Today, the built environment is designed, built, and managed using digital technology, making it increasingly exposed to cyber security risks. Cybersecurity is a general topic, and the construction sector has been borrowing general solutions and frameworks. However, the construction industry is specific and needs a specialized framework that would assist in understanding and managing cybersecurity. We have studied general cybersecurity frameworks, cybersecurity standards, research literature, and first principles of systems theory and process engineering. Drawing from that, we developed an original framework that identifies three kinds of wrongful activities: stealing, lying, and harming. It identifies four elements that can be affected by wrongful activities: information asset, material asset, person, and system. It defines cybersecurity as the absence of the three wrongs across the four kinds of elements. The framework is construction-specific, and as such, a useful tool for senior management to understand security problems and organize security processes. It can lead to better standardization and also helps the researchers to structure future work on the topic. The latter should be concentrated in areas where construction was found to be different: the dynamic and overlapping process and organizational boundaries in the design stage, the exposed shared design information, and the vulnerability of control information of the built environment, particularly in critical infrastructures.