Cyber defense is the practice of proactively preparing for, detecting, and responding to attacks in order to limit or prevent damage. The key insight that shapes every strategy on this page is that cyber warfare is asymmetric: an attacker only needs to find one flaw, while you must protect everything. That asymmetry means no single control is enough — you need overlapping layers, realistic economics, and resilient backups.

The economics of defense

Before choosing any control, ask whether it is worth the cost. The formula that guides this decision is:
Risk = Threat × Vulnerability × Cost
  • Threat — who wants to attack you, and what are they after?
  • Vulnerability — how exposed are you to that threat?
  • Cost — what do you lose if the attack succeeds?
You have four ways to respond to any risk:
Response   What it means                                        Example
Mitigate   Reduce likelihood or impact to an acceptable level   Add MFA to reduce credential-theft risk
Avoid      Stop the activity that creates the risk              Don’t store credit card numbers at all
Accept     Cost of the fix exceeds the impact                   A low-traffic site accepts the risk of a minor DDoS
Transfer   Move the risk to a third party                       Purchase cyber insurance
Security measures must also be psychologically acceptable. If a control is too burdensome, users route around it — a complex password policy often ends with credentials on a sticky note. The most secure computer is one that’s unplugged and buried in concrete; it’s also completely useless. Always balance security with usability.

Defense in depth

Defense in depth (DiD) is a layered approach where multiple independent controls protect the same asset. If one layer fails, others still stand. Think of it as an onion: each ring is a different category of control. By type:
  • Physical controls — locks, access cards, security cameras, guards
  • Technical controls — firewalls, encryption, access control, IDS/IPS, MFA
  • Administrative controls — security policies, staff training, incident response plans, audits
By function:
  • Preventive — stop attacks before they reach assets (firewalls, access control, input validation)
  • Detective — identify and log attacks in progress (IDS, monitoring, anomaly detection)
  • Corrective — contain damage and restore normal operation (backups, incident response, patching)
Scenario: A laptop is stolen (physical control fails). Full-disk encryption (data-layer technical control) means the attacker cannot read the contents even with direct hardware access — a second layer caught what the first layer missed.

Core design principles (Saltzer & Schroeder)

Implementing DiD well means following these foundational principles:
  • Least privilege — grant each user or process only the minimum access required. A web server process that runs as root gives an attacker root on compromise; one that runs as a limited service account does not.
  • Fail-safe defaults — default to no access; grant it explicitly. It’s easy to notice when someone has too little access (they complain), but no one complains about having too much.
  • Economy of mechanism — keep designs as simple as possible. Complexity hides vulnerabilities.
  • Complete mediation — check every access to every resource for authorization, every time.
  • Open design — security must not depend on keeping the design secret. Security through obscurity is not reliable.
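As an added illustration (not code from the page), the small checker below applies three of these principles at once: rights are an explicit allow table with no deny list (fail-safe default), every request passes through authorize() (complete mediation), and each role carries only what it needs (least privilege). The users, roles and paths are constructed for the example.

```python
# Least privilege: each role lists only the rights it needs. There is no deny
# list because anything absent from this table is denied (fail-safe default).
ROLE_RIGHTS = {
    "web-service":  {("/var/www/html", "read")},
    "backup-agent": {("/var/www/html", "read"), ("/backups", "write")},
    "admin":        {("/var/www/html", "read"), ("/var/www/html", "write"),
                     ("/backups", "read"), ("/backups", "write"),
                     ("/etc/shadow", "read")},
}
# Constructed account-to-role mapping.
USER_ROLE = {"www-data": "web-service", "bkp": "backup-agent", "alice": "admin"}


def authorize(user, resource, action, audit):
    """Return True only for an explicit grant; record every decision."""
    role = USER_ROLE.get(user)                 # unknown user -> None
    rights = ROLE_RIGHTS.get(role, set())      # unknown role -> no rights
    allowed = (resource, action) in rights
    audit.append((user, resource, action, "ALLOW" if allowed else "DENY"))
    return allowed


def perform(user, requests, audit):
    """Complete mediation: authorize() runs on every request, never cached."""
    return [authorize(user, res, act, audit) for res, act in requests]


def blast_radius(user):
    """What an attacker gains by compromising this account: its whole right set."""
    return ROLE_RIGHTS.get(USER_ROLE.get(user), set())


if __name__ == "__main__":
    audit = []
    # A compromised web-server process tries operations its role never needs.
    attempts = [("/var/www/html", "read"), ("/var/www/html", "write"),
                ("/etc/shadow", "read")]
    print(perform("www-data", attempts, audit))   # [True, False, False]
    print(perform("nobody", attempts, audit))     # [False, False, False]
    # Running the web server as "alice" instead would hand over all 5 rights.
    print(len(blast_radius("www-data")), "right(s) vs", len(blast_radius("alice")))
    for entry in audit:
        print(entry)
```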

Zero Trust vs. Castle and Moat

These two models represent a fundamental shift in how you think about network perimeters.
The Castle and Moat model treats your internal network as the castle and your perimeter defenses (firewalls, IDS) as the moat. If you’re inside the perimeter, you are trusted.
How it works:
  • Strong perimeter defenses keep attackers outside
  • Devices and users inside the network are implicitly trusted
  • Access controls focus on the boundary
Limitations:
  • Assumes threats come only from outside — internal threats or compromised insiders are not addressed
  • A single breach of the moat gives an attacker relatively free movement inside
  • Cloud services, remote work, and BYOD make the perimeter impossible to define cleanly
  • Lateral movement after initial compromise is easy
Most real-world organizations operate somewhere on a spectrum between these two models. Zero Trust is a goal, not a binary state. You can adopt its principles incrementally — start with MFA everywhere, then move toward micro-segmentation and least-privilege enforcement.

The 3-2-1 backup rule

Ransomware specifically targets backups before encrypting production data. A backup that lives on the same machine it protects is not a backup — it is a second copy that gets encrypted alongside the first. The 3-2-1 rule is the minimum viable backup strategy:
  • 3 copies of your data (1 production + 2 backups)
  • 2 different storage media types (e.g., local disk and cloud, or disk and tape)
  • 1 copy stored offline and physically separated from the others
Immutable backups take this further: they cannot be altered or deleted — even by an administrator — for a defined retention period. Ransomware cannot encrypt what it cannot write to.
Cost-benefit thinking applies here too. You do not buy a $5,000 titanium lock to secure a $50 bike. Match your backup frequency (and therefore your Recovery Point Objective) to the actual value and replacement cost of your data.
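As an added example (not from the page), this check evaluates a backup inventory against the 3-2-1 rule, the ransomware caveat that a copy on the production host is not a backup, and a Recovery Point Objective. The inventories, hosts and media names are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    host: str         # machine that holds this copy
    media: str        # "disk", "tape", "cloud", ...
    offline: bool     # not reachable over the network from production
    immutable: bool   # write-once for a retention period
    age_hours: float  # time since this copy was last refreshed


def check_321(production, copies, rpo_hours):
    """Evaluate an inventory; 'ok' is True only when 3-2-1 and the RPO hold."""
    # A copy sitting on the production host is a second copy that ransomware
    # encrypts together with the live data, so it counts toward nothing.
    effective = [c for c in copies if c.host != production.host]
    media = {production.media} | {c.media for c in effective}
    freshest = min((c.age_hours for c in effective), default=float("inf"))
    f = {
        "excluded_same_host": len(copies) - len(effective),
        "three_copies": 1 + len(effective) >= 3,   # production + 2 backups
        "two_media": len(media) >= 2,
        "one_offline": any(c.offline for c in effective),
        "immutable_copy": any(c.immutable for c in effective),  # extra hardening
        "within_rpo": freshest <= rpo_hours,
    }
    f["ok"] = (f["three_copies"] and f["two_media"]
               and f["one_offline"] and f["within_rpo"])
    return f


# Constructed inventories.
PROD = Copy("web01", "disk", False, False, 0)
BAD = [  # looks like two backups, but one lives on the production host
    Copy("web01", "disk", False, False, 1),
    Copy("nas01", "disk", False, False, 1),
]
GOOD = [
    Copy("nas01", "disk", False, False, 1),        # fast local restore
    Copy("tape-vault", "tape", True, False, 6),    # offline, physically separate
    Copy("obj-store", "cloud", False, True, 2),    # immutable for its retention window
]

if __name__ == "__main__":
    print(check_321(PROD, BAD, rpo_hours=24))    # ok: False
    print(check_321(PROD, GOOD, rpo_hours=24))   # ok: True
```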

Frameworks and standards

You do not need to design a security program from scratch. Established frameworks provide prioritized, auditable checklists of controls:
  • NIST Cybersecurity Framework (CSF) — Identify, Protect, Detect, Respond, Recover
  • ISO/IEC 27001 — international standard for Information Security Management Systems (ISMS)
  • CIS Controls — prioritized technical controls ranked by defensive value
  • OWASP Top 10 — the ten most critical web application security risks
If you operate in the EU (or, for Iceland, the EEA), also pay attention to GDPR, NIS2, and the incoming Cyber Resilience Act, which imposes mandatory security requirements on software and IoT products placed on the EU market.