Browse — Entity Type · Metric
128 terms
| Term | Type | Definition | Classifications |
|---|---|---|---|
| accuracy | noun | The quality or state of being correct, precise, or near to the true value. | Metric, Regulated |
| Aggregate Short Position | noun | The sum of a Settlement Member's short positions, each such short position expressed in its base currency equivalent and adjusted by the applicable haircut. | Metric, Regulated |
| Bandwidth | noun | Terminology used to indicate the transmission or processing capacity of a system or of a specific location in a system (usually a network system) for information (text, images, video, sound). Bandwidth is usually defined in bits per second (bps) but is also usually described as either large or small. Where a full page of English text is about 16,000 bits, a fast modem can move approx. 15,000 bps. Full-motion, full-screen video requires about 10,000,000 bps, depending on compression. | Metric |
| Behavioral Outcome | noun | What an individual who has completed the specific training module is expected to be able to accomplish in terms of IT security-related job performance. | Metric |
| Benchmark | noun | A standard, or point of reference, against which things may be compared or assessed. | Metric |
| Bit Error Rate | noun | Ratio between the number of bits incorrectly received and the total number of bits transmitted in a telecommunications system. | Metric |
| Bits per second (BPS) | noun | A measurement of how fast data moves from one place to another. A 28.8 modem can move 28,800 bits per second. | Metric |
| Business Value | noun | How much a business is worth. Business value is a highly subjective measure because it involves estimating the value of intangible assets like trade secrets and brand recognition. It adds to this the value of tangible assets like machinery and stockholder equity. Business value is especially important for potential investors or buyers. | Metric, Confidential IP |
| completeness | noun | The state of having all the necessary or appropriate parts; having everything that is needed. | Metric |
| completion date | noun | A date when something will be finished, especially the date when a new building, road, etc. will be finished according to a contract; or the date when the ownership of a property legally passes from one person to another. | Metric |
| complexity | noun | The degree of intricacy of a system or system component, determined by such factors as the number of conditional branches, the degree of nesting, and the length and types of data structures. (CMS) | Metric |
| compliance risk | noun | The risk to current and prospective earnings that arises from violating or not acting in accordance with laws, rules, regulations, prescribed practices, or ethical standards. | Metric, Regulated |
| cost | noun | The monetary value of resources used or sacrificed or liabilities incurred to achieve an objective, such as to acquire or produce a good or to perform an activity or service. | Metric |
| Coverage | noun | An attribute associated with an assessment method that addresses the scope or breadth of the assessment objects included in the assessment (e.g., types of objects to be assessed and the number of objects to be assessed by type). The values for the coverage attribute, hierarchically from less coverage to more coverage, are basic, focused, and comprehensive. | Metric |
| criticality | noun | A measure of the degree to which an organization depends on the information or information system for the success of a mission or of a business function. | Metric |
| Criticality Level | noun | Refers to the (consequences of) incorrect behavior of a system. The more serious the expected direct and indirect effects of incorrect behavior, the higher the criticality level. | Metric |
| Cryptographic Strength | noun | A measure of the expected number of operations required to defeat a cryptographic mechanism. | Metric |
| cyber risk | noun | The combination of the probability of an event occurring within the realm of an organisation's information assets, computer and communication resources, and the consequences of that event for an organisation. | Metric |
| cyber risk profile | noun | The cyber risk actually assumed, measured at a given point in time. | Metric, Internal |
| cyber risk tolerance | noun | The propensity to incur cyber risk, being the level of cyber risk that an FMI intends to assume in pursuing its strategic objectives. | Metric, Internal |
| Depth | noun | An attribute associated with an assessment method that addresses the rigor and level of detail associated with the application of the method. The values for the depth attribute, hierarchically from less depth to more depth, are basic, focused, and comprehensive. | Metric |
| Distance Vector | noun | Distance vectors measure the cost of routes to determine the best route to all known networks. | Metric |
| effectiveness | noun | The degree to which information is relevant and pertinent to the business process as well as delivered in a timely, correct, consistent, and usable manner. | Metric |
| Entropy | noun | A measure of the amount of uncertainty that an Attacker faces to determine the value of a secret. Entropy is usually stated in bits. | Metric |
| execution status | noun | The status of the implementation or enactment of a plan, order, or course of action. | Metric, Regulated |
| False Acceptance Rate | noun | The measure of the likelihood that the biometric security system will incorrectly accept an access attempt by an unauthorized user. A system's false acceptance rate typically is stated as the ratio of the number of false acceptances divided by the number of identification attempts. | Metric |
