1.

Basic Cybersecurity Terminology

• Malware: This is software that is created to harm, exploit, or take control of computer systems.
There are many types of malware, including:

o Virus: A type of malware that attaches itself to files and spreads when the infected file
is opened.

▪ Simple Example: A macro virus that infects a document and spreads to other
documents when you open it.

o Worm: A standalone malware that can copy itself and spread across a network without
any action from a user.

▪ Simple Example: A worm that finds and copies itself to other computers on a
network.

o Trojan: Malware that is disguised as a normal, legitimate piece of software. When you
run it, it gives an attacker access to your system.

▪ Simple Example: A fake software installer that you download, which secretly
gives an attacker remote access to your computer.

o Ransomware: Malware that encrypts your data and then demands a payment (a
ransom) for you to get your data back.

▪ Simple Example: A message appears on your computer saying your files are
encrypted and you need to pay in Bitcoin to unlock them.

o Spyware: Software that collects information about you, such as what you type or which
websites you visit, without your permission.

▪ Simple Example: A keylogger that records your keystrokes to steal your

passwords.

o Adware: Software that shows you unwanted advertisements and may also track your
online behavior.

▪ Simple Example: Pop-up ads that appear after you install some free software.

o Rootkit: A type of malware that is designed to hide its own presence and give an
attacker deep control over a system.

▪ Simple Example: A rootkit that hides its files and gives an attacker a secret way
to access your system.

o Botnet: A network of devices that have been compromised and are controlled by a
single attacker.

▪ Simple Example: A botnet used to send large amounts of spam emails or

launch a DDoS attack.

o Backdoor: A secret or hidden method to bypass a system's normal security and

authentication.
 ▪ Simple Example: A hidden administrator account in a web application.

o Cryptojacker: Software that uses your device's processing power to mine

cryptocurrency without your permission.

▪ Simple Example: A script on a website that uses the visitor's CPU to mine digital
coins.

• Phishing: A type of social engineering attack that tricks people into giving away their login
details or other sensitive information.

o Simple Example: A fake email from your bank that asks you to click a link and "verify"
your password.

• Social Engineering: The act of manipulating people to get them to break security rules or
reveal private information.

o Simple Example: Someone pretending to be a member of the IT support team to get

your login information.

• Attack Vector: The specific way or path an attacker uses to get into a system.

o Simple Example: An employee opens a malicious attachment in an email.

• CIA Triad: The three main goals of information security:

o Confidentiality: Keeping information secret and private.

▪ Simple Example: Encrypting files.

o Integrity: Making sure information is accurate and has not been changed without
permission.

▪ Simple Example: Using a checksum to verify that a file has not been altered.

o Availability: Making sure that systems and data are accessible when needed.

▪ Simple Example: Having backups and ensuring high system uptime.

2. Types of Security Controls

Security controls are measures used to protect systems and data. They are categorized into three
main types:

• Technical Controls: These are security measures that use technology to protect systems and
data.

o Simple Examples: Firewalls, antivirus software, encryption, and Identity and Access
Management (IAM) systems.

• Administrative Controls: These are policies, procedures, and rules that focus on human
behavior.

o Simple Examples: Security policies, performing background checks on new

employees, and providing security training.
 • Physical Controls: These are tangible measures that protect the physical environment and
hardware.

o Simple Examples: Locks on doors, employee badges, CCTV cameras, and biometric
scanners.

3. Vulnerabilities, Threats, and Risk Concepts

• Vulnerability: A weakness in software, hardware, or a process that an attacker can exploit.

o Simple Example: An old, unpatched software program that has a known bug which
allows remote code execution.

• Threat: Anything that has the potential to cause harm, such as a possible event or an attacker.

o Simple Example: A phishing email campaign targeting a company's employees.

• Threat Actor Types: These are different kinds of attackers.

o Simple Example: An insider (like an employee) stealing data for money.

• Risk: The possibility that a threat will exploit a vulnerability and cause harm, and what the
impact of that harm would be. Risk is often calculated as Likelihood multiplied by Impact.

o Simple Example: A 20% chance of a data breach occurring, which would have a high
impact.

• Residual Risk: The amount of risk that still remains even after you have applied security
controls.

o Simple Example: Even with a firewall in place, there is still some risk of a new, unknown
"zero-day" attack.

