I am turning the tables and am going to ask all of YOU.
Post your examples of policies, regulations, articles, blogs, - basically anything written, that misuses key security terms like risk, threat, vulnerability, etc.....
This could be fun.
Since I (literally) "wrote the book" on security terminology, I'd love to join the game.
I'll start with "social engineering." I mean, really, what we have here is just a fancy term for "lying" most of the time, isn't it? As far as I'm concerned, we are giving the bad guys way too much credit for simple fibs. (Yeah, I'm a teacher, and I know enough psychology and sociology to know that social engineering can be a lot more complicated, and useful, than that. But it isn't the way we apply it to the bad guys.)
Another one the drives me up the wall is APT, or "Advanced Persistent Threat." Just break it down: "Advanced" - we didn't think of this first. "Persistent" - we didn't fix it, so they came back. "Threat" - they did something bad.
Somebody has mentioned cloud. Did you know cloud is actually an acronym? Standing for "Could Lose Our Under Drawers"? We had cloud for decades. We called it time-sharing, or distributed computing, or thin client, etc. It just means "using someone else's computer."
(I give you Slade's Law of Computer History - Those who fail to learn the lessons of computer history are doomed to buy it again--repackaged.)
Another whole category that bugs me is marketing terms. One example: you know what IDS is, right? Intrusion detection system. No problem. You know what IPS means? Whatever the vendor says it means. Search through the security literature and you will find all kinds of descriptions of intrusion prevention systems--no two alike. Does it discard packets? Does it analyse packets? Does it block packets? Depends on which vendor you ask, and what their "IPS" does.
Sometimes it's not funny.
I was at a meeting the other day where the topic was "risk management." That's central to what we do, but I realized that there wasn't much commonality to the definition of the term.
The meeting was sponsored by a business continuity group. They were definitely thinking about risks on the "A" point of the CIA triad. Most of us in information security tend to emphasize the confidentiality part. (Actually, my background started in in malware research, and we were really keen on integrity--it's one of the three key means of virus detection.) BC/DR people tend to lump confidentiality into a special corner of what they would call reputational risk.
There were some bankers there. When the banks (or others from fintech) talk about risk, it means capital risk. All of what we consider risk management they tend to put in a box called operational risk.
And then there is management. I don't really understand why management shuts down every time we talk about risk. If you are a manager, of anything, you manage two things: people, and risk. Management is managing business risk every minute of every day--they just do it "by the seat of their pants" rather than using formal tools.
Very often we need to enlarge our concept of the terms we use ...
I've found that it -sometimes- helps in the discussion on 'Risk Management' to break it down into 3 parts:
1- Risk Identification: Identifying and documenting a particular threat to an asset help set the stage;
2- Risk Assessment: After Identification, coming up with some way to quantify or rank risks helps;
3- Risk Mitigation: After the previous two steps, coming up with either a plan to lower the risk or to
document the acceptance of the risk is essential.
I'm basing this on my own experience of always insisting that risk is the likelihood of a threat to an asset manifesting. So this hinges upon the definitions of 'threats' and 'assets'. Hopefully 'likelihood' is not a point of disagreement.
I'd love to, but it's so prevalent I would have no time left for getting work done!