[WIP] A vocabulary list

Xavier Briand
My journey into Cybersecurity
3 min read · Feb 5, 2019

Information Asset

Information or the systems, processes, people, and facilities that facilitate information handling.

Security

An assurance that characteristics of information assets are protected. Confidentiality, Integrity, and Availability (aka C.I.A.) are common security characteristics. Other characteristics of information assets such as velocity, authenticity, and reliability may also be considered if these are valuable to the organization and its constituents.

Threat

A potential or foreseeable event that could compromise the security of information assets.

Threat Actor

Anything that can possibly damage or disrupt the system’s ability to perform as it needs to. This isn’t limited to malicious actors like hackers.

“Individuals within a threat population; Practically anyone and anything can, under the right circumstances, be a threat actor—the well-intentioned, but inept, computer operator who trashes a daily batch job by typing the wrong command, the regulator performing an audit, or the squirrel that chews through a data cable.”
Source: An Introduction to Factor Analysis of Information Risk (FAIR) (PDF), riskmanagementinsight.com, November 2006

“Also includes God (as in ‘acts of’), ‘Mother Nature,’ and random chance.”
Source: VERIS Community schema, http://veriscommunity.net/schema

“Non-Human Elements: Floods, Lightning strikes, Plumbing, Viruses, Fire, Electrical, Air (dust), Heat control”
Source: SANS, An Overview of Threat and Risk Assessment

Impact

The harm that may be suffered when a threat compromises an information asset.

Impact Score

The magnitude of impact that can be suffered. This is stated in plain language and is associated with numeric scales, usually from ‘1’ to ‘3’ or ‘1’ to ‘5’.

Likelihood

The degree to which a threat is expected to create an impact. May be stated in terms of frequency, foreseeability, or probability.

Risk

An estimation of the likelihood that a threat will create an undesirable impact. Often expressed as the product of a likelihood and an impact, i.e. Risk = Likelihood × Impact. When likelihood and impact are ordinal scores (1 to 3, 1 to 5), the product is a ranking that orders risks against each other and against an acceptable-risk threshold; it is not a probability or an expected loss in currency.

Risk Management

A process for analyzing, mitigating, overseeing, and reducing risk.

Risk Treatment Option

The selection of a method for addressing risks. Organizations may choose to Accept, Reduce, Transfer, or Avoid risks.

Inherent Risk

The likelihood of an impact occurring when a threat compromises an unprotected asset.

Control

A documented method for protecting information assets using technical, physical, or procedural safeguards.

Standard of Care

A set of practices, controls, or requirements that are known to improve outcomes and reduce failures for practitioners of a specialized field or profession.

Risk Assessment

A comprehensive project that evaluates the potential for harm to occur within a scope of information assets, controls, and threats.

Safeguard

Technologies, processes, and physical protections that prevent or detect threats against information assets. Safeguards are implementations of controls.

Residual Risk

The risk that remains after a safeguard is applied.
This concept is not directly used by CIS RAM, but implies that risk is lowered when a safeguard is applied. Residual risk does not take into account potential negative impacts to the organization when safeguards are applied.

Safeguard Risk

The risk posed by recommended safeguards. An organization’s mission or objectives may be negatively impacted by a new security control. These impacts must be evaluated to understand their burden on the organization, and to determine whether the burden is reasonable.

Vulnerability

A weakness that could permit a threat to compromise the security of information assets.

Risk Analysis

The process of estimating the likelihood that an event will create an impact. The foreseeability of a threat, the expected effectiveness of safeguards, and an evaluated result are necessary components of risk analysis. Risk analysis may occur during a comprehensive risk assessment, or as part of other activities such as change management, vulnerability assessments, system development and acquisition, and policy exceptions.

Risk Evaluation

The mathematical component of risk analysis that estimates the likelihood and impact of a risk, and compares it to acceptable risk.
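As an added worked example (not part of the original post, and not CIS RAM’s own method), the Python below ties several of the terms above together by evaluating a small constructed risk register: inherent risk as Risk = Likelihood × Impact, residual risk once a safeguard operates, safeguard risk (the burden the safeguard itself puts on the mission), and a comparison of each against an acceptable-risk level to pick a treatment option. The 1 to 5 scales, the acceptable-risk threshold of 6, the reasonableness rule, and every asset, threat and score in the register are assumptions made for illustration.

```python
"""Risk evaluation over a constructed risk register.

Added example: the register entries, the 1-5 likelihood/impact scales, the
acceptable-risk threshold and the reasonableness rule are all assumptions made
here for illustration; none of them come from CIS RAM or a real assessment.
"""
from dataclasses import dataclass
from typing import Optional

SCALE_MIN, SCALE_MAX = 1, 5   # assumed ordinal scales for likelihood and impact
ACCEPTABLE_RISK = 6           # assumed: scores at or below this are accepted as-is


def check_score(score: int, name: str) -> int:
    """Reject a score outside the scale instead of silently multiplying it."""
    if isinstance(score, bool) or not isinstance(score, int) \
            or not SCALE_MIN <= score <= SCALE_MAX:
        raise ValueError(f"{name}={score!r} is outside the {SCALE_MIN}-{SCALE_MAX} scale")
    return score


def risk_score(likelihood: int, impact: int) -> int:
    """Risk = Likelihood x Impact. The product ranks risks; it is not a probability."""
    return check_score(likelihood, "likelihood") * check_score(impact, "impact")


@dataclass(frozen=True)
class Safeguard:
    name: str
    residual_likelihood: int  # expected likelihood once the safeguard operates
    residual_impact: int      # expected impact once the safeguard operates
    burden_likelihood: int    # how foreseeable it is that the safeguard itself hurts the mission
    burden_impact: int        # how badly the mission suffers if it does


@dataclass(frozen=True)
class RiskEntry:
    asset: str
    threat: str
    likelihood: int           # inherent: assessed with no safeguard in place
    impact: int
    safeguard: Optional[Safeguard] = None   # recommended treatment, if any


def evaluate(entry: RiskEntry, acceptable: int = ACCEPTABLE_RISK) -> dict:
    """Risk evaluation: score inherent, residual and safeguard risk, then compare
    each against the acceptable level to choose a treatment option."""
    inherent = risk_score(entry.likelihood, entry.impact)
    result = {"asset": entry.asset, "threat": entry.threat, "inherent": inherent,
              "residual": None, "safeguard_risk": None, "treatment": None}
    if inherent <= acceptable:
        result["treatment"] = "Accept"
        return result
    if entry.safeguard is None:
        result["treatment"] = "Treat: no safeguard recommended yet"
        return result
    sg = entry.safeguard
    residual = risk_score(sg.residual_likelihood, sg.residual_impact)
    burden = risk_score(sg.burden_likelihood, sg.burden_impact)
    result.update(residual=residual, safeguard_risk=burden)
    # Assumed reasonableness rule: the safeguard must bring the risk to an
    # acceptable level, and its own burden on the mission must also be
    # acceptable and smaller than the risk it removes. Residual risk alone
    # ignores that burden, which is why safeguard risk is scored separately.
    if residual <= acceptable and burden <= acceptable and burden < inherent:
        result["treatment"] = f"Reduce: {sg.name}"
    elif residual <= acceptable:
        result["treatment"] = (f"Revise: {sg.name} reduces the risk but its own "
                               f"risk ({burden}) is unreasonable")
    else:
        result["treatment"] = (f"Insufficient: residual {residual} > acceptable "
                               f"{acceptable}; consider Transfer or Avoid")
    return result


# Constructed register (hypothetical assets, threats and scores).
REGISTER = [
    RiskEntry("Customer database", "SQL injection through the web front end", 4, 5,
              Safeguard("Parameterized queries plus input validation", 1, 5, 1, 1)),
    RiskEntry("Backup tapes in the basement", "Flood", 1, 3),
    RiskEntry("Build server", "Stolen CI deploy token", 3, 4,
              Safeguard("Cut all outbound network access from CI", 1, 4, 5, 3)),
    RiskEntry("Legacy HR application", "Unpatched remote code execution", 4, 4,
              Safeguard("Quarterly patch cycle", 3, 4, 1, 2)),
    RiskEntry("Office Wi-Fi", "Guest network reaches internal hosts", 2, 4),
]


def evaluate_register(register=REGISTER, acceptable: int = ACCEPTABLE_RISK) -> list:
    """Evaluate every entry, worst inherent risk first."""
    return sorted((evaluate(e, acceptable) for e in register),
                  key=lambda r: r["inherent"], reverse=True)


if __name__ == "__main__":
    for r in evaluate_register():
        print(f"{r['inherent']:>2}  {r['asset']:<28} {r['threat']:<42} -> {r['treatment']}")
```

Running it lists the register worst-first. The build-server entry is the one worth noticing: the proposed safeguard drives residual risk down to 4, yet its own risk to the mission (15) is higher than the inherent risk it addresses (12), so the evaluation flags it for revision rather than recommending it; looking at residual risk alone would have hidden that.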

Risk Treatment Recommendations

A listing of safeguards or processes that may be implemented and operated to reduce the likelihood and/or impact of a risk.

Risk Treatment Plan

A comprehensive project plan for implementing risk treatment recommendations.

Threat Model

A description of how a threat could compromise an information asset, given the current safeguards and vulnerabilities around the asset.