4. Risk Assessment Methodologies

These are different ways to evaluate and understand risks.

• Qualitative Risk Assessment: Describes risk using categories like "low," "medium," or "high"
and uses expert opinion.

o Simple Example: Calling a risk "High" because it involves sensitive customer data.

• Quantitative Risk Assessment: Assigns numbers to the likelihood and impact to calculate a
monetary value of the risk.

o Simple Example: Estimating how much money a company might lose in a year due to a
specific risk.

• Risk Matrix: A chart that uses a grid to show how likely a risk is versus how much impact it
would have, helping you decide which risks to handle first.

o Simple Example: Using a chart to decide which risks you need to fix immediately.

5. Firewall Basics and Placement

A firewall is a network security device that monitors and controls incoming and outgoing network
traffic.
 • Packet-Filtering Firewall: This is a basic type of firewall that filters network packets based on
their IP address, port, and protocol. It doesn't remember past connections (it's "stateless").

o Simple Example: Blocking all incoming traffic to a specific port, like port 23, which is
used for Telnet.

• Stateful Firewall: A more advanced firewall that keeps track of the state of a connection. It can
allow a reply to an outgoing connection because it knows the connection was started from
inside the network.

o Simple Example: Allowing replies to a connection that was started by a user inside the
network.

• Next-Generation Firewall (NGFW): This type of firewall has more advanced features, such as
understanding what applications are being used and performing deep inspections of traffic.

o Simple Example: Blocking specific applications like peer-to-peer file-sharing, even if

they use common ports.

• Firewall Placement:

o Perimeter: Placed at the edge of the network to separate the internal network from the
internet.

▪ Simple Example: A firewall placed between a company's network and its

Internet Service Provider (ISP) router.

o DMZ (Demilitarized Zone): A separate network area where public-facing services like
web or email servers are placed. This protects the main internal network from threats.

▪ Simple Example: Putting a public web server in a DMZ so that if it gets attacked,
the rest of the internal network is safe.

o Internal Segmentation: Using internal firewalls to separate different parts of the

network to prevent attackers from moving around easily.

▪ Simple Example: Separating servers that handle payments from the general
employee network.

6. Advanced Firewall Techniques

• Application-Layer Filtering: A technique where firewalls inspect and control traffic based on
the application or service, not just the port number.

o Simple Example: Allowing normal web traffic (HTTP) but blocking a specific application
like BitTorrent, even if it's trying to use the same web port.

• Sandboxing: Running suspicious files or programs in a safe, isolated environment to see what
they do without risking the real system.

o Simple Example: Opening an email attachment in a special sandbox to see if it tries to

act like ransomware.

• Deep Packet Inspection (DPI): A method that looks at the actual content (payload) of a
network packet, not just the header information. This is used to find threats or classify traffic.
 o Simple Example: Finding malware commands hidden inside a normal web request.

• SSL/TLS Inspection: Decrypting and inspecting encrypted traffic (like HTTPS) to scan for
malware, while being careful about privacy and compliance.

o Simple Example: Scanning encrypted downloads for viruses before they reach a user's
computer.

• URL & DNS Filtering: Blocking access to websites or domains that are known to be malicious
or unwanted.

o Simple Example: Blocking a user from going to a website that is known for phishing
attacks.

7. Deep Packet Inspection (DPI)

• What It Is: DPI goes beyond just looking at the packet headers (like IP addresses and ports)
and examines the actual content inside the packet to find threats or categorize the traffic.

• What It's Used For: Network security, managing network traffic, checking for compliance, and
detecting intrusions.

o Simple Example: Finding when someone is trying to secretly send data out of the
network by hiding it in normal traffic.

• Good and Bad Things:

o Pros: It can detect threats with a high level of detail.

o Cons: It can raise privacy concerns and slow down the network if not properly scaled.

8. IDS vs IPS (Intrusion Detection vs Prevention)

• IDS (Intrusion Detection System): A system that watches network or computer traffic to find
suspicious activity and sends an alert to an administrator. It only detects; it doesn't stop the
threat.

o Simple Example: An IDS alerts you when it sees many failed login attempts happening
in a short period.

• IPS (Intrusion Prevention System): A system that not only monitors for threats but also
actively blocks or stops them in real-time.

o Simple Example: An IPS automatically drops all network traffic coming from an IP
address that is launching an attack.

