Vocabulary – Introduction

The words risk, threat, and vulnerability are the vocabulary of security professionals, but the are not used consistently. This series of blogs will explore common information security vocabulary starting with a dictionary definition, then listing other definitions with a brief analysis. Often the dictionary provides multiple meanings, so I have selected the one that best fits security.

The vocabulary includes:

  • Asset
  • Control
  • Policy
  • Risk
  • Threat
  • Vulnerability

I have evaluated the definitions using the following basic principles:

  1. Keep it simple
  2. Avoid complicated terms
  3. Avoid specialized terms
  4. Avoid circularity

Sources referenced include:

  1. Dictionary https://www.merriam-webster.com/
  2. The Center for Internet Security® (CIS) Risk Assessment Method Version 1.0 For Reasonable Implementation and Evaluation of Controls (2018)  https://www.cisecurity.org/
  3. The National Information Assurance (IA) Glossary CNSS (2003) https://www.ecs.csus.edu/csc/iac/cnssi_4009.pdf
  4. COBIT https://cobitonline.isaca.org/l3-main?book=framework#framework-glossary01
  5. Common Vulnerabilities and Exposures (CVE) http://cve.mitre.org/
  6. The Open Enterprise Security Architecture (ESA) (C02, ISBN 978-90-8753-672-5), 2011
  7. The Open Technical Standard: Risk Taxonomy (FAIR) (C081, ISBN: 1-931624-77-1), January 2009, published by The Open Group.
  8. ISACA https://www.isaca.org/Pages/Glossary.aspx?tid=2011&char=C
  9. The International Standards Organization’s Information technology – Security techniques – Information security management systems – Overview and vocabulary (ISO 27000 – 2018)  http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
  10. The NIST Framework for Improving Critical Infrastructure Cybersecurity (CSF) Version 1.1, 2018 https://www.nist.gov/cyberframework
  11. The Security and Privacy Controls for Federal Information Systems and Organizations     (NIST 800-53)  Revision 4, 2013
    https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
  12. Open Trusted Technology Provider™ Standard (O-TTPS) Version 1.1 Mitigating Maliciously Tainted and Counterfeit Products https://publications.opengroup.org/c147
  13. OWASP https://www.owasp.org/index.php/Glossary
  14. The Payment Card Industry (PCI) Data Security Standard (DSS) and Payment Application Data Security Standard (PA-DSS) Glossary of Terms, Abbreviations, and Acronyms Version 3.2, 2016 https://www.pcisecuritystandards.org/document_library
  15. The Security Development Lifecycle (SDL), Michael Howard and Steve Lipner, Microsoft Press, 2006, ISBN 978-07356-2214-0
  16. STIX™ Version 2.0. Part 2: STIX Objects, Committee Specification 01, 19 July 2017 https://oasis-open.github.io/cti-documentation/resources#stix-20-specification

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s