Glossary

Ref. Term: Description
G1 Acceptable Risk: The level of residual risk [G.26] that has been determined to be a reasonable level of potential loss/disruption for a specific system.
(CIAO – Critical Infrastructure Assurance Office - U.S.A)
G2 Accountability: The property that ensures that the actions of an entity may be traced uniquely to the entity.
(ISO/IEC PDTR 13335-1)
  • This may cover non-repudiation, deterrence, fault isolation, intrusion detection and prevention, and after-action recovery and legal action.
(ENISA)
G3 Asset: Anything that has value to the organization, its business operations and their continuity, including information resources that support the organization's mission.
(ISO/IEC PDTR 13335-1)
G4 Consequence: Outcome of an event [G.11].
  • There can be more than one consequence from one event.
  • Consequences can range from positive to negative.
  • Consequences can be expressed qualitatively or quantitatively.
(ISO/IEC Guide 73)
G5 Contingency Plan: A plan for emergency response, backup operations, and post-disaster recovery in a system, as part of a security program, to ensure availability of critical system resources and facilitate continuity of operations in a crisis.
(ENISA)
G6 Data Availability: The fact that data is accessible and services are operational.
(ENISA)
G7 Data Confidentiality: The protection of communications or stored data against interception and reading by unauthorized persons.
(ENISA)
The property that information is not made available or disclosed to unauthorized individuals, entities, or processes.
(ISO/IEC PDTR 13335-1)
G8 Data Integrity: The confirmation that data which has been sent, received, or stored are complete and unchanged.
(ENISA)
The property that data has not been altered or destroyed in an unauthorized manner.
(ISO/IEC PDTR 13335-1)
G9 Definition of Scope: Process for the establishment of global parameters for the performance of Risk Management within an organization. Within the definition of scope for Risk Management, internal and external factors have to be taken into account.
(ENISA)
G10 Disaster Recovery: The process of restoring a system to full operation after an interruption in service, including equipment repair / replacement and file recovery / restoration.
(ENISA)
G11 Event: Occurrence of a particular set of circumstances.
  • The event can be certain or uncertain.
  • The event can be a single occurrence or a series of occurrences.
(ISO/IEC Guide 73)
G12 Evidence: Information that either by itself or when used in conjunction with other information is used to establish proof about an event [G.11] or action.
  • Evidence does not necessarily prove the truth or existence of something but contributes to establishing proof.
(ENISA)
G13 Exposure: The potential loss to an area due to the occurrence of an adverse event [G.11].
(ISACA)
  • Generally, in the Risk Management [G.39] process [G.24], a risk does not always represent a loss or a negative consequence but can also be an opportunity or a result of a positive event.
(ENISA)
G14 Gap Analysis: A comparison that identifies the difference between the actual and the expected / specified system status.
(ENISA)
G15 Impact: The result of an unwanted incident [G.17].
(ISO/IEC PDTR 13335-1)
G16 Impact Analysis: The identification of critical business processes [G.24], and the potential damage or loss that may be caused to the organization resulting from a disruption to those processes. Business impact analysis identifies:
  • the form the loss or damage will take
  • how that degree of damage or loss is likely to escalate with time following an incident
  • the minimum staffing, facilities and services needed to enable business processes to continue to operate at a minimum acceptable level
  • the time for full recovery of the business processes
(ENISA)
G17 Incident: An event [G.11] that has been assessed as having an actual or potentially adverse effect on the security or performance of a system.
(ENISA)
G18 Interested Party: Person or group having an interest in the performance or success of an organization’s mission or objectives.
(ISO/IEC Guide 73)
G19 Mitigation: Limitation of any negative consequence [G.4] of a particular event [G.11].
(ISO/IEC Guide 73)
G20 Monitor and Review: The establishment of an ongoing process for measuring the efficiency and effectiveness of the organization’s Risk Management processes. This process makes sure that the specified management action plans remain relevant and updated. It also implements control activities, including re-evaluation of the scope and compliance with decisions.
(ENISA)
G21 Priority: Sequence in which an incident [G.17] or problem needs to be resolved, based on impact [G.15] and urgency.
(ENISA)
G22 Probability: Extent to which an event [G.11] is likely to occur.
(ENISA)
G23 Procedure: A written description of a course of action to be taken to perform a given task.
(ENISA)
G24 Process: An organized set of activities which uses resources to transform inputs to outputs.
(ENISA)
G25 Process Owner: An individual held accountable and responsible for the workings and improvement of one of the organization's defined processes [G.24] and its related sub-processes.
(ENISA)
G26 Residual Risk: Risk [G.27] remaining after risk treatment [G.45].
(ISO/IEC Guide 73)
G27 Risk: The potential that a given threat will exploit vulnerabilities of an asset [G.3] or group of assets and thereby cause harm to the organization.
(ISO/IEC PDTR 13335-1)
G28 Risk Acceptance: The potential that a given threat will exploit vulnerabilities of an asset [G.3] or group of assets and thereby cause harm to the organization.
