Converged Security Definitions

A Perspective

These definitions represent Jim McConnell’s working perspective, built from 36+ years of converged security practice across industries, organizations, and 14+ countries. They are not legal definitions, regulatory standards, or universally accepted industry terms. Your organization may define these terms differently based on your industry, jurisdiction, contractual obligations, or internal conventions — and that is entirely appropriate.

“If you and your organization use different terms or scope, that is OK; just think about your wording with my scope or whether your scope of that term is broad enough.” — Jim McConnell

Converged Security Definitions

Updated: 18 March 2025  |  57 terms

ALL
All in every language is All — all business units, all employees, all contractors, all suppliers, all countries, all customers, etc.
Analytics
The evaluation of information or data to ask and answer questions that drive changes in an organization.
Assessment
A structured process (e.g., checklist, tools, penetration test, tabletop exercise) for finding (and, where possible, exploiting) vulnerabilities and reporting them with actionable solutions.
Asset
A hard/physical asset (e.g., building), electronic asset (e.g., data on a computer), intellectual property, process, or person.
Assets
Physical, electronic, and intellectual assets that have a material impact or risk to the organization, suppliers, companies, and societies.
Audit
The (independent) verification and validation of a control to verify it meets the legal, regulatory, or business need to protect the business, government, or consumer.
Authorized Fraud
The commitment of fraud by a person who is technically approved/authorized to perform a specific function — they simply abuse that authority to commit the fraud.
Background Investigations
Investigations that are generally proactive in reviewing the background of a person (background checks/investigations) or company (due diligence) to determine the viability and integrity of the individual or company before a relationship is established or renewed.
Buildings
Locations where an organization’s assets are located — this can be as simple as a cinder-block building, a supplier’s warehouse, or more unusual "buildings" like street furniture (an old Telco term).
Classified Information vs. Information Classification
Classically speaking, classified information has been tied to sensitive and critical information assets requiring protection for national security interests. Information classification, by contrast, is the establishment of information owner-defined labels and controls for an organization’s non-public information. These terms have been used interchangeably, but classically, classified information is the implementation of information classification in a government/national security environment.
Compliant
A term indicating that an assessed element (organization, process, technology, function) meets the requirements of a documented standard, generally accepted set of requirements, law, regulation, or legally binding document such as a contract. Compliant does not mean the element is secure.
Cyber Security
The functional role, ideally within a converged security program, to "secure stuff with wires" — protecting against breaches in confidentiality, integrity, and availability.
Distributor / Distribution
A middle entity or person in the supply chain of a product, positioned somewhere between the manufacturer and the end user.
Enterprise-wide
A way of describing the scope of an element of a security program, function, or project where it represents all organizational elements under the Chief Executive Officer.
Ethical Stop
A term coined by Jim McConnell in fraud and insider threat presentations: the goal of a security and ethics department to encourage people not to go beyond a certain point of unethical behavior — for instance, stopping at stealing pens.
First Responder
An individual trained in one or more emergency response disciplines who is generally (part of) the first group of individuals on scene to care for others or prevent further crisis.
Fraud
Any activity that relies on deception in order to achieve a gain. Fraud becomes a crime (and thus a security concern) when it involves a knowing misrepresentation of the truth or concealment of a material fact to induce another to act to their detriment, based on the Fraud Triangle.
Fraud Investigations
Sometimes called a Fraud Examination — investigations that specifically focus on fraud and usually involve specialized skill sets around financial crimes, occupational fraud, and fraud analytics.
Fraud Management
The end-to-end coverage of activities involved in preventing, discovering, investigating, and mitigating fraud — including but not limited to fraud awareness, proactive fraud analytics, pre-deployment fraud assessments, mitigation, corrective action project management, and investigations.
HR Investigations
Personnel investigations involving employees, usually (but not always) run by HR team members rather than the security department. These tend to involve what some call social policy violations, such as hostile work environments and sexual harassment.
Incident Response
The immediate reaction to a safety or security incident, involving steps to reestablish a safe environment for ongoing business operations. One or more investigations may follow after response is prioritized, to determine cause and implement ongoing mitigation.
Information
Classic definition: Facts provided or learned about something or someone. Contextual definition: Facts supplied or learned about an organization’s assets, or assets it is entrusted to manage and secure, regardless of form or where they are located.

