1.1. The Security Mindset: What Are We Protecting and Why?
First Principle: Every security decision is fundamentally about protecting something valuable from something harmful, and the right protection depends entirely on what you're protecting, who might want it, and how much you're willing to spend to keep it safe.
What happens when organizations lack a security mindset? They spend millions on firewalls while leaving sensitive documents in unlocked cabinets. They encrypt databases but send passwords in plaintext emails. They hire guards for the front door but forget the loading dock. Without a framework for thinking about security, decisions become reactive and inconsistent: you plug holes as they appear rather than building systematic protection.
Think of it like medicine: you wouldn't prescribe treatment without first diagnosing the problem and understanding the patient. Security works the same way. The "diagnosis" framework that underpins everything on this exam is the CIA Triad, and the "treatment planning" framework is risk-based thinking. Master these two concepts, and the rest of the exam becomes a series of applied scenarios.