• Types of Systems:

o NIDS (Network IDS): Monitors all traffic on a network.

o HIDS (Host IDS): Monitors a single computer's logs and files.

• Detection Methods:

o Signature-based: Looks for known patterns or signatures of attacks.

 ▪ Simple Example: Looking for the specific "hash" (a unique digital fingerprint) of
a known piece of malware.

o Anomaly-based: Looks for unusual behavior or deviations from a normal baseline.

▪ Simple Example: An alert is triggered when a large spike in network traffic

happens during non-business hours.

9. Incident Management and Response (General)

This is the process of handling a security incident.

• Phases:

1. Identification: Figuring out that an incident is happening.

2. Containment: Isolating the affected systems to stop the incident from spreading.

3. Eradication: Removing the cause of the incident, like the malware.

4. Recovery: Restoring systems and data back to normal.

5. Lessons Learned: Reviewing what happened and updating procedures to prevent it

from happening again.

• SOC Roles: The Security Operations Center (SOC) is a team that handles security incidents.

o Simple Example: A Tier 1 analyst looks at new alerts, and a Tier 2 analyst does a deeper
investigation.

• Playbooks & Runbooks: These are pre-written, step-by-step instructions for how to handle
common incidents.

o Simple Example: A playbook for ransomware attacks that tells the team exactly what to
do to contain and recover from it.

10. Handling False Positives in IDS/IPS

A false positive is when a security system wrongly flags something normal as a threat.

• Common Reasons: Misconfigurations, noisy signatures, incorrect baselines, or activities that

look suspicious but are actually normal.

o Simple Example: A security system alerts that data is being stolen when a nightly
backup job is running, because the large amount of data looks suspicious.

• How to Fix It: You can adjust the sensitivity of the system, create whitelists for normal activity,
update signatures, and add more context to alerts.

o Simple Example: Creating a "whitelist" that tells the system to ignore specific,
expected traffic between monitoring tools.

• Feedback Loop: After an incident, you can use the review to improve your rules and reduce
future false positives.

o Simple Example: An analyst marks an alert as a false positive, and then a rule is
changed so that the same normal activity doesn't trigger an alert again.
11. Cyber Risk Supervision (SBP Focus)

This section focuses on how supervisory bodies, like the State Bank of Pakistan (SBP), oversee
cybersecurity in financial institutions.

• Purpose: To make sure that financial institutions are properly managing their cyber risks.

o Simple Example: A regulator checks to ensure that banks have the required minimum
cybersecurity controls in place.

• Risk-Based Supervision: Regulators focus more on institutions that have a higher risk or
weaker security controls.

o Simple Example: A bank that has had recent security incidents gets more frequent
inspections from the regulator.

• Inspections and Reporting: Regulators perform periodic reviews and require banks to report
significant incidents.

o Simple Example: A bank must report a major fraud event to the regulator.

• Risk Profiling: This involves identifying a bank's most important assets, potential threats, and
how well their controls are working.

o Simple Example: Identifying a bank's payment systems as high-value targets for

attackers.

12. Digital Fraud Supervision (Banking Context)

• Types of Digital Fraud: These include phishing, identity theft, smishing (phishing via SMS), SIM
swap, and vishing (voice phishing).

o Simple Example: A customer receives an SMS with a link that asks for their login
details.

• Financial Monitoring Units (FMUs): These are groups that analyze transactions to find
suspicious activity.

o Simple Example: Flagging an unusually large transfer of money or rapid fund

movements.

• Transaction Monitoring: Using rules and machine learning to spot payments that don't fit a
customer's normal behavior.

o Simple Example: An alert is triggered when a customer who usually only makes local
transactions suddenly sends a large amount of money overseas.

13. Incident Management & Response in Banking

• Fraud Detection Systems: These are specialized systems that look for patterns of fraudulent
activity in a bank.

o Simple Example: A system that gives real-time alerts about unusual logins or
"credential stuffing" attacks.
 • Fraud Workflows: These are the specific steps a bank follows when fraud is detected. The
steps usually include:

1. Getting an alert.

2. Verifying with the customer.

3. Investigating the issue.

4. Blocking the affected accounts.

5. Trying to recover the funds.

6. Reporting the incident.

o Simple Example: Blocking a compromised credit card and sending the customer a new
one.

