Lexicon

At PolicyWizard, the words we use are important. Misunderstandings cause confusion and cost money and time. Please use this lexicon to help with your understanding.

The meaning of the words we use.

Accounting

The act of accounting for actions and events (see logging).

Administrative Controls

Security controls enforced using administrative procedures (e.g., the Human Resources disciplinary procedure).

Annual Rate of Occurrence

The number of expected annual losses.

Annualised Loss Expectancy

The calculation used to determine the expected cost of annual losses due to a single event type.

Asset

The device, intellectual property, process, or system that has value to the organisation.

Asset Register

A log of all assets.

Asset Value

The asset's value to the business, threat actor, or stakeholder.

Audit

Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.

Authentication

Validating the authenticity of something or someone.

Authorisation

The power or right to give orders or make decisions.

Availability

Present and ready for use; at hand; accessible.

Compliance

The act of complying with a wish, request, or demand; acquiescence.

Confidentiality

The state or attribute of being secret; privacy.

Consequence/Impact

The possible adverse effect of a security risk.

Control(s)

To exercise an authoritative or dominating influence over someone or something (e.g., implementing security controls to reduce the potential for adverse consequences of an event).

Countermeasure

A measure or action taken to counter or offset another one.

Corrective Controls

A type of security control (countermeasure) used to contain unapproved actions or behaviours.

Cyber Security/Cybersecurity

A buzzword used to describe the act of protecting information technology (IT).

Detective Controls

A type of security control used to identify unwanted actions.

Exposure Factor

The cost of one incident or loss event.

Governance

The way that organisations or countries are managed at the highest level, and the systems for doing this.

Human Risk

The potential adverse effects of human interaction with information systems and business operations.

Human Risk Management

The art of safeguarding operating conditions and procedures to reduce the potential for adverse effects of human interaction with information systems and business operations.

Incompetence

The quality or state of being incompetent (e.g., a lack of physical, intellectual, or moral ability; a lack of qualifications or training for a particular task; insufficiency; inadequacy).

Information

Facts provided or learned about something or someone.

Information Security

The act of protecting information in all forms (e.g., digital and physical).

Information Security Management System (ISMS)

An organised set of principles and procedures to control information and reduce anxiety about its protection.

Insecure

The feeling or effect of a lack of protection or the presence of an exploitable vulnerability.

Insider Threat

Someone internal to the organisation acting against it or acting in their own self-interest to defraud the organisation of money or future revenue.

Integrity

Steadfast adherence to a strict moral or ethical code.

Least privilege

The principle that a security architecture is designed to grant each entity the minimum system resources and authorisations needed to perform its function.

Legal Risk

Risks with potential legal or regulatory consequences.

Likelihood/Probability

The extent to which something is likely to happen.

Logging

The act of keeping a log of events in a computer system, such as problems, errors or just information on current operations.

Malware

Malicious code that carries out unauthorised and potentially harmful actions on a computer system.

Management

The process of dealing with or controlling things or people.

Managerial Controls

Security controls enforced using managerial procedures (e.g., the access management procedure).

Mitigating Controls

A type of security control used to reduce the consequences (impact) of unapproved actions or behaviours.

Monte Carlo Simulation

A type of calculation used in security risk quantification assessments.

Negligence

The state or quality of being negligent (e.g., a negligent act or a failure to act).

Non-repudiation

A service that is used to provide assurance of the integrity and origin of data in such a way that the integrity and origin can be verified and validated by a third party as having originated from a specific entity in possession of the private key (i.e., the signatory).

Operational Risk

A potential impact on information system availability, resulting in contract and customer satisfaction problems.

Opportunity Risk

The potential positive effect of an uncertain outcome.

Policy

A set of ideas or a plan of what to do in particular situations that has been agreed to officially by a group of people, a business organisation, a government, or a political party.

Policy Enforcement

The act of enforcing the implementation of security policies using administrative and managerial security controls.

Possibility

The fact or state of being possible.

Preventative Controls

A type of safeguard (security control) used to prevent unwanted actions.

Privacy

The quality or condition of being secluded from the presence or view of others.

Probability/Likelihood

The extent to which something is likely to happen.

Protection

The action or effect of protecting or securing someone or something.

Pure Risk

The potential adverse effect of an uncertain outcome.

Qualitative Risk Assessment

A method of calculating risk with an output on an ordinal scale (e.g., critical, high, medium, and low).

Quantitative Risk Assessment

A method of calculating risk with a quantitative output (e.g., a percentage chance).

Risk

The effect of uncertainty on objectives.

Risk Appetite

The amount of risk the organisation is willing to accept accountability for (e.g., the cost they are willing to pay if a potential adverse event happens).

Risk Assessment

A repeatable method of assessing security risks.

Risk Decisions

A decision on how to address or mitigate a security risk.

Risk Exception/Tolerance

The amount of risk the organisation is willing to accept accountability for (e.g., the cost they are willing to pay if a potential adverse event happens) in exceptional circumstances (e.g., the potential income from an opportunity risk outweighs the potential cost of the pure risk).

Risk Management

The art of assessing, controlling, and understanding events that may have a potentially damaging impact on an organisation’s normal operations.

Risk Register

A log of all risks.

Risk Scenario

An analysis of a potential adverse security risk scenario.

Safeguard

Something that protects against attack, loss, or injury as a precautionary measure.

Security

The feeling of comfort and safety (e.g., without anxiety or free from care) in the activity or location.

Security Awareness

The act of sharing educational content to impart security knowledge throughout an organisation using all forms of communication.

Security Policy

A security policy is an agreed set of rules relating to the organisation’s security requirements.

Security Risk

A security risk is an adverse event that is possible because the conditions of our environment allow for the action to happen.

Segregation of Duties

The separation of duties ensures that one person cannot interfere with or complete a critical function as an individual.

Single Loss Expectancy

The expected cost of a single loss event.
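
The quantitative-risk terms in this lexicon (Single Loss Expectancy, Annual Rate of Occurrence, Annualised Loss Expectancy, Monte Carlo Simulation, Risk Appetite) brought together in one worked calculation. This is an added example, not PolicyWizard's code; it assumes the standard relation ALE = SLE × ARO (which the page does not state), a Poisson event count and a normally distributed per-event loss for the simulation, and constructed figures for the scenario.

```python
import math
import random
from dataclasses import dataclass

@dataclass
class RiskScenario:
    """One loss-event type, described with the lexicon's quantities."""
    name: str
    sle: float  # Single Loss Expectancy: expected cost of one loss event
    aro: float  # Annual Rate of Occurrence: expected number of events per year

def annualised_loss_expectancy(s: RiskScenario) -> float:
    """ALE = SLE x ARO (standard relation, assumed here; the page does not state it)."""
    return s.sle * s.aro

def _poisson(rng: random.Random, lam: float) -> int:
    """Draw a yearly event count with expected rate lam (Knuth's method)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def monte_carlo_annual_loss(s: RiskScenario, years: int = 20000,
                            spread: float = 0.5, seed: int = 7) -> dict:
    """Simulate many years: draw the event count, then a loss per event.
    Per-event loss is normal around the SLE (clamped at zero) with relative
    standard deviation 'spread'. Returns mean, 95th percentile and worst year."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(_poisson(rng, s.aro)):
            total += max(0.0, rng.gauss(s.sle, s.sle * spread))
        annual.append(total)
    annual.sort()
    return {"mean": sum(annual) / years,
            "p95": annual[int(0.95 * years)],
            "worst": annual[-1]}

def within_appetite(result: dict, appetite: float) -> bool:
    """Risk appetite check: is the 95th-percentile annual loss within budget?"""
    return result["p95"] <= appetite

if __name__ == "__main__":
    # Constructed figures, not from the page: a 50k loss expected once every 5 years.
    phish = RiskScenario("account takeover via phishing", sle=50_000.0, aro=0.2)
    print("ALE:", annualised_loss_expectancy(phish))  # 10000.0
    print(monte_carlo_annual_loss(phish))
```

The simulated mean converges on the analytic ALE, while the 95th percentile shows the kind of bad year a risk appetite has to budget for, which the single ALE figure hides.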

System

A set of principles or procedures according to which something is done; an organised scheme or method.

Technical Controls

Security controls enforced using technical measures (e.g., access control using an Identity and Access Management (IAM) solution).

Threat

The behaviour or force applied to an asset that has the potential to cause harm.

Threat Actor

The person responsible for the unwanted behaviour.

Vulnerability

An exploitable weakness within a device, process, security control, or system.