Business Intelligence: What is a BI Strategy?

Business Intelligence Series

"A BI strategy is a plan to implement, use, and manage data and analytics to better enable your users to meet their business objectives. An effective BI strategy ensures that data and analytics support your business strategy." [1]

The definition is from Microsoft's guide on Power BI implementation planning, a long-awaited resource for those deploying Power BI in their organization. 

I read the definition repeatedly and, even if it looks logically correct, the general feeling is that it falls short, and I'm trying to understand why. A strategy is a plan indeed, even if various theorists use modifiers like unified, comprehensive, integrative, forward-looking, etc. Probably, because it talks about a BI strategy, the definition implies using a strategic plan. Conversely, using "strategic plan" in the definition seems to make the definition redundant, though it would pull then with it all what a strategy is about. 

A business strategy is about enabling users to meet organization's business objectives, otherwise it would fail by design. Implicitly, an organization's objectives become its employees' objectives. The definition kind of states the obvious. Conversely, it talks only about the users, and not all employees are users. Thus, it refers only to a subset. Shouldn't a BI strategy support everybody? 

Usually, data analytics refers to the procedures and techniques used for exploration and analysis. Isn't supposed to consider also the visualization of data? Did it forgot something else? Ideally, a definition shouldn't define what its terms are about individually, but what they are when used together.

BI as a set of technologies, architectures, methodologies, processes and practices is by definition an enabler if we take these components individually or as a whole. I would play devil's advocate and ask "better than what?". Many of the information systems used in organizations come with a set of reports or functionalities that enable users in their jobs without investing a cent in a BI infrastructure. 

One or two decades ago one of the big words used in sales pitches for BI tools was "competitive advantage". I was asking myself when and where did the word disappeared? Is BI technologies' success so common that the word makes no sense anymore? Did the sellers become more ethical? Or did we recognize that the challenges behind a technology are more of an organizational nature? 

When looking at a business strategy, the hierarchy of business objectives forms its backbone, though there are other important elements that form its foundation: mission, vision, purpose, values or principles. A BI strategy needs to be aligned with the business strategy and the other strategies (e.g. quality, IT, communication, etc.). Being able to trace this kind of relationships between strategies is quintessential. 

We talk about BI, Data Analytics, Data Management and newly Data Science. The relationship between them becomes more complex. Therefore, what differentiates a BI strategy from the other strategies? The above definition could apply to the other fields as well. Moreover, does it makes sense to include them in one form or another?

Independently how the joint field is called, BI and Data Analytics should be about gaining a deeper understanding about the business and disseminating that knowledge within the organization, respectively about exploring courses of action, building the infrastructure, the skillset, the culture and the mindset to approach more complex challenges and not only to enable business goals!

There are no perfect definitions, especially when the concepts used have drifting definitions as well, being caught into a net that makes it challenging to grasp the essence of things. In the end, a definition is good enough if the data professionals can work with it. 

Resources:

[1] Microsoft Learn (2004) Power BI implementation planning: BI strategy (link).

Project Management: Projects' Dynamics I (Introduction)

Despite the considerable collection of books on Project Management (PM) and related methodologies, and the fact that projects are inherent endeavors in professional as well personal life (setups that would give in theory people the environment and exposure to different project types), people’s understanding on what it takes to plan and execute a project seems to be narrow and questionable sometimes. Moreover, their understanding diverges considerably from common sense. It’s also true that knowledge and common sense are relative when considering any human endeavor in which there are multiple roads to the same destination, or when learning requires time, effort, skills, and implies certain prerequisites, however the lack of such knowledge can hurt when endeavor’s success is a must and a team effort. 

Even if the lack of understanding about PM can be considered as minor when compared with other challenges/problems faced by a project, when one’s running fast to finish a race, even a small pebble in one’s running shoes can hurt a lot, especially when one doesn’t have the luxury to stop and remove the stone, as it would make sense to do.

It resides in the human nature to resist change, to seek for information that only confirm own opinions, to follow the same approach in handling challenges, even if the attempts are far from optimal, even if people who walked the same path tell you that there’s a better way and even sketch the path and provide information about what it takes to reach there. As it seems, there’s the predisposition to learn on the hard way, if there’s significant learning involved at all. Unfortunately, such situations occur in projects and the solutions often overrun the boundaries of PM, where social and communication skills must be brought into play. 

On the other side, there’s still hope that change can be managed optimally once the facts are explained to a certain level that facilitates understanding. However, such an attempt can prove to be quite a challenge, given the various setups in which PM takes place. The intersection between technologies and organizational setups lead to complex scenarios which make such work more difficult, even if projects’ challenges are of organizational rather than technological nature. 

When the knowledge we have about the world doesn’t fit our expectation, a simple heuristic is to return to the basics. A solid edifice can be built only on a solid foundation and the best foundation in coping with reality is to establish common ground with other people. One can achieve this by identifying their suppositions and expectations, by closing the gap in perception and understanding, by establishing a basis for communication, in which feedback is a must if one wants to make significant progress.

Despite of being explorative and time-consuming, establishing common ground can be challenging when addressing to an imaginary audience, which is quite often the situation. The practice shows however that progress can be made by starting with a set of well-formulated definitions, simple models, principles, and heuristics that have the potential of helping in sense-making.