• Regulatory Reporting: Banks are required to report certain incidents and breaches to
regulators within a specific timeframe.

o Simple Example: Notifying the regulator about a data breach that affected customer
information.

14. Session Security

A "session" is the period of time a user is logged in to a website or application.

• Session Hijacking: Stealing a user's session ID (like a special cookie) to pretend to be them
and access their account.

o Simple Example: An attacker steals a user's web browser cookie and uses it to access
the user's account without a password.

• Session Fixation: An attacker forces a user to use a specific session ID. When the user logs in,
the attacker can then use that same session ID to access their account.

o Simple Example: An attacker sends a user a link with a preset session ID. When the
user clicks the link and logs in, the attacker can use that ID to take over the session.

• Secure Cookies: Using special attributes like HttpOnly, Secure, and SameSite to protect
cookies from being stolen or misused.

o Simple Example: The HttpOnly attribute prevents a script from reading the cookie, and
Secure ensures the cookie is only sent over a secure HTTPS connection.

• Token Regeneration: Creating a brand new session token after a user logs in or changes their
privileges.

o Simple Example: After a user successfully logs in, the server gives them a completely
new session token to prevent a session fixation attack.

15. Common Web Application Attacks

• XSS (Cross-Site Scripting): An attack where an attacker injects malicious code (usually a
script) into a webpage that is then viewed and executed by other users.
 o Simple Example: An attacker posts a malicious script in a forum post. When another
user views that post, the script runs in their browser.

• CSRF (Cross-Site Request Forgery): An attack that tricks a logged-in user's web browser into
making an unwanted request to a website.

o Simple Example: A malicious website causes a user's browser to send a request to

their bank to transfer money without the user knowing.

• SQL Injection: An attacker inserts malicious SQL code into a web form to get or change
information in a database without permission.

o Simple Example: Typing ' OR '1'='1' into a login form to bypass the authentication and
log in as an administrator.

• Directory Traversal: An attack that tries to access files and folders outside of the intended
directory by using sequences like ../.

o Simple Example: An attacker requests a file path like /etc/passwd to get a sensitive
system file from a poorly configured web server.

16. Preventing Web-Based Attacks

• Input Validation & Sanitization: Checking what a user inputs to make sure it's the right type,
length, and format. Also, cleaning or encoding the input before it's used.

o Simple Example: Rejecting unexpected characters in a form and encoding the output
to prevent XSS attacks.

• Parameterized Queries: Using prepared statements for database queries instead of building
SQL commands by adding strings together. This is the main way to prevent SQL injection.

o Simple Example: Using a prepared statement ensures that the user input is treated
only as data, not as a command, so it can't run malicious SQL.

• Authentication Controls: Using things like strong passwords, multi-factor authentication

(MFA), and account lockouts to make it harder for attackers to get in.

o Simple Example: Requiring a password plus a one-time code from an app for an
administrator to log in.

• Secure Headers: Adding special headers to web requests to harden a user's browser against
attacks.

o Simple Example: A Content Security Policy (CSP) header can prevent inline scripts
from running, which helps stop XSS attacks.

• Least Privilege & Segmentation: Giving users and applications the minimum access they
need to do their job and separating sensitive parts of the system.

o Simple Example: A database user is only given permission to SELECT and INSERT data,
not to delete or modify the database structure.

17. Cybersecurity Frameworks Overview

Frameworks provide a set of guidelines and best practices for managing cybersecurity.

• NIST Cybersecurity Framework (CSF): A voluntary framework that helps organizations

manage and reduce their cyber risk. It has five main functions:

1. Identify: What are your assets and risks?

2. Protect: How do you protect your assets?

3. Detect: How do you find threats?

4. Respond: How do you handle a threat?

5. Recover: How do you get back to normal after an attack?

o Simple Example: Using the CSF to organize all of your cybersecurity activities from
finding assets to responding to an incident.

• ISO/IEC 27001: An international standard for creating and managing an Information Security
Management System (ISMS).

o Simple Example: Implementing a set of security policies, controls, and audits to get a
certification.

• CIS Controls: A prioritized list of actions that organizations can take to improve their defenses
against common attacks.

o Simple Example: Implementing the top 5 CIS Controls to quickly protect against a large
number of common threats.

