Refresher of Security Taxonomy

A list of basic terminologies frequently used with security & privacy related discussions/articles/research papers

1. Principal : A legitimate actor of any system.

2. Credential(s) : An artifact(s) to provide identity.

3. Authentication : The process through which an identity is associated with some principal.

4. Authorization : A set of rights/permissions which a principal possesses.

5. Threat : A specific means by which an attacker can put a system at risk.

6. Threat model : A collection of threats that is deemed important for a particular environment. It can also be thought as a collection of attacker(s) abilities.

7. Vulnerability : A systematic artifact that exposes the user, data, or system to a threat. Vulnerabilities are also known as attack vectors which an adversary (bad guy(s)) use to compromise a system. Common sources of vulnerability could be bad software/hardware design, bad policy/configuration, system misuse etc.

8. Attack : An occurrence where a vulnerability is exploited by an adversary. When an attack is successful, we call it as a compromise.

9. Risk = Threat (Actors) + Vulnerability + Asset(s)

   

10. Trust : An expectation from a principal to act in an anticipated manner.

11. Trust model : An explicit assessment of the trust embodied in a system.

12. Security model : A combination of a trust and threat models that address the set of perceived risks along with security requirements.

13. Confidentiality vs Privacy: Privacy applies to the person while confidentiality applies to the data (more here).