Commonly Misused Terms in Cybersecurity

Words are hard. English is hard. How we manage to communicate anything is nigh a miracle. Here is a list of some commonly misused terms in the field of cybersecurity (these are unofficial descriptions that are meant to be informative, not authoritative definitions):

Data vs. Information vs. Knowledge

Data is usually considered the bits and bytes that information is composed of. Information turns multiple bits and bytes into something useful. For example, a temperature sensor may read “102,” but information tells us that it’s 102 degrees Fahrenheit on a temperature sensor that was in a human’s mouth. Knowledge is what allows information to turn into action. It says that 102 degrees Fahrenheit for a human being is much too hot. The lines between data, information and knowledge are blurry, but there are some who argue those lines fiercely.

Threat vs. Risk

A threat is used to mean either something bad that could happen or an entity that may cause something bad to happen (also called a "threat actor"). Risk combines the threat with the probability that the bad thing will actually happen and the potential result(s) if it does. People often (incorrectly) use these words interchangeably, even though a threat can exist with negligible risk if the likelihood or impact is low.

Risk Management

The process of responding to the potential that something bad might happen. There are generally four options: accept the risk, transfer it (for example, through insurance or contract), avoid it or mitigate it. Depending on who you talk to, there are at least eight options, but these are the traditional four. When a cybersecurity person talks risk management, they may be referring specifically to the process laid out in the Risk Management Framework (RMF, NIST SP 800-37).

Cybersecurity

Basically, the protection of computer systems (including networks, the internet and anything “smart”). However, it has been used as an umbrella term that also encompasses information assurance, data protection and privacy. This term will likely keep changing until somebody can adequately explain what “cyber” is.

Information Assurance (or Security)

The protection of any facts, news, knowledge, or sometimes data, in any form – paper, electronic, stone tablet, signals, memorized, etc. Often confused with and put under the cybersecurity umbrella.

Standard

The word standard can be used to mean a level of quality or an accepted norm. In cybersecurity it more often refers to a published specification (for example, an ISO or NIST standard) that an organization adopts voluntarily or is required to follow, so it is worth asking which sense is meant.

Requirements vs. Controls

Both of these terms can be used to identify specific activities, processes, practices or capabilities an organization may have or do to manage their cybersecurity risk. Controls may or may not be mandatory, whereas requirements generally are.

Audit vs. Assessment

In cybersecurity, the term audit often has a more formal and negative undertone than in some other disciplines. Audits are done after an incident such as a data breach (generally an internal audit), at the request of a customer (usually an external audit conducted by the customer) or to obtain a certification (a third-party audit). Assessments are typically, but not always, more like a friendly health check-up. Encompassing any number of activities, assessments can be narrow or broad, with as much rigor as the company being assessed desires or as is appropriate to the situation. One exception to this general rule is the Cybersecurity Maturity Model Certification (CMMC) program, which uses the word assessment for the formal method by which a company is evaluated.

Compliance

Compliance typically refers to meeting a requirement (internal or external, sometimes regulatory) and often is shown with a certification or attestation of some sort.

Summary

Words in English evolve almost as quickly as memes on the internet. In the field of cybersecurity, it seems this is done with reckless abandon. But understanding some of these key terms and how they are used will help you understand and communicate your cybersecurity needs.

How Can ITM Help You?

ITM covers all aspects of cyber security, including but not limited to home cyber security managed solutions, automated and managed threat intelligence, forensic investigations, cloud security best practice and architecture, and cyber security training. Our objective is to support organisations and consumers at every step of their cyber maturity journey. Contact Us for more information.