The goal is thus to identify first the definitions that reflect the basic concepts that need to be considered. Once the concepts defined, they can be related to each other with the help of a few models. Even if fictitious, as simplifications of the reality, the models should allow playing with the concepts, facilitating concepts’ understanding. Principles (set of rules for reasoning) can be used together with heuristics (rules of thumb methods or techniques) for explaining the ‘known’ and approaching the ‘unknown’. Even maybe not perfect, these tools can help building theories or explanatory constructs.

||>>Next Post

Knowledge Management: Definitions II (What's in a Name)

Browsing through the various books on databases and programming appeared over the past 20-30 years, it’s probably hard not to notice the differences between the definitions given even for straightforward and basic concepts like the ones of view, stored procedure or function. Quite often the definitions lack precision and rigor, are circular and barely differentiate the defined term (aka concept) from other terms. In addition, probably in the attempt of making the definitions concise, important definitory characteristics are omitted.

Unfortunately, the same can be said about other non-scientific books, where the lack of appropriate definitions make the understanding of the content and presented concepts more difficult. Even if the reader can arrive in time to an approximate understanding of what is meant, one might have the feeling that builds castles in the air as long there is no solid basis to build upon – and that should be the purpose of a definition – to offer the foundation on which the reader can build upon. Especially for the readers coming from the scientific areas this lack of appropriateness and moreover, the lack of definitions, feels maybe more important than for the professional who already mastered the respective areas.

In general, a definition of a term is a well-defined descriptive statement which serves to differentiate it from related concepts. A well-defined definition should be meaningful, explicit, concise, precise, non-circular, distinct, context-dependent, relevant, rigorous, and rooted in common sense. In addition, each definition needs to be consistent through all the content and when possible, consistent with the other definitions provided. Ideally the definitions should cover as much of possible from the needed foundation and provide a unitary consistent multilayered non-circular and hierarchical structure that facilitates the reading and understanding of the given material.

Thus, one can consider the following requirements for a definition:

Meaningful: the description should be worthwhile and convey the required meaning for understanding the concept.

Explicit: the description must state clearly and provide enough information/detail so it can leave no room for confusion or doubt.

Context-dependent: the description should provide upon case the context in which the term is defined.

Concise: the description should be as succinct as possible – obtaining the maximum of understanding from a minimum of words.

Precise: the description should be made using unambiguous words that provide the appropriate meaning individually and as a whole.

Intrinsic non-circularity: requires that the term defined should not be used as basis for definitions, leading thus to trivial definitions like “A is A”.

Distinct: the description should provide enough detail to differentiate the term from other similar others.

Relevant: the description should be closely connected or appropriate to what is being discussed or presented.

Rigorous: the descriptions should be the result of a thorough and careful thought process in which the multiple usages and forms are considered.  

Extrinsic non-circularity: requires that the definitions of two distinct terms should not be circular (e.g. term A’s definition is based on B, while B’s definition is based on A), situation usually met occasionally in dictionaries.

Rooted in common sense: the description should not deviate from the common-sense acceptance of the terms used, typically resulted from socially constructed or dictionary-based definitions.

Unitary consistent multilayered hierarchical structure: the definitions should be given in an evolutive structure that facilitates learning, typically in the order in which the concepts need to be introduced without requiring big jumps in understanding. Even if concepts have in general a networked structure, hierarchies can be determined, especially based on the way concepts use other concepts in their definitions. In addition, the definitions must be consistent – hold together – respectively be unitary – form a whole.

Project Management: Redefining Projects' Success I

A project is typically considered as successful if has met the beforehand defined objectives within the allocated budget, timeframe and expected quality levels. Any negative deviation from any of these equates with a project failure. In other words, the success or failure of a project is judged as black or white with no grays in between, which is utopic, especially for mid to big software projects, typically associated with lot of uncertainty. According to this definition a project which had a delay of a few months, or the budget was overrun by 10%, or the users got only 90% from the planned functionality, or any combination of these negative deviations, can be considered as failed.

If a small project needed 6 instead of 3 months to complete, which is normal for projects with reduced priority, as long the project costs haven’t changed, then the increase in duration can be ignored. In exchange, 3 months of a delay for a 2 years project is normal, especially when the project is complex. Even if additional costs incurred within this timeframe, as long they are a small percentage in comparison with the overall project costs, then the impact can be acceptable for the business. On the other side, when the delays have an exponential growth with further implications, then the problem changes dramatically.

Big projects have typically a strategic importance. It’s the case of ERP implementations, which besides the technology changes have in theory have the potential to transform an organization pushing it to reach further performance levels. Such projects are estimated to take on average one to two years for a medium organization, however the delays can easily reach 50% to 100% from the initial estimation. Independently of what caused the delay, as long the organization achieved the intended goals and can cover project’s costs, one can say that the project made a (positive) difference.

Independently of project’s size, if 90% of the important functionality is available, then more likely the 10% can be covered in a first step with manual work, following in time to further invest into the system as part of a continuous improvement process. It’s maybe not ideal for the users, however the approach incorporates also the learning curve of working with the system and understanding ist possibilities and limitations. Of course, when the percentage of the available functionality decreases below a given limit, system’s acceptance is endangered, which users eventually start looking for alternatives.

There are also projects which opened the door to new possibilities and which require more investments to leverage the full capabilities. Some ERP implementations have this potential, despite overruns. Some of such investments are entitled while others are not. Related to this last category, there are projects which are on time, on budget, and the deliverables satisfy the quality criteria and objectives, however they make no difference for the organization despite the important investments made. Sure, some of the projects from this category are a must (e.g. updates, upgrade, technology changes), however there are also projects which can be considered as self-occupational hazard. In extremis such projects run in the background and cost organizations lot of energy and resources, while their effects are questionable.

