Communication is incredibly important in the security industry. We must work together, be it in small teams, across organizations, or beyond borders throughout the industry, government, supporting ecosystem and academia. But we have a problem. It has become commonplace to talk past each other with terms a speaker perceives as precise, but audiences interpret in vastly differing ways. In many cases terms can have a multitude of definitions with a high dependency on context. But when the description of the context also contains words with varying or unclear meanings, the problem is compounded.
It causes enough separation to inhibit conveyance of clear ideas, concerns, and expectations.
To make matters worse, the sheer size of the security vocabulary has grown immense and continues to expand. Listening to some conversations, it sounds like a new language of acronym soup: "The ROSI of the SIEM is highly dependent on the SOC's ability to filter False Positives to track APTs and protect SPOFs from Integrity and DoS Availability attacks." I am truly sorry for anyone who actually understood that...
Even the hard-core professionals get tripped up over terms which may be clear in their mind but not so with listeners. Terms like hacker, Advanced-Persistent-Threat (APT), identity, loss, threat, and even what constitutes an 'Attack' can differ greatly. One of the most overused and inconsistently defined terms is 'virus'. It has become a catchphrase, a conglomeration of negative events and computer code, and a moniker for vulnerability. If you asked twenty people to define 'virus', you would likely get twenty-one different answers. It did, at one time, have a very specific definition: a type of code which injected itself into other code or processes and replicated. But today it tends to be used as a term which covers all manner of malware, including Trojans, bots, droppers, worms, spyware, sniffers, loggers, backdoors, ad-ware, Potentially-Unwanted-Programs (PUP), etc. Some of these are actual categories of code, while others are simply descriptions of how that code behaves or what it does. It is a blurry line of delineation to be sure, and all of them actually have their own definitions. It can be all so confusing, and we in the industry are not helping the situation. Does anti-virus software only target viruses? No, of course not. But we cannot be more articulate without the risk of confusing everyone even more!
The industry is hobbled by an inability to consistently and effectively communicate. So, with a big round of applause and gratitude, I want to thank those hard-working folks at NIST. NIST has been busy, very busy. They have released the second draft of their Glossary of Key Information Security Terms, an impressive listing of technical and general industry terms covered in over 200 pages. It is a sizeable document, defining terms from Access to Zone-of-Control. But sadly, it is not even close to a complete reference for computer security vocabulary. The NIST glossary focuses on aggregating the terms and definitions used across their own library of documents. It is not intended to define terms for the whole of security. Acronyms and expressions like ROSI (Return on Security Investment), Crossover Rate (the point where False Positives equal False Negatives, also referred to as the Crossover Error Rate), SOC (Security Operations Center), and CERT (Computer Emergency Response Team) won't be found in those pages.
So how big is the computer security vocabulary? It is a bit scary to ponder and doubtful anyone knows for certain. But until someone comes out with something better, I am adding this to my reference library. In the end, we must all struggle to communicate effectively. Defining common terms goes a long way to make our security industry stronger.