophisticated, targeted attacks to understand the danger we actually face. A small force is far more likely to be caught by the common, untargeted attacks that wash over everyone on the internet every day. Four kinds account for the great majority of real harm, and it is worth naming each in plain language.
Phishing and social engineering come first because they are the commonest way in and because they target the person, not the machine. A phishing message, by email, by text, or by a voice call, invents a believable story and pushes you to act before you think. It leans on urgency ("your account will be closed today"), authority ("this is the duty officer, do it now"), fear ("we have detected a breach"), or secrecy ("tell no one, this is sensitive"). The goal is to make you hand over a password, click a harmful link, or open a harmful attachment. No firewall stops a phishing email that a person decides to obey. This is exactly why the alert human is the first line of defence, and why Lesson 03 is devoted to recognising and reporting these attempts.
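The pressure levers described above can be turned into a simple triage check for a reported message. This is an added example, not part of the original lesson or any Kaharagian system; the phrase lists, the `.example` host names, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

# The four pressure levers come from the lesson; the phrase lists are
# illustrative assumptions and would be tuned on real reported messages.
CUES = {
    "urgency": [r"within the hour", r"\btoday\b", r"\bimmediately\b", r"\bdo it now\b"],
    "authority": [r"duty officer", r"security team", r"\badministrator\b"],
    "fear": [r"suspicious activity", r"\bbreach\b", r"\bsuspended\b", r"will be closed"],
    "secrecy": [r"tell no one", r"do not share this", r"keep this confidential"],
}
CREDENTIAL_ASK = re.compile(
    r"\b(confirm|verify|enter|re-?enter)\s+your\s+(password|passphrase|code)\b", re.I)
URL = re.compile(r"https?://[^\s<>\"']+", re.I)

def body_text(msg):
    """Collect every text part, so multipart messages are covered too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def triage(raw_message, trusted_hosts):
    """Return the cues found, and whether the message should be reported."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{body_text(msg)}"
    cues = [lever for lever, patterns in CUES.items()
            if any(re.search(p, text, re.I) for p in patterns)]
    credential_ask = bool(CREDENTIAL_ASK.search(text))
    untrusted = []
    for url in URL.findall(text):
        host = (urlparse(url).hostname or "").lower()
        # A link is trusted only if its host is, or sits under, a listed host.
        if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
            untrusted.append(host)
    # Any two of: asks for a credential, links off our hosts, stacks pressure cues.
    signals = credential_ask + bool(untrusted) + (len(cues) >= 2)
    return {"cues": cues, "credential_ask": credential_ask,
            "untrusted_links": untrusted, "report": signals >= 2}

TRUSTED_HOSTS = {"army.example"}  # constructed placeholder for the service's own domain

# Constructed sample: the kind of lure the lesson describes.
SAMPLE_LURE = """From: "Army IT Support" <support@kaharagia-helpdesk.example>
To: member@army.example
Subject: Account flagged: action required

Your account has been flagged for suspicious activity and will be
suspended within the hour unless you confirm your password through
this link: https://login.kaharagia-helpdesk.example/verify
"""

# Constructed sample: an ordinary working message.
SAMPLE_ROUTINE = """From: section@army.example
To: member@army.example
Subject: Roster for Thursday

The roster for Thursday is ready. Please review it at
https://services.army.example/roster before parade.
"""

if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_LURE), ("routine", SAMPLE_ROUTINE)):
        print(name, triage(raw, TRUSTED_HOSTS))
```

A check like this only sorts messages for a human to look at; a lure worded outside the phrase lists passes it, which is why the reporting habit matters more than the filter.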
Malware and ransomware are the harm that runs once an attacker, or a careless click, gets code onto a device. Ordinary malware may quietly steal passwords, watch what you type, or open a back door for later. Ransomware is the blunt and increasingly common form: it encrypts your files and demands payment to unlock them, and a force that has lost its working data to ransomware and has no good backup is in genuine trouble. Most malware arrives through a phishing attachment, a malicious link, or a device left unpatched against a hole the attacker already knows how to use. The defences, patched software, anti-malware, careful clicking, and above all tested backups, run through the lessons that follow.
Account takeover is what happens when a legitimate password ends up in the wrong hands, by phishing, by guessing, or by being reused on some other website that was itself breached. The attacker then does not have to break in; they simply log in, and to the system they look exactly like you. From a single taken-over account they can read what that account can read, send messages in that person's name, and reach further into our systems. This is the precise reason the course pushes long, unique passphrases and multi-factor authentication so hard in Lesson 02: they are what turn a stolen password from a disaster into a nuisance.
Data loss and data leak are the last pair, and they matter because they can happen with no attacker at all. Data is lost when it is destroyed or made unavailable, by ransomware, by a failed disk, by a deleted folder, by a phone dropped in a river. Data is leaked when it is exposed to people who should not see it, by a record sent to the wrong address, a misconfigured share, or a lost unencrypted laptop. For a Principality whose nationals trust it with their information, a leak is not only an operational failure but a breach of that trust. Both are why we back up, encrypt, and handle records with care.
These four are not separate boxes. A phishing email delivers malware; the malware steals a password; the stolen password enables account takeover; the takeover leads to a data leak. The chain is ordinary, and breaking any one link defeats the whole sequence.
What we protect: the CIA triad
Underneath all of this sits a simple question worth answering before any other: when we say we are keeping information "secure", what exactly are we keeping? The oldest and most useful answer in the field is the CIA triad. It has nothing to do with any agency; the letters stand for three properties that information must hold at the same time for it to be genuinely secure.
        THE CIA TRIAD
 what "secure" actually means

              /\
             /  \
            / I  \            INTEGRITY
           /      \           the information is accurate
          /        \          and has not been altered
         /          \         by anyone who should not
        /            \
       /    SECURE    \
      /  INFORMATION   \
     /                  \
    /____________________\
   C                      A
CONFIDENTIALITY           AVAILABILITY
only the right            the information and
people can see it         systems are there
                          when they are needed

Security is not one of these. Security is keeping ALL THREE
at once. Lose any corner and the information is no longer secure.
Confidentiality means that only the people who are entitled to see information can see it. The register of nationals, personal records, keys, and credentials are confidential. Confidentiality is broken by a leak, a stolen password, an over-broad share, or a lost unencrypted device. It is defended by access control, encryption, and discipline about what is sent where.
Integrity means that information is accurate and has not been altered by anyone or anything it should not have been. A record that has been quietly changed is in some ways more dangerous than one that is missing, because people may go on trusting it. Integrity is defended by controlling who can change what, by keeping logs of changes, and by being able to detect tampering.
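One way to make "keeping logs of changes" and "being able to detect tampering" concrete is a hash-chained change log, where each entry's hash covers the entry before it. This is an added example, not part of the original lesson or any Kaharagian system; the record names, field names, and the idea of a separately stored "trusted head" are assumptions made for illustration.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # fixed starting value for an empty log

def _digest(prev_hash, entry):
    """Hash an entry together with the hash of the entry before it."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append(log, who, record_id, field, new_value):
    """Record one change; returns the new head hash of the log."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "who": who, "record": record_id,
             "field": field, "value": new_value}
    log.append({"entry": entry, "prev": prev, "hash": _digest(prev, entry)})
    return log[-1]["hash"]

def verify(log, trusted_head=None):
    """Return None if the log is intact, else the index where it first fails.

    trusted_head is the last hash as kept somewhere the log's editors
    cannot write (an assumption of this example). Without it, someone who
    can rewrite the whole log can also recompute every hash.
    """
    prev = GENESIS
    for i, item in enumerate(log):
        ok = (item["entry"]["seq"] == i and item["prev"] == prev
              and item["hash"] == _digest(prev, item["entry"]))
        if not ok:
            return i
        prev = item["hash"]
    if trusted_head is not None and prev != trusted_head:
        return len(log)  # chain is self-consistent but is not the one we trusted
    return None

def build_sample_log():
    """Constructed sample data: three changes to a hypothetical register."""
    log = []
    append(log, "clerk-a", "national-0001", "status", "enrolled")
    append(log, "clerk-b", "national-0002", "status", "enrolled")
    head = append(log, "clerk-a", "national-0001", "address", "updated")
    return log, head

if __name__ == "__main__":
    log, head = build_sample_log()
    print("intact:", verify(log, head))

    quiet_edit = copy.deepcopy(log)
    quiet_edit[1]["entry"]["value"] = "revoked"   # altered in place, hash left alone
    print("quiet edit detected at entry:", verify(quiet_edit, head))

    rewritten = []                                # whole log rebuilt with fresh hashes
    for item in quiet_edit:
        e = item["entry"]
        append(rewritten, e["who"], e["record"], e["field"], e["value"])
    print("rewrite, no trusted head:", verify(rewritten))
    print("rewrite, with trusted head:", verify(rewritten, head))
```

The last two lines are the point: a quietly rewritten log looks perfectly consistent on its own, and only the independently kept head exposes it.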
Availability means that the information and the systems are actually there when they are needed. A perfectly confidential, perfectly accurate record is useless if ransomware has locked it or the service is down. Availability is defended by backups, by tested recovery, by resilience, and by keeping systems patched and running.
The reason the triad is taught first is that it gives you a way to reason about any security decision. When you wonder whether some habit matters, ask which corner it protects. A passphrase and MFA protect confidentiality. A backup protects availability. Controlling who may edit a record protects integrity. Every later lesson, and every safeguard in this speciality, is in the end about defending one or more corners of this triangle.
The ethos: defensive and lawful, always
There is a temptation, when people hear "cyber security", to picture breaking into systems, intercepting other people's traffic, or striking back at an attacker. Put that picture down now, because it is the opposite of what this speciality is. CIS is defined as defensive and lawful only, and that is not a polite caveat; it is the boundary of the entire discipline.
We study how attacks work for exactly one reason: you cannot defend against a danger you have refused to look at squarely. Knowing how a phishing lure is built is what lets you spot one. At no point does that knowledge become permission to use it against anyone. The Royal Kaharagian Army is a lawful, defensive, humanitarian home-defence force, and this speciality guards Kaharagian systems, records, accounts, and people. It is never cyber warfare, never hacking, never intrusion, exploitation, or surveillance of others. If a line of work would involve reaching into a system that is not ours, the answer is simply no.
This ethos pairs with a rule that runs through the whole specialities framework and that you should fix now: access follows appointment, not qualification. Completing this course does not grant you administrative access to any system. A certificate proves you have learned something; it does not, on its own, entitle you to touch anything. Access to a real system is granted by the authority responsible for that system, is limited to what your appointment actually needs, and is taken away when the appointment ends. This is not bureaucracy for its own sake; it is the practical face of confidentiality and integrity, and Lesson 04 of the later course CIS 220 is built around it. For now, hold the two halves of the ethos together: we are defenders, and we touch only what we are appointed to touch.
The map of the work: the NIST Cybersecurity Framework
Cyber security can feel like a scattered pile of advice: use MFA, take backups, patch your phone, watch for phishing, report incidents. The advice is sound, but a pile is hard to remember and hard to reason about. The NIST Cybersecurity Framework, in its current version, gives the pile a shape. It organises the whole job into six functions, and once you know them you have a place to file every piece of advice in this course and a way to see what you might be missing.
         THE SIX CSF FUNCTIONS AS A CYCLE

                   +-----------+
                   |  GOVERN   |
                   | strategy, |
                   |  policy,  |
                   | oversight |
                   +-----+-----+
            it sits across all the rest
                         |
    +-----------+   +----v-----+   +-----------+
    |  RECOVER  |<--| IDENTIFY |-->|  PROTECT  |
    |  restore  |   | know your|   | safeguard |
    | systems & |   | assets,  |   | accounts, |
    |   data    |   | data,    |   | data,     |
    +-----+-----+   | risks    |   | devices   |
          ^         +----------+   +-----+-----+
          |                              |
    +-----+-----+                  +-----v-----+
    |  RESPOND  |<-----------------|  DETECT   |
    | act on an |                  |   spot    |
    | incident  |                  | events &  |
    +-----------+                  | anomalies |
                                   +-----------+

IDENTIFY -> PROTECT -> DETECT -> RESPOND -> RECOVER, and round again,
with GOVERN sitting over the whole cycle and steering it.
Govern (GV) is the newest function and sits across all the others. It is the Principality's cyber-risk strategy: the policies, the roles, the decisions about what matters most, and the oversight that keeps the rest honest. Govern is what makes the difference between security as a set of personal good intentions and security as something the organisation actually directs and is accountable for.
Identify (ID) is knowing what you have and what could go wrong. You cannot protect assets you have not listed, data you do not know you hold, or risks you have never named. For a small force this means knowing the systems, the accounts, the devices, and the records, and being honest about where the danger lies.
Protect (PR) is the safeguards, and it is where most of this course lives. Identity and access control, multi-factor authentication, awareness training, data security, and secure, patched configuration all belong here. Protect is the everyday cyber hygiene that stops most attacks before they start.
Detect (DE) is noticing in good time that something is wrong: an event, an anomaly, a sign that does not fit. For an ordinary member, "detect" often means being the alert person who sees the odd login warning, the strange email, or the device behaving wrongly, and not shrugging it off.
Respond (RS) is acting once an incident is real: containing it, reporting it, and following direction. For most members this is a short and disciplined drill rather than deep technical work, and Lesson 10 teaches it.
Recover (RC) is getting back to normal afterwards: restoring systems and data, chiefly from backups, and learning from what happened so the next time is less costly. Recover is the function that good backups serve, and it is why "test that you can restore" is treated as seriously as the backup itself.
You do not need to master all six now. The point of meeting them in the first lesson is that everything you learn from here on slots into this map. When Lesson 02 teaches passphrases and MFA, that is Protect. When Lesson 03 teaches phishing recognition, that is Detect feeding Respond. When Lesson 05 teaches backups, that is Recover. The safe browsing, malware and scam awareness, updates, and privacy of Lessons 06 to 09 are mostly Protect, with a good deal of Detect. The framework turns a pile of habits into a system you can reason about.
The right baseline for a small force: essential cyber hygiene
The framework tells you the shape of the work; it does not tell you what to do first. A small organisation with limited expertise cannot do everything a large one with a security team can, and it should not try to. The answer the field gives is a prioritised starting set, drawn from the CIS Critical Security Controls, called Implementation Group 1, and known plainly as essential cyber hygiene. It is a foundational set of safeguards, on the order of fifty-odd in number, chosen specifically for small organisations defending against the common, untargeted attacks that we are most likely to meet. For a force our size it is not a watered-down option; it is exactly the right baseline.
Its themes will sound familiar, because they are the spine of this whole course:
- Know your assets: keep an inventory of the hardware and the software you actually use, because you cannot protect or patch what you have forgotten you own.
- Control accounts and access: know who has which accounts, grant only what a role needs, and remove access promptly when it is no longer needed.
- Use multi-factor authentication: so that a stolen password alone is not enough to get in.
- Secure configuration: set systems and devices up safely rather than leaving them on careless defaults.
- Keep software patched and updated: because most attacks exploit known holes that a patch had already fixed.
- Use anti-malware: to catch the common malicious software before it does its work.
- Protect and back up data, with tested recovery: keep good backups and prove you can actually restore from them.
- Security awareness training: so that every member can recognise and report the attacks aimed at people. This course is part of that theme.
- Basic incident response: have a simple, practised drill for when something goes wrong.
Read that list against the threats earlier in this lesson and you will see the fit. MFA and access control answer account takeover. Patching and anti-malware answer malware. Backups with tested recovery answer ransomware and data loss. Awareness training answers phishing. The baseline is not arbitrary; it is the field's considered answer to the very dangers a small digital state actually faces. The rest of CIS 201 is, in effect, this baseline taught one habit at a time.
In Practice: a systems assistant's ordinary Tuesday
Recruit Adeyemi is the most junior member of a small section and has been entrusted with an everyday account on one of the Principality's self-hosted services so that she can update a roster. She has completed Lesson 01 of this course and nothing more, and she has, deliberately, no administrative access to anything, because access follows appointment and hers does not include it.
Mid-morning an email arrives. It is addressed to her, it carries what looks like the Army's badge, and it says her account has been flagged for suspicious activity and will be suspended within the hour unless she confirms her password through the link provided. It is urgent, it speaks with authority, and it makes her anxious, which is precisely the point. A week ago she might have clicked. Today she recognises the shape of it: urgency, authority, and fear, all at once, pushing her to act before thinking, and a request to enter her password through a link in a message she did not expect. That is a phishing lure, an attack on the confidentiality of her credentials and a doorway to account takeover. She does not click. She does not panic. She reports it through the channel the section uses for suspected phishing, exactly as the ethos of the speciality asks: recognise, then report, and never hide it.
Her little account is not important on its own, but it is a door into systems where the Principality's records live. By not clicking, she has protected confidentiality. Because the service she uses requires multi-factor authentication, even if she had slipped, the stolen password alone would not have let the attacker in, a safeguard from the Protect function doing its quiet job. And because the team keeps tested backups of the records, a bad day would still not be a lost day, which is the Recover function standing ready. Adeyemi has not done anything clever. She has done the plain, disciplined thing the course is built to make ordinary, and in a digital Principality that is what defence looks like.
Check Your Understanding
- Explain, in your own words, why the security of its systems and records matters more to a non-territorial, digitally organised Principality than the same systems might matter to a state with territory. Give one concrete example of what could be lost.
- Name the three parts of the CIA triad and state, for each, one threat from this lesson that attacks it.
- List the six functions of the NIST Cybersecurity Framework in order, and say which function each of these belongs to: taking a backup, turning on multi-factor authentication, and noticing a suspicious login warning.
Reflection (write a short paragraph): Think about the accounts and devices you personally use on Army business. Where in your own habits is the weakest corner of the CIA triad right now, and what is one plain change you could make this week, before any later lesson teaches it, to strengthen it?
Summary
- The Principality of Kaharagia is non-territorial and digitally organised; its records, services, accounts, and keys are where much of the state actually lives, so protecting them is close to protecting the state itself.
- In a small force there is no wall of specialists between the member and the threat: every member who holds an account or carries a device is part of the defence, and the most valuable security tool is an alert, disciplined person.
- The common threats are plain: phishing and social engineering (the commonest way in, aimed at people), malware and ransomware, account takeover from stolen or reused passwords, and data loss or leak. They link into a chain, and breaking any link defeats it.
- The CIA triad names what we protect: confidentiality (only the right people see it), integrity (it is accurate and unaltered), and availability (it is there when needed). Security is keeping all three.
- This speciality is defensive and lawful only: protection, never attack, intrusion, or surveillance, and access follows appointment, not qualification.
- The NIST Cybersecurity Framework gives the work a shape in six functions, Govern, Identify, Protect, Detect, Respond, Recover, and essential cyber hygiene (the CIS IG1 baseline) is the right first set of habits for a small force. The rest of CIS 201 teaches that baseline one habit at a time.
- This lesson is the foundation of CIS 201 and the entry to the Information Systems and Cyber Security speciality. It is the natural partner of SIG 220 · Communications Security and Digital Discipline, supports HCR 220 · Emergency Preparedness and Civil Resilience (continuity) and PME 210 · Basic Staff Duties and Written Orders (handling records), and leads on to CIS 210, CIS 220, and CIS 310.
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia