Cybersecurity Glossary
The cybersecurity field operates under a dense and often inconsistent terminology landscape, where the same term can carry distinct meanings across regulatory frameworks, technical standards, and vendor contexts. This reference compiles and defines the core vocabulary used across US cybersecurity practice, organized by conceptual domain and mapped against authoritative sources including NIST, CISA, and the Committee on National Security Systems (CNSS). The definitions here reflect the operational and regulatory meanings applied in professional, compliance, and research contexts, not simplified analogies. Professionals evaluating security providers, vendor claims, or compliance documentation will find this glossary a stable reference against which to check what a term is being used to mean.
- Definition and scope
- Core mechanics or structure
- Causal relationships or drivers
- Classification boundaries
- Tradeoffs and tensions
- Common misconceptions
- Checklist or steps
- Reference table or matrix
Definition and scope
The NIST Interagency Report 7298 (NIST IR 7298) — Glossary of Key Information Security Terms — provides the most widely referenced authoritative definitions in US federal and commercial cybersecurity practice. CNSS Instruction 4009 serves a parallel function for national security systems, establishing definitions binding on Department of Defense components and intelligence agencies.
Access control — The process of granting or denying specific requests to obtain and use information and related information processing services, and to enter specific physical facilities. Defined in NIST IR 7298 Rev. 3 and codified as a control family under NIST SP 800-53 Rev. 5 (Control Family AC).
Attack surface — The set of points on the boundary of a system, system element, or environment where an attacker can attempt to enter, cause an effect on, or extract data from. NIST SP 800-160 Vol. 1 addresses attack surface reduction as a systems security engineering principle.
Authentication — The process of verifying the identity of a user, process, or device, typically as a prerequisite to allowing access to a system resource. Distinguished from authorization, which determines what an authenticated principal is permitted to do. NIST SP 800-63B governs digital identity authentication assurance levels across three tiers.
Confidentiality — One of the three properties of the CIA triad; refers to preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. Defined in NIST FIPS 199.
Cyber threat intelligence (CTI) — Evidence-based knowledge about adversary capabilities, intent, and opportunity, used to inform defensive decisions. The Structured Threat Information Expression (STIX) standard, maintained by OASIS, provides a formal language for CTI sharing.
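As an added illustration (not part of the glossary and not OASIS's reference implementation), the Python below assembles a minimal STIX 2.1 bundle using only the standard library: an Indicator whose pattern matches a command-and-control address, a Malware object, and the "indicates" Relationship that links them, followed by a sanity check of the properties the specification makes mandatory. The IP address, malware family name and timestamp are constructed sample values.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX identifiers are "<type>--<UUID>"; 2.1 requires lowercase hex
_ID_RE = re.compile(
    r"^[a-z][a-z0-9-]+--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$"
)
_COMMON = ("type", "spec_version", "id", "created", "modified")
# Type-specific required properties from the STIX 2.1 specification
_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "malware": ("is_family",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_timestamp(dt: datetime) -> str:
    """RFC 3339 in UTC with millisecond precision and a 'Z' suffix."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_object(obj_type: str, created: str, **props) -> dict:
    """Attach the common properties every STIX object must carry."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": created, "modified": created, **props}


def build_bundle(c2_ip: str, family: str, created: str) -> dict:
    indicator = stix_object(
        "indicator", created,
        name=f"C2 address used by {family}",
        pattern=f"[ipv4-addr:value = '{c2_ip}']",  # STIX patterning language
        pattern_type="stix",
        valid_from=created,
    )
    malware = stix_object("malware", created, name=family, is_family=True)
    link = stix_object("relationship", created, relationship_type="indicates",
                       source_ref=indicator["id"], target_ref=malware["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [indicator, malware, link]}


def validate_bundle(bundle: dict) -> list:
    """Return a list of problems (empty means the bundle passed these checks).
    This covers structure and required properties, not full pattern syntax."""
    errors = []
    if bundle.get("type") != "bundle" or not _ID_RE.match(bundle.get("id", "")):
        errors.append("bundle: bad type or id")
    objects = bundle.get("objects", [])
    known_ids = {o.get("id") for o in objects}
    for obj in objects:
        oid = obj.get("id", "<no id>")
        for prop in _COMMON + _REQUIRED.get(obj.get("type"), ()):
            if prop not in obj:
                errors.append(f"{oid}: missing required property '{prop}'")
        if not _ID_RE.match(oid) or not oid.startswith(f"{obj.get('type')}--"):
            errors.append(f"{oid}: id is malformed or does not match type")
        if obj.get("spec_version") != "2.1":
            errors.append(f"{oid}: spec_version must be '2.1'")
        if obj.get("type") == "relationship":
            for ref in ("source_ref", "target_ref"):
                if obj.get(ref) not in known_ids:
                    errors.append(f"{oid}: {ref} points outside the bundle")
    return errors


def to_json(bundle: dict) -> str:
    return json.dumps(bundle, indent=2, sort_keys=True)


if __name__ == "__main__":
    ts = stix_timestamp(datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc))
    bundle = build_bundle("198.51.100.7", "ConstructedRAT", ts)  # constructed sample
    print(to_json(bundle))
    print("problems:", validate_bundle(bundle) or "none")
```

The value of the format is in the relationship object: a bare IP address is an observable, while the Indicator plus its "indicates" link to a Malware object is intelligence a recipient can act on. Real exchanges add producer identity, confidence and marking definitions (TLP) on top of this skeleton.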
Exploit — A defined technique or code that takes advantage of a vulnerability in a system, application, or protocol to produce an unintended or unauthorized outcome. The CVE Program, operated by MITRE, catalogs publicly disclosed vulnerabilities and assigns each a CVE identifier; the identifier names the vulnerability, not any particular exploit of it, and a single CVE may have zero, one, or many working exploits.
Incident — A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. NIST SP 800-61 Rev. 2 establishes the federal incident response framework, defining four phases: preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity. Rev. 3 (2025) reorganizes the same guidance as a CSF 2.0 Community Profile, distributing incident response activities across the six CSF Functions rather than presenting them as a separate lifecycle.
Integrity — The property that data has not been altered or destroyed in an unauthorized manner. Defined in NIST FIPS 199 and operationalized through cryptographic hash functions and digital signatures.
Risk — A measure of the extent to which an entity is threatened by a potential circumstance or event, expressed as a function of the likelihood of the threat occurring and the resulting adverse impact. NIST SP 800-30 Rev. 1 governs risk assessment methodology for federal information systems.
Zero-day vulnerability — A vulnerability in software or hardware that is unknown to the vendor, or known but not yet patched, at the time it is exploited. The term refers to the vendor having had zero days to develop and distribute a fix before exploitation began. A zero-day exploit is the code or technique that targets such a vulnerability. Once a patch is published the vulnerability is no longer a zero-day, although systems that have not applied the patch remain exposed.
Core mechanics or structure
Cybersecurity terminology is structured around three interlocking conceptual frameworks that inform how definitions are operationalized.
The CIA Triad — Confidentiality, Integrity, and Availability — represents the foundational properties any information security program is designed to protect. NIST FIPS 199 uses all three as axes for impact categorization (Low, Moderate, High) across federal systems. A fourth property, non-repudiation, appears in NIST IR 7298 and refers to assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender's identity, so that neither can later deny having processed the information.
The NIST Cybersecurity Framework (CSF) — first published in 2014 and updated to CSF 2.0 in 2024 — organizes cybersecurity activities into six Functions: Govern, Identify, Protect, Detect, Respond, and Recover. Each Function contains Categories and Subcategories with specific informative references mapping to NIST SP 800-53 controls, ISO/IEC 27001 clauses, and COBIT controls.
The MITRE ATT&CK Framework — a publicly accessible knowledge base maintained by MITRE Corporation — catalogs adversary tactics and techniques derived from real-world observations. ATT&CK distinguishes between tactics (the adversary's goal, e.g., Initial Access), techniques (how the goal is achieved, e.g., Spearphishing Attachment), and sub-techniques (granular implementation variants). Each entry has a stable identifier (TA0001 for the Initial Access tactic; T1566.001 for the Spearphishing Attachment sub-technique), which is what detection rules and threat reports cite. The Enterprise ATT&CK matrix currently defines 14 tactics.
The relationship between these frameworks determines how a given term is used in practice. "Threat" in NIST SP 800-30 carries a specific technical definition (any circumstance or event with the potential to adversely impact operations), distinct from its colloquial usage.
Causal relationships or drivers
The expansion of cybersecurity terminology is driven by three primary forces: regulatory codification, technological specialization, and adversarial evolution.
Regulatory codification creates mandatory vocabulary. The HIPAA Security Rule (45 CFR Part 164, Subpart C) governs "electronic protected health information" (ePHI), a term with a precise regulatory definition at 45 CFR 160.103. The FTC Safeguards Rule (16 CFR Part 314) uses the term "information security program" in a way that imposes specific administrative, technical, and physical safeguard obligations on covered financial institutions. Failure to use defined terms correctly in compliance documentation creates regulatory exposure independent of the underlying security posture.
Technological specialization produces domain-specific vocabularies. Cloud computing introduced terms like shared responsibility model, cloud access security broker (CASB), and serverless security — none of which appear in original versions of NIST SP 800-53. The NIST SP 800-145 definition of cloud computing (five essential characteristics, three service models, four deployment models) became the reference definition adopted by federal agencies and widely cited in commercial contexts.
Adversarial evolution generates new threat terminology as attack categories are named and cataloged. The term advanced persistent threat (APT) entered formal use through US government reporting to describe nation-state actors conducting sustained, targeted intrusion campaigns — a category distinct from opportunistic cybercrime. CISA's Known Exploited Vulnerabilities (KEV) catalog tracks actively exploited vulnerabilities in a format that has itself become a regulatory reference point, with Binding Operational Directive 22-01 requiring federal civilian agencies to remediate KEV entries on specified timelines.
Classification boundaries
Cybersecurity terminology divides into distinct sub-domain vocabularies that should not be conflated.
Information security (InfoSec) vs. cybersecurity — InfoSec covers the protection of information in any form, including physical records and oral communication. Cybersecurity specifically addresses digital systems and networks. NIST treats these as overlapping but non-identical; NIST SP 800-12 Rev. 1 addresses both under the broader umbrella of information security.
Vulnerability vs. threat vs. risk — These three terms are frequently conflated. A vulnerability is a weakness in a system that can be exploited. A threat is an agent or event capable of exploiting a vulnerability. Risk is the probability-weighted adverse impact resulting from the intersection of the two. NIST SP 800-30 Rev. 1 provides the formal definitions and expresses risk as a function of likelihood and impact; the shorthand Risk = Likelihood × Impact is a simplification of that relationship, since the publication combines the two through qualitative or semi-quantitative scales (Very Low through Very High) rather than a literal product.
Incident vs. breach vs. event — A security event is any observable occurrence in a system or network. An incident is an event that actually or potentially jeopardizes security. A breach carries a specific legal definition under statutes like the HITECH Act (42 U.S.C. § 17921) and state data breach notification laws, triggering notification obligations. Not every incident is a breach; the legal classification depends on the type of data involved and whether it was accessed or acquired by an unauthorized party.
Penetration testing vs. vulnerability assessment vs. red team exercise — A vulnerability assessment identifies and prioritizes weaknesses without exploiting them. A penetration test actively exploits identified vulnerabilities to determine real-world exposure. A red team exercise simulates a full adversary campaign, including social engineering and physical access attempts, against a defined objective. NIST SP 800-115 provides technical guidance distinguishing these categories.
Tradeoffs and tensions
Standardization vs. precision — NIST and CNSS definitions are authoritative but not universally binding in the private sector. ISO/IEC 27000:2018 — the information security management vocabulary standard — uses definitions that diverge in some cases from NIST equivalents. Organizations operating across US federal and international commercial contexts must explicitly identify which definitional framework governs each document, as regulatory auditors and ISO certification auditors apply different standards.
Operational clarity vs. legal precision — Technical teams use "breach" informally to describe any unauthorized access. Legal and compliance teams must apply the statutory definition, which varies in threshold, covered data categories, and notification timelines across the data breach notification laws of all 50 states, the District of Columbia, and several US territories (NCSL tracking). Using the informal meaning in formal documentation creates liability exposure.
Comprehensiveness vs. usability — NIST SP 800-53 Rev. 5 defines 20 control families with over 1,000 individual controls and control enhancements. The vocabulary supporting those controls is technically precise but operationally dense. Organizations implementing the framework must make scoping decisions about which baseline (Low, Moderate, High) applies, which determines which controls, and therefore which defined terms, are operative. The baselines themselves, and the tailoring guidance that manages this tension between comprehensive coverage and practical implementation, are documented in NIST SP 800-53B.
Vendor terminology vs. standards terminology — Commercial vendors frequently introduce proprietary terminology (e.g., "extended detection and response" or XDR) that lacks a formal standards-body definition. When procurement documents, contracts, or compliance mappings incorporate vendor terms without anchoring them to a defined standard, audit and liability gaps emerge.
Common misconceptions
Misconception: "Encryption" and "hashing" are interchangeable. Encryption is a reversible transformation of data using a key; the original data can be recovered with the correct key. Hashing is a one-way transformation; the original data cannot be recovered from the hash output. NIST FIPS 140-3 governs approved cryptographic modules, and NIST FIPS 180-4 specifies approved hash algorithms. Conflating the two in policy documentation produces controls that do not actually protect the data they reference.
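To make the distinction concrete, here is an added Python example (not part of the glossary, and not code from NIST) that puts three primitives side by side: an unkeyed one-way hash, a keyed one-way tag (HMAC, the hash-based integrity mechanism the Integrity entry above refers to), and a keyed reversible encryption. Because the Python standard library ships no block cipher, the reversible step uses a one-time pad (XOR against a random key as long as the message), which is a genuine cipher but impractical; a real system would use AES-GCM from a FIPS 140-3 validated module. The card number is a constructed sample value.

```python
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    """Unkeyed one-way digest: fixed length, deterministic, no inverse."""
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed one-way tag (HMAC-SHA256): proves the data was not altered by
    anyone who lacks the key. Still not reversible."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hmac_verify(key: bytes, data: bytes, tag: bytes) -> bool:
    # compare_digest is constant-time, so a forger cannot learn the tag byte by byte
    return hmac.compare_digest(hmac_tag(key, data), tag)


def otp_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """One-time pad: stands in for a real cipher (AES-GCM) in this example only."""
    if len(key) != len(plaintext):
        raise ValueError("one-time pad key must be exactly as long as the message")
    return bytes(k ^ p for k, p in zip(key, plaintext))


def otp_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    # XOR is its own inverse: holding the key is what makes the transformation reversible
    return otp_encrypt(key, ciphertext)


def demo(secret: bytes = b"4111111111111111") -> dict:
    """Run all three primitives over one value (default is a constructed test
    card number) and report which properties each one actually has."""
    digest = sha256_hex(secret)

    enc_key = secrets.token_bytes(len(secret))
    ciphertext = otp_encrypt(enc_key, secret)
    recovered = otp_decrypt(enc_key, ciphertext)

    mac_key = secrets.token_bytes(32)
    tag = hmac_tag(mac_key, secret)
    tampered = secret[:-1] + bytes([secret[-1] ^ 0x01])  # flip one bit

    return {
        "digest_hex_len": len(digest),                      # always 64 for SHA-256
        "digest_deterministic": digest == sha256_hex(secret),
        "ciphertext_differs": ciphertext != secret,
        "encryption_reversible": recovered == secret,       # only with enc_key
        "hmac_accepts_original": hmac_verify(mac_key, secret, tag),
        "hmac_rejects_tampered": hmac_verify(mac_key, tampered, tag),
    }


if __name__ == "__main__":
    for prop, value in demo().items():
        print(f"{prop:24} {value}")
```

Two caveats a policy author should carry away. One-way does not mean unguessable: for a low-entropy input such as a card number, an attacker who knows the format can hash candidates until one matches, which is why PCI DSS v4.0 requires a keyed hash when hashing is the method used to render a PAN unreadable. And a policy that says cardholder data is "hashed" but then relies on recovering it for later charges is specifying a control that cannot do the job; that recovery needs encryption and the key management that comes with it.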
Misconception: "Firewall" means complete network perimeter defense. A firewall is a network security device that monitors and controls incoming and outgoing network traffic based on predefined rules. It is a single control, not a comprehensive defense. NIST SP 800-41 Rev. 1 defines firewall types and explicitly notes that firewalls alone cannot protect against attacks that originate from inside the perimeter or exploit application-layer vulnerabilities.
Misconception: Compliance equals security. Compliance with a regulatory framework (e.g., PCI DSS, HIPAA) establishes that defined minimum controls are in place at a point in time. It does not assert that a system is secure against all current threats. The PCI Security Standards Council explicitly notes that compliance validation is a snapshot assessment; the threat environment changes continuously.
Misconception: "Two-factor authentication" (2FA) and "multi-factor authentication" (MFA) are synonymous. 2FA is a subset of MFA requiring exactly 2 factors. MFA requires 2 or more factors drawn from distinct categories: something you know, something you have, and something you are. Two authenticators from the same category (for example, a password and a PIN) do not constitute MFA. NIST SP 800-63B defines these authentication factor categories and establishes three Authentication Assurance Levels (AAL1, AAL2, AAL3) based on factor type and verification rigor.
Misconception: A CVSS score represents exploitability. A CVE identifier carries no score of its own; the number attached to it comes from the Common Vulnerability Scoring System (CVSS), maintained by the Forum of Incident Response and Security Teams (FIRST), whose base score reflects the vulnerability's intrinsic severity characteristics, not the probability of exploitation in any specific environment. The Exploit Prediction Scoring System (EPSS), also maintained by FIRST, provides a separate probability-of-exploitation estimate based on empirical data, and CISA's KEV catalog records confirmed exploitation. High CVSS scores do not automatically indicate high exploitation likelihood, and a lower score can accompany a vulnerability that is being exploited today.
Checklist or steps
The following sequence maps the steps involved in establishing a documented cybersecurity terminology baseline for an organization, consistent with NIST guidance.
- Identify the applicable regulatory framework(s) — Determine which statutes, regulations, and standards bind the organization (e.g., HIPAA, FTC Safeguards Rule, FISMA, CMMC). Each framework carries a defined vocabulary that governs compliance documentation.
- Adopt a primary definitional source — Designate NIST IR 7298 Rev. 3, CNSS 4009, or ISO/IEC 27000:2018 as the organization's reference glossary. Document the choice in the information security policy.
- Map vendor and operational terms to the primary source — Where vendor or product documentation uses terms that diverge from the primary source, document the mapping explicitly (e.g., "vendor term 'XDR' maps to NIST IR 7298 definition of 'security monitoring'").
- Audit existing policy documents for term consistency — Review information security policies, incident response plans, and data classification standards against the adopted glossary. Identify and resolve conflicts where the same term is used with different meanings across documents.
- Establish a versioning protocol for the glossary — Regulatory definitions change (e.g., NIST SP 800-63 identity definitions were substantially revised in revision 3). Assign a review cycle — no less frequent than annually — tied to NIST, CISA, and relevant agency publication schedules.
- Align with the NIST Cybersecurity Framework functions — Map internal operational processes to the six CSF Functions (Govern, Identify, Protect, Detect, Respond, Recover) so that terminology used in security operations aligns with the