At least from these examples the definition of a project's success needs to be changed or maybe standardized to consider not only intrinsic but also extrinsic aspects. In theory, that is the role of a Project Management Office (PMO), however it’s challenging to find an evaluation methodology that fits all needs. Further on, from same considerations, benchmarking projects across organizations and industries can prove to be a foolhardy attempt.

Business Process Management: Business Process (Definitions)

"A business process is a collection of activities that takes one or more kinds of input and creates an output that is of value to the customer. A business process has a goal and is affected by events occurring in the external world or in other processes." (James A Champy & Michael M Hammer, "Reengineering the Corporation", 1993)

"A process is a set of linked activities that take an input and transform it to create an output. Ideally, the transformation that occurs in the process should add value to the input and create an output that is more useful and effective to the recipient either upstream or downstream."

(Henry J Johansson, "Business process reengineering: Breakpoint strategies for market dominance", 1993)

"Major operational activities or processes supported by a source system, such as orders, from which data can be collected for the analytic purposes of the data warehouse. Choosing the business process is the first of four key steps in the design of a dimensional model." (Ralph Kimball & Margy Ross, "The Data Warehouse Toolkit" 2nd Ed., 2002)

"The sequence of activities 'enclosing' the production process. These activities are common to all types of products and services, and include defining the job, negotiation with the customer, and reporting project status." (Richard D Stutzke, "Estimating Software-Intensive Systems: Projects, Products, and Processes", 2005)

"The subject areas of a business. The method by which a business is divided up. In a data warehouse, the subject areas become the fact tables." (Gavin Powell, "Beginning Database Design", 2006)

"A structured description of the activities or tasks that have to be done to fulfill a certain business need. The activities or tasks might be manual steps (human interaction) or automated steps (IT steps)." (Nicolai M Josuttis, "SOA in Practice", 2007)

"A structured and measured, managed, and controlled set of interrelated and interacting activities that uses resources to transform inputs into specified outputs." (Nathalíe Galeano, "Competency Concept in VO Breeding Environment", 2008) 

"The codification of rules and practices that constitute a business." (Judith Hurwitz et al, "Service Oriented Architecture For Dummies" 2nd Ed., 2009)

"The defined method for a range of activities that organizations perform. A business process can include anything from the steps needed to make a product to how a supply is ordered or how an invoice is created." (Tony Fisher, "The Data Asset", 2009)

"A structured description of the activities or tasks that have to be done to fulfill a certain business need. The activities or tasks might be manual steps (human interaction) or automated steps (IT steps)." (David Lyle & John G Schmidt, "Lean Integration", 2010)

"An activity as carried out by business people, including the mechanisms involved. This is in the domain of Row Two, the Business Owner’s View. Alternatively, the architect in Row Three sees a system process which is about the data transformations involved in carrying out a business process. In either case, processes can be viewed at a high level or in atomic detail." (David C Hay, "Data Model Patterns: A Metadata Map", 2010)

"A collection of activities performed to accomplish a clearly defined goal." (Linda Volonino & Efraim Turban, "Information Technology for Management" 8th Ed., 2011)

"A collection of activities designed to produce a specific output for a particular customer or market." (International Qualifications Board for Business Analysis, "Standard glossary of terms used in Software Engineering", 2011)

"A process that is intended to contribute to the overall value of an enterprise. The complex interactions between people, applications, and technologies designed to create customer value. A process is composed of activities." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"A business process is a series of steps required to execute a function that is important to an organization. Business processes include things like taking an order or setting up an account or paying a claim. In process analysis, business processes are the focus of opportunities for improvement. Organizations usually have a set of key processes that require support from other areas, like information technology." (Laura Sebastian-Coleman, "Measuring Data Quality for Ongoing Improvement ", 2012)

 "A holistic management approach for the detection, analysis, modeling, implementation, improvement and governance of the activities within or between enterprises." (Michael Fellmann et al, "Supporting Semantic Verification of Process Models", 2012)

"An activity (or set of activities) that is managed by an organization to produce some result of value to that organization, its customers, its suppliers, and/or its partners." (Graham Witt, "Writing Effective Business Rules", 2012)

"The codification of rules and practices that constitute a business." (Marcia Kaufman et al, "Big Data For Dummies", 2013)

"A coordinated set of collaborative and transactional work activities carried out to complete work steps." (Robert F Smallwood, "Information Governance: Concepts, Strategies, and Best Practices", 2014)

"The defined method for a range of activities that organizations perform. A business process can include anything from the steps needed to make a product to how a supply is ordered or how a decision is made." (Jim Davis & Aiman Zeid, "Business Transformation", 2014)

"A set of activities that teams within an organization carry out to accomplish a specific goal." (David K Pham, "From Business Strategy to Information Technology Roadmap", 2016)

"The business activities executed to deliver products or services to external customers. Business process is supported by and consumes IT-services to achieve their objectives." (by Brian Johnson & Leon-Paul de Rouw, "Collaborative Business Design", 2017)

"At its most generic, any set of activities performed by a business that is initiated by an event, transforms information, materials or business commitments, and produces an output. Value chains and large-scale business processes produce outputs that are valued by customers. Other processes generate outputs that are valued by other processes." (Appian)

