APPENDIX G
ABBREVIATIONS AND GLOSSARY

ABBREVIATIONS

3G: third generation public cellular mobile system
4G: fourth generation public cellular mobile system
5G: fifth generation public cellular mobile system
AES: Advanced Encryption Standard
AI: artificial intelligence
ATM: automatic teller machine
BC: business continuity
BCI: Business Continuity Institute
BCM: business continuation management
BCP: business continuity plan
BCS: BCS, The Chartered Institute for IT
BEC: business email compromise
BGP: Border Gateway Protocol
BIA: business impact analysis
BS: British Standard
BSI: British Standards Institution
BT: British Telecom
BYOD: bring your own device
C2: command and control
CA: certification authority
CAN: Controller Area Network
CBT: computer-based training
CCA: Centre for Cyber Assessment
CCP: Certified Cyber Professional
CCSC: Certified Cyber Security Consultancy
CCSK: Certificate of Cloud Security Knowledge
CCSP: Certified Cloud Security Professional
CCTV: closed-circuit television
CEO: chief executive officer
CERN: European Organization for Nuclear Research
CERT: computer emergency response team
CERT/CC: Computer Emergency Response Team/Coordination Centre
CERT-UK: Computer Emergency Response Team UK
CES: Consumer Electronics Show
CFO: chief financial officer
CI: critical infrastructure
CII: critical information infrastructure
CISMP: Certificate in Information Security Management Principles
CiSP: Cyber Security Information Sharing Partnership
CISSP: Certified Information Systems Security Professional
CLI: Calling Line Identifier
CNI: critical national infrastructure
COBIT: Control Objectives for Information and Related Technologies
COPPA: Children’s Online Privacy Protection Act
CPNI: Centre for the Protection of National Infrastructure
CSIRT: computer security incident response team
CSP: communication service provider
DARPA: Defense Advanced Research Projects Agency
DDoS: distributed denial of service
Defra: Department for Environment, Food and Rural Affairs
DMZ: demilitarised zone
DNO: distribution network operator
DNS: domain name system
DoD: Department of Defense
DORA: Digital Operational Resilience Act
DoS: denial of service
DPA: Data Protection Act
DR: disaster recovery
DVLA: Driver and Vehicle Licensing Agency
ECU: engine control unit
EDR: event data recorder
ENISA: European Union Agency for Network and Information Security
ETSI: European Telecommunications Standards Institute
EU: European Union
FAST: Federation Against Software Theft
FCA: Financial Conduct Authority
FIPS: Federal Information Processing Standard
GCHQ: Government Communications Headquarters
GDPR: General Data Protection Regulation
GP: general practitioner
GPS: Global Positioning System
GSM: Global System for Mobile Communications
HIDS: host intrusion detection system
HIPAA: Health Insurance Portability and Accountability Act
HMRC: His Majesty’s Revenue and Customs
HR: human resources
HSCIC: Health and Social Care Information Centre
HTTP: Hypertext Transfer Protocol
HTTPS: Hypertext Transfer Protocol Secure
HVAC: heating, ventilation and air conditioning
IA: information assurance
ICT: information and communications technology
IDPS: intrusion detection and prevention systems
IDS: intrusion detection system
IEC: International Electrotechnical Commission
IED: improvised explosive device
IETF: Internet Engineering Task Force
IFE: in-flight entertainment
iOS: iPhone Operating System
IoT: Internet of Things
IP: intellectual property or Internet Protocol
IPC: Investigatory Powers Commission
IPv6: Internet Protocol Version 6
ISAC: information sharing and analysis centre
ISF: Information Security Forum
ISMS: information security management system
ISO: International Organization for Standardization
ISP: internet service provider
ISS: International Space Station
ITU: International Telecommunication Union
LAN: local area network
MAC: media access control
MAM: Mobile Application Management
MAO: maximum acceptable outage
MDR: Managed Detection and Response
MDM: Mobile Data Management
MTDL: maximum tolerable data loss
NCSC: National Cyber Security Centre
NHS: National Health Service
NIDS: network intrusion detection system
NIS: Network and Information Security
NISCC: National Infrastructure Security Coordination Centre
NIST: National Institute of Standards and Technology
NSA: National Security Agency
NTP: Network Time Protocol
OS: operating system
P2P: peer-to-peer
PAS: publicly available specification
PCI DSS: Payment Card Industry Data Security Standard
PCIRM: Practitioner Certificate in Information Risk Management
PDCA: Plan–Do–Check–Act
PDF: Portable Document Format
PGP: Pretty Good Privacy
PII: personally identifiable information
PIN: personal identification number
PKI: Public Key Infrastructure
PPs: Professional Practices
PTZ: point, tilt and zoom
RFC: Request for Comment
RIPA: Regulation of Investigatory Powers Act
RTO: recovery time objective
SAN: storage area network
SCADA: Supervisory Control and Data Acquisition
SIE: security information exchange
SLA: service level agreement
SLR: single-lens reflex
SME: small-to-medium enterprise
SMTP: Simple Mail Transfer Protocol
SPoF: single point of failure
SQL: Structured Query Language
SSCP: Systems Security Certified Practitioner
SSH: Secure Socket Shell
SSID: service set identifier
TCP: Transmission Control Protocol
TLP: Traffic Light Protocol
TLS: Transport Layer Security
TOR: The Onion Router
UAC: User Account Control
UDP: User Datagram Protocol
UPS: uninterruptible power supply
URL: Uniform Resource Locator
USB: Universal Serial Bus
VESDA: Very Early Smoke Detection Apparatus
VoIP: Voice over Internet Protocol
VPN: virtual private network
WAN: wide area network
WAP: wireless access point
WARP: warning, advice and reporting point
WEP: Wired Equivalent Privacy
Wi-Fi: Wireless Fidelity
WLAN: wireless local area network
WPA: Wireless Protected Access
WPA-PSK: Wireless Protected Access Pre-Shared Key
WPS: Wi-Fi Protected Setup

