Security Engineering (SE) Workbench



Security Terminology used in the SE-Workbench Project

The lexicon for "security" and "cybersecurity" is very large. A full glossary of security-related concepts and terminology can be found in the Security Glossary published by the Computer Security Resource Center of the National Institute of Standards and Technology (NIST). The terms and definitions below are a subset that relates directly to the topic of Security Analysis in the SE-Workbench Project.

Topic: General Terms

  • Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
  • Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
  • Availability - Ensuring timely and reliable access to and use of information.
  • Accountability - The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity. This supports non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
  • Assurance - Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
  • Authentication - Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
  • Access Control - The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances).
  • Audit - Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures.
  • Authenticity - The property of being genuine and being able to be verified and trusted; confidence in the validity of a transmission, a message, or message originator.
  • Non-repudiation - Assurance that the sender is provided with proof of delivery and that the recipient is provided with proof of the sender's identity so that neither can later deny having processed the data. [NS4009] Technical non-repudiation refers to the assurance a Relying Party has that if a public key is used to validate a digital signature, that signature had to have been made by the corresponding private signature key. Legal non-repudiation refers to how well possession or control of the private signature key can be established.
  • Safety - Freedom from conditions that can cause death, injury, occupational illness, damage to or loss of equipment or property, or damage to the environment.

Topic: Risk

  • Risk - A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.
  • Risk assessment - The process of identifying, estimating, and prioritizing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system.
  • Risk mitigation - Prioritizing, evaluating, and implementing the appropriate risk-reducing controls/countermeasures recommended from the risk management process.
  • Risk response - Accepting, avoiding, mitigating, sharing, or transferring risk to organizational operations.
  • Risk tolerance - The level of risk an entity is willing to assume (accept) in order to achieve a potential desired result.
  • Residual risk - Portion of risk remaining after security measures have been applied.

Topic: Threat

  • Threat - Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
  • Threat Actor - An individual or a group posing a threat.
  • Threat Agent - The intent and method targeted at the intentional exploitation of a vulnerability or a situation and method that may accidentally trigger a vulnerability.
  • Threat Analysis / Assessment - Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat.
  • Threat Event - An event or situation that has the potential for causing undesirable consequences or impact.
  • Threat Information - Analytical insights into trends, technologies, or tactics of an adversarial nature affecting information systems security.
  • Threat Intelligence - Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes.
  • Threat Model - A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment.
  • Remediation - The act of mitigating a vulnerability or threat.
  • Mitigation - A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.

Topic: Attack

  • Attack - Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.
  • Attacker - A party, including an insider, who acts with malicious intent to compromise a system.
  • Attack Signature - A specific sequence of events indicative of an unauthorized access attempt.
  • Attack Surface - The set of points on the boundary of a system, a system element, or an environment where an attacker can try to enter, cause an effect on, or extract data from, that system, system element, or environment.
  • Attack Tree - A branching, hierarchical data structure that represents a set of potential approaches to achieving an event in which system security is penetrated or compromised in a specified way.

Topic: Vulnerability

  • Vulnerability - Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.
  • Vulnerability Analysis / Assessment - Formal description and evaluation of the vulnerabilities in an information system.
  • Vulnerability Scanner - A network tool (hardware and/or software) that scans network devices to identify generally known and organization-specific vulnerabilities and weaknesses. It may do this based on a wide range of signature strategies.
  • Weakness - Poor practices in design, coding, integration, operation and/or maintenance of information systems that expose the system to attack.
  • Remediation - The act of mitigating a vulnerability or threat.
  • Mitigation - A decision, action, or practice intended to reduce the level of risk associated with one or more threat events, threat scenarios, or vulnerabilities.

Topic: Trustworthiness

  • Assurance - Measure of confidence that the security features, practices, procedures, and architecture of an information system accurately mediates and enforces the security policy.
  • Trustworthiness - The attribute of a person or enterprise that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities.
  • Trustworthy information system - An information system that is believed to be capable of operating within defined levels of risk despite the environmental disruptions, human errors, structural failures, and purposeful attacks that are expected to occur in its environment of operation.
  • Resilience - The ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents.
  • Information System resilience - The ability of an information system to continue to: (i) operate under adverse conditions or stress, even if in a degraded or debilitated state, while maintaining essential operational capabilities; and (ii) recover to an effective operational posture in a time frame consistent with mission needs.
  • Network Resilience - A computing infrastructure that provides continuous business operation (i.e., highly resistant to disruption and able to operate in a degraded mode if damaged), rapid recovery if failure does occur, and the ability to scale to meet rapid or unpredictable demands.
  • Operational Resilience - The ability of systems to resist, absorb, and recover from or adapt to an adverse occurrence during operation that may cause harm, destruction, or loss of ability to perform mission-related functions.



Copyright © 2021, 2022 Jim Whitmore.

LAST UPDATE: 13 March 2022