Information Security: Firewall (Definitions)

"A device or program that blocks outsiders from accessing a computer connected to the Internet. Some firewalls also monitor data traffic outbound from a computer or network." (Andy Walker, "Absolute Beginner’s Guide To: Security, Spam, Spyware & Viruses", 2005)

"Software or devices that examine network traffic so that it may restrict access to network resources to unauthorized users." (Tom Petrocelli, "Data Protection and Information Lifecycle Management", 2005)

"A network security system used to monitor and restrict external and internal traffic." (Robert McCrie, "Security Operations Management" 2nd Ed., 2006)

"A firewall is part of a computer network or system that is designed to block unauthorized access over communications lines." (Michael Coles & Rodney Landrum, , "Expert SQL Server 2008 Encryption", 2008)

"A system level networking filter that restricts access based on, among other things, IP address. Firewalls form a part of an effective network security strategy. See Firewalls." (MongoDb, "Glossary", 2008)

"A piece of software that filters incoming and outgoing network traffic and stops messages that violate the rules that define allowable traffic." (Jan L Harrington, "Relational Database Design and Implementation" 3rd Ed., 2009)

"A computer system placed between the Internet and an internal subnet of an enterprise to prevent unauthorized outsiders from accessing internal data." (Paulraj Ponniah, "Data Warehousing Fundamentals for IT Professionals", 2010)

"A combination of specialized hardware and software set up to monitor traffic between an internal network and an external network (i.e. the Internet). Its primary purpose if for security and is designed to keep unauthorized outsiders from tampering with or accessing information on a networked computer system." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"Hardware and software that blocks outsiders from accessing your data and creates a secure environment for your data while permitting those with authorization, such as employees, to access information as needed." (Gina Abudi & Brandon Toropov, "The Complete Idiot's Guide to Best Practices for Small Business", 2011)

"System or group of systems that enforces an access-control policy between two networks." (Linda Volonino & Efraim Turban, "Information Technology for Management" 8th Ed., 2011)

"A device that is used to control access between two networks. Typically used when connecting a private network to the Internet as a way of protecting and securing the internal network from threats, hackers, and others. Also used when connecting two private networks (e.g., supplies, partners, etc.)." (Bill Holtsnider & Brian D Jaffe, "IT Manager's Handbook" 3rd Ed., 2012)

"A network access control system that uses rules to block or allow connections and data transmission between a private network and an untrusted network, such as the Internet." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"A form of protection that allows one network to connect to another network while maintaining some amount of protection." ( Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Software or hardware designed to control traffic. A network-based firewall is typically hardware, and it controls traffic in and out of a network. A host-based firewall is software installed on individual systems and it controls traffic in and out of individual systems." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A a network security measure designed to filter out undesirable network traffic." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"A gateway machine and its software that protects a network by filtering the traffic it allows" (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"A security barrier on your computer or network that controls what traffic is allowed to pass through." (Faithe Wempen, "Computing Fundamentals: Introduction to Computers", 2015)

"Software that blocks hackers from accessing a computer by closing unnecessary services and ports." (Faithe Wempen, "Computing Fundamentals: Introduction to Computers", 2015)

"A network device designed to selectively block unauthorized access while permitting authorized communication to devices within a subnetwork." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

Information Security: Data Leak/Loss Prevention (Definitions)

"Attempts to prevent the loss of confidentiality of sensitive information by limiting the use of confidential information only for authorized purposes." (David G Hill, "Data Protection: Governance, Risk Management, and Compliance", 2009)

"A feature that protects data on laptops by enabling file-level authentication and secure erase options in the event that a laptop is lost or stolen." (CommVault, "Documentation 11.20", 2018)

"A set of technologies and inspection techniques used to classify information content contained within an object—such as a file, an email, a packet, an application or a data store - while at rest (in storage), in use (during an operation), or in transit (across a network). DLP tools also have the ability to dynamically apply a policy—such as log, report, classify, relocate, tag, and encrypt - and/or apply enterprise data rights management protections." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"The actions that organizations take to prevent unauthorized external parties from gaining access to sensitive data." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"Data loss prevention (DLP; also known as data leak prevention) is a computer security term referring to systems that identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, and so on) and with a centralized management framework. Systems are designed to detect and prevent unauthorized use and transmission of confidential information." (Robert F Smallwood, "Information Governance for Healthcare Professionals", 2018)

 "A capability that detects and prevents violations to corporate policies regarding the use, storage, and transmission of sensitive data. Its purpose is to enforce policies to prevent unwanted dissemination of sensitive information." (Forrester)

"A systems ability to identify, monitor, and protect data in use (e.g. endpoint actions), data in motion (e.g. network actions), and data at rest (e.g. data storage) through deep packet content inspection, contextual security analysis of transaction (attributes of originator, data object, medium, timing, recipient/destination, etc.), within a centralized management framework. Data loss prevention capabilities are designed to detect and prevent the unauthorized use and transmission of NSS information." (CNSSI 4009-2015 CNSSI 1011)

"Data loss protection (DLP) describes a set of technologies and inspection techniques used to classify information content contained within an object - such as a file, email, packet, application or data store - while at rest (in storage), in use (during an operation) or in transit (across a network). DLP tools are also have the ability to dynamically apply a policy - such as log, report, classify, relocate, tag and encrypt - and/or apply enterprise data rights management protections." (Gartner)