| False Rejection Rate | noun | The measure of the likelihood that the biometric security system will incorrectly reject an access attempt by an authorized user. A system's false rejection rate typically is stated as the ratio of the number of false rejections divided by the number of identification attempts. | Metric |
| Guessing Entropy | noun | A measure of the difficulty that an Attacker has to guess the average password used in a system. In this document, entropy is stated in bits. When a password has n bits of guessing entropy, an attacker has as much difficulty guessing the average password as in guessing an n-bit random quantity. The attacker is assumed to know the actual password frequency distribution. | Metric |
| Haircut | noun | With respect to an eligible currency, the percentage increase of a negative currency balance or reduction of a positive currency balance, based on (a) the volatility of the historic foreign exchange movements in the applicable eligible currency determined by CLS Bank and (b) an add-on component. | Metric, Regulated |
| High Impact | noun | The loss of confidentiality, integrity, or availability that could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; i.e., (1) causes a severe degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (2) results in major damage to organizational assets; (3) results in major financial loss; or (4) results in severe or catastrophic harm to individuals involving loss of life or serious life-threatening injuries. | Metric, Regulated, CUI |
| Impact | noun | The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. | Metric |
| Impact Level | noun | The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability. | Metric, Regulated |
| Impact Value | noun | The assessed potential impact resulting from a compromise of the confidentiality, integrity, or availability of an information type, expressed as a value of low, moderate, or high. | Metric |
| incoming debit and credit total | noun | The total balance of all credit and debit postings that go into an account. | Metric, Regulated |
| Information Security risk | noun | The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems. See Risk. | Metric, Regulated, CUI |
| Information Technology risk | noun | Any possibility of harm or damage related to Information Technology systems and data. | Metric |
| Information Value | noun | A qualitative measure of the importance of the information based upon factors such as: level of robustness of the Information Assurance controls allocated to the protection of information based upon: mission criticality, the sensitivity (e.g., classification and compartmentalization) of the information, releasability to other countries, perishability/longevity of the information (e.g., short-life data versus long-life intelligence source data), and potential impact of loss of confidentiality and integrity and/or availability of the information. | Metric |
| Inherent risk | noun | The risk level or exposure without taking into account the actions that management has taken or might take (e.g., implementing controls). | Metric |
| IT-Related Risk | noun | The net mission/business impact considering (1) the likelihood that a particular threat source will exploit, or trigger, a particular information system vulnerability, and (2) the resulting impact if this should occur. IT-related risks arise from legal liability or mission/business loss due to, but not limited to: unauthorized (malicious, non-malicious, or accidental) disclosure, modification, or destruction of information; non-malicious errors and omissions; IT disruptions due to natural or man-made disasters; or failure to exercise due care and diligence in the implementation and operation of the IT. | Metric |
| Key risk indicator | noun | A subset of risk indicators that are highly relevant and possess a high probability of predicting or indicating important risk. Scope Note: See also Risk Indicator. | Metric |
| Latency | noun | The time it takes a system and network to respond. Scope Note: More specifically, system latency is the time that a system takes to retrieve data. Network latency is the time it takes for a packet to travel from the source to the final destination. | Metric |
| Level of Concern | noun | Rating assigned to an information system indicating the extent to which protection measures, techniques, and procedures must be applied. High, Medium, and Basic are identified levels of concern. A separate Level-of-Concern is assigned to each information system for confidentiality, integrity, and availability. | Metric, Regulated, CUI |
| Likelihood of Occurrence | noun | In Information Assurance risk analysis, a weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given vulnerability. | Metric |
| Logical Completeness Measure | noun | Means for assessing the effectiveness and degree to which a set of security and access control mechanisms meets security specifications. | Metric |
| Long position | noun | In respect of a currency balance that is greater than zero, the amount by which such currency balance is greater than zero. A position that appreciates in value if market prices increase. When one buys a currency, their position is long. | Metric, Regulated |
| Maximum Tolerable Downtime | noun | The amount of time mission/business processes can be disrupted without causing significant harm to the organization's mission. | Metric |
