Words are hard. English is hard. How we manage to communicate anything is nigh a miracle.
Sometimes I wish I were Oscar Wilde or Mark Twain or any of the other great authors who seem to be able to effortlessly describe a character or a scenario so that the reader can envision perfectly what they mean.
“In height, he was rather over six feet, and so excessively lean that he seemed to be considerably taller….” (A Study in Scarlet, Sir Arthur Conan Doyle)
Instead, I fear that I am more like Shakespeare, who invented words and twisted others to fit his insane meter, so that average people like me struggle to understand the intended meanings (incidentally, I love Shakespeare).
“His heart is fracted and corroborate.” (Henry V, Act 2, Scene 1)
“You have congreeted” (Henry V, Act 5, Scene 2)
Unfortunately, my chosen field seems filled with fellow Shakespeareans – people who use words by throwing alphabet soup at a wall and reading the results like one might read tea leaves, only with less accuracy.
When I created the cybersecurity term database, which is the backbone of the NIST Cybersecurity Glossary, I was amazed at how much confusion there was about even ubiquitous terms like “risk” and “security.” There still is no real consensus on what the word “cybersecurity” means!
So, I’ve compiled a list of some commonly misused terms in the field of cybersecurity (these are unofficial descriptions that are meant to be informative):
Data vs. Information vs. Knowledge
Data is usually considered the bits and bytes that information is composed of. Information turns multiple bits and bytes into something useful. For example, a temperature sensor may read “102,” but information tells us that it’s 102 degrees Fahrenheit on a temperature sensor that was in a human’s mouth. Knowledge is what allows information to turn into action. It says that 102 degrees Fahrenheit for a human being is much too hot. The lines between data, information and knowledge are blurry, but there are some who argue those lines fiercely.
Threat vs. Risk
Threat is used to mean either something bad that could happen or an entity that may cause something bad to happen (also called a “threat actor”). Risk combines the likelihood that the bad thing will happen with its potential result(s). People often (incorrectly) use these words interchangeably: a threat exists whether or not it is likely, whereas risk is what you get once you weigh that threat against how probable it is and how much damage it would do.
Risk Management
The process of responding to the potential that something bad might happen. There are generally four options: accept the risk, transfer it, avoid it or mitigate it. Depending on who you talk to, there are at least eight options, but these are the traditional four. When a cybersecurity person talks about risk management, they may be referring to the process laid out in the Risk Management Framework (RMF, described in NIST SP 800-37).
Cybersecurity
Basically, the protection of computer systems (including networks, the internet and anything “smart”). However, it has been used as an umbrella term that also encompasses information assurance, data protection and privacy. This term will likely keep changing until somebody can adequately explain what “cyber” is.
Information Assurance (or Security)
The protection of any facts, news, knowledge, or sometimes data, in any form – paper, electronic, stone tablet, signals, memorized, etc. Often confused with and put under the cybersecurity umbrella.
Standard
Many people misname NIST special publications as standards, but it’s a bit more complicated than that. NIST does develop formal standards – Federal Information Processing Standards (FIPS), such as FIPS 200 and FIPS 140-3, for example. NIST also participates in the development of industry and international standards. The word standard can also be used to mean a level of quality or an accepted norm, and in this last sense NIST publications are often used as a standard. It’s a subtle difference, but an important one. Still, in general, it is best to refrain from calling NIST special publications (SPs), internal/interagency reports (IRs), white papers, or anything other than a FIPS a standard, and instead use the terms “publication,” “document” or “guidance.”
Requirements vs. Controls
Both of these terms can be used to identify specific activities, processes, practices or capabilities an organization may have or do to manage their cybersecurity risk. Controls may or may not be mandatory, whereas requirements generally are. It’s always best to check what term a document uses. For example, many people refer to NIST SP 800-171 requirements as controls, which is incorrect.
Audit vs. Assessment
In cybersecurity, the term audit often has a more formal and negative undertone than in some other disciplines. Audits are done after an incident such as a data breach (generally an internal audit), at the request of a customer (usually an external audit conducted by the customer), or to obtain a certification (a third-party audit). Assessments are typically, but not always, more like a friendly health check-up. Encompassing any number of activities, assessments can be narrow or broad, with as much rigor as the company being assessed desires or as is appropriate to the situation. One exception to this general rule is the Cybersecurity Maturity Model Certification (CMMC) program, which uses the word assessment for the formal method by which a company is evaluated.
Compliance
Compliance typically refers to meeting a requirement (internal or external, sometimes regulatory) and often is shown with a certification or attestation of some sort. People often use phrases like “NIST compliant.” This can be misleading, as many interpret it to mean NIST is enforcing a requirement or certifying or attesting to the security of a company’s products or processes. What is typically meant by “NIST compliant” is that the company has used the practices and procedures in NIST publications, often to meet some requirement. While this may be viewed as a compliance activity, it is generally best to avoid confusion by instead stating what rule or requirement is the subject of the compliance. For example, one can follow NIST SP 800-171 to be compliant with DFARS. An exception to this is with cryptographic algorithms and modules: there the correct term for something that has passed NIST’s formal testing (the Cryptographic Algorithm and Cryptographic Module Validation Programs, CAVP and CMVP) is validated, and a product described as merely compliant is one that uses validated components but has not itself been formally evaluated.
Words in English evolve almost as quickly as memes on the internet – a million Shakespeareans taking the English language out back to be butchered, manipulated and folded into barely recognizable script. In the field of cybersecurity, it seems this is done with reckless abandon. But understanding some of these key terms, and how they are actually used, will help you understand and communicate your cybersecurity needs.