Information Security
The prevention, detection, and corrective/response actions to protect the confidentiality, integrity, and availability of an organization’s information or information entrusted to the organization.
Information Security vs. Cyber / Application / Network / Privacy Security
It has been said that cyber security was once defined as securing things with wires. The securing of electronic systems incorporates not just security of information, but also the security of services operating within cyber, application, and network technology. Security of both information and these other areas is important — but without information, organizations do not exist; without technology-based services, organizations cannot run.
Infrastructure
All the technology you do not see — but unplug it, fail to maintain it, and your security department and security controls go downhill fast.
Insider Threat
The pre-action awareness and indicators that an insider in an organization is planning to commit a security offense in the near future. Also used as the label for the overall prevention, detection, and response to an insider’s malicious actions.
Insider Threat (Non-Malicious)
A term sometimes used to describe situations where an insider, without malicious intent, carries out an act with a malicious effect while simply following standard protocols or weak controls. Another malicious party (insider or outsider) has generally social-engineered this insider into assisting in the malicious activity.
Investigations
The collection, analysis, and reporting of facts to prove or disprove an allegation of wrongdoing or an incident. Facts can include any evidence detectable or produced by the five senses. Investigations can cover areas such as safety (e.g., a train derailment) that are not necessarily security investigations, and are not limited to any specific group of human victims or perpetrators.
Law Enforcement Agency
An entity commissioned by the laws of the land to prevent, detect, and respond to crime committed against individuals, companies, governments, or property.
Link Analysis
An analytical investigative technique usually presented visually — on a board or with software — to connect elements, entities, and evidence of an incident, background check, or due diligence in order to better visualize interconnections and possibly related incidents.
Loss Prevention
Usually tied to the retail, transportation, and logistics industries, with a focus on preventing and investigating the theft of products throughout the supply chain.
Pen Test
A structured vulnerability exploitation process designed to test prevention, detection, and response controls of a target — usually a technology-based or physical building/area-based target. Utilizes people, process, technology, tools, and physical environments to accomplish the defined scope of the test.
Personnel
Employees and non-employees (e.g., suppliers or contractors) with physical or logical/electronic access to confidential assets. Generally, this does not include the general public or customers.
Personnel Investigations
A specific investigation area focused on allegations involving employees. Some practitioners also include contractors in this category.
Risk
The (hopefully measured) probability that something bad is going to happen.
Risk Management
The management of controls to reduce the probability that something bad will happen to the lowest level practical for an organization, taking into consideration brand, legal, cost, operations, and productivity.
Security
The prevention and detection of, and response to, a crime or violation of company policy.
Security Assessment
The assessment of a defined scope to determine whether the assets within that scope are susceptible to (or have been victimized by) being part of a crime or violation of an organization’s policies.
Security Audit
The assessment of a defined scope to determine whether the assets within that scope are susceptible to (or have been victimized by) being part of a crime or violation of an organization’s policies. Security audits are also tied to compliance scope and are usually reported to a board, audit committee, or other oversight body.
Security Department Technology
The tools used or managed by the Security Department — such as websites, databases, analytics tools, desktops, servers, IoT devices, applications, networks, mobile devices, or software (open source, commercial, or proprietary).
Security Investigations
An investigation that involves a crime or violation of an organization’s policies or Code of Conduct.
Security Response
The tools, techniques, and procedures used to prevent, detect, and respond to an incident (observe–orient–decide–act [OODA Loop] approach).
Software
Firmware, disk-based software, cloud-based software, operating system level, database level, application level, etc.
Subcontractors
Any external entity used by your direct suppliers from which you receive products or services that affect risk to the company — regardless of whether you pay them directly or indirectly, and regardless of whether you have them under contract.
Supply Chain (Vendor / Supplier / Third Party)
Any external entity from which you receive products or services that affect risk to the company — regardless of whether you pay them directly or indirectly, and regardless of whether you have them under contract.
Supply Chain Investigations
Investigations involving a supplier or vendor and the organization. Like other specialized investigations, this area requires special skill sets to address the unique attributes related to the supply chain.
Threat
The direct or implied communication of intent to inflict harm or loss on another person or entity.
Threat Assessment
The one-time or recurring evaluation of actions, indicators, or communications by a person, entity, or technology that is believed to be planning a breach, attack, or other malicious action against another person, technology, or entity.
Threat Management
The ongoing actions to prevent, detect, and respond to threats posed by an individual, entity, or technology.
Training
The education of an individual through any organizationally acceptable means — trackable and culturally adapted — that communicates the security rules, standards, guidelines, good practices, and procedures recommended and required for an organization’s safe and secure success, demonstrates how to implement them, and tests students on them. This does not require an employee to serve as trainer/teacher, but a dedicated employee managing the training program is recommended.
Training Sustainment Timing
Some training should be annual; some monthly. Some should be recurring (e.g., via screensaver splash screens). Some should repeat the same content; others should progressively increase in difficulty.
Vulnerability
A weakness in a physical or electronic asset, procedure, or implementation that could be exploited or triggered by a threat source or an operational security assessor. Some people, cultures, environments, or organizations prefer the phrase "security gap" — the underlying concept is the same.
Vulnerability Assessment
The discovery or detection of weaknesses in people, processes, technology, or other company assets (e.g., buildings) that would make them susceptible to being used to commit a crime or violation of organizational policies. May also involve probability, mitigation, and impact analysis.
Vulnerability Discovery
The method, whether used by a malicious party or by an operational security assessor, for finding a vulnerability in a person, physical asset, electronic asset, procedure, or implementation. Discovery does not necessarily mean the vulnerability was exploited — for example, observing a door with exposed hinges or a computer running EOL/EOS software without taking advantage of the finding.
Vulnerability Exploit(ed)
The active application of methods that use a discovered weakness to take advantage of it and compromise an asset — executed by either a threat source or an operational security assessor.
Vulnerability Management
The ongoing actions to prevent, detect, and respond to vulnerabilities posed by individuals, entities, or technology. Patch management is a subset of overall vulnerability management, not a synonym for it.
Wholesale
A middle entity or person in the supply chain of a product, positioned between the manufacturer and the end user — usually the first entity after the manufacturer that sells to various parties, though generally not directly to a retail consumer.