| measure | noun | To ascertain the size, amount, or degree of (something) by using an instrument or device marked in standard units or by comparing it with an object of known size. | Metric |
| Measures of Effectiveness | noun | Measures of Effectiveness is a probability model based on engineering concepts that allows one to approximate the impact a given action will have on an environment. In Information warfare it is the ability to attack or defend within an Internet environment. | Metric |
| Millions of instructions per second (MIPS) | noun | A general measure of computing performance and, by implication, the amount of work a larger computer can do. | Metric |
| Min-Entropy | noun | A measure of the difficulty that an Attacker has to guess the most commonly chosen password used in a system. | Metric |
| Moderate Impact | noun | The loss of confidentiality, integrity, or availability that could be expected to have a serious adverse effect on organizational operations, organizational assets, individuals, other organizations, or the national security interests of the United States; i.e., (1) causes a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (2) results in significant damage to organizational assets; (3) results in significant financial loss; or (4) results in significant harm to individuals that does not involve loss of life or serious life-threatening injuries. | Metric, Regulated, CUI |
| negative effect | noun | A measure, expressed as a function of the likelihood that an event may occur, how fast the event may impact objectives, and the estimated negative impact that an event may have on objectives or the impact that an event had on objectives. | Metric, Regulated |
| network integrity | noun | The state of a computer network where it is performing its intended functions without being degraded or impaired by changes or disruptions in its internal or external environments. A network is functioning properly when several things occur: applications and clients get enough network availability, applications and clients get proper bandwidth, network security does its job during both peacetime and attack, and network management has complete control of the entire network. | Metric |
| organizational risk tolerance | noun | The level of risk an organization is willing to take in order to achieve a potential desired result. | Metric |
| Outcome measure | noun | Represents the consequences of actions previously taken; often referred to as a lag indicator. Scope Note: Outcome measures frequently focus on results at the end of a time period and characterize historic performance. They are also referred to as key goal indicators (KGI) and used to indicate whether goals have been met. These can be measured only after the fact and, therefore, are called lag indicators. | Metric |
| period of inactivity | noun | The planned or actual time an operation is not engaged in run time, or the active production of a product. Idle time is typically scheduled, for setup, maintenance or other activities, or unscheduled due to lack of a required resource such as material. | Metric |
| PII Confidentiality Impact Level | noun | The PII confidentiality impact level (low, moderate, or high) indicates the potential harm that could result to the subject individuals and/or the organization if PII were inappropriately accessed, used, or disclosed. | Metric, Regulated, PII |
| potential impact | noun | The loss of confidentiality, integrity, or availability could be expected to have: (1) a limited adverse effect (FIPS 199 low); (2) a serious adverse effect (FIPS 199 moderate); or (3) a severe or catastrophic adverse effect (FIPS 199 high) on organizational operations, organizational assets, or individuals. | Metric |
| priority | noun | A category based on impact and urgency used to identify the relative importance of an incident, problem, or change and the required time for action to be taken. For example, the SLA may state that priority 2 incidents must be resolved within 12 hours. | Metric |
| rating | noun | A classification according to a comparative assessment of quality, standard, or performance. | Metric |
| Recipient Usage Period | noun | The period of time during the cryptoperiod of a symmetric key when protected information is processed. | Metric, Regulated |
| Recovery point objective | noun | The point in time to which data must be recovered after an outage. | Metric |
| Recovery point objective (RPO) | noun | The amount of data that can be lost without severely impacting the recovery of operations, or the point in time to which systems and data must be recovered (e.g., the date and time of a business disruption). | Metric, Internal |
| Recovery time objective | noun | The overall length of time an information system's components can be in the recovery phase before negatively impacting the organization's mission or mission/business functions. | Metric |
| Recovery time objective (RTO) | noun | The maximum allowable downtime that can occur without severely impacting the recovery of operations, or the time in which systems, applications, or business functions must be recovered after an outage (e.g., the point in time at which a process can no longer be inoperable). | Metric, Internal |
| reputation | noun | The beliefs, opinion, or social evaluation of the public about someone or something. | Metric |
| Residual risk | noun | The remaining potential risk after all IT security measures are applied. There is a residual risk associated with each threat. | Metric |
