George Brown Polytechnic is located on the traditional territory of the Mississaugas of the Credit First Nation and other Indigenous peoples who have lived here over time. We are grateful to share this land as treaty people who learn, work and live in the community with each other.
A
Access: Ability of Users to create, read, modify, or delete Information.
Accountability: Maintaining processes and controls necessary to trace actions to their source. Accountability supports the concepts of non-repudiation, deterrence, security monitoring, recovery, records, and legal admissibility.
Audit Log: A chronological record of system activities that makes it possible to reconstruct, review, and examine the sequence of activities surrounding or leading to an operation, a procedure, an event, or an incident, from its inception to its results.
Authentication: Verifying the identity of a user, process, or device, usually as a prerequisite to allowing access to resources.
Authorization: Granting a User, program, workstation, or process the right to access an Information resource, for example data. Authorization is decided after Authentication and determines what an already-identified party may do.
Availability: Ensuring timely and reliable access to and use of Information.
C
Cloud: Cloud computing (“cloud”) refers to a computing model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
Confidentiality: The protection of data to ensure the data is only accessible by the people authorized to access it.
Cyber Security: Understanding, managing, and mitigating the risk that the college's critical systems and data are disclosed, altered, or made unavailable. It is the collective set of methods, technologies, and processes in place to protect the college's information from cyber threats and breaches.
Cyber Security Incident: An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.
D
Data: A subset of Information that can be retrieved or transmitted. Information is processed data.
E
Event: Any occurrence that can be observed, verified, and documented. An incident is one or more related events that negatively affect the college and/or its security posture.
G
GBC System(s): Refers to all GBC-owned or licensed technologies, including the GBC network, equipment, applications, digital communications (including email, instant messaging, voicemail, and text messages), Internet access, digital collaborative platforms, system and application software, all other client or internal facing systems, and any other technological resource used to carry out GBC business.
I
Impact: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.
Information: Emails, messages, documents, data, and other information, regardless of physical form or characteristic (including paper, electronic and audiovisual), created, reproduced, processed, stored, used, shared, archived, or destroyed by Users in the performance of their duties at the college.
Information Systems: Information Technology (IT) infrastructure, including email, internet, intranet, networks (including VPN), authorized applications, hardware, software, and solutions.
Inherent Risk: The amount of risk that exists in the absence of controls or actions by management to alter its probability and/or impact.
Integrity: Guarding against unauthorized Information modification or destruction and includes ensuring Information non-repudiation and authenticity.
IT Equipment: College issued/owned computers, mobile devices (including phones, tablets, etc.), and portable storage media.
L
Likelihood: The probability that the risk will materialize.
M
Malware: Malicious software, commonly referred to as malware, is software and/or program code/instructions inserted into a system, usually covertly, to compromise one or more of the confidentiality, integrity, or availability associated with the system or the data it processes. A cybercriminal may use malware to steal information or carry out malicious activities. Malware is an overarching term that encompasses more traditional virus, worm, and trojan software, as well as modern ransomware, droppers/payloads, rootkits, and sniffer/logger threats.
Misuse: Use of services/solutions for purposes other than the official, authorized purpose (for example, personal gain, espionage, etc.). Misuse includes the threats of inadvertent and/or intentional execution of malicious functions (for example, virus, worm, Trojan horse, etc.), the performance of undesirable functions and other errors of commission, omission, and oversight. Misuse results in unauthorized disclosure or modification of Information, unauthorized receipt of services, or denial of service to legitimate Users or critical functions.
Multi-factor authentication (MFA): A method of authentication in which a User is granted access to an Information Technology (IT) resource only after successfully presenting two or more pieces of authentication information. In other words, two or more pieces of evidence, your credentials, are required when logging into an account. These credentials, or factors, fall into three categories; to count as MFA, each factor must come from a different category (a password plus a second password is not MFA):
- Something you know, like a password or PIN
- Something you have, like a token or an authenticator app on your mobile phone
- Something you are, as represented by a fingerprint or face scan
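The "something you have" factor is most often a time-based one-time password (TOTP) computed by an authenticator app and checked by the service. The Python below is an added example, not code from the college's glossary or systems: it implements that check with the standard library only (RFC 4226 HOTP and RFC 6238 TOTP). The secret, the 30-second step and the six-digit length are the RFC test-vector values rather than any GBC configuration, and the replay handling via `last_counter` is the usual server-side safeguard, shown here as an assumption about how a verifier would track it.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret as an authenticator app would enrol it (base32). This is the
# RFC 4226/6238 test-vector secret, the ASCII string "12345678901234567890";
# a real enrolment generates a random secret per user.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
DEMO_SECRET = base64.b32decode(DEMO_SECRET_B32)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, submitted, at=None, last_counter=-1, step=30, digits=6, window=1):
    """Return the time-step counter the code matched, or None if it is rejected.

    window=1 accepts the previous and next step to absorb clock drift between
    the phone and the server. A counter at or below last_counter (the step of
    the last code accepted for this user, an assumed piece of server state) is
    refused so a captured code cannot be replayed inside the same window.
    hmac.compare_digest avoids leaking which digits matched through timing.
    """
    submitted = submitted.strip()
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    if at is None:
        at = int(time.time())
    current = at // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    print("code for the current 30-second step:", totp(DEMO_SECRET, int(time.time())))
```

The RFC test vectors give `hotp(DEMO_SECRET, 0)` as 755224 and `totp(DEMO_SECRET, 59)` as 287082, so the implementation can be checked without an app; enrolling the base32 secret in any authenticator and comparing its output against `totp()` is the end-to-end check.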
P
Personal Information: As defined by the Freedom of Information and Protection of Privacy Act (FIPPA), ‘personal information’ means recorded information about an identifiable individual, including:
- information relating to the race, national or ethnic origin, colour, religion, age, sex, sexual orientation or marital or family status of the individual,
- information relating to the education or the medical, psychiatric, psychological, criminal or employment history of the individual or information relating to financial transactions in which the individual has been involved,
- any identifying number, symbol or other particular assigned to the individual,
- the address, telephone number, fingerprints or blood type of the individual,
- the personal opinions or views of the individual except where they relate to another individual,
- correspondence sent to an institution by the individual that is implicitly or explicitly of a private or confidential nature, and replies to that correspondence that would reveal the contents of the original correspondence,
- the views or opinions of another individual about the individual, and
- the individual’s name where it appears with other personal information relating to the individual or where the disclosure of the name would reveal other personal information about the individual.
Phishing: The most common form of social engineering attack. Phishing occurs when a threat actor impersonates a trusted person or entity, typically through email, to fraudulently obtain personal information, financial information, or access to systems. The message prompts the targeted individual to act: click a link, reply with information, open an attachment, download a file, or grant remote access to a workstation. For example, the threat actor may send an email disguised as a message from your manager or a financial institution asking for your account details. Whatever information or access the action yields is then used to get into your online accounts, and that foothold may be used to carry out a larger cyber attack. Telltale signs include a display name that does not match the sender's address, a sender domain that only resembles the real one, a Reply-To address different from the sender, links whose visible text differs from their destination, and pressure to act urgently.
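The signs listed above can be checked mechanically on an incoming message. The Python below is an added example, not part of the glossary or of any GBC mail filter: it parses a message with the standard library and flags display-name impersonation, lookalike sender domains (homoglyph folding plus edit distance), Reply-To mismatch, pressure phrases, and links whose visible text or destination host does not belong to a trusted domain. The trusted domain, the impersonated-name list, the pressure phrases and both sample messages are constructed assumptions for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumptions for this example (not from the glossary): the college's legitimate
# sending domain, names a phisher is likely to borrow, and pressure phrases.
TRUSTED_DOMAINS = {"georgebrown.ca"}
IMPERSONATED_NAMES = ("george brown", "it service desk", "payroll", "president")
URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours",
                   "will be suspended", "verify your account")
# Single characters and digraphs commonly substituted in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize_domain(domain: str) -> str:
    """Fold homoglyph tricks so 'georgebrovvn.ca' compares equal to 'georgebrown.ca'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as a dropped or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].strip().lower()


def is_trusted_host(host: str) -> bool:
    return any(host == t or host.endswith("." + t) for t in TRUSTED_DOMAINS)


def is_lookalike(domain: str) -> bool:
    if domain in TRUSTED_DOMAINS:
        return False
    norm = normalize_domain(domain)
    return any(norm == normalize_domain(t) or edit_distance(norm, t) <= 2
               for t in TRUSTED_DOMAINS)


def analyze_email(raw: str) -> list:
    """Return 'tag: detail' findings for one RFC 822 message; empty means nothing suspicious."""
    msg = message_from_string(raw)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    if not is_trusted_host(from_domain) and any(n in display_name.lower() for n in IMPERSONATED_NAMES):
        findings.append(f"display-name: '{display_name}' sent from untrusted domain {from_domain}")
    if is_lookalike(from_domain):
        findings.append(f"lookalike-domain: {from_domain} resembles a trusted domain")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to-mismatch: replies go to {domain_of(reply_addr)}, not {from_domain}")

    # Single-part sample; a multipart message would need its text parts walked.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    pressure = [p for p in URGENCY_PHRASES if p in text]
    if pressure:
        findings.append("urgency: " + ", ".join(pressure))

    for href, label in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        host = (urlparse(href).hostname or "").lower()
        if host and not is_trusted_host(host):
            findings.append(f"untrusted-link: {href}")
        shown = urlparse(label.strip()).hostname if label.strip().startswith("http") else None
        if shown and shown.lower() != host:
            findings.append(f"link-text-mismatch: shows {shown} but points to {host}")
    return findings


# Constructed sample messages for the example.
SAMPLE_PHISH = """\
From: "George Brown IT Service Desk" <helpdesk@georgebrovvn.ca>
Reply-To: mailbox-recovery@outlook-verify.example
To: student@georgebrown.ca
Subject: URGENT: your account will be suspended
Content-Type: text/html

<p>Your mailbox is over quota. Verify your account within 24 hours or it will be suspended.</p>
<a href="http://georgebrovvn.ca/login">https://my.georgebrown.ca/login</a>
"""

SAMPLE_LEGIT = """\
From: "IT Service Desk" <servicedesk@georgebrown.ca>
To: student@georgebrown.ca
Subject: Scheduled maintenance this weekend
Content-Type: text/html

<p>Email will be unavailable Saturday 02:00-04:00. No action is required.</p>
<a href="https://my.georgebrown.ca/status">Service status</a>
"""

if __name__ == "__main__":
    for finding in analyze_email(SAMPLE_PHISH):
        print(finding)
```

Each finding is a signal, not a verdict: an edit distance of 2 will also match unrelated short domains, and a legitimate bulk mailer may use a different Reply-To, so in practice these checks feed a score or a quarantine review alongside SPF/DKIM/DMARC results rather than blocking on their own.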
Principle of Least Privilege: A Cyber Security concept in which a user is given the minimum levels of access (or permissions) needed to perform their job functions.
Prompt Engineering: The practice of designing and refining input prompts to guide AI models, such as large language models (LLMs), toward generating desired outputs. It involves crafting precise and context-rich instructions to improve the relevance and quality of the AI's responses.
R
Ransomware: A type of malware that makes data inaccessible. When ransomware infects a device, it locks the screen or encrypts the files on it. It may be contained to a single device, but it can also spread and make the data of an entire organization inaccessible. Once the files are inaccessible, the threat actor sends a message stating the ransom that must be paid to regain access. Payment is typically demanded in cryptocurrency because it is harder to trace. Many threat actors also copy data before encrypting it and threaten to leak it, or to contact your clients directly, if you do not pay promptly; restoring from backup recovers the files but does not remove that threat.
Residual Risk: A portion of risk remaining after controls/countermeasures have been applied as part of risk treatment.
Risk: The potential for financial loss, disruption, or damage to GBC's reputation resulting from a Cyber Security event, threat, or attack. It is an expectation of loss, expressed as the probability that a particular threat will exploit a particular vulnerability and cause a negative business impact.
Risk Appetite: The desired amount and type of risk an organization is willing to accept in pursuit of its objectives.
Risk Assessment: A formal process, conducted by the Cyber Security team, which evaluates and prioritizes responses to identified cyber threats. It determines risk management priorities by evaluating and comparing the level of risk associated with an activity against predetermined risk appetite/tolerances at GBC. The assessment informs Risk Owners about potential risks and recommends strategies to manage those risks, providing a foundation for risk-based decision-making before key milestones. The assessment produces a Risk Mitigation Report (RMR), bridging identified risks and agreed-upon mitigation strategies, leading to the evaluation of Residual Risks.
Risk Assessment Methodology: A risk assessment process, together with a risk model, assessment approach, and analysis.
Risk Assessment Report: The results of the Risk Assessment are documented in the Risk Assessment Report.
Risk Management: Coordinated activities and processes to manage risk effectively and to direct and control an organization regarding risk.
Risk Management Process: Systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring, and reviewing risk.
Risk Mitigation Report: As a follow-up to the Risk Assessment Report, the Risk Mitigation Report includes all Cyber Security recommendations to mitigate risks as per the college's risk appetite.
Risk Owner: A senior executive with the accountability and authority for managing risks and all aspects of a specific risk outcome.
Risk Profile: A risk profile is an analysis of the types of threats an organization, asset, project, or individual faces. The goal of a risk profile is to provide an objective understanding of risk by assigning values to variables representing different types of threats and the dangers they pose. It includes a prioritized inventory of the most significant risks identified and assessed through the Risk Assessment process.
Risk Report: The Risk Assessment Report and Risk Mitigation Report are collectively referred to as the Risk Report.
Risk Tolerance: The maximum threshold that the organization is willing to accept for a particular risk before incremental remediation is required.
Risk Treatment: The process, consisting of various tactics, tools, and strategies, chosen to respond to a specific risk to achieve the desired outcome concerning the risk. Risk treatment can involve:
- Avoiding the risk by deciding not to start or continue with the activity that gives rise to the risk;
- Taking or increasing risk to pursue an opportunity;
- Removing the risk source;
- Changing the likelihood;
- Changing the consequences;
- Sharing the risk with another party or parties (including contracts and risk financing);
- Retaining the risk by informed choice.
S
Security Incident: An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
Sensitive Information: Information that, if released without authorization, would cause harm, embarrassment, or unfair economic advantage, e.g., a breach of confidentiality of personal information, unauthorized modification of financial data, or a release of pre-budget information and strategic planning documents. The sensitivity levels, their descriptions, and examples of each:
- High Sensitivity: Information that is of the highest value to GBC and is intended for use by named individuals only. Unauthorized disclosure could reasonably be expected to cause loss of life or harm to public safety, extremely serious personal or enterprise injury, major political or economic impact, sabotage or terrorism, significant financial loss, and social hardship. Also included is all financial information about identifiable individuals. Examples include Personally Identifiable Information (bank account numbers, SINs, identity documents such as driver's licences, tax returns, payroll records, credit card numbers, and personnel files) and Personal Health Information (e.g., diagnoses, descriptions of medical procedures, test results).
- Medium Sensitivity: Information that is sensitive within GBC and is intended for use by specific groups of employees only. Unauthorized disclosure could reasonably be expected to cause serious personal or enterprise injury, loss of competitive advantage, loss of confidence in a government program, moderate financial loss, damage to partnerships, relationships, and reputation, and loss of trade secrets or intellectual property. Also included is all other personal information that is confidential under the Freedom of Information and Protection of Privacy Act (FIPPA) or any other applicable law or policy and is not covered by the High Sensitivity level. Examples include legal opinions, personal contact information, business information, policies, briefing notes, and source code.
- Low Sensitivity: Information generally available to GBC students, employees, and approved non-employees. Unauthorized disclosure could reasonably be expected to cause injury limited to minor financial loss, embarrassment, or inconvenience. Also included are any other documents and information that do not fall within the High or Medium Sensitivity classifications. Examples include escalation procedures, org charts, the telephone directory, meeting minutes, and agenda items.
- Unclassified: Information that is publicly available and whose disclosure will not result in any harm or injury. Examples include materials that are in the public domain, including information posted on the GBC website.
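The identifiers the High and Medium levels list (SINs, card numbers, health details, personal contact information) can be pattern-matched so that a document gets a provisional classification before a person reviews it. The Python below is an added example, not part of the glossary or of any GBC tool: the regular expressions, the health-term list and the masking of matched values are assumptions made for the example, and the SIN and card number in the constructed sample text are widely published test values, not real identifiers. Both SINs and payment card numbers carry a Luhn check digit, which the code uses to discard most random digit runs.

```python
import re

# Patterns for identifiers the classification above places at High (SIN,
# payment card, health information) and Medium (personal contact details).
# Health detection is keyword-based here; the keyword list is an assumption.
SIN_RE = re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{3}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
PHONE_RE = re.compile(r"\b\d{3}[-. ]\d{3}[-. ]\d{4}\b")
HEALTH_TERMS = ("diagnosis", "diagnosed with", "test result", "prescription")
RANK = {"High": 3, "Medium": 2, "Low": 1}


def luhn_ok(digits: str) -> bool:
    """Checksum shared by Canadian SINs and payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits so findings can be logged without re-exposing data."""
    return re.sub(r"\d(?=(?:\D*\d){4})", "*", value)


def classify(text: str):
    """Return (level, findings); level is the highest sensitivity hit, 'Low' if none.

    'Low' is the page's catch-all for material outside High and Medium; a
    document is only 'Unclassified' once someone confirms it is public.
    """
    findings = []
    for m in SIN_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append(("High", "SIN", mask(m.group())))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append(("High", "payment card number", mask(m.group())))
    lower = text.lower()
    for term in HEALTH_TERMS:
        if term in lower:
            findings.append(("High", "personal health information", term))
    for m in EMAIL_RE.finditer(text):
        findings.append(("Medium", "personal contact (email)", "***@" + m.group().split("@")[1]))
    for m in PHONE_RE.finditer(text):
        findings.append(("Medium", "personal contact (phone)", mask(m.group())))
    level = max((f[0] for f in findings), key=RANK.get, default="Low")
    return level, findings


# Constructed sample text; the SIN and card number are published test values.
SAMPLE_PAYROLL = "Payroll update: employee SIN 046 454 286, corporate card 4111 1111 1111 1111 on file."
SAMPLE_CONTACT = "Reach the program coordinator at j.doe@example.com or 416-555-0199 for the schedule."
SAMPLE_MINUTES = "Meeting minutes, 3 March: agenda item 2 approved; org chart review deferred."

if __name__ == "__main__":
    for sample in (SAMPLE_PAYROLL, SAMPLE_CONTACT, SAMPLE_MINUTES):
        level, hits = classify(sample)
        print(level, hits)
```

A nine-digit number still passes Luhn one time in ten by chance, and health keywords match ordinary prose, so the output is a triage label for review; treat it as a reason to look, and never log the unmasked value in the process.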
Service Accounts: A non-human privileged account that an operating system uses to run applications, automated services, virtual machine instances, and various background processes.
Shoulder Surfing: A form of data theft in which a criminal obtains personal information, such as a password or PIN, by watching a victim use IT equipment or other electronics. The term refers to malicious actors peering over the shoulders of potential targets.
Social Engineering: The use of deception to exploit human nature, habits, and trust in order to obtain information or gain access to information systems. Threat actors try to drive the desired behaviour through emotional pressure, including fear, fear of missing out, intimidation, coercion, urgency, and opportunity, or by befriending the user. Information sought by threat actors for fraudulent purposes can include:
- Confidential information, such as passwords and login credentials
- Personal information, such as bank information
Social Media: Internet services/applications such as Facebook, Twitter, LinkedIn, Instagram, Reddit, etc.
Spam: Unauthorized and/or unsolicited email messages.
Stakeholder: Anyone who has a responsibility for, an expectation from, or some other interest in Cyber Security; for example, Users, suppliers, customers, and the public.
T
Technology Asset: All George Brown Polytechnic Information, Information Systems, and/or IT equipment.
Technology Asset Owner: Accountable for the security and management of an asset over the asset’s lifecycle (development, procurement, integration, modification, operation, maintenance, and/or final disposition of an information system). Ownership should be assigned when assets are created, procured, or transferred to the college. The asset owner shall:
- Ensure that assets are inventoried;
- Ensure that assets are appropriately classified and protected;
- Define and periodically review access restrictions and classifications to important assets, considering applicable access control policies;
- Ensure proper handling when the asset is decommissioned.
Threat: Any circumstance or event with the potential to adversely impact the college’s operations (including mission, functions, image, or reputation), college assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat actors: Malicious actors who perpetrate cybercrime; colloquially they are sometimes referred to as hackers or cyber criminals. Threat actors can include:
- Foreign states
- Criminal groups
- Individuals
Many threat actors are well-organized groups that work together to perpetrate sophisticated cybercrime, in work settings that can look very much like your own. Threat actors also collaborate with other groups to amplify their work.
Threats: The possibility of a malicious attempt to exploit a vulnerability and damage, disrupt, or gain unauthorized access to any GBC resources.
U
User: An individual with access to GBC information and/or information systems including GBC students, employees, consultants, contractors, sub-contractors, vendors, temporary workers, guests, trusted partners, alumni, and agents of the GBC.
V
Vulnerability: Weakness of an asset or control that can be exploited by one or more threats.