18. State Bank of Pakistan Cybersecurity Regulations

• SBP IT Governance Guidelines: These are rules from the State Bank of Pakistan (SBP) that tell
banks how they should manage their IT governance, risks, and controls.

o Simple Example: Banks must have official IT policies and a dedicated Chief
Information Security Officer (CISO) or IT head.

• Required Controls: Banks are typically required to have strong access controls, logging,
incident reporting, and a process for managing vendors.

o Simple Example: Banks must keep detailed logs and report any security incidents to
the regulator within a specific timeframe.

• Audit & Compliance: Internal and external auditors review a bank's security controls to make
sure they are working correctly.

o Simple Example: An audit finds a security gap and forces the bank to create a plan to
fix it.

19. Cloud Security

• Shared Responsibility Model: This is a key concept in cloud computing. The cloud provider
(like Amazon or Google) is responsible for securing the cloud infrastructure itself, while the
customer is responsible for securing their data, applications, and access within the cloud.
 o Simple Example: The cloud provider patches the physical servers, but the customer is
responsible for configuring their firewall and user access settings.

• Common Risks: Misconfigured settings, too many privileges given to user accounts, storage
that is exposed to the public, and weak access management.

o Simple Example: A data bucket (like an S3 bucket) that is accidentally left open to the
public, causing data to leak.

• Best Practices: Encrypting your data, using IAM roles, turning on logging, monitoring for
threats, patching systems, and using multi-factor authentication (MFA).

o Simple Example: Using temporary credentials and rotating encryption keys regularly.

20. Artificial Intelligence and Machine Learning in Cybersecurity

• Applications: Using AI and ML for things like detecting threats and anomalies, finding phishing
emails, classifying malware, and automating security tasks.

o Simple Example: An ML model flags unusual login patterns as suspicious.

• Benefits: AI and ML can analyze huge amounts of data quickly, find new and unknown attack
patterns, and speed up the process of sorting through alerts.

o Simple Example: An AI system can quickly sort through thousands of security alerts,
finding the most important ones.

• Challenges: AI systems can produce many false positives, be vulnerable to "adversarial

attacks" (where attackers trick the AI), and can be hard to explain why they made a certain
decision.

o Simple Example: Attackers can create special inputs that are designed to trick an ML-
based detection system.

21. Internet of Things (IoT) Security

• Challenges: IoT devices often have limited processing power, don't get security updates, have
weak default passwords, and are made by many different vendors.

o Simple Example: A security camera left with the default password "admin" is easily
hacked.

• Best Practices: Designing devices with security in mind, using strong authentication, regularly
updating firmware, separating devices on their own network, and using encryption.

o Simple Example: Placing all IoT devices on a separate, isolated network (VLAN) so they
can't access the main company network.

• Device Lifecycle: This involves securing devices from the very beginning, monitoring them
while in use, keeping them patched, and securely removing them when they are no longer
needed.

o Simple Example: Revoking a device's security keys when it is taken out of service.

22. Threat Intelligence

 • Definition: The process of collecting and analyzing information about current and future
threats to help improve a company's defenses.

o Simple Example: Using a list of known malicious IP addresses to block them at the
firewall.

• Types of Intelligence:

o Tactical: Technical details like Indicators of Compromise (IOCs).

o Operational: Information about specific attack campaigns.

o Strategic: High-level trends and long-term insights.

• Benefits: It helps to detect threats faster, gives more context to alerts, and improves the
response to incidents.

o Simple Example: Blocking IP addresses known for phishing reduces the number of
phishing emails that reach employees.

23. Malware Analysis Basics

• Purpose: To understand how a piece of malware works, where it came from, what it can do,
and what its Indicators of Compromise (IOCs) are.

o Simple Example: Figuring out which files the malware changes and what network
addresses it tries to connect to.

• Static Analysis: Looking at a malware file's code and properties without actually running it.
This includes looking at strings, file headers, and signatures.

o Simple Example: Extracting suspicious URLs from the text inside a malware file.

• Dynamic Analysis: Running the malware in a safe, controlled environment (a "sandbox") or a

virtual machine to watch what it does in real-time.

o Simple Example: Watching the malware create new files, change registry keys, or make
network connections inside a sandbox.

• Tools & Safety: Always use isolated environments and network controls when analyzing
malware to prevent it from spreading.

o Simple Example: Always test malware samples in a sandbox that is not connected to
the internet.