| Return on investment | noun | A measure of operating performance and efficiency, computed in its simplest form by dividing net income by the total investment over the period being considered. | Metric |
| risk | noun | A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. [Note: Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. Adverse impacts to the Nation include, for example, compromises to information systems that support critical infrastructure applications or are paramount to government continuity of operations as defined by the Department of Homeland Security.] | Metric |
| risk exposure | noun | The extent of risk faced by an organization that is expressed in terms of either the likelihood or impact of a loss. | Metric |
| risk factor | noun | Measurable characteristic or element, a change in which can affect the value of an asset, such as exchange rate, interest rate, and market price. | Metric |
| risk level | noun | The extent to which a vulnerability could be exploited or the amount of damage that could be done. Risk levels are usually measured in a qualitative manner as high, moderate, or low. | Metric |
| Risk tolerance | noun | The level of risk an entity is willing to assume in order to achieve a potential desired result. | Metric |
| Security Control Effectiveness | noun | The measure of correctness of implementation (i.e., how consistently the control implementation complies with the security plan) and how well the security plan meets organizational needs in accordance with current risk tolerance. | Metric |
| Security Level | noun | A hierarchical indicator of the degree of sensitivity to a certain threat. It implies, according to the security policy being enforced, a specific level of protection. | Metric |
| Security metrics | noun | A standard of measurement used in management of security-related activities. | Metric |
| Security Posture | noun | The security status of an enterprise's networks, information, and systems based on IA resources (e.g., people, hardware, software, policies) and capabilities in place to manage the defense of the enterprise and to react as the situation changes. | Metric, Internal |
| Security Strength | noun | A measure of the computational complexity associated with recovering certain secret and/or security-critical information concerning a given cryptographic algorithm from known data (e.g., plaintext/ciphertext pairs for a given encryption algorithm). | Metric |
| Sensitivity | noun | A measure of the importance assigned to information by its owner, for the purpose of denoting its need for protection. | Metric |
| service level performance | noun | The degree of service expected of a service provider and promised to a client as encapsulated in a contract. | Metric |
| Short position | noun | In respect of a currency balance that is less than zero, the amount by which such currency balance is less than zero. An investment position that benefits from a decline in market price. When one sells a currency, their position is short. | Metric, Regulated |
| Sustainability | noun | The period of time for which operations can continue at an alternate processing facility. | Metric |
| threshold | noun | The level which must be exceeded in order for a certain reaction, phenomenon, result, or condition to occur or be manifested. | Metric |
| Total cost of ownership | noun | Includes the original cost of the computer plus the cost of: software, hardware and software upgrades, maintenance, technical support, training, and certain activities performed by users. | Metric |
| Total cost of ownership (TCO) | noun | The true cost of ownership of a computer or other technology system, including the original cost of the computer and software, hardware and software upgrades, maintenance, technical support, and training. | Metric |
| Total Risk | noun | The potential for the occurrence of an adverse event if no mitigating action is taken (i.e., the potential for any applicable threat to exploit a system vulnerability). | Metric |
| Training Effectiveness | noun | A measurement of what a given student has learned from a specific course or training event. | Metric |
| Training Effectiveness Evaluation | noun | Information collected to assist employees and their supervisors in assessing individual students' subsequent on-the-job performance, to provide trend data to assist trainers in improving both learning and teaching, and to be used in return-on-investment statistics to enable responsible officials to allocate limited resources in a thoughtful, strategic manner among the spectrum of IT security awareness, security literacy, training, and education options for optimal results among the workforce as a whole. | Metric, Internal, PII |
| Trustworthiness | noun | The attribute of a person or organization that provides confidence to others of the qualifications, capabilities, and reliability of that entity to perform specific tasks and fulfill assigned responsibilities. | Metric |
| Uncertainty | noun | The difficulty of predicting an outcome due to limited knowledge of all components. | Metric |
| usage | noun | The action of being used, the manner in which something is used, or the amount of something that is used. | Metric |
| Value | noun | The relative worth or importance of an investment for an enterprise, as perceived by its key stakeholders, expressed as total life cycle benefits net of related costs, adjusted for risk and (in the case of financial value) the time value of money. | Metric |
| work factor | noun | Estimate of the effort or time needed by a potential perpetrator, with specified expertise and resources, to overcome a protective measure. | Metric |