Glossary

This glossary defines commonly used terms in cybersecurity in an enterprise-wide risk management (ERM) context. Words in italics have their own separate glossary entries, so please see the cross-listed entries for a complete understanding of the definitions.

Access controls

Mechanisms and techniques used to ensure that access to assets is authorized and restricted based on organization and security requirements.

Assessing risk-management effectiveness

To evaluate or diagnose how well an organization's risk management system is doing the right things (effectiveness) to manage risk. For internal audit and the board: an objective written assessment, presented to the board, of the effectiveness of the system of risk management and the internal control framework.

BCP

See business continuity plan (BCP).

Benchmarking

The use of internal or external points of reference or standards against which risk management system and effectiveness may be compared, checked, or assessed.

Board

The board of directors responsible for an organization's risk oversight, and their equivalents in public agencies and not-for-profits.

Boom

A term for a cyber event, with all pre-event planning actions taking place "left of boom" and all reactionary measures happening "right of boom."

Business continuity plan (BCP)

Typically made up of the corporate-wide (or corporate-level) BCP and the business unit BCPs. The BCPs focus on the continuity, recovery, and resumption of the critical business unit functions following a disruption.

Capabilities

Specific and repeatable abilities, faculties, or powers of an organization enabling it to collectively deliver organization objectives in the face of threats and to leverage opportunities.

Capability level

An indicator, position, or stage on a scale of quantity, extent, rank, or quality of organization capabilities.

Capability maturity model (CMM)

A model based on the maturation of one specific organization process capability such as software development.

Chief information security officer (CISO)

A traditional role for a manager dedicated to information security, including digital and nondigital assets and information.

Cloud computing

A service-provider model for enabling on-demand network access to a shared pool of configurable computing capabilities or resources (e.g., networks, servers, storage, applications and services) that can be outsourced.

CMP

See crisis management plan (CMP).

Combined assurance

The joint and aligned organization assurance processes by the management and internal audit functional lines to maximize risk management, governance oversight, and control effectiveness, and to optimize overall assurance to the audit and risk committee and the board.

Combined assurance report

An extended or combined assurance report—including the activities of internal audit as the third of three lines of defense—presented to the board (or the audit committee of the board) by the head of ERM.

Competency

An underlying ability of an individual (not an organization) to perform a job or task properly or excel at it by combining a set of observable knowledge, skills, and attitude, which often result in work behaviors.

Corporate governance

A framework of rules and practices by which a board of directors ensures accountability, fairness, and transparency in a company's relationship with all its stakeholders.

Crisis management plan (CMP)

Contains the processes and procedures for the senior management team to control and ensure coordination of major crisis incidents. The crisis communications plan (CCP) complements the CMP. It contains the processes, procedures, and templates to manage internal and external communications during a crisis. Together, the CMP and CCP enable organizations to command, control and coordinate information, decisions, and communications during a crisis.

Crown jewels

The most valuable digital assets or information to an organization.

Cyber risk management system

A subset of the risk management system specific to cybersecurity capabilities.

Cyber risk sources

Any root or other causes that give rise to a cyber risk, such as supply chain, social media, ransomware, cloud computing/third-party vendors, Big Data analytics, the Internet of Things (IoT), and BYOD/mobile devices.

Cyber space

An interdependent network of information technology infrastructures that includes the Internet, telecommunications networks, computer systems, and embedded processors and controllers.

Cybersecurity

Protecting information assets by addressing threats (risks) to information processed, stored, and transported by internetworked information systems (ISACA) or protecting computers, networks, programs, and other digital data and digital assets from unintended or unauthorized threats while optimizing opportunities.

Cybersecurity negligence

Not yet legally defined; it remains unclear what standard of care, or what steps to secure data, must be "reasonable" or "appropriate" (taking the relevant circumstances into account) in order to avoid liability.

Effectiveness

Producing a desired or intended result; as a focus or mantra within organizations, "doing the right things."

Digital quotient (DQ)

New sets of capabilities in addition to IQ and emotional quotient (EQ) to succeed in the digital age including organization leadership competencies to cope with the digital revolution in technologies such as mobility, social networks, Big Data analytics, and cloud.

Digital risk officer (DRO)

An emerging role for a risk manager dedicated to cybersecurity, typically reporting to the chief risk officer or chief executive officer.