"Data loss prevention (DLP) is a strategy for making sure that end users do not send sensitive or critical information outside the corporate network. The term is also used to describe software products that help a network administrator control what data end users can transfer." (TechTarget) [source]

"Data loss prevention (DLP) makes sure that users do not send sensitive or critical information outside the corporate network. The term describes software products that help a network administrator control the data that users can transfer." (proofpoint) [source]

Information Security: Data Breach (Definitions)

[data loss:] "Deprivation of something useful or valuable about a set of data, such as unplanned physical destruction of data or failure to preserve the confidentiality of data." (David G Hill, "Data Protection: Governance, Risk Management, and Compliance", 2009)

"The unauthorized disclosure of confidential information, notably that of identifying information about individuals." (David G Hill, "Data Protection: Governance, Risk Management, and Compliance", 2009)

"A failure of an obligation to protect against the release of secure data." (Janice M Roehl-Anderson, "IT Best Practices for Financial Managers", 2010)

"The release of secure information to an untrusted environment. Other terms for this occurrence include unintentional information disclosure, data leak, and data spill." (Craig S Mullins, "Database Administration", 2012)

"The unauthorized movement or disclosure of sensitive information to a party, usually outside the organization, that is not authorized to have or see the information." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"An incident in which sensitive, protected or confidential data has been viewed, stolen or used by an unauthorized body." (Güney Gürsel, "Patient Privacy and Security in E-Health", 2017)

[data leakage:] "The advertent or inadvertent sharing of private and/or confidential information." (Shalin Hai-Jew, "Beware!: A Multimodal Analysis of Cautionary Tales in Strategic Cybersecurity Messaging Online", 2018)

"A security incident involving unauthorized access to data." (Boaventura DaCosta & Soonhwa Seok, "Cybercrime in Online Gaming", 2020)

"An incident where information is accessed without authorization." (Nathan J Rodriguez, "Internet Privacy", 2020)

"A process where large amounts of private data, mostly about individuals, becomes illegally available to people who should not have access to the information." (Ananda Mitra & Yasmine Khosrowshahi, "The 2018 Facebook Data Controversy and Technological Alienation", 2021)

"This refers to any intentional or unintentional leak of secure or private or confidential data to any untrusted system. This is also referred to as information disclosure or data spill." (Srinivasan Vaidyanathan et al, "Challenges of Developing AI Applications in the Evolving Digital World and Recommendations to Mitigate Such Challenges: A Conceptual View", 2021) 

"When the information is stolen or used without consent of the system’s owner, the data stolen may cover confidential information like credit cards or passwords." (Kevser Z Meral, "Social Media Short Video-Sharing TikTok Application and Ethics: Data Privacy and Addiction Issues", 2021)

[data loss:] "The exposure of proprietary, sensitive, or classified information through either data theft or data leakage." (CNSSI 4009-2015)

Information Security: Data Privacy (Definitions)

"Right of an individual to participate in decisions regarding the collection, use, and disclosure of information personally identifiable to that individual." (Reima Suomi, "Telework and Data Privacy and Security", 2008)

"Current United States laws provide protection to private data, including students’ performance data. Online distance education environments need to address privacy issues though design of courses and security features built into record keeping systems." (Gregory C Sales, "Preparing Teachers to Teach Online", 2009)

"Personal data should not be automatically available to other persons or organizations. Even if data have been processed, each individual should be able to exercise his or her right to control access to data and related information." (Astrid Gesche, "Adapting to Virtual Third-Space Language Learning Futures", 2009)

"The right to have personally identifiable information not disclosed in any unauthorized manner." (David G Hill, "Data Protection: Governance, Risk Management, and Compliance", 2009)

"The limitation of data access to only those authorized to view the data." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"The legal, political, and ethical issues surrounding the collection and dissemination of data, the technology used, and the expectations of what information is shared with whom." (Jonathan Ferrar et al, "The Power of People: Learn How Successful Organizations Use Workforce Analytics To Improve Business Performance", 2017)

"A compliance program aimed at protection of personal information about any individual the company may poses." (Svetlana Snezhko & Ali Coskun, "Compliance in Sustainability Reporting", 2019)

"Data containing information about a person should be treated with special attention according to the organization’s data privacy policy and legislation." (Lili Aunimo et al, "Big Data Governance in Agile and Data-Driven Software Development: A Market Entry Case in the Educational Game Industry", 2019)

"The term refers to the confidentiality of information that one has and other parties are not allowed to share it without a consent of the data owner. Privacy is a measure of control for individuals about their personal information." (M Fevzi Esen & Eda Kocabas, "Personal Data Privacy and Protection in the Meeting, Incentive, Convention, and Exhibition (MICE) Industry", 2019)

"This term relates to the individual right to restrict access to their personal, health, political/philosophical views, religious affiliation and educational data. In the case of students, schools and districts have the responsibility to control access to student data, providing it is available only to those who play a role in the learning process and for a defined time span." (Beatriz Arnillas, "Tech-Savvy Is the New Street Smart: Balancing Protection and Awareness", 2019)

"Protection of personal privacy during data acquisition, storage, transmission, and usage." (Hemlata Gangwar, "Big Data Adoption: A Comparative Study of the Indian Manufacturing and Services Sectors", 2020)

"the protection of any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means." (James Kelly et al, "Data in the Wild: A KM Approach to Collecting Census Data Without Surveying the Population and the Issue of Data Privacy", 2020)