GLOSSARY

Some of the following definitions are taken from ISO/IEC 27000:2020 [1], ISO 22301:2019 [2], ISO Guide 73:2009 [3], BS ISO/IEC TR 18044:2004 [4] and ISO/IEC 27032:2012 [5]. A few are not defined in any standards, so I have suggested my own definition.

Access control: The means to ensure that access to assets is authorised and restricted to business and security requirements. [1]

Asset: Any item that has value to the organisation. [1] Assets may be tangible, normally having some physical form such as network equipment, systems and so on, or intangible, having no physical form, such as trademarks or reputation.

Attack: An attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset. [1]

Audit: The systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. [1]

Authentication: The provision of assurance that a claimed characteristic of an entity is correct. [1]

Availability: The property of being accessible and useable upon demand by an authorised entity. [1]

Business continuity (BC): The capability of the organisation to continue delivery of products and services at acceptable predefined levels following a disruptive incident. [2]

Business impact analysis (BIA): The process of analysing activities and the effect that a business disruption might have upon them. [2]

Confidentiality: The property that information is not made available or disclosed to unauthorised individuals, entities or processes. [1]

Consequence: An outcome of an event affecting objectives. [3] Consequences are also referred to as impacts.

Control: A measure that is modifying risk. [3] Controls come in a number of forms – at the strategic level, they can be to modify or reduce the risk; to avoid or terminate it; or to transfer or share it. At the tactical level, control choices are preventative, to stop something from happening; corrective, to fix something that has happened; detective, to discover when something has happened; and directive, to put processes and procedures into place. Finally, operational controls can be physical, such as locks and barriers; procedural, such as change control mechanisms; and technical, such as antivirus software.

Cyber-attack: Aggressive cyber action taken against people, organisations, networks, systems and services, and which is intended to cause loss or damage.

Cyber bullying: Cyber bullying or cyber harassment is simply the act of harassing or bullying a person or group of people using cyber-based methods such as social media, text messaging and the like.

Cybercrime: Criminal activity where services or applications in the cyberspace are used for or are the target of a crime, or where the cyberspace is the source, tool, target or place of a crime. [5]

Cyber espionage: Covert surveillance activity conducted over cyberspace.

Cyber hacktivism: Includes individuals or groups who may be stalking someone in an act of revenge for a perceived grievance, looking to expose some wrongdoing, or a business trying to place their competitors on the wrong foot.

Cyber security: Preservation of confidentiality, integrity and availability of information in the cyberspace. [5]

Cyberspace: Complex environment resulting from the interaction of people, software and services on the internet by means of technology devices and networks connected to it, which does not exist in any physical form.

Cyber terrorism: Includes cyber-attacks by terrorists against nation states, business and commerce. It may also include a terrorist group trying to turn people against their own government, or a nation state trying to unbalance another government. One way or another, it’s all a form of terrorism designed to induce fear or to stir up hatred.