Disaster recovery plan (DRP)

Documents the processes and procedures for the recovery of IT servers, networks, applications, and databases; usually at an alternate site called the IT disaster recovery center. The IT DRP focuses on the technical recovery of IT systems and infrastructure.

DQ

See digital quotient (DQ).

DRO

See digital risk officer (DRO).

DRP

See disaster recovery plan (DRP).

Effective decision making

A cognitive and managerial process alongside an integrated risk management system for making the right decisions when faced with choice(s) to achieve and optimize organization objectives or outcomes.

Efficiency

Commonly, the ratio of the useful work performed by a machine or process to the total energy expended or heat taken in; as a focus or mantra within organizations, "doing things right," that is, achieving organization objectives faster, better, or cheaper.

Enterprise

Synonymous with organization covering private, public, and nongovernmental organization sectors.

Enterprise-wide risk management (ERM)

Typically synonymous with risk management for all sectors; also used to emphasize an integrated and holistic "umbrella" approach that delivers objectives by managing risk across an organization, its silos, its risk specialist and other subfunctions, and its processes.

ERM

See enterprise-wide risk management (ERM).

Fiduciary duty

Applies to cyber cases as it does to other cases in the United States and elsewhere: corporate boards have a general duty to protect corporate assets, reputation, and goodwill. Relevance for cyber cases includes failing to prevent unauthorized access to consumer information (treated as "unfair or deceptive acts" or unfair and deceptive trade practices), data breach notification and failure to notify in a timely manner, and negligence or breach of contract claims.

Framework

"A basic structure of something" (Webster's), such as ideas, concepts, guidelines, rules, checklists, requirements, facts, or physical parts.

Incident and crisis management plan (ICMP)

Documents the processes and procedures for IT teams and management: a framework to respond to and manage cyber incidents. IT may incorporate cyber incident response into the corporate IT disaster recovery plan. Crisis management response actions for cyber incidents may be embedded in the corporate crisis management plan.

Key control indicator (KCI)

A metric that evaluates the effectiveness level of a control (or set of controls) that has been implemented to reduce or mitigate a given risk exposure. A calibrated threshold or trigger typically brackets a KCI metric. These metrics are usually backward-looking or lagging indicators. Control indicators link with operational or process objectives.

Key performance indicator (KPI)

A metric that evaluates how a business is performing against objectives; a defined target typically provides the benchmark for evaluating a KPI metric, and the metrics are usually backward-looking or lagging indicators. May include a risk maturity model assessment index rating or measure.

Key risk indicator (KRI)

A metric that permits a business to monitor changes in the level of risk in order to take action, and to highlight pressure points that can be effective leading indicators of emerging risks or changes in risk, as KRIs are typically forward-looking. May be represented by part or all of a risk maturity model assessment index rating(s) or measure(s).

King III Code

Published in 2009; a leading corporate governance code for universal application in terms of the quantity and quality of its risk management guidance, with detailed, specific, and clear requirements for risk management by the board, internal audit, risk, and other functions.

Levels

The steps, classes, or tiers of overall risk management capability or capabilities, often themed into modules as a component within a risk maturity model.

Likert scale

A statistical method of ascribing quantitative value to qualitative data to make it amenable to statistical analysis. Commonly used in questionnaires as a five- or seven-point scale (scoring step). Sometimes stepped with negative and positive values around a neutral midpoint; sometimes stepped in ascending sophistication, quality, or another measure.

Maturity

Concept relating to the current or future state, fact, or period of evolving development, quality, sophistication, and effectiveness (not necessarily age dependent).

Maturity model

A simplified system that “road-maps” improving, desired, anticipated, typical, or logical evolutionary paths of organization actions. The ascending direction implies progression increases organization effectiveness over time (albeit subject to stasis and regression).

Measurement

A quantitatively expressed reduction of uncertainty based on one or more observations. For risk maturity models, may be expressed as an overall index score out of 100 percent, within which certain percentiles equate to ascending maturity levels, and/or as Likert scales applied to each capability being assessed to arrive at the overall score.

Organization

Synonymous with enterprise as in ERM; an administrative structure in which people collectively manage one or more services/activities as a whole, share senior management, and operate under a set of policies.