"A person’s right to control how much information about her/him/them is collected, used, shared by others." (Zerin M Khan, "How Do Mobile Applications for Cancer Communicate About Their Privacy Practices?: An Analysis of Privacy Policies", 2021)

"Deals defining what data may be lawfully shared with third parties, by an individual or organization." (Nikhil Padayachee & Surika Civilcharran, "Predicting Student Intention to Use Cloud Services for Educational Purposes Based on Perceived Security and Privacy", 2021)

"Is the aspect of information and communication technology that deals with the ability an organization or individual to determine what data and information in computer system can be shared with third parties." (Valerianus Hashiyana et al, "Integrated Big Data E-Healthcare Solutions to a Fragmented Health Information System in Namibia", 2021)

Information Security: Distributed Denial of Service (Definitions)

"An electronic attack perpetrated by a person who controls legions of hijacked computers. On a single command, the computers simultaneously send packets of data across the Internet at a target computer. The attack is designed to overwhelm the target and stop it from functioning." (Andy Walker, "Absolute Beginner’s Guide To: Security, Spam, Spyware & Viruses", 2005)

"A type of DoS attack in which many (usually thousands or millions) of systems flood the victim with unwanted traffic. Typically perpetrated by networks of zombie Trojans that are woken up specifically for the attack." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"A denial of service (DoS) attack that comes from multiple sources at the same time. Attackers often enlist computers into botnets after infecting them with malware. Once infected, the attacker can then direct the infected computers to attack other computers." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A denial of service technique using numerous hosts to perform the attack. For example, in a network flooding attack, a large number of co-opted computers (e.g., a botnet) send a large volume of spurious network packets to disable a specified target system. See also denial of service; botnet." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"A DoS attack in which multiple systems are used to flood servers with traffic in an attempt to overwhelm available resources (transmission capacity, memory, processing power, and so on), making them unavailable to respond to legitimate users." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"DDoS stands for distributed denial of service. In this type of an attack, an attacker tends to overwhelm the targeted network in order to make the services unavailable to the intended or legitimate user." (Kirti R Bhatele et al, "The Role of Artificial Intelligence in Cyber Security", Countering Cyber Attacks and Preserving the Integrity and Availability of Critical Systems, 2019)

"In DDoS attack, the incoming network traffic affects a target (e.g., server) from many different compromised sources. Consequently, online services are unavailable due to the attack. The target's resources are affected with different malicious network-based techniques (e.g., flood of network traffic packets)." (Ana Gavrovska & Andreja Samčović, "Intelligent Automation Using Machine and Deep Learning in Cybersecurity of Industrial IoT", 2020)

"This refers to malicious attacks or threats on computer systems to disrupt or break computing activities so that their access and availability is denied to the consumers of such systems or activities." (Heru Susanto et al, "Data Security for Connected Governments and Organisations: Managing Automation and Artificial Intelligence", 2021)

"A denial of service technique that uses numerous hosts to perform the attack." (CNSSI 4009-2015)

"A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt normal traffic on a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic." (proofpoint) [source]

Information Security: Privacy (Definitions)

"Privacy is concerned with the appropriate use of personal data based on regulation and the explicit consent of the party." (Martin Oberhofer et al, "Enterprise Master Data Management", 2008)

"Proper handling and use of personal information (PI) throughout its life cycle, consistent with data-protection principles and the preferences of the subject." (Alex Berson & Lawrence Dubov, "Master Data Management and Data Governance", 2010)

"Control of data usage dealing with the rights of individuals and organizations to determine the “who, what, when, where, and how” of data access." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed, 2011)

"Keeping information as a secret, known only to the originators of that information. This contrasts with confidentiality, in which information is shared among a select group of recipients. See also confidentiality." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"Control of data usage dealing with the rights of individuals and organizations to determine the “who, what, when, where, and how” of data access." (Carlos Coronel & Steven Morris, "Database Systems: Design, Implementation, & Management" 11th  Ed.", 2014)

"The ability of a person to keep personal information to himself or herself." (Jason Williamson, "Getting a Big Data Job For Dummies", 2015)

"The protection of individual rights to nondisclosure." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web" 2nd Ed., 2015)

"The right of individuals to control or influence what information related to them may be collected and stored and by whom, as well as to whom that information may be disclosed." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

 "The right of individuals to a private life includes a right not to have personal information about themselves made public. A right to privacy is recognised by the Universal Declaration of Human Rights and the European Convention on Human Rights. See data protection legislation." (Open Data Handbook)

"to seclude certain data /information about oneself that is deemed personal." (Analytics Insight)

Information Security: Denial of Service (Definitions)

"A type of attack on a computer system that ties up critical system resources, making the system temporarily unusable." (Tom Petrocelli, "Data Protection and Information Lifecycle Management", 2005)

"Any attack that affects the availability of a service. Reliability bugs that cause a service to crash or hang are usually potential denial-of-service problems." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"This is a technique for overloading an IT system with a malicious workload, effectively preventing its regular service use." (Martin Oberhofer et al, "The Art of Enterprise Information Architecture", 2010)

"Occurs when a server or Web site receives a flood of traffic - much more traffic or requests for service than it can handle, causing it to crash." (Linda Volonino & Efraim Turban, "Information Technology for Management 8th Ed", 2011)

