
THE CYBERSECURITY LEXICON
An introduction to basic cybersecurity terminology and concepts

THE (ISC)2 CYBERSECURITY LEXICON 1


INTRODUCTION
(ISC)2 – the world’s largest nonprofit membership association of certified cybersecurity professionals – is pleased to provide you with the (ISC)2 Cybersecurity Lexicon. Developed with industry leaders, technology experts and academics comprising the (ISC)2 North American Advisory Council, this easy reference tool will quickly introduce non-technical personnel to key cybersecurity concepts they need to know.

The Cybersecurity Lexicon provides legislators, legal professionals, journalists, boards of directors and others with a quick reference guide of common cybersecurity terms. Our goal is to encourage the creation of more effective legislation, standards and policies by promoting broader understanding of how the accurate use of these terms leads to more effective cybersecurity programs.

We welcome your comments and experiences on using the Lexicon. Feel free to contact the (ISC)2 Cybersecurity Advocate team at www.isc2.org/cybersecurity-advocates.



A

Antivirus
software designed to detect and prevent computer viruses and other malware from entering and harming a system.

Application Security
the use of software, hardware and procedural methods to protect applications from external and internal threats.

Artificial Intelligence
the theory and development of computer systems able to perform tasks that normally require human intelligence, such as visual perception, speech recognition, decision-making and translation between languages.

Asset
any item perceived as having value; includes both tangible items such as information systems and physical property, as well as intangibles such as intellectual property and data.

Attack Surface
the sum of the security risk exposure; it is the aggregate of all known, unknown and potential vulnerabilities and controls across all software, hardware, firmware and networks. A smaller attack surface can help make your organization less exploitable, reducing risk.

A typical attack surface has complex interrelationships among three main areas of exposure: the software attack surface, the network attack surface and the often-overlooked human attack surface.

Software Attack Surface
comprised of the software environment and its interfaces. These are the applications and tools available to authorized (and unauthorized) users.

Network Attack Surface
presents exposure related to ports, protocols, channels, devices (from routers and firewalls to laptops and smart phones), services, network applications (SaaS) and even firmware interfaces.

Human Attack Surface
humans have a range of complex vulnerabilities that are frequently exploited, for example through phishing and other social engineering. One of the great strengths of highly secure organizations is their emphasis on communicating security awareness and safety principles to their employees, partners, supply chain and even their customers.

Authentication
the process or action of verifying the identity of a user or process.



Authorization
the function of specifying the access rights or privileges a user or process has to a resource. It follows authentication (which establishes who the requester is) and is the core decision in access control.

B

Business Impact Assessment (BIA)
a systematic process to determine and evaluate the potential effects of an interruption to critical business operations as a result of exploitation, disaster, accident or emergency.

C

Cloud Computing
a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Three main cloud computing service models are:

Software as a Service (SaaS)
a software distribution model in which a third-party provider hosts applications and makes them available to customers over the internet.

Platform as a Service (PaaS)
a model in which a third-party provider delivers hardware and software tools — usually those needed for application development — to users over the internet. A PaaS provider hosts the hardware and software on its own or another third-party’s infrastructure.

Infrastructure as a Service (IaaS)
a cloud computing service model in which the provider supplies the fundamental computing resources (virtual machines, storage and networking) on which the customer installs and operates its own operating systems and applications; together these provide a comprehensive suite of services and technology to operate an end-to-end IT system.

Other cloud computing models used are:

Identity as a Service (IDaaS)
an authentication infrastructure that is built, hosted and managed by a third-party service provider. IDaaS can be thought of as single sign-on (SSO) for the cloud.

Communications as a Service (CaaS)
an outsourced enterprise communications solution that can be leased from a single vendor. Such communications can include voice over IP (VoIP or internet telephony), instant messaging (IM), collaboration and videoconference applications using fixed and mobile devices.



Desktop as a Service (DaaS)
a cloud computing solution in which virtual desktop infrastructure is outsourced to a third-party provider.

Security as a Service (SecaaS)
web-based security solutions that are delivered over the cloud. However, Security as a Service is better defined as a general business model for outsourcing cybersecurity capabilities.

D

Discretionary Access Control (DAC)
an access policy determined by the owner of a file or other resource; the owner decides which other users may access it and how.

E

Encryption
the conversion of electronic data into ciphertext that, given a sound algorithm and proper key management, can be decoded only by authorized parties holding the corresponding key.

Endpoint
a general term referring to a desktop computer, laptop or notebook computer or mobile device.

Exploit
software, a subset of data, or a sequence of commands that takes advantage of a bug or vulnerability to cause unintended or unanticipated behavior to occur on computer software, hardware or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack. The resulting attack is an event where a human threat successfully takes advantage of a vulnerability for denial or delay of service, exfiltration or unauthorized modification of data.

F

Firewall
a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules. Usually the first line of defense in a network.

Five Pillars of Information Security

Confidentiality
the attribute of data that ensures information is only being exposed to appropriately authorized parties and other systems.



Integrity
the attribute of data that ensures the information accurately reflects reality. Data and systems/processes cannot be modified without authorization.

Availability
the attribute of data that ensures it is always available to appropriate parties when required for use.

Non-repudiation
a method of guaranteeing that the sender of a message cannot later deny having sent it, achieved with digital signatures that bind the message to the sender’s private key. Encryption on its own provides confidentiality, not non-repudiation: a shared symmetric key can be used by either party, so it cannot prove which one produced a message.

Authentication
the process or action of verifying the identity of a user or process.

G

Governance, Risk and Compliance (GRC)
the process of how an organization manages its information resources. This process usually includes all aspects of how decisions are made for that organization, such as policies, roles and procedures the organization uses to make those decisions. It is designed to ensure the business focuses on core activities, clarifies who in the organization has the authority to make decisions, determines accountability for actions and responsibility for outcomes, and addresses how expected performance will be evaluated.

H

Hacker
a slang term that can mean a hostile human threat to IT systems, an IT security professional, a vulnerability researcher or an amateur security person.

Honeypot
decoy servers or systems set up to gather information regarding human threats.

I

Identity and Access Management (IAM)
the framework for business processes that facilitates the management of electronic or digital identities. The framework includes the organizational policies for managing digital identity as well as the technologies needed to support identity management.

Industrial Control Systems (ICS)
IT systems used to control industrial processes such as manufacturing, product handling, production and distribution.



Information States
information has three primary, non-overlapping states: transmission, storage and processing (often called data in transit, data at rest and data in use). Data is in one of these three states at any given point.

Infrastructure as a Service (IaaS)
a cloud computing service model in which the provider supplies the fundamental computing resources (virtual machines, storage and networking) on which the customer installs and operates its own operating systems and applications; together these provide a comprehensive suite of services and technology to operate an end-to-end IT system.

Internet of Things (IoT)
the network of physical or wireless IP-connected objects that are embedded with electronics, software, sensors and network connectivity.

Internet Protocol (IP)
the Open Systems Interconnection (OSI) Layer 3 protocol that is the basis of modern internet communications.

Intrusion Detection System (IDS)
a technology that alerts organizations to adverse or unwanted activity; real-time monitoring of events as they happen in a computer system or network, using audit trail records and network traffic and analyzing events to detect potential intrusion attempts.

Intrusion Prevention System (IPS)
a technology that monitors activity like an IDS, but will automatically take proactive, preventive action if it detects unacceptable activity; any hardware or software mechanism that can detect and stop attacks in progress.

K

Key Management System (KMS)
a framework for the generation, storage, distribution, deletion, archiving and application of encryption and decryption keys in accordance with a security policy.

M

Machine Learning
application of artificial intelligence (AI) that provides systems with the ability to learn and improve from experience automatically without being explicitly programmed or upgraded.

Managed Security Services Provider (MSSP)
a vendor providing security services to many clients that would otherwise be unaffordable to medium and small companies due to cost, or unattainable due to resource limitations such as a lack of qualified security personnel.

Managed Service Provider (MSP)
a company that remotely manages a client’s information technology infrastructure.

Mandatory Access Controls (MAC)
access control that requires the system itself to manage access decisions in accordance with the organization’s security policies, typically by comparing a subject’s clearance with an object’s classification label; unlike DAC, the resource owner cannot override the decision.
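The IDS and IPS entries above differ in one thing: whether the monitor only alerts or also acts. The script below is an added illustration, not part of the (ISC)2 lexicon. It runs one brute-force rule over constructed sshd-style auth-log lines (not real captures) in both modes: as an IDS it reports the burst of failures and the successful login that follows; as an IPS it blocks the source at the moment the rule fires, so the later successful login is dropped before it reaches the host. The threshold and window values are arbitrary.

```python
"""Minimal IDS/IPS over an audit trail: the same rule, detect-only vs. prevent.
Added illustration; not part of the (ISC)2 lexicon."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in sshd/auth.log style; not real captures.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2024-03-01T10:00:03 sshd[1202]: Failed password for root from 203.0.113.7 port 51023 ssh2
2024-03-01T10:00:04 sshd[1203]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2024-03-01T10:00:06 sshd[1204]: Failed password for admin from 203.0.113.7 port 51025 ssh2
2024-03-01T10:00:07 sshd[1205]: Failed password for oracle from 203.0.113.7 port 51026 ssh2
2024-03-01T10:00:09 sshd[1206]: Accepted password for oracle from 203.0.113.7 port 51027 ssh2
2024-03-01T10:01:30 sshd[1210]: Failed password for alice from 198.51.100.5 port 40110 ssh2
2024-03-01T10:09:45 sshd[1211]: Accepted publickey for alice from 198.51.100.5 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) \w+ for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

THRESHOLD = 5                   # failures from one source ... (arbitrary values)
WINDOW = timedelta(seconds=60)  # ... within this sliding window


def parse(line):
    """Return a dict for a recognised auth event, or None for anything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def analyze(log_text, prevent=False):
    """Run the brute-force rule over the log.

    prevent=False behaves as an IDS: every event is processed and alerts are
    raised. prevent=True behaves as an IPS: once a source trips the rule it is
    added to a block set and its later events are dropped before processing,
    which is what stops the follow-on successful login.
    Returns (alerts, sorted list of blocked source IPs).
    """
    failures = defaultdict(list)   # source ip -> timestamps of recent failures
    alerts, blocked = [], set()
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        if prevent and ip in blocked:
            continue                # IPS: a blocked source never reaches the host
        # Slide the window: forget failures older than WINDOW.
        failures[ip] = [t for t in failures[ip] if now - t <= WINDOW]
        recent = failures[ip]
        if ev["result"] == "Failed":
            recent.append(now)
            if len(recent) == THRESHOLD:   # fires once, when the threshold is reached
                alerts.append({"rule": "brute_force", "ip": ip,
                               "user": ev["user"], "ts": now.isoformat()})
                if prevent:
                    blocked.add(ip)
        elif len(recent) >= THRESHOLD:
            # A success from a source still inside a brute-force burst is the
            # event an analyst most needs to see.
            alerts.append({"rule": "success_after_brute_force", "ip": ip,
                           "user": ev["user"], "ts": now.isoformat()})
    return alerts, sorted(blocked)


if __name__ == "__main__":
    for mode in (False, True):
        found, blocked_ips = analyze(SAMPLE_LOG, prevent=mode)
        print("IPS" if mode else "IDS", [a["rule"] for a in found], blocked_ips)
```

Note the single failure from 198.51.100.5 followed eight minutes later by a key-based login raises nothing: the sliding window is what keeps an ordinary typo from becoming an alert, and tuning that window and threshold to the environment is most of the real work in an IDS deployment.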



Multi-Factor Authentication
an authentication method that requires two or more independent factors to establish identity, drawn from different categories: something the user knows (a password or PIN), something the user has (a token, smart card or phone) and something the user is (a biometric). Two passwords are not multi-factor.

N

Network
a system of computers and/or connected devices that are joined together so that they can communicate by exchanging information and sharing resources.

Network Access Control (NAC)
network computer technology that uses a set of protocols for authenticating to a network control device such as a switch, router or wireless access point, usually based on a unique address or a certificate.

P

Penetration Test
an assessment of the effectiveness of established security defenses through mimicking the actions of a hostile human threat, finding exploitable vulnerabilities or other weaknesses and attempting to exploit those vulnerabilities or weaknesses.

Perimeter-Based Security Model
technique of securing a network by controlling access to all entry and exit points of a defined networked environment.

Personal Health Information
any patient-related health information as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which uses the term protected health information (PHI).

Personally Identifiable Information (PII)
information that can be traced back to an individual user through their name, postal address or email address. Personal user preferences tracked by a website can also be considered personally identifiable when linked to other personally identifiable information.

Privacy Policy
privacy is the right of a human individual to control the distribution of information about themselves; a privacy policy documents the rights and obligations of individuals and organizations with respect to the collection, use, retention and disclosure of personal information.

Privacy Impact Assessment (PIA)
decision tool used to identify and mitigate privacy risks. Notifies the public of 1) what PII is being collected, 2) why the PII is being collected, 3) how the PII will be retrieved, shared, accessed and stored.



R

Red Team Testing
penetration testing done by security personnel to mimic an attack by an external, hostile, experienced human threat on an organization’s infrastructure for locating and reporting on vulnerabilities.

Risk
the possibility of damage or harm, and the likelihood that damage or harm will be realized; a function of the likelihood of a given threat source exploiting a potential vulnerability, and the resulting impact of that adverse event on the organization.

Risk Assessment
assessing the threats, vulnerabilities and assets of information systems to determine the likelihood that threats will exploit these vulnerabilities and weaknesses to cause adverse effects.

Risk Management
the process of designing, developing, sustaining and modifying operational processes and systems in consideration of applicable risks to asset confidentiality, integrity and availability. Applicable risks are those reasonably expected to be realized and to cause an unacceptable impact.

Role-Based Access Control (RBAC)
an access control model that bases access control authorizations on the roles (or functions) that the user is assigned to within an organization, rather than on the individual user or on the resource owner’s choices.

S

Safeguard
a process, procedure, technique or feature that mitigates the effects of a risk. Safeguards can be classified as technology, procedures/policies or human factors.

Secrecy
attempting to hide information or data.

Secure Coding
the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities.

Software as a Service (SaaS)
a cloud computing service model that provides software applications.
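The Discretionary Access Control, Mandatory Access Controls and Role-Based Access Control entries in this lexicon give three different answers to the question "who decides whether a request is allowed": the owner, the system’s policy, or the requester’s role. The script below is an added illustration, not part of the (ISC)2 lexicon, that puts the same requests through all three models. The users, resources, labels, ACLs and roles are constructed, and the mandatory rules are Bell-LaPadula style (no read up, no write down), which is one mandatory policy among several.

```python
"""The same access requests decided under DAC, MAC and RBAC.
Added illustration; not part of the (ISC)2 lexicon."""
from dataclasses import dataclass, field

# MAC classification lattice, lowest to highest (constructed).
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


@dataclass
class User:
    name: str
    clearance: str = "internal"                 # used by MAC
    roles: set = field(default_factory=set)     # used by RBAC


@dataclass
class Resource:
    name: str
    owner: str                                  # used by DAC
    acl: dict = field(default_factory=dict)     # DAC: user name -> permissions the owner granted
    label: str = "internal"                     # used by MAC


def dac_allows(user, resource, perm):
    """DAC: the resource owner decides. The owner always has access and may grant others."""
    if user.name == resource.owner:
        return True
    return perm in resource.acl.get(user.name, set())


def mac_allows(user, resource, perm):
    """MAC: the system decides from labels; the owner cannot override.
    Bell-LaPadula style rules: no read up, no write down."""
    clearance, label = LEVELS[user.clearance], LEVELS[resource.label]
    if perm == "read":
        return clearance >= label
    if perm == "write":
        return clearance <= label
    return False


# RBAC: permissions are attached to roles and users are assigned roles (constructed).
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "editor": {("reports", "read"), ("reports", "write")},
    "payroll-admin": {("payroll", "read"), ("payroll", "write")},
}


def rbac_allows(user, resource, perm):
    """RBAC: allowed if any of the user's roles carries the (resource, permission) pair."""
    return any((resource.name, perm) in ROLE_PERMISSIONS.get(role, set())
               for role in user.roles)


def decide(user, resource, perm):
    """Evaluate one request under all three models."""
    return {"dac": dac_allows(user, resource, perm),
            "mac": mac_allows(user, resource, perm),
            "rbac": rbac_allows(user, resource, perm)}


# Constructed principals and objects.
ALICE = User("alice", clearance="confidential", roles={"editor"})
BOB = User("bob", clearance="internal", roles={"analyst"})
REPORTS = Resource("reports", owner="alice", acl={"bob": {"read"}}, label="confidential")
PAYROLL = Resource("payroll", owner="carol", label="secret")


if __name__ == "__main__":
    for who, what, perm in ((BOB, REPORTS, "read"), (BOB, REPORTS, "write"),
                            (ALICE, REPORTS, "write"), (BOB, PAYROLL, "read")):
        print(f"{who.name} {perm} {what.name}: {decide(who, what, perm)}")
```

The first request is the instructive one: alice, as owner, granted bob read access to the reports, so DAC allows it, but the reports are labelled confidential and bob’s clearance is only internal, so MAC refuses regardless of what alice wanted; that refusal is what "the system itself manages access" means in practice. RBAC answers from bob’s analyst role and never consults the owner or the label at all.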



T

Threat
a person, event or circumstance with the potential to cause harm to an asset. Threats are either environmentally or human-based.

Threat Actor
human-based agent that can negatively impact a system’s IT assets. The threat agent is evaluated on the agent, intent, target and mechanism used.

V

Virtual Desktop Infrastructure (VDI)
a desktop operating system running within a virtual machine (VM) on a physical host server.

Virtual Machine
a software emulation of a computer (an IT endpoint or server) running on a physical host that behaves, to the operating system and applications inside it, the same way dedicated hardware would.

Vulnerability
a weakness or exposure in a technology, protocol or design of an information technology system such as hardware, firmware and software.

Vulnerability-Based Security Model
risk assessment methodology centered on the presence or absence of vulnerabilities irrespective of the threat or asset value. For example, banning specific items considered dangerous from commercial aircraft passengers because they could be used as weapons.



ABOUT (ISC)2
(ISC)2 is an international nonprofit membership association focused on inspiring a safe and secure cyber world. Best known for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, (ISC)2 offers a portfolio of credentials that are part of a holistic, programmatic approach to security. Our membership, over 130,000 strong, is made up of certified cyber, information, software and infrastructure security professionals who are making a difference and helping to advance the industry. Our vision is supported by our commitment to educate and reach the general public through our charitable foundation – The Center for Cyber Safety and Education™. For more information on (ISC)2, visit www.isc2.org.




© 2018 (ISC)2, Inc. All rights reserved.