People factors

Influences on cybersecurity, as opportunities and threats, from staff as "insiders," third parties acting as "trusted insiders," and human error, bias, and behaviors; human beings are often described as the "weakest link" in the cyber risk management system.

Reasonable assurance

To check for correctness and truthfulness; achieved when the risk is at an acceptable level according to common sense and logic, while (1) acknowledging that it is not possible to assert absolutely and certainly that an event will (or will not) occur, and (2) qualifying that while a standard conforms to known limits, it is not excessive in any way (http://www.businessdictionary.com/definition/reasonable-assurance.html).

Risk

The effect of uncertainty on objectives where the effect is a deviation from the expected—positive and/or negative.

Risk assessment

A stepped approach, applied after understanding the organization's internal and external context, in three steps: risk identification, risk analysis, and risk evaluation, enabling prioritization for risk treatment (including controls).

Risk management

Coordinated activities that direct and control an organization in pursuit of its objectives and with regard to risk.

Risk management plan

A scheme within the risk management framework specifying the approach, the management components, accountabilities, and resources to be applied to the management of risk and how to implement the risk maturity strategy (ISO 31000:2009, Risk management—Principles and guidelines), and how to implement the improvement outputs "road-mapped" by a risk maturity model.

Risk management system

The repeatable and interconnected mechanisms and initiatives that organize the right organization capabilities to deliver risk management effectiveness, together with their inputs and the desired risk management outputs and outcomes; may include risk management information systems.

Risk manager

Typically, a risk officer/functionary within a full- or part-time dedicated risk management function to technically support line managers who remain the risk owners and managers. Sometimes extended to mean all board, executive, and staff members who all share risk management accountability.

Risk maturity model

An abbreviation for a capability maturity model specialized to an expanded set of risk management system capabilities. It represents a diagnostic tool using levels of maturity to track gap improvement of the right organization capabilities designed to deliver risk management effectiveness. More correctly and in full: a risk management system capability maturity model.

Risk maturity strategies

Schemes developed and implemented to improve risk management maturity alongside all other aspects of the organization.

Risk specialty or subdisciplines

A group label for sub-ERM disciplines such as safety and health and related organization functions such as legal.

Risk treatment options

Controls and anything that modifies risk; if aligned with ISO 31000:2009, Risk management—Principles and guidelines, they will be tailored to (1) avoiding the activity that gives rise to the risk; (2) taking or increasing the risk in order to pursue an opportunity; (3) removing the risk source; (4) changing the likelihood; (5) changing the consequences; (6) sharing the risk with other parties (e.g., risk financing, contracts); and (7) retaining the risk by informed decision.

Silo factor

A state where department-based management of organization activity and/or compartmentalized risk management activities may result in a narrow, parochial view of risk that prevents management from understanding risks facing the entire enterprise.

Standards

Commonly, a level of quality or attainment or a required or agreed level of quality or attainment; formally, the most commonly agreed standard by accredited technical bodies for risk management representing nations, that is, ISO 31000:2009, Risk management—Principles and guidelines. For cybersecurity, standards/frameworks include: ISO/IEC 27000 family; COBIT 5 for Information Security; NIST Special Publication 800-53 Revision 4 Security and Privacy Controls for Federal Information Systems and Organizations; ISF Standard of Good Practice for Information Security; Center for Internet Security (CIS) Top 20 Critical Controls; IT-CMF:ISM; PCI-DSS; and European Union Agency for Network and Information Security (ENISA).

Tailoring

To align the risk management approach to the unique-to-organization objectives, internal and external context and risk profile(s). For risk maturity models, tailoring is driven primarily by choice and quality of the capabilities content and scales and influenced by external and internal benchmarking, model design of components, and other techniques and methods.

Three lines of defense/offense

An assurance approach relying on risk management co-operation between the organization's front line managers and operating functions, support functions, and internal audit function. "Defense/Offense" relates to risk management functions combining capabilities to create as well as protect organization value, and/or to deal with risk sources with either, both, or alternating negative and positive consequences. Source: The IIA, which adapted it from ECIIA/FERMA Guidance on the 8th EU Company Law Directive, article 41: https://na.theiia.org/standardsguidance/Public%20Documents/PP%20The%20Three%20Lines%20of%20Defense%20in%20Effective%20Risk%20Management%20and%20Control.pdf