"Causing an information resource to be partially or completely unable to process requests. This is usually accomplished by flooding the resource with more requests than it can handle, thereby rendering it incapable of providing normal levels of service." (Mark Rhodes-Ousley, "Information Security: The Complete Reference, Second Edition" 2nd Ed., 2013)

"Attacks designed to disable a resource such as a server, network, or any other service provided by the company. If the attack is successful, the resource is no longer available to legitimate users." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"An attack from a single attacker designed to disrupt or disable the services provided by an IT system. Compare to distributed denial of service (DDoS)." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"A coordinated attack in which the target website or service is flooded with requests for access, to the point that it is completely overwhelmed." (Faithe Wempen, "Computing Fundamentals: Introduction to Computers", 2015)

"An attack that can result in decreased availability of the targeted system." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web" 2nd Ed., 2015)

"An attack that generally floods a network with traffic. A successful DoS attack renders the network unusable and effectively stops the victim organization’s ability to conduct business." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"A type of cyberattack to degrade the availability of a target system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"Any action, or series of actions, that prevents a system, or its resources, from functioning in accordance with its intended purpose." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"The prevention of authorized access to resources or the delaying of time-critical operations." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"An attack shutting down running of a service or network in order to render it inaccessible to its users (whether human person or a processing device)." (Wissam Abbass et al, "Internet of Things Application for Intelligent Cities: Security Risk Assessment Challenges", 2021)

"Actions that prevent the NE from functioning in accordance with its intended purpose. A piece of equipment or entity may be rendered inoperable or forced to operate in a degraded state; operations that depend on timeliness may be delayed." (NIST SP 800-13)

"The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided)." (NIST SP 800-12 Rev. 1)

"The prevention of authorized access to a system resource or the delaying of system operations and functions." (NIST SP 800-82 Rev. 2)

Information Security: Cybersecurity (Definitions)

 "The art of ensuring the existence and continuity of the Information Society of a nation, guaranteeing and protecting, in Cyberspace, its information assets and critical infrastructure." (Claudia Canongia & Raphael Mandarino, "Cybersecurity: The New Challenge of the Information Society", 2012)

"The act of protecting technology, information, and networks from attacks." (Jason Williamson, "Getting a Big Data Job For Dummies", 2015)

"The practice of protecting computers and electronic communication systems as well as the associated information." (Weiss, "Auditing IT Infrastructures for Compliance" 2nd Ed., 2015)

"Cybersecurity deals with damage to, unauthorized use of, exploitation of electronic information and communications systems that ensure confidentiality, integrity and availability." (Sanjukta Pookulangara, "Cybersecurity: What Matters to Consumers - An Exploratory Study", 2016)

"Focuses on protecting computers, networks, programs and data from unintended or unauthorized access, change or destruction." (Kimberly Lukin, "Russian Cyberwarfare Taxonomy and Cybersecurity Contradictions between Russia and EU", 2016)

"The activity or process, ability or capability, or state whereby information and communications systems and the information contained therein are protected from and/or defended against damage, unauthorized use or modification, or exploitation." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"The ability to protect against the unauthorized use of electronic data and malicious activity. This electronic data can be personal customer information such as names, addresses, social security numbers, credit cards, and debit cards, to name a few." (Brittany Bullard, "Style and Statistics", 2016)

"A trustworthiness property concerned with the protection of systems from cyberattacks." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"Information security (infosec) but broadly referring to technology and human systems that are built around the secure exchange, storage, and management of information." (Shalin Hai-Jew, "Safe Distances: Online and RL Hyper-Personal Relationships as Potential Attack Surfaces", 2018)

"Is defined as the collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment, organization, and user assets." (Thokozani I Nzimakwe, "Government's Dynamic Approach to Addressing Challenges of Cybersecurity in South Africa", 2018)

"Protection against criminal access to one’s data and information and against criminal manipulation of computer networks/data/systems." (Shalin Hai-Jew, "Beware!: A Multimodal Analysis of Cautionary Tales in Strategic Cybersecurity Messaging Online", 2018)

"The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance, and technologies that can be used to protect the cyberspace environment and organization and users’ assets." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"The organization and collection of resources, processes, and structures used to protect cyberspace from occurrences that misalign de jure from de facto property rights." (Mika Westerlund et al, "A Three-Vector Approach to Blind Spots in Cybersecurity", 2018)

"A computing-based discipline involving technology, people, information, and processes to enable assured operations. It involves the creation, operation, analysis, and testing of secure computer systems. It is an interdisciplinary course of study, including aspects of law, policy, human factors, ethics, and risk management in the context of adversaries." (Matt Bishop et al, "Cybersecurity Curricular Guidelines", 2019)

"Acts taken, technologies created and deployed, policies written and enacted, to protect computer systems and networks against misuse, intrusion, and exploitation." (Shalin Hai-Jew, "The Electronic Hive Mind and Cybersecurity: Mass-Scale Human Cognitive Limits to Explain the “Weakest Link” in Cybersecurity", 2019)

"Also known as computer security or IT security, is the protection of computer systems from the theft or damage to the hardware, software or the information on them, as well as from disruption or misdirection of the services they provide." (Soraya Sedkaoui, "Big Data Analytics for Entrepreneurial Success", 2019)

"Includes process, procedures, technologies, and controls designed to protect systems, networks, and data." (Sandra Blanke et al, "How Can a Cybersecurity Student Become a Cybersecurity Professional and Succeed in a Cybersecurity Career?", 2019)

