Quiz03 - Recap - Session 1 & 2

Risk Management Concepts Match - D3-Recap

Useful Terminology

  • Absolute Criteria: Risk acceptance thresholds that dictate zero tolerance for specific outcomes.

  • Agency Theory: A governance theory suggesting managers (agents) often prioritise self-interest over shareholders' (principals) long-term goals, necessitating strict monitoring.

  • Aleatory Uncertainty: The inherent, irreducible variability within a physical system or environment that is tied to chance.

  • Anchoring Bias: A cognitive bias where individuals rely too heavily on the first piece of information encountered, unconsciously distorting risk evaluation.

  • Asset Dependency Graphs: Visual tools utilised by practitioners to map how a vulnerability in a supporting asset cascades into a compromise of a primary business asset.

  • Asset-Based Approach: An operational, bottom-up risk identification methodology prioritising the granular cataloguing of hardware, software, network appliances, and data repositories.

  • Attack Trees: Probabilistic logic models that map the path of least resistance for a rational, intelligent adversary, rather than random decay.

  • Availability Bias: A cognitive bias in which the likelihood of an event is judged by how readily examples come to mind; assessors must actively mitigate it so that empirical data, rather than heuristic shortcuts, inform their opinions.

  • Clustering Illusion: A cognitive bias that assessors must mitigate, involving the tendency to see patterns in random events.

  • Cognitive Biases: Psychological heuristic shortcuts, such as groupthink or confirmation bias, that profoundly influence human risk perception and distort objective evaluation.

  • Conditional Criteria: Risk acceptance thresholds that allow for nuance and exceptions under specific circumstances.

  • Confirmation Bias: The psychological tendency to interpret data in a way that confirms existing preconceptions.

  • Continuous Improvement: A foundational principle requiring organisations to leverage iterative learning, incident post-mortems, and metrics to refine their risk management capabilities over time.

  • Corrective Controls: Countermeasures intended to limit the consequences of an event and restore normal operations.

  • COSO ERM (2017): A prescriptive, component-based framework rooted in accounting and internal control, structured around 20 principles across five interrelated components.

  • Decision Uncertainty: The ambiguity surrounding subjective organisational value systems, conflicting strategic objectives, and the professional judgments used when selecting risk treatments.

  • Desired End States (DES): Categorisations of the motivations of deliberate risk sources in an event-based approach.

  • Detective Controls: Countermeasures intended to detect an information security event as it occurs or shortly thereafter.

  • Drive to Acquire: A deliberate threat actor motivation aimed at predatory financial benefits.

  • Drive to Conquer: A deliberate threat actor motivation aimed at long-term resource capture.

  • Drive to Disrupt and Sabotage: A deliberate threat actor motivation aimed at causing destruction or halting operations.

  • Epistemic Uncertainty: Uncertainty resulting directly from a lack of knowledge, which can be systematically reduced through research and data gathering.

  • Event-Based Approach: A strategic, top-down risk identification methodology requiring the formulation of strategic scenarios by examining potential risk sources and overarching events.

  • Groupthink: A cognitive bias during expert elicitation where the desire for group consensus overrides individuals' critical evaluation.

  • Hazard: The strictly negative potential of an object, process, or activity to cause harm, financial loss, or operational disruption.

  • Information Security Management System (ISMS): The overarching framework whose resilience rests upon a structured, defensible, and repeatable approach to risk management.

  • Intangible Consequences: Non-physical impacts affecting an organisation's objectives.

  • Linguistic Uncertainty: The ambiguity and vagueness inherent in human language that complicates organisational communication regarding risk.

  • Methodological Uncertainty: Uncertainty arising from flaws in simplistic modelling tools or poorly designed risk matrices.

  • Non-numerical Consequence Framework: A structured matrix that anchors impact levels to observable, objective business realities rather than subjective ordinal scales.

  • Oversight Body: The governance entity acting on behalf of stakeholders, responsible for defining the overarching corporate risk appetite and ensuring management's systems operate effectively.

  • Personal Uncertainty: The inherent cognitive bias of the human assessor during the risk determination process.