(ISO/IEC PDTR 13335-1)
(Definition adopted from ISO/IEC Guide 73 with some modification by ENISA)
G29 Risk Analysis: Systematic use of information to identify sources [G.48] and to estimate the risk [G.27].
(ISO/IEC Guide 73)
G30 Risk Assessment: A scientific and technologically based process [G.24] consisting of three steps: risk identification [G.38], risk analysis [G.29] and risk evaluation [G.36].
(ENISA)
G31 Risk Avoidance: Decision not to become involved in, or action to withdraw from, a risk [G.27] situation.
(ISO/IEC Guide 73)
G32 Risk Communication: A process [G.24] to exchange or share information about risk [G.27] between the decision-maker and other stakeholders [G.50].
  • The information can relate to the existence, nature, form, probability [G.22], severity, acceptability, treatment or other aspects of risk.
(ISO/IEC Guide 73)
G33 Risk Control: Actions implementing risk management [G.39] decisions.
  • Risk [G.27] control may involve monitoring, re-evaluation, and compliance with decisions.
(ISO/IEC Guide 73)
G34 Risk Criteria: Terms of reference by which the significance of risk [G.27] is assessed.
  • Risk criteria can include associated costs and benefits, legal and statutory requirements, socio-economic aspects, the concerns of stakeholders [G.50], priorities [G.21] and other inputs to the assessment.
(ISO/IEC Guide 73)
G35 Risk Estimation: Process [G.24] used to assign values to the probability [G.22] and consequences [G.4] of a risk [G.27].
(ISO/IEC Guide 73)
G36 Risk Evaluation: Process [G.24] of comparing the estimated risk [G.27] against given risk criteria [G.34] to determine the significance of risk.
(ISO/IEC Guide 73)
G37 Risk Financing: Provision of funds to meet the cost of implementing risk treatment [G.45] and related costs.
(ISO/IEC Guide 73)
G38 Risk Identification: Process [G.24] to find, list and characterize elements of risk [G.27].
(ISO/IEC Guide 73)
G39 Risk Management: The process [G.24], distinct from risk assessment [G.30], of weighing policy alternatives in consultation with interested parties [G.18], considering risk assessment and other legitimate factors, and selecting appropriate prevention and control options.
(ENISA)
G40 Risk Optimization: Process [G.24], related to a risk [G.27], to minimize the negative and to maximize the positive consequences [G.4] and their respective probabilities [G.22].
(ISO/IEC Guide 73)
G41 Risk Perception: Way in which a stakeholder [G.50] views a risk [G.27], based on a set of values or concerns.
  • Risk perception depends on the stakeholder’s needs, issues and knowledge.
  • Risk perception can differ from objective data.
(ISO/IEC Guide 73)
G42 Risk Reduction: Actions taken to lessen the probability [G.22], negative consequences [G.4] or both, associated with a risk [G.27].
(ISO/IEC Guide 73)
G43 Risk Retention: Acceptance of the burden of loss, or benefit of gain, from a particular risk [G.27].
  • Risk retention includes the acceptance of risks that have not been identified.
  • Risk retention does not include treatments involving insurance, or transfer by other means.
(ISO/IEC Guide 73)
G44 Risk Transfer: Sharing with another party the burden of loss or benefit of gain, for a risk [G.27].
  • Legal or statutory requirements can limit, prohibit or mandate the transfer of certain risk.
  • Risk transfer can be carried out through insurance or other agreements.
  • Risk transfer can create new risks or modify existing risk.
(ISO/IEC Guide 73)
G45 Risk Treatment: Process [G.24] of selection and implementation of measures to modify risk [G.27].
  • Risk treatment measures can include avoiding, optimizing, transferring or retaining risk.
(ISO/IEC Guide 73)
G46 Safeguards: Practices, procedures [G.23] or mechanisms that reduce risk.
  • The term 'safeguard' is normally considered to be synonymous with the term 'control'.
(ISO/IEC PDTR 13335-1)
G47 Security: All aspects related to defining, achieving, and maintaining data confidentiality [G.7], integrity [G.8], availability [G.6], accountability [G.2], authenticity, and reliability.
  • A product, system, or service is considered to be secure to the extent that its users can rely on it to function (or that it will function) in the intended way.
(ISO/IEC WD 15443-1)
G48 Source: Item or activity having a potential for a consequence [G.4].
(ISO/IEC Guide 73)
G49 Source Identification: Process [G.24] to find, list and characterize sources [G.48].
(ISO/IEC Guide 73)
G50 Stakeholder: Any individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a risk [G.27].
(ISO/IEC Guide 73)
G51 Threat: Any circumstance or event with the potential to adversely impact an asset [G.3] through unauthorized access, destruction, disclosure, modification of data, and/or denial of service.
(ENISA)
G52 Vulnerability: The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.
(ITSEC)