Information security risk management terminology and key concepts


This article is free to access.

Abstract

Language is the foundation of any communication, and the vocabulary used has a decisive influence on how clearly the communication partners can understand each other. In Information Security Risk Management (ISRM), the terminology used is often dictated by industry standards and frameworks. However, there is no universally accepted terminology, which makes collaboration difficult for professionals and researchers alike. This publication compares the terminology defined by frequently used frameworks in the field of ISRM, such as ISO and NIST. It examines the terms and inherent concepts of each terminology, compares their notions of risk, and derives a concept diagram based on the most important key concepts. The result facilitates a common understanding of ISRM across frameworks and organisational boundaries, thus enabling further research, discussion, and intra- and inter-firm communication.

Citation (APA)

Schmidt, M. (2023). Information security risk management terminology and key concepts. Risk Management, 25(1). https://doi.org/10.1057/s41283-022-00108-8