  • Policy-as-Code: A paradigm in DevSecOps where risk treatment rules are embedded directly into machine-readable code to enforce continuous compliance.

  • Preventive Controls: Countermeasures intended to prevent information security events that could lead to negative consequences.

  • Primary Assets: Assets representing the information and processes of core value to the organisation.

  • RACI Matrix: A framework (Responsible, Accountable, Consulted, Informed) used to establish clear governance and ultimate accountability across business units.

  • Secure by Design: An architectural principle of embedding invisible, automated governance mechanisms into infrastructure to maintain high security without degrading user experience.

  • Sensitivity Analysis: A review mechanism identifying which specific input parameters have the most dramatic effect on the final risk outcome.

  • Software Bill of Materials (SBOM): A detailed record mapping the dependency trees of applications, used to scrutinise software supply chains.

  • Statement of Applicability (SoA): A vital, mandatory artefact documenting which ISO 27001 Annex A controls are deemed necessary, their justification, and their implementation status.

  • Stewardship Theory: A governance theory based on the idea that managers are inherently motivated to act as loyal, responsible guardians, focusing on long-term sustainability.

  • Supporting Assets: The physical and logical components upon which primary business assets depend.

  • Systemic Uncertainty: A fundamental lack of historical data regarding novel, emerging threat vectors.

  • Third Line (Internal Audit): The governance line providing highly independent and objective assurance, evaluating the efficacy of the First and Second lines.

  • Top Management: The executive tier holding the ultimate operational accountability for managing risk and translating the Board's risk appetite into functional policies.

  • Zero Trust Architecture (ZTA): A fundamental security paradigm shift requiring that every access request be verified on the basis of identity rather than trusted because of its network location ("never trust, always verify").

Advanced Risk Management

0. Course Motivation: Shifting from technical execution to strategic risk management.

  • The Strategic Imperative of the Security Function
  • IBM - Motivation for Risk Analysis in CyberSecurity (11 min)
  • Google - Security Frameworks (30 min)
  • Introduction: The Evolution of Security Management

1. Introduction to ISO/IEC 27005 and information security risk management

  • Introduction: The Evolution of Risk Management Standardisation
  • International Standardisation: ISO 31000 versus ISO 27005
  • The ISO Risk Management and other frameworks
  • The Psychology of Risk Perception and Decision-Making
  • The ISO 31000 Architecture: Principles, Framework, and Process
  • Review of Risk Assessment Methodologies (IEC 31010)
  • Scope, Context, and Criteria
  • Leadership, Governance, and Corporate Commitment
  • Quiz01 - Risk Management [Day01]

2. Information Security Risk Identification, Assessment, and Treatment (ISO/IEC 27005)

  • Identification and description of information security risks
  • Identification of risk owners
  • Assessment of potential consequences
  • Determination of risk levels
  • Comparison of risk analysis results with established risk management criteria
  • Risk prioritization
  • Determination of required controls for risk treatment
  • Risk treatment plan
  • Quiz02 - Risk Identification, Assessment and Treatment [day2]

3. Risk Acceptance, Communication, Monitoring and Review

  • Key Takeaways (Module 01 - Module 02)
  • Quiz03 - Recap - Session 1 & 2
  • Communication and Consultation of Results
  • Documentation of the Risk Analysis Process
  • Documentation of Results
  • Monitoring of Risk-Generating Factors
  • Deep Dive: Navigating Complexity with ISO/TS 31050 and the Risk Intelligence Cycle
  • Future-Looking Challenges for Risk Management and ISO/IEC 27005

4. Risk Assessment Methodologies

  • The Methodological Shift: Transcending Traditional Frameworks
  • Technique 1: STRIDE for Cloud and PaaS Architectures
  • Technique 2: Subjective Evaluation of Opaque AI Risks
  • FMEA, Red Teaming, and Risk Register Integration
  • Risk Monitoring Processes
  • Part B: Procedure to Execute an FMEA Analysis

5. ISO 27005 Risk Assessment Using FMEA

  • Process Overview - Lab: AI and Cloud Services
  • Quiz - Simulation exam
  • Quiz - summary