24. Identity and Access Management (IAM)

• Definition: The systems and processes used to manage a person's digital identity and control
what they can access.

o Simple Example: An employee's account has a specific role that determines which
systems they are allowed to use.

• Components (AAA):

o Authentication: Verifying who a person is.

 o Authorization: Deciding what a person is allowed to do.

o Accounting: Keeping a record of what a person did.

o Simple Example: Using MFA for authentication, Role-Based Access Control (RBAC) for
authorization, and logging for accounting.

• Best Practices: Granting the "least privilege" (only the access needed to do a job), using Role-
Based Access Control (RBAC), using MFA, regularly reviewing access, and using Single Sign-On
(SSO).

o Simple Example: Only giving administrator rights to people who absolutely need them,
and reviewing their access every three months.

25. Digital Forensics

• Definition: The process of collecting and analyzing digital evidence to support a legal
investigation or case.

o Simple Example: Recovering deleted files and creating a timeline of an attacker's

actions.

• Process:

1. Identification: Finding the digital evidence.

2. Preservation: Making sure the evidence is not changed.

3. Collection: Getting the evidence in a proper way.

4. Examination: Looking at the evidence.

5. Analysis: Interpreting the evidence.

6. Reporting: Writing a report of the findings.

• Chain of Custody: A strict record of who has handled the evidence and when, to prove that it
hasn't been tampered with and is admissible in court.

o Simple Example: Logging every time a USB drive containing evidence is handed from
one person to another, with timestamps and signatures.

• Common Tools: Tools for forensic analysis, creating timelines, and analyzing a computer's
memory.

o Simple Example: Using a "write-blocker" tool when making a copy of a hard drive to
ensure that no data is accidentally changed.

26. Data Privacy Regulations and Compliance (e.g., GDPR)

• Purpose: To protect people's personal data and make sure that organizations handle data
responsibly.

o Simple Example: Giving users the right to see and delete their personal data.

• Key Principles:
 o Lawfulness: You must have a legal reason to collect data.

o Purpose Limitation: Only use the data for the reason you collected it.

o Data Minimization: Only collect the data you actually need.

o Accuracy: Make sure the data is correct.

o Storage Limitation: Don't keep data longer than you need it.

o Integrity and Confidentiality: Keep the data safe and private.

o Simple Example: Only collecting the necessary data for a service and deleting it when
you no longer need it.

• Compliance Requirements: Organizations may need to appoint a Data Protection Officer

(DPO), have rules for notifying about data breaches, and keep records of how they process
data.

o Simple Example: Notifying a regulator within a specific time period if a data breach
affects personal information.

27. Business Continuity and Disaster Recovery Planning

• Business Continuity (BC): Plans to keep the most important business functions running
during a major disruption.

o Simple Example: Having a plan for employees to work from a different office or from
home if the main office is unusable.

• Disaster Recovery (DR): The specific technical plan to restore IT systems and data after a
major outage or disaster.

o Simple Example: Having a step-by-step plan for restoring all databases from backups.

• Key Metrics:

o RTO (Recovery Time Objective): How quickly a system must be back up and running
after an outage.

o RPO (Recovery Point Objective): How much data you can afford to lose.

o Simple Example: An RTO of 4 hours means that a system must be restored within 4
hours of a disaster.

• Best Practices: Regularly testing your plans, making sure you have good backups, defining
clear roles for people, and having well-documented plans.

o Simple Example: Doing a "tabletop exercise" (a discussion-based test) and a full

failover test to make sure the plans work.

28. Cybersecurity Awareness and Training Programs

• Purpose: To educate employees to reduce the risk of human error and help them spot threats
early.
 o Simple Example: Training on how to spot phishing emails helps reduce the number of
people who click on malicious links.

• Key Elements: Training should be regular, include simulated phishing attacks, be tailored to
different job roles, and have clear ways for employees to report incidents.

o Simple Example: Sending out monthly security updates and doing fake phishing tests.

• Measuring Effectiveness: You can track things like how many people fall for phishing
simulations, the number of security incidents caused by human error, and how many
employees complete their training.

o Simple Example: The rate of people clicking on a phishing link drops from 20% to 5%
after a training program.

• Ongoing Culture: Creating a company culture where employees feel comfortable reporting
security issues, are rewarded for good security behavior, and receive simple, frequent security
communication.

o Simple Example: Giving recognition to teams that have a low number of security
incidents.