"The protection of computer systems from theft and damage to their assets and from manipulation and distraction of their services." (Viacheslav Izosimov & Martin Törngren, "Security Awareness in the Internet of Everything", 2019)

"The protection of internet-connected systems including hardware, software, and data from cyberattacks."  (Semra Birgün & Zeynep Altan, "A Managerial Perspective for the Software Development Process: Achieving Software Product Quality by the Theory of Constraints", 2019)

"Cybersecurity is seen where security alerts and cyber-attacks are becoming more frequent and malicious, these threats include private access attempts and exploitation software or phishing, malware, web application attacks, and network penetration." (Theunis G Pelser & Garth Gaffley, "Implications of Digital Transformation on the Strategy Development Process for Business Leaders", 2020)

"Is the protection of internet-connected systems, including hardware, software and data, from cyberattacks. In a computing context, security comprises cybersecurity and physical security - both are used by enterprises to protect against unauthorized access to data centers and other computerized systems." (Alexander A Filatov, "Sovereign Bureaucrats vs. Global Tech Companies: Ethical and Regulatory Challenges", 2020)

"It is a general term which describes technologies, processes, methods, and practices for the purpose of protection of internet-connected information systems from attacks, i.e., cyberattacks. Cybersecurity can refer to security of data, software or hardware within information systems." (Ana Gavrovska & Andreja Samčović, "Intelligent Automation Using Machine and Deep Learning in Cybersecurity of Industrial IoT: CCTV Security and DDoS Attack Detection", 2020)

"Cybersecurity is an act to protect data, devices, applications, servers, network from the malicious attack through various tools and techniques. The process also ensures the confidentiality, integrity, availability, and non-repudiation of the content." (Shafali Agarwal, "Preserving Information Security Using Fractal-Based Cryptosystem", 2021)

"Cybersecurity refers to the set of technologies, processes, and practices designed to safeguard networks, devices, programs, and data from attack, threats, or unauthorized access." (Sanjeev Rao et al, "Online Social Networks Misuse, Cyber Crimes, and Counter Mechanisms", 2021)

"It is the organization and collection of resources, processes, and structures used to protect cyberspace from security events." (Carlos A M S Teles et al, "A Black-Box Framework for Malicious Traffic Detection in ICT Environments", Handbook of Research on Cyber Crime and Information Privacy, 2021)

"Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation." (CNSSI 4009-2015)

"The ability to protect or defend the use of cyberspace from cyber attacks." (NISTIR 8170)

"The prevention of damage to, unauthorized use of, exploitation of, and - if needed - the restoration of electronic information and communications systems, and the information they contain, in order to strengthen the confidentiality, integrity and availability of these systems." (NISTIR 8074 Vol. 2)

"The process of protecting information by preventing, detecting, and responding to attacks." (NISTIR 8183)

Information Security: Attack Surface (Definitions)

"The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to, user input fields, protocols, interfaces, and services." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"The total vulnerabilities of a system that can be exploited by an attacker." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"Components available to be used by an attacker against the product itself." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The avenues of attack that are available to an attacker by virtue of those avenues being exposed in some manner." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"The reachable and exploitable vulnerabilities in a system." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

 "The sum of all externally addressable vulnerabilities within an environment or system." (Forrester)

Information Security: Attack (Definitions)

[active attack:] "Any network-based attack other than simple eavesdropping (i.e., a passive attack)." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"Unauthorized activity with malicious intent that uses specially crafted code or techniques." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"An attempt to destroy, expose, alter, disable, steal or gain unauthorised access to or make unauthorised use of an asset," (David Sutton, "Information Risk Management: A practitioner’s guide", 2014)

[active attack:] "Attack where the attacker does interact with processing or communication activities." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

[passive attack:] "Attack where the attacker does not interact with processing or communication activities, but only carries out observation and data collection, as in network sniffing." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity." (Olivera Injac & Ramo Šendelj, "National Security Policy and Strategy and Cyber Security Risks", 2016)

"A sequence of actions intended to have a specified effect favorable to an actor that is adversarial to the owners of that system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"An attempt to bypass security controls in a system with the mission of using that system or compromising it. An attack is usually accomplished by exploiting a current vulnerability." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed., 2018)

"Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or information itself." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

"an aggressive action against a person, an organisation or an asset intended to cause damage or loss." (ISO/IEC 27000:2014)

Information Security: Digital Signature (Definitions)

"A form of electronic authentication of a digital document. Digital signatures are created and verified using public key cryptography and serve to tie the document being signed to the signer." (J P Getty Trust, "Introduction to Metadata" 2nd Ed., 2008)

"Data which proves that a document, message, or other piece of data was not modified since being processed and sent from a particular party." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"cryptographic transformations of data that allow a recipient of the data to prove the source (non-repudiation) and integrity of the data." (Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Data that is appended to a message, made from the message itself and the sender’s private key, to ensure the authenticity of the message" (Nell Dale & John Lewis, "Computer Science Illuminated" 6th Ed., 2015)

"Ensuring the authenticity and integrity of a message through the use of hashing algorithms and asymmetric algorithms. The message digest is encrypted with the sender’s private key." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"A means of authenticating that a message or data came from a particular source with a known system identity." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"An electronic signature based upon cryptographic methods of originator authentication, computed by using a set of rules and a set of parameters such that the identity of the signer and the integrity of the data can be verified." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide, 8th Ed", 