Cybersecurity Terminology and Definitions
Precise language is the foundation of effective cybersecurity practice, policy, and compliance. Ambiguous or inconsistent terminology creates gaps in controls, complicates audit findings, and undermines regulatory alignment across organizations operating under frameworks like NIST SP 800-53, ISO/IEC 27001, and the Federal Information Security Modernization Act (FISMA). This page defines the core vocabulary used across the field — from classification labels and procedural terms to regulatory language and practitioner shorthand — organized to support both policy writers and technical teams. For a broader conceptual orientation, see How Cybersecurity Works.
Terms of classification
Classification terminology establishes the boundaries of what is being protected, who bears responsibility, and how sensitive information is categorized. These terms shape every downstream security decision.
Asset — Any data, system, hardware, software, person, or facility that holds value to an organization and requires protection. NIST's risk assessment guidance (SP 800-30 Rev 1) frames assets broadly as the organizational resources, including systems, data, personnel, and facilities, that a threat event could harm; the asset inventory is the first input to any risk assessment.
Threat — Any circumstance or event with the potential to adversely affect operations, assets, or individuals. NIST SP 800-30 Rev 1 separates threat sources (the adversaries, insiders, or accidents that practitioners usually call threat actors) from threat events (the specific actions, such as a phishing campaign or a credential theft).
Vulnerability — A weakness in a system, procedure, or implementation that a threat source can exploit. The CVE Program, run by MITRE and its CVE Numbering Authorities, assigns Common Vulnerabilities and Exposures (CVE) identifiers; the National Vulnerability Database (NVD), maintained by NIST, enriches each CVE with CVSS severity scores and affected-product (CPE) data.
Risk — The combination of the likelihood that a threat will exploit a vulnerability and the impact if it does. Risk is not equivalent to vulnerability: a critical CVE on an isolated test host holding no sensitive data carries far less risk than a moderate one on an internet-facing system holding customer records, and that distinction is what drives control prioritization.
Control — A safeguard or countermeasure designed to reduce risk. Controls are commonly classified by function as preventive, detective, corrective, or compensating, and by type as technical, administrative, or physical.
Attack surface — The sum of the points where an attacker can attempt to enter a system or extract data from it: exposed services and ports, APIs, user inputs, third-party integrations, and the people who operate the system. Advanced Security Authority examines how attack surface analysis informs both threat modeling and enterprise architecture decisions.
Confidentiality, Integrity, Availability (CIA Triad) — The foundational model for evaluating security properties. Confidentiality limits access to authorized parties; integrity ensures data is not altered without authorization; availability guarantees access when needed. FIPS PUB 199, published by NIST, rates each of the three properties at low, moderate, or high potential impact to categorize federal information and systems; the highest rating across the three sets the system's overall categorization, the high-water mark that FIPS 200 and the SP 800-53 baselines build on.
State-specific classification requirements differ substantially. California Security Authority addresses California's data classification standards under the CCPA and related state statutes, while New York Security Authority covers classification obligations under the NY SHIELD Act and DFS Part 500.
Procedural terms
Procedural terminology describes the actions, sequences, and workflows that constitute active cybersecurity operations. Understanding the process framework for cybersecurity depends on fluency with these terms.
Authentication — The process of verifying that an entity is who it claims to be. Multi-factor authentication (MFA) requires two or more independent factors drawn from different categories: something the user knows (a password), something the user has (a hardware token or authenticator app), or something the user is (a biometric). Two passwords are not two factors.
Authorization — The granting of specific permissions to an authenticated entity. Authorization is distinct from authentication: a user can be fully authenticated yet unauthorized for a given resource, and skipping the authorization check after a successful login is one of the most common application-level access control flaws.
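To make the authentication/authorization distinction concrete, here is an added example in Python, written for this page rather than taken from any of the Authority sites or from a NIST publication. It implements a possession factor with TOTP (RFC 6238, built on HOTP from RFC 4226) alongside a hashed-password knowledge factor, and then applies a separate authorization check so that a correctly authenticated user can still be refused a resource. The user store, salt, ACL, and resource paths are constructed for the demo; the TOTP seed is the RFC 6238 test secret.

```python
import hashlib
import hmac
import struct
import time

# --- Possession factor: TOTP (RFC 6238) built on HOTP (RFC 4226) ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: dynamic truncation of HMAC-SHA1 over a big-endian 64-bit counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, int(at_time) // step, digits)

def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock skew.
    The comparison is constant-time so the check does not leak partial matches."""
    counter = int(at_time) // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )

# --- Knowledge factor: salted, iterated password hash (PBKDF2-HMAC-SHA256) ---

def hash_password(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

# Constructed user store (hypothetical). The salt and secrets exist only for this demo.
_SALT = b"demo-salt-not-for-production"
USERS = {
    "alice": {"pw": hash_password("correct horse", _SALT), "totp": b"12345678901234567890"},
}

def authenticate(user: str, password: str, code: str, now: int) -> bool:
    """Authentication answers one question: is this entity who it claims to be?
    Both factors must pass; an unknown user fails the same way as a bad password."""
    rec = USERS.get(user)
    if rec is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password, _SALT), rec["pw"])
    return pw_ok and verify_totp(rec["totp"], code, now)

# --- Authorization: a separate decision taken only after authentication succeeds ---

# Constructed ACL (hypothetical): resource -> principals allowed to read it. Default deny.
ACL = {
    "/reports/q1": {"alice", "bob"},
    "/admin/users": {"root"},
}

def authorize(user: str, resource: str) -> bool:
    """Authorization answers a different question: may this verified entity act on this resource?"""
    return user in ACL.get(resource, set())

def access(user: str, password: str, code: str, resource: str, now: int) -> str:
    if not authenticate(user, password, code, now):
        return "denied: authentication failed"
    if not authorize(user, resource):
        return "denied: authenticated but not authorized"
    return "granted"

if __name__ == "__main__":
    now = int(time.time())
    code = totp(USERS["alice"]["totp"], now)
    print(access("alice", "correct horse", code, "/reports/q1", now))   # granted
    print(access("alice", "correct horse", code, "/admin/users", now))  # denied: authenticated but not authorized
    print(access("alice", "wrong", code, "/reports/q1", now))           # denied: authentication failed
```

The skew window is the usual production trade-off: window=1 accepts codes from the adjacent 30-second steps, which keeps phones with slightly wrong clocks working but also means a captured code stays valid for up to 90 seconds. The second denial is the case the definition above describes: the same user, the same valid factors, refused purely by the authorization layer.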
Encryption — The transformation of plaintext into ciphertext using a cryptographic algorithm, rendering it unreadable without the corresponding decryption key. Encryption Authority covers symmetric and asymmetric encryption standards, including AES-256 and RSA-2048, as applied in enterprise and government settings.
Incident response — A structured methodology for detecting, containing, and recovering from security incidents. NIST SP 800-61 Rev 2 defines a four-phase lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The 2025 Rev 3 reframes the guidance around the Cybersecurity Framework 2.0 functions, but this lifecycle remains the reference model most response plans follow.
Penetration testing — Authorized simulated attack activity conducted to identify exploitable vulnerabilities before malicious actors do. Penetration Testing Authority distinguishes black-box, white-box, and gray-box test methodologies and their respective use cases.
Patch management — The systematic process of acquiring, testing, and applying software updates to eliminate known vulnerabilities. For federal civilian systems, CISA Binding Operational Directive 19-02 requires critical vulnerabilities found by its scanning to be remediated within 15 calendar days of initial detection and high-severity ones within 30 days, and BOD 22-01 sets separate due dates for any CVE listed in CISA's Known Exploited Vulnerabilities (KEV) catalog regardless of its CVSS score.
Backup and recovery — The practice of creating redundant copies of data and restoring systems after failure or attack. Data Recovery Authority covers recovery point objectives (RPO, the maximum tolerable data loss expressed as time since the last usable copy) and recovery time objectives (RTO, the maximum tolerable time to restore service), the two primary metrics governing backup strategy. Cloud Backup Authority extends this coverage to cloud-native backup architectures and vendor-managed snapshot systems.
Key procedural terms compared — Disaster Recovery vs. Business Continuity:
- Disaster recovery (DR) — Focuses specifically on restoring IT systems and data after a disruptive event.
- Business continuity (BC) — Encompasses the full organizational response to disruption, including non-IT functions such as staffing, supply chain, and communications.
- Incident response (IR) — The security-specific process for handling a suspected or confirmed attack. IR is not a subset of DR: the two overlap when an incident forces system restoration, but IR also covers analysis, containment, and evidence handling that DR plans do not address.
Continuity Authority covers the intersection of business continuity planning and cybersecurity resilience under NIST SP 800-34.
Regulatory terminology
Regulatory vocabulary defines legal obligations, compliance frameworks, and enforcement mechanisms. These terms carry specific meanings in statute and administrative rule, and misapplication can expose organizations to liability. The regulatory context for cybersecurity page provides the structural overview; this section defines the key terms.
Covered entity — Under HIPAA (45 CFR §160.103), a covered entity is a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically in connection with a HIPAA-covered transaction. The definition determines who must comply with the Privacy and Security Rules directly; business associates that handle protected health information on a covered entity's behalf are bound by the Security Rule as well under the HITECH Act.
Controlled Unclassified Information (CUI) — A federal designation for information that requires safeguarding under law, regulation, or government-wide policy, but does not meet the classification threshold for classified national security information. NIST SP 800-171 governs CUI protection in non-federal systems.
Security Information and Event Management (SIEM) — A platform that aggregates, normalizes, and correlates log data from across an IT environment to support near-real-time threat detection and compliance reporting. SIEM platforms are the usual mechanism for the continuous monitoring described in NIST SP 800-137 and for the logging and monitoring evidence auditors examine under SOC 2.
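What "correlates" means in that definition is easiest to see in code. The following is an added example in Python, written for this page and not taken from any SIEM product or Authority site: a single correlation rule run over constructed sshd-style auth log lines. The rule fires when a source address produces a threshold number of failed logins inside a time window and then succeeds, which is the classic brute-force-then-success pattern that no single log line reveals. The log lines, hostnames, and addresses are constructed from documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not from a real system). Three scenarios:
#   203.0.113.5  - five failures in 14 s, then success          -> should alert
#   198.51.100.7 - one failure, then success                    -> normal typo
#   192.0.2.9    - five failures, success 30 min later          -> outside the window
SAMPLE_LOG = """\
2024-03-01T09:00:01Z host1 sshd[101]: Failed password for admin from 203.0.113.5 port 51000 ssh2
2024-03-01T09:00:04Z host1 sshd[102]: Failed password for admin from 203.0.113.5 port 51001 ssh2
2024-03-01T09:00:07Z host1 sshd[103]: Failed password for root from 203.0.113.5 port 51002 ssh2
2024-03-01T09:00:09Z host1 sshd[104]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2024-03-01T09:00:12Z host1 sshd[105]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2024-03-01T09:00:15Z host1 sshd[106]: Accepted password for admin from 203.0.113.5 port 51005 ssh2
2024-03-01T09:01:00Z host1 sshd[107]: Failed password for bob from 198.51.100.7 port 40000 ssh2
2024-03-01T09:01:30Z host1 sshd[108]: Accepted password for bob from 198.51.100.7 port 40001 ssh2
2024-03-01T11:00:00Z host1 sshd[109]: Failed password for carol from 192.0.2.9 port 30000 ssh2
2024-03-01T11:00:01Z host1 sshd[110]: Failed password for carol from 192.0.2.9 port 30001 ssh2
2024-03-01T11:00:02Z host1 sshd[111]: Failed password for carol from 192.0.2.9 port 30002 ssh2
2024-03-01T11:00:03Z host1 sshd[112]: Failed password for carol from 192.0.2.9 port 30003 ssh2
2024-03-01T11:00:04Z host1 sshd[113]: Failed password for carol from 192.0.2.9 port 30004 ssh2
2024-03-01T11:30:00Z host1 sshd[114]: Accepted password for carol from 192.0.2.9 port 30005 ssh2
"""

# Normalization step: pull timestamp, host, outcome, user and source out of the raw line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse(line: str):
    """Return a normalized event dict, or None for lines the rule does not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def correlate(lines, threshold: int = 5, window_s: int = 120):
    """Correlation step: alert when `threshold` failures from one source within
    `window_s` seconds are followed by a success from that same source.
    Assumes lines arrive in time order, as a SIEM pipeline normally guarantees."""
    failures = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                # a real pipeline would count these as parse errors
        recent = failures[ev["src"]]
        while recent and (ev["ts"] - recent[0]).total_seconds() > window_s:
            recent.popleft()        # age out failures older than the window
        if ev["outcome"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({
                "rule": "brute-force-then-success",
                "src": ev["src"], "user": ev["user"], "host": ev["host"],
                "failures": len(recent), "at": ev["ts"].isoformat(),
            })
            recent.clear()          # one alert per burst
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)   # one alert: 203.0.113.5 -> admin after 5 failures
```

The third scenario is the caveat: the window and threshold are tuning knobs, and an attacker who spaces attempts slowly enough slips beneath this rule, which is why SIEM content is layered with longer-horizon baselines rather than relied on alone.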
Data breach notification — The legal obligation to inform affected parties following unauthorized access to personal data. All 50 U.S. states have enacted breach notification statutes, though thresholds and timelines differ. Florida Security Authority and Texas Security Authority document their respective states' specific notification windows and covered data categories.
Zero Trust — A security model premised on the principle that no user, device, or network segment is trusted by default, even inside a perimeter; every access request is authenticated, authorized, and evaluated against policy. NIST SP 800-207 defines the architecture, and Office of Management and Budget (OMB) Memorandum M-22-09 established a federal Zero Trust strategy requiring agencies to meet specific architecture goals by the end of fiscal year 2024.
Compliance vs. Security — A critical distinction: compliance means satisfying the minimum requirements of a regulatory framework; security means actively reducing risk. Organizations can be compliant without being secure. Cyber Compliance Authority addresses this gap, and Cyber Audit Authority covers how compliance audits are structured under SOC 2, ISO 27001, and FedRAMP.
Personally Identifiable Information (PII) — NIST SP 800-122 defines PII as any information about an individual that can be used to distinguish or trace that individual's identity, such as a name, Social Security number, or biometric record, together with any other information that is linked or linkable to the individual. National Privacy Authority and Nation Data Protection Authority both address PII handling obligations across federal and state frameworks.
Terms practitioners use
Operational and practitioner vocabulary tends to originate in the security community before migrating into formal standards. Fluency with this layer matters for the broader landscape mapped on the hub and for communicating across technical and non-technical teams.
Threat actor — An individual, group, or nation-state that carries out or sponsors malicious cyber activity. MITRE ATT&CK documents named threat groups and maps each one to the tactics, techniques, and procedures (TTPs) observed in its operations, which is what makes the framework useful for describing adversary behavior independently of any single tool or indicator.
Indicators of Compromise (IOCs) — Forensic artifacts, such as specific IP addresses, file hashes, or domain names, that indicate a system has been breached. IOCs are shared through threat intelligence platforms and the STIX/TAXII data exchange standards maintained by OASIS. They are cheap for an attacker to change, so they are most useful for retrospective sweeps and must be paired with TTP-based detection.
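As an added example of how shared IOCs are actually consumed, here is Python written for this page (not code from OASIS, a threat intelligence platform, or any Authority site). It parses a small subset of the STIX 2.1 patterning grammar, one equality comparison per indicator, into fast lookups and then sweeps constructed network and file events against them, normalizing case and trailing dots so that "cdn.EVIL.example." still hits an IOC for evil.example. The indicator IDs, IP ranges, and domains are constructed; the SHA-256 value is the hash of an empty input, used only as a placeholder.

```python
import ipaddress
import re

# Constructed STIX 2.1 Indicator objects (hypothetical IDs, documentation IP ranges).
INDICATORS = [
    {"id": "indicator--c2-ip",     "pattern": "[ipv4-addr:value = '203.0.113.5']"},
    {"id": "indicator--c2-net",    "pattern": "[ipv4-addr:value = '198.51.100.0/24']"},
    {"id": "indicator--c2-domain", "pattern": "[domain-name:value = 'evil.example']"},
    {"id": "indicator--dropper",   "pattern": "[file:hashes.'SHA-256' = "
                                              "'E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855']"},
    {"id": "indicator--compound",  "pattern": "[url:value = 'http://evil.example/a'] OR [domain-name:value = 'b.example']"},
]

# Subset of STIX patterning this example understands: a single equality comparison
# inside a single observation expression. Compound patterns are reported, not guessed at.
SIMPLE_PATTERN = re.compile(r"^\[(?P<obj>[a-z0-9-]+):(?P<prop>[A-Za-z0-9_.'-]+) = '(?P<val>[^']+)'\]$")

def compile_indicators(indicators):
    """Turn indicator patterns into lookup tables keyed by normalized value."""
    lookup = {"ip": {}, "net": [], "domain": {}, "hash": {}, "unsupported": []}
    for ind in indicators:
        m = SIMPLE_PATTERN.match(ind["pattern"])
        if not m:
            lookup["unsupported"].append(ind["id"])
            continue
        obj, prop, val = m.group("obj"), m.group("prop"), m.group("val")
        if obj == "ipv4-addr" and prop == "value":
            net = ipaddress.ip_network(val, strict=False)        # accepts a host or a CIDR block
            if net.num_addresses == 1:
                lookup["ip"][str(net.network_address)] = ind["id"]
            else:
                lookup["net"].append((net, ind["id"]))
        elif obj == "domain-name" and prop == "value":
            lookup["domain"][val.lower().rstrip(".")] = ind["id"]
        elif obj == "file" and prop.startswith("hashes."):
            lookup["hash"][val.lower()] = ind["id"]              # hashes compare case-insensitively
        else:
            lookup["unsupported"].append(ind["id"])
    return lookup

def match_event(event, lookup):
    """Return the IDs of every indicator the event matches."""
    hits = []
    ip = event.get("dst_ip")
    if ip:
        if ip in lookup["ip"]:
            hits.append(lookup["ip"][ip])
        addr = ipaddress.ip_address(ip)
        hits += [iid for net, iid in lookup["net"] if addr in net]
    domain = event.get("domain")
    if domain:
        labels = domain.lower().rstrip(".").split(".")
        # Exact match or any parent domain, stopping short of the bare TLD:
        # an IOC for evil.example also covers cdn.evil.example.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in lookup["domain"]:
                hits.append(lookup["domain"][candidate])
                break
    digest = event.get("sha256")
    if digest and digest.lower() in lookup["hash"]:
        hits.append(lookup["hash"][digest.lower()])
    return hits

def scan(events, lookup):
    """Map event index -> matched indicator IDs, for events with at least one hit."""
    results = {}
    for i, ev in enumerate(events):
        hits = match_event(ev, lookup)
        if hits:
            results[i] = hits
    return results

# Constructed observations (hypothetical hosts): proxy/firewall and EDR file events.
EVENTS = [
    {"src": "10.0.0.4", "dst_ip": "203.0.113.5"},
    {"src": "10.0.0.5", "dst_ip": "198.51.100.77", "domain": "cdn.EVIL.example."},
    {"src": "10.0.0.6", "dst_ip": "192.0.2.10", "domain": "evilexample.com"},   # look-alike, no hit
    {"src": "10.0.0.7", "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
]

if __name__ == "__main__":
    table = compile_indicators(INDICATORS)
    print("unsupported:", table["unsupported"])   # ['indicator--compound']
    print(scan(EVENTS, table))
```

Two design points carry over to real deployments: unsupported patterns are surfaced rather than silently dropped, because a feed whose compound indicators vanish gives false assurance, and the parent-domain rule is a deliberate choice that trades a few false positives on shared hosting for coverage of attacker subdomains.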
Attack vector — The pathway a threat actor uses to gain access to a target. Common vectors include phishing, unpatched software, and supply chain compromise. Network Security Authority and Endpoint Security Authority each address the two primary vector categories — network-based and host-based — with distinct defensive frameworks.
Lateral movement — Post-compromise activity in which an attacker moves through a network from an initial access point toward higher-value targets, typically with stolen credentials and built-in administration tools rather than custom malware. Because the traffic is largely legitimate protocol use, detection depends more on behavioral analytics (an account authenticating to an unusual number of hosts, logons at odd hours, first-time administrative share access) than on signature-based tools.
Social engineering — Manipulation of human behavior to gain unauthorized access or information. Phishing and pretexting account for the large majority of social engineering incidents in the Verizon Data Breach Investigations Report; vishing (voice) and smishing (SMS) are delivery variants of the same pattern.
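The behavioral detection the lateral movement entry describes, as an added example in Python written for this page (not from any EDR or SIEM vendor, and not from an Authority site): a fan-out rule over constructed Windows Security events. Only event 4624 with logon type 3 (a network logon, the kind SMB, WMI, WinRM, and PsExec-style access generate) is counted, and an account alerts when its distinct destination hosts inside a sliding window exceed both an absolute floor and a multiple of its own historical baseline, so a backup service account that always touches three file servers stays quiet while a user account suddenly reaching eight workstations does not. Event fields, host names, and baselines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ev(ts, user, src, dst, logon_type=3):
    """Build a minimal, already-parsed Windows Security event (hypothetical schema)."""
    return {"ts": datetime.fromisoformat(ts), "event_id": 4624,
            "logon_type": logon_type, "user": user, "src": src, "dst": dst}

# Constructed sample: a routine service account, a user's interactive logon, then that
# user's workstation reaching eight other workstations in eight minutes.
EVENTS = (
    [_ev("2024-03-01T02:00:00", "svc_backup", "10.0.0.10", d) for d in ("FS01", "FS02", "FS03")]
    + [_ev("2024-03-01T09:00:00", "jdoe", "10.0.5.23", "WS-023", logon_type=2)]   # interactive: ignored
    + [_ev(f"2024-03-01T09:1{i}:00", "jdoe", "10.0.5.23", f"WS-{100 + i}") for i in range(8)]
    + [_ev("2024-03-01T09:30:00", "jdoe", "10.0.5.23", "WS-200")]                # after the burst
)

# Constructed baseline (hypothetical): typical distinct network-logon destinations
# per account within one window, learned from history in a real deployment.
BASELINE = {"svc_backup": 3, "jdoe": 1}

def detect_fan_out(events, baseline, window=timedelta(minutes=10), min_hosts=5, factor=3):
    """Alert once per account when distinct network-logon destinations within `window`
    reach `min_hosts` and exceed `factor` times the account's baseline. Accounts with
    no baseline default to 0, so any burst of `min_hosts` hosts alerts."""
    recent = defaultdict(deque)   # user -> (ts, dst) pairs still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_id"] != 4624 or ev["logon_type"] != 3:
            continue              # only network logons evidence host-to-host movement
        q = recent[ev["user"]]
        q.append((ev["ts"], ev["dst"]))
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        too_many = len(hosts) >= min_hosts and len(hosts) > factor * baseline.get(ev["user"], 0)
        if too_many and ev["user"] not in alerts:
            alerts[ev["user"]] = {
                "rule": "auth-fan-out", "user": ev["user"], "src": ev["src"],
                "hosts": sorted(hosts), "window_end": ev["ts"].isoformat(),
            }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_fan_out(EVENTS, BASELINE):
        print(alert)   # one alert for jdoe, raised at the fifth distinct host
```

The alert fires at the first crossing rather than after the burst ends, which is the right choice for containment but means the hosts list is a lower bound; a follow-up query over the same window recovers the full set. The same structure, one sliding window per entity and a per-entity baseline, is what most "impossible travel" and "new admin share" rules reduce to.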
Ransomware — A class of malware that encrypts victim data and demands payment for decryption. Ransomware Authority covers ransomware taxonomy, negotiation dynamics, and the regulatory reporting obligations triggered by ransomware events under HIPAA and CISA guidance.
AI and machine learning in security — Increasingly, practitioner vocabulary includes terms specific to AI-driven threat detection, adversarial machine learning, and AI-enabled attack tooling. [AI Cyber Authority](https