Cybersecurity Glossary for Non-IT Professionals

It’s becoming increasingly important for business owners, board members, and non-IT leaders to understand the basics of cybersecurity. Unfortunately, the cybersecurity industry doesn’t make it easy with loads of acronyms, dense jargon, and highly technical explanations of even simple concepts. That’s why we’ve designed our cybersecurity glossary for non-IT professionals.

Access Control

This refers to both a tool and a process. Access control is designed to give access to information or systems only to those who need it. For example, access control can prevent frontline workers from accessing all employee HR files.

Access control is primarily done in 3 ways:

  • Discretionary Access Control (DAC) – Gives permissions/privileges to specific people to access specific things.
    • e.g. John Smith has access to Payroll.
  • Mandatory Access Control (MAC) – Assigns people and systems a label, then limits access based on those labels, with those holding a higher clearance able to access more.
    • e.g. John Smith has a “Top Secret” label, and Payroll access is granted to anyone with a “Classified” designation or higher.
  • Role Based Access Control (RBAC) – Controls access through job labels (roles) assigned to people so they can accomplish job-related tasks.
    • e.g. John Smith is an Accountant, so he can access any software on the Accounting department list.
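The three models above, encoded as a small policy checker. This is an added example, not code from the original glossary; the clearance ladder, the second user (Jane Doe) and the resource names other than Payroll are assumptions made to give each model something to decide.

```python
"""DAC, MAC and RBAC decisions for the glossary's John Smith examples (constructed data)."""
from dataclasses import dataclass, field

# Assumed clearance ladder for MAC: a higher index means a higher clearance.
CLEARANCE_ORDER = ["Unclassified", "Classified", "Secret", "Top Secret"]


def clearance_rank(label: str) -> int:
    """Position of a label on the ladder; an unknown label ranks below everything."""
    try:
        return CLEARANCE_ORDER.index(label)
    except ValueError:
        return -1


@dataclass
class AccessPolicy:
    # DAC: explicit grants, person -> set of resources that person may use
    dac_grants: dict = field(default_factory=dict)
    # MAC: each person's clearance label and the minimum label each resource requires
    user_labels: dict = field(default_factory=dict)
    resource_labels: dict = field(default_factory=dict)
    # RBAC: each person's job role and the resources each role may use
    user_roles: dict = field(default_factory=dict)
    role_permissions: dict = field(default_factory=dict)

    def dac_allows(self, user: str, resource: str) -> bool:
        """DAC: only an explicit grant to this person opens the resource."""
        return resource in self.dac_grants.get(user, set())

    def mac_allows(self, user: str, resource: str) -> bool:
        """MAC: the person's clearance must be at or above the resource's label."""
        user_rank = clearance_rank(self.user_labels.get(user, ""))
        needed = clearance_rank(self.resource_labels.get(resource, ""))
        if user_rank < 0 or needed < 0:   # fail closed on unknown labels
            return False
        return user_rank >= needed

    def rbac_allows(self, user: str, resource: str) -> bool:
        """RBAC: access follows the person's role, not the person."""
        role = self.user_roles.get(user)
        return resource in self.role_permissions.get(role, set())


def build_glossary_policy() -> AccessPolicy:
    """The glossary's examples plus one assumed second employee, as policy data."""
    return AccessPolicy(
        dac_grants={"John Smith": {"Payroll"}},
        user_labels={"John Smith": "Top Secret", "Jane Doe": "Unclassified"},
        resource_labels={"Payroll": "Classified"},
        user_roles={"John Smith": "Accountant", "Jane Doe": "Receptionist"},
        role_permissions={"Accountant": {"Payroll", "General Ledger"},
                          "Receptionist": {"Visitor Log"}},
    )


if __name__ == "__main__":
    policy = build_glossary_policy()
    for model in ("dac", "mac", "rbac"):
        decide = getattr(policy, f"{model}_allows")
        print(f"{model.upper():4} John Smith -> Payroll: {decide('John Smith', 'Payroll')}")
```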

APT (Advanced Persistent Threat)

An Advanced Persistent Threat (APT) is a security breach that allows an attacker to gain access to or control of a system for an extended period of time. The attackers are able to stay in your systems, often unnoticed, for days, months, or even years, collecting data before you’re ever aware they exist. Some of the most well-known (and best named) APT attacks include Titan Rain, GhostNet, and Deep Panda.

AV (Anti-Virus/Anti-malware)

A security program designed to monitor a system for malicious software. The anti-virus (AV) software will then try to remove or quarantine any threats.


Asset

An asset is a person, place, or thing, tangible or intangible, used to complete business tasks. Assets include equipment (like phones and computers), software code, data, facilities, personnel, and more.


Authentication

The process of proving a person is who they say they are. Authentication can happen by having the person provide one of the following:
  • Something they know (like a password or security question)
  • Something they are (a biometric measure like a fingerprint or face scan)
  • Something they have (like a token or authenticator app on a phone)


Authorization

The security mechanism that determines and enforces what users are able to do. Authorization uses the rules and roles established in Access Control (DAC, MAC, and RBAC) to determine what an authenticated user can do.


Behavior monitoring

Recording the events and activities of a system and its users. These recorded events can then be compared against security policies and behavioral baselines to find violations or anomalies. By monitoring behaviors, you can establish trendlines that help spot increasing errors (indicating more tech support is needed), abnormal load levels (often indicating malicious activity), or the point at which production/growth means you need to upgrade/expand your capacity.

BCP (Business Continuity Planning)

Business continuity planning (BCP) is the act of creating a business management plan to resolve issues that threaten core business tasks. The goal of BCP is to limit the impact of breaches and/or accidents by ensuring core business tasks can continue. BCP can help get business back into operation quickly in the event of a cyber attack, ransomware event, or natural disaster. If operations have been impacted past the level of your BCP protocol, it’s time to work through a Disaster Recovery Process.

Black-box Testing

A version of penetration testing where the customer provides network access, but no information other than static IP addresses. Black-box testing mimics real-world cyber attacks and tests all levels of security defenses (firewalls, EDR tools, etc.). It is the most time-consuming and expensive form of penetration test.


Blacklist

A security mechanism that blocks specified files or programs from running. The blacklist can contain both benign and malicious software and is often used to prevent users from knowingly or unknowingly running programs that may lead to a breach or other loss of productivity.


Botnet

A group of innocent computers that have been compromised by malicious code, granting an attacker the ability to remotely take advantage of each system’s resources in order to perform illicit or criminal activities. These activities can include DoS flooding attacks, hosting false web services, spoofing DNS, transmitting spam, eavesdropping on network communications, recording VoIP communications, and attempting to crack encryption or password hashes. Botnets can be made up of anywhere from dozens to 1 million+ computers.


CND (Computer Network Defense)

Actions taken and tools implemented to defend a computer network against cyberattacks. A CND is defined by a security policy and can be stress tested using a vulnerability assessment and penetration testing measures.


Cyber Attack

Any attempt to gain unauthorized access to a digital environment. An attack can focus on gathering information, damaging business processes, exploiting flaws, monitoring targets, interrupting business tasks, extracting value, causing damage to logical or physical assets, or using system resources to support attacks against other targets.


Cybersecurity

The efforts to design, implement, and maintain security for an organization’s network, which is connected to the internet. It’s a combination of technical, physical, and personnel-focused countermeasures, safeguards, and security controls. An organization’s cybersecurity should be defined in a security policy, verified (through evaluations like a penetration test or vulnerability scan), and updated as the organization changes and new threats are discovered.

Common Vulnerabilities and Exposures (CVE)

An online database of attacks, exploits, and compromises organized by the MITRE organization for the benefit of the public. It includes any and all types of attacks and abuses known for any type of computer system or software product.


Data breach

Access to or disclosure of confidential information by an unauthorized party. Data breaches may also be the destruction of data or abusive use of a private IT environment.

DDoS/DoS (Distributed Denial of Service/ Denial of Service) Attacks

DDoS and DoS attacks aim to block access to or use of a resource. These can include:
  • Flooding attacks – massive amounts of network traffic are sent in an effort to overload devices/servers
  • Connection exhaustion – repeatedly making connection requests to a target to consume all of its system resources
  • Resource demand – repeatedly requesting a resource from a server in order to keep it too busy to respond to other requests
DoS attacks originate from one source, while DDoS attacks come from multiple sources at the same time.

Digital Forensics

The act of gathering digital information to be used as evidence in a legal procedure. Computer data that is relevant to a security breach and/or criminal action is often mixed with standard, benign data from business functions and personal activities. It can be challenging to properly collect the relevant evidence while complying with the rules of evidence, which is necessary to ensure it is admissible in court.



Encryption

The act of transforming plaintext (the original, readable form of normal data) into ciphertext (i.e. unintelligible, seemingly random data). Encrypt and encode are often used interchangeably.


Endpoint

Endpoints are (mostly) physical devices that connect to a network, such as mobile devices, laptops, desktop computers, IoT devices (thermostats, sensors, etc.), servers, POS devices, printers, wearables, cloud-based servers/apps, and other network devices.

EDR (Endpoint Detection and Response)

Endpoint Detection and Response (EDR) is a security solution designed to protect endpoints. This technology continuously monitors the end-user devices (endpoints) to detect and respond to threats.



Firewall

A security tool, which may be a hardware or software solution, that is used to filter network traffic. A firewall is based on an “implicit deny” stance where all traffic is blocked by default. Rules, filters, or access control lists can be defined to indicate which traffic is allowed to cross the firewall. Advanced firewalls can make allow/deny decisions based on user authentication, protocol, header values, and even payload contents.


Gray-box Testing

Gray-box testing is a version of penetration testing where the customer provides limited information such as the number of active devices, the number of subnets, and IP addresses/ranges. A gray-box test can be used to balance thoroughness and efficiency by simulating an insider threat or an attack that has already breached the network perimeter.


IaaS (Infrastructure as a Service)

Type of cloud computing service where the provider offers the customer the ability to craft virtual networks within their computing environment. Some of the most popular examples of IaaS are Amazon Web Services (AWS), Linode, Microsoft Azure, and Google Compute Engine (GCE).

IDS (Intrusion Detection System)

An Intrusion Detection System (IDS) is a tool that attempts to detect the presence of intruders or the occurrence of security violations. The goal of an IDS is to notify administrators, enable more detailed or focused logging, or trigger a response like blocking an IP or disconnecting a session. IDS is considered a passive security tool as it detects and responds to threats after they have started instead of preventing them.

IPS (Intrusion Prevention System)

An Intrusion Prevention System (IPS) is a security tool designed to detect attempts to compromise the security of a target and then prevent that attack from succeeding. An IPS is considered a more active security tool, as it attempts to proactively respond to potential threats. An IPS can block IP addresses, turn off services, block ports, and disconnect sessions, as well as notify administrators.


MDR (Managed Detection and Response)

Managed Detection and Response (MDR) is a cybersecurity service that uses technology, paired with human expertise, to perform threat hunting, monitoring, and response. MDR solutions are used to protect cloud, on-premises, and hybrid environments by quickly and proactively looking for potential threats and triggering alerts about suspicious activity.

MSP (Managed Services Provider)

A Managed Services Provider (MSP) is a third-party company that manages a company’s IT infrastructure, networks, and end-user systems. An MSP can be a beneficial addition to your business when there is not an internal IT resource to help with selection, procurement, implementation, management, and/or maintenance of IT tools and systems.

MSSP (Managed Security Services Provider)

A Managed Security Services Provider (MSSP) is a third-party company that manages cybersecurity for an organization or business. The MSSP can offer a variety of services including consulting, monitoring, alerting, implementation of security tools, remediation, and more to help a business stay protected from cybersecurity threats.


NIST CSF (National Institute of Standards and Technology Cybersecurity Framework)

The National Institute of Standards and Technology (NIST) has been charged by the U.S. Government with creating a standardized cybersecurity framework. The NIST CSF was originally designed to help ensure the security of critical infrastructure systems, but it has been widely adopted by non-governmental organizations. A main advantage of using the NIST CSF is that it provides standardized language so that security and risk levels can be quantified across businesses and industries in a supply chain.



Patch

An update or change to an operating system or application. A patch is often used to repair flaws or bugs in deployed code as well as to introduce new features and capabilities. It is good security practice to test all updates and patches before implementation and to stay current on patches in order to run the latest version of the code, which has the fewest known flaws and vulnerabilities.

Patch Management

The management activity related to researching, testing, approving and installing updates and patches to computer systems, firmware, operating systems and applications. Patch management is an essential part of security management in order to prevent downtime, minimize vulnerabilities and prevent new untested updates from interfering with productivity.

Penetration Testing (Pen Test)

A security evaluation where automated tools and manual exploitation are performed by security and attack experts. This is an advanced security assessment that should only be used by environments with a mature security infrastructure. A penetration test will use the same tools, techniques, and methodologies as criminal hackers, and thus it can cause downtime and system damage in some cases. These evaluations are designed to assist with securing a network by discovering flaws that are not visible to automated tools, such as those based on human (i.e. social engineering) or physical attack concepts. This is sometimes also known as “ethical hacking.”


Phishing

A social engineering attack that attempts to collect information from victims. Phishing attacks can take place over e-mail, text messages, through social networks, or via smartphone apps. The goal of a phishing attack may be to learn logon credentials, credit card information, system configuration details, or other company, network, computer, or personal identity information. Phishing attacks are often successful because they mimic legitimate communications from trusted entities or groups, such as false emails from a bank or a retail website. The text message version is sometimes known as “smishing,” while the phone call/voicemail equivalent is known as “vishing.”



Ransomware

Ransomware is a form of malware that holds a victim’s data hostage on their computer, usually through strong encryption. This is followed by a demand for payment (often in the form of Bitcoin) in order to release access to systems and control of the captured data back to the user.

Risk Assessment

The process of evaluating the state of risk of an organization. Risk assessment is often initiated by taking an inventory of all assets, assigning each asset a value, and then considering any potential threats against each asset. Threats are evaluated for their exposure factor (EF) (i.e. the amount of loss that would be caused by the threat causing harm) and frequency of occurrence (i.e. ARO, Annualized Rate of Occurrence) in order to calculate a relative risk value known as the ALE (Annualized Loss Expectancy). The largest ALE indicates the biggest concern or risk for the organization.
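The EF/ARO/ALE calculation above carried through on a small asset inventory, so the "largest ALE" ranking can be seen. This is an added example, not from the original glossary; it uses the standard relationship SLE = asset value × EF and ALE = SLE × ARO, and the asset values, exposure factors and rates are constructed, illustrative figures.

```python
"""Annualized Loss Expectancy (ALE) ranking for a constructed asset inventory."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    exposure_factor: float   # EF: fraction of the asset's value lost if the threat occurs (0.0 to 1.0)
    aro: float               # ARO: expected number of occurrences per year


@dataclass(frozen=True)
class Asset:
    name: str
    value: float             # value assigned to the asset during the inventory
    threats: tuple           # Threat objects considered against this asset


def single_loss_expectancy(asset_value: float, ef: float) -> float:
    """SLE = asset value x EF: the loss from one occurrence of the threat."""
    if not 0.0 <= ef <= 1.0:
        raise ValueError("exposure factor must be between 0 and 1")
    return asset_value * ef


def annualized_loss_expectancy(asset_value: float, ef: float, aro: float) -> float:
    """ALE = SLE x ARO: the expected loss per year from this threat."""
    if aro < 0:
        raise ValueError("ARO cannot be negative")
    return single_loss_expectancy(asset_value, ef) * aro


def rank_risks(assets) -> list:
    """Return (asset name, threat name, ALE) rows with the largest ALE first."""
    rows = []
    for asset in assets:
        for threat in asset.threats:
            ale = annualized_loss_expectancy(asset.value, threat.exposure_factor, threat.aro)
            rows.append((asset.name, threat.name, ale))
    return sorted(rows, key=lambda row: row[2], reverse=True)


# Constructed inventory: the values and rates are illustrative, not real figures.
SAMPLE_INVENTORY = (
    Asset("Customer database", 500_000.0, (
        Threat("Ransomware", exposure_factor=0.6, aro=0.2),          # about once in 5 years
        Threat("Insider data theft", exposure_factor=0.3, aro=0.1),  # about once in 10 years
    )),
    Asset("Office laptops", 80_000.0, (
        Threat("Lost or stolen laptop", exposure_factor=0.05, aro=4.0),  # four per year
    )),
)

if __name__ == "__main__":
    for asset_name, threat_name, ale in rank_risks(SAMPLE_INVENTORY):
        print(f"{asset_name:20} {threat_name:22} ALE = {ale:>10,.0f}")
```

Note how the frequent, low-impact laptop losses (ALE 16,000) outrank the rare insider theft (ALE 15,000) even though a single insider incident would cost far more; ALE is what makes those comparable.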

Risk Management

The process of performing a risk assessment and evaluating the responses to risk in order to mitigate or otherwise handle the identified risks. Countermeasures, safeguards or security controls are to be selected that may eliminate or reduce risk, assign or transfer risk to others (i.e. outsourcing or buying insurance) or avoid and deter risk. The goal is to reduce risk down to an acceptable or tolerable level.


Security Control

Anything used as part of a security response strategy which addresses a threat in order to reduce risk. Also known as countermeasure or safeguard.

Security Information and Event Management (SIEM)

A formal process by which the security of an organization is monitored and evaluated on a constant basis. SIEM helps to automatically identify systems that are out of compliance with the security policy as well as to notify the IRT (Incident Response Team) of any security violating events.

SOC (Security Operations Center)

A Security Operations Center (SOC) is a team of IT professionals who are responsible for protecting an organization from cyber threats. These professionals configure, use, and maintain tools such as firewalls, EDRs, and others to spot and stop cybersecurity threats.

Social Engineering

An attack focusing on people rather than technology. This type of attack is psychological and aims to either gain access to information or to a virtual or physical environment. A social engineering attack may be used to gain access to a facility by tricking a worker into assisting by holding the door when making a delivery, gaining access into a network by tricking a user into revealing their account credentials to the false technical support staff, or gaining copies of data files by encouraging a worker to cut-and-paste confidential materials into an e-mail or social networking post.

Spear Phishing

While phishing casts a wide net to capture the information of any unsuspecting target, spear phishing is an attack that is targeted at a specific person or group. A spear phishing message is often an e-mail (although there are text message and VoIP spear phishing attacks as well) which looks exactly like a legitimate communication from a trusted entity. The attack tricks the victim into clicking on a hyperlink to visit a company website, only to be re-directed to a false version of the website operated by attackers. The false website will often look and operate similarly to the legitimate site and focus on having the victim provide their login credentials and potentially other personal identity information such as answers to their security questions, an account number, their social security number, mailing address, email address, and/or phone number. The goal of a spear phishing attack is to steal identity information for the purpose of account takeover or identity theft.


Threat assessment

The process of evaluating the actions, events, and behaviors that can cause harm to an asset or organization. Threat assessment is an element of risk assessment and management. (Also known as threat modeling and threat inventory.)


VPN (Virtual Private Network)

A communication link between systems or networks that is typically encrypted in order to provide a secured, private, isolated pathway of communications.


Vishing

A form of phishing attack which takes place over VoIP (telephone systems). In this attack, the attacker uses VoIP systems to call any phone number and often falsifies their caller ID in order to trick the victim into believing they are receiving a phone call from a legitimate or trustworthy source such as a bank, retail outlet, law enforcement, or charity. The victims do not need to be using VoIP themselves in order to be targeted over their phone system by a vishing attack.


Vulnerability

Any weakness in an asset or security protection which would allow a threat to cause harm. It may be a flaw in coding, a mistake in configuration, a limitation of scope or capability, an error in architecture, design, or logic, or a clever abuse of valid systems and their functions. Known vulnerabilities can be detected via a vulnerability scan and may require patches, reconfigurations, or other changes to be fixed.


White-box Testing

A style of assessment where the organization provides the assessor with detailed information about the network, including IP addresses, network diagrams, and more. By providing this information, the assessor will be able to quickly simulate a targeted attack on a specific system using as many attack vectors as possible.


Whitelist

A pre-approved list of software programs that are allowed to run. The whitelist is often a list of the file name, path, file size, and hash value of the approved software. Any code that is not on the list, whether benign or malicious, will not be able to execute on the protected system.
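The whitelist check described above (name, path, size and hash all matching) next to the blacklist stance from the earlier Blacklist entry, so the difference in how each treats a never-before-seen program is visible. This is an added example, not code from the original glossary; the three program files are constructed in a temporary directory and the file names are assumptions.

```python
"""Allow-list (whitelist) and deny-list (blacklist) checks on constructed files."""
import hashlib
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedProgram:
    """One whitelist entry: the four attributes the glossary names."""
    file_name: str
    path: str
    size: int
    sha256: str


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def describe(path: str) -> ApprovedProgram:
    """Measure a program on disk the same way the whitelist records it."""
    return ApprovedProgram(os.path.basename(path), os.path.abspath(path),
                           os.path.getsize(path), sha256_of(path))


def whitelist_allows(path: str, whitelist: set) -> bool:
    """Default deny: run only if name, path, size AND hash all match an approved entry."""
    return os.path.isfile(path) and describe(path) in whitelist


def blacklist_blocks(path: str, blocked_hashes: set) -> bool:
    """Default allow: stop only programs whose hash is already on the list."""
    return os.path.isfile(path) and sha256_of(path) in blocked_hashes


def demo() -> dict:
    """Three constructed files: one approved, one known-bad, one never seen before."""
    with tempfile.TemporaryDirectory() as d:
        paths = {n: os.path.join(d, n) for n in ("payroll.exe", "knownbad.exe", "newtool.exe")}
        for name, p in paths.items():
            with open(p, "wb") as f:
                f.write(f"constructed contents of {name}".encode())
        whitelist = {describe(paths["payroll.exe"])}
        blocked = {sha256_of(paths["knownbad.exe"])}
        results = {
            "wl_approved": whitelist_allows(paths["payroll.exe"], whitelist),   # True
            "wl_new": whitelist_allows(paths["newtool.exe"], whitelist),        # False: not listed
            "bl_knownbad": blacklist_blocks(paths["knownbad.exe"], blocked),    # True
            "bl_new": blacklist_blocks(paths["newtool.exe"], blocked),          # False: unknown runs
        }
        # Tamper with the approved program: same name and path, one extra byte appended
        with open(paths["payroll.exe"], "ab") as f:
            f.write(b"!")
        results["wl_tampered"] = whitelist_allows(paths["payroll.exe"], whitelist)  # False
        return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check:12} {outcome}")
```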


XDR (Extended Detection and Response)

A holistic approach to threat detection that allows for monitoring, detection, and response to threats across endpoints, networks, and clouds. XDR platforms take in data from many assets and pair it with machine learning, AI, and behavior monitoring trendlines to get a clear view of the safety and security of the entire environment. An XDR platform may only be able to work with data from specific tools (usually those made by the XDR platform’s parent company) or it can be an “Open XDR” which allows data to be accepted from a wide variety of tools.

Tristin Zeman

Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.