Cyber theft: Theft or a fraudulent activity conducted over cyberspace.

Cyber warfare: An attack on another nation state’s information or infrastructure conducted over cyberspace.

Data: A collection of values assigned to base measures, derived measures and/or indicators. [1]

Disaster recovery (DR): A coordinated activity to enable the recovery of IT systems and networks due to a disruption.

Event: The occurrence or change of a particular set of circumstances. [3]

Exploit or exploitation: A particular form of attack that takes advantage of one or more vulnerabilities, and in which a tried-and-tested method of causing an impact is followed with some rigour. Exploits are similar in nature to processes, but whereas processes are generally benign, exploits are almost always harmful.

Hazards: A source of potential harm. [3] They are frequently viewed as being natural, as opposed to human-made, events, including such things as severe weather and pandemics.

Impact: An outcome of an event affecting objectives. [3] This is also referred to as a consequence.

Information: An organised and formatted collection of data.

Information assurance: The process of ensuring that data is not lost when critical events or incidents occur. It is generally associated with computer, cyber or IT security rather than the somewhat wider meaning of ‘information security’.

Information security: The preservation of confidentiality, integrity and availability of information. [1]

Information security incident: An information security incident is indicated by a single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security. [4]

Integrity: Property of protecting the accuracy and completeness of assets. [1]

Level of risk: The magnitude of a risk expressed in terms of the combination of consequences and their likelihood. [1]

Likelihood: The chance of something happening. [3] The terms ‘likelihood’ and ‘probability’ are often used interchangeably, but ‘likelihood’ is a rather general term denoting a degree of uncertainty, whereas the term ‘probability’ has a more statistical underpinning. The term ‘possibility’ is generally not used, since many things are possible, but the term gives no indication whether or not the event is actually likely to take place.

Malware payload: Malicious code that can cause harm to the victim. Malware payloads can be distributed by methods such as worms and emails. Malware authors typically encrypt the payload to hide the malicious code from malware detection systems.

Monitoring: Determining the status of a system, a process or an activity. [2]

Non-repudiation: The ability to prove the occurrence of a claimed event or action and its originating entities, in order to resolve disputes about the occurrence or non-occurrence of the event or action and involvement of entities in the event. [1]

Objective: A result to be achieved. [1]

Organisation: A person or group of people that has its own functions with responsibilities, authorities and relationships to achieve its objectives. [1]

Policy: The intentions of an organisation as formally expressed by its top management. [1]

Probability: The measure of the chance of occurrence expressed as a number between 0 and 1, where 0 is impossibility and 1 is absolute certainty. [3]

Process: A set of interacting activities, which transforms inputs into outputs. [1]

Resilience: The adaptive capacity of an organisation in a complex and changing environment. [3] Although this definition refers to organisations rather than to information assets, the definition holds true in that where an information asset is properly protected, it is able to resist certain threats. However, to make an information asset fully resilient may be a very complex task and require several different methods of protection.

Review: An activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. [1]

Risk: The effect of uncertainty on objectives. [3] Risk is the product of consequence or impact and likelihood or probability, and is not the same as a threat or hazard. In the context of information risk management, risk is usually taken to have negative connotations. In the wider context of risk, however, it can also be seen in a positive light and referred to as ‘opportunity’.

Risk acceptance: The informed decision to take a particular risk. [3] Risk acceptance (or risk tolerance) is the final choice in risk treatment once all other possible avenues have been explored. This is not the same as ignoring risks – something that should never be done.

Risk analysis: The process to comprehend the nature of risk and to determine the level of risk. [3] This is the part of risk assessment where we combine the impact and the likelihood (or probability) of a risk to calculate the level of risk in order to plot it onto a risk matrix, which allows us to compare risks for their severity and to decide which are in most urgent need of treatment.

Risk appetite: The amount and type of risk that an organisation is willing to pursue or retain. [3]

Risk assessment: The overall process of risk identification, risk analysis and risk evaluation. [3] This includes identification of the information assets and their owners; impact assessment; threat and vulnerability identification; likelihood assessment; risk analysis; production of the risk matrix; and finally risk evaluation.

Risk avoidance: An informed decision to not be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk. [3] Risk avoidance (or risk termination) is one of the four strategic options for risk treatment. Avoiding the risk should normally remove the risk completely but may leave the organisation with other challenges.

