GLOSSARY

INFORMATION SECURITY AND RISK MANAGEMENT TERMINOLOGY

“Half of the communication battle in information security today is caused by not agreeing on a common terminology for information security and risk management”

Dr. Gary McGraw, CTO Cigital

Introduction

When applying the PASTA risk-centric threat modeling process and carrying out its stages and activities, it is important to use risk management language that is industry standard: standard terminology for threats, vulnerabilities, attacks, and risk, as well as for the other terms used to describe activities in the information security and risk management domains. Throughout this book, and specifically for the execution of PASTA as a risk-centric threat modeling process, we use standard definitions of threats, attacks, and vulnerabilities such as those documented in the various National Institute of Standards and Technology (NIST) standards, guidelines, and Special Publications (SPs). High-level definitions of the core information security and risk management terms are given in this introduction, while more specific definitions are provided in the glossary entries that follow.

For the definition of threats, we refer to NIST SP 800-37, “Guide for Applying the Risk Management Framework to Federal Information Systems.” This guide defines a threat as “Any circumstance or event with the potential to adversely impact agency operations (including mission, functions, ...