Risk evaluation: The process of comparing the results of risk analysis with risk criteria to determine whether the risk and/or its magnitude is acceptable or tolerable. [3]

Risk identification: The process of finding, recognising and describing risks. [3]

Risk management: The coordinated activities to direct and control an organisation with regard to risk. [3]

Risk matrix: A graphical representation of impact versus likelihood used to assist in the prioritisation of risks.

Risk modification: Risk modification (or risk reduction) is the process of treating risk by the use of controls to reduce either the consequence/impact or the likelihood/probability. Sometimes the term ‘risk treatment’ is used in this context, but risk treatment is really a generic term for all four kinds of strategic control. Strangely, ISO Guide 73 does not attempt to define risk modification or reduction, although it does refer to it under the definition of ‘control’.

Risk reduction: See ‘Risk modification’.

Risk retention: The acceptance of the potential benefit of gain, or burden of loss, from a particular risk. [3] Once risks have undergone the risk treatment process, there may be some outstanding risk that cannot be further reduced, transferred or eliminated. This is referred to as ‘residual risk’, and risk retention is the ongoing process of accepting and managing this.

Risk review: The activity undertaken to determine the suitability, adequacy and effectiveness of the subject matter to achieve established objectives. [3]

Risk sharing: A form of risk treatment involving the agreed distribution of risk with other parties. [3]

Risk termination: An informed decision to not be involved in, or to withdraw from, an activity in order not to be exposed to a particular risk. [3]

Risk tolerance: An organisation or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives. [3]

Risk transfer: Risk transfer (or risk sharing) is a form of risk treatment involving the agreed distribution of risk with other parties. [3] One of the strategic risk treatment options is to transfer the risk to or to share it with a third party. Transferring or sharing the risk, however, does not change ownership of the risk; it remains with the organisation itself, regardless of who else shares the risk.

Risk treatment: The process to modify risk. [3] While this may be technically correct, risk modification is just one form of risk treatment, and alternatively may involve risk transference or sharing, or risk avoidance or termination.

Stakeholder: A person or organisation that can affect, be affected by, or perceive themselves to be affected by, a decision or activity. [3]

Threat: The potential cause of an unwanted incident, which may result in harm to a system or organisation. [1] Whereas hazards are generally viewed as natural events, threats are usually human-made, whether accidental or deliberate, and may include such things as sabotage and cyber-attacks.

Threat actions: The actual attacks. These are often not a single isolated event, but can consist of many discrete activities, involving surveillance, initial activities, testing and the final attacks.

Threat actor or threat agent: An individual or group of individuals who actually execute a cyber-attack.

Threat analysis: The process of understanding the level of threat – this is referred to in more detail in Chapter 6.

Threat consequences or impacts: The results or impacts of a cyber-attack, which we deal with in Chapter 4.

Threat source: A person or organisation that wishes to benefit from attacking an information asset. Threat sources often pay or otherwise pressurise threat actors to attack information assets on their behalf.

Threat vectors or attack vectors: Tools, techniques and mechanisms by which an attacker conducts the attack on their target.

Vulnerability: The intrinsic properties of something resulting in susceptibility to a risk source that can lead to an event with a consequence. [1] Vulnerabilities or weaknesses in or surrounding an asset leave it open to attack from a threat or hazard. Vulnerabilities come in two types – intrinsic vulnerabilities, which are something inherent in the very nature of an information asset, such as the ease of erasing information from magnetic media (whether accidental or deliberate), and extrinsic vulnerabilities, which are those that are poorly applied, such as software that is out of date due to a lack of patching.

Sources of standards information:

[1] ISO/IEC 27000:2020 – Information technology – Security techniques – Information security management systems – Overview and vocabulary.

[2] ISO 22301:2019 – Societal security – Business continuity management systems – Requirements.

[3] ISO Guide 73:2009 – Risk management – Vocabulary.

[4] BS ISO/IEC TR 18044:2004 – Information technology – Security techniques – Information security incident management.

[5] ISO/IEC 27032:2012 – Information technology – Security techniques – Guidelines for cybersecurity.

Note: Permission to reproduce extracts from British and ISO Standards is granted by the British Standards Institution (BSI).

British and ISO Standards can be obtained in PDF or hard copy formats from the BSI online shop: www.bsigroup.com/Shop or by contacting BSI Customer Services for hard copies only: tel: +44 (0)20 8996 9001, email: [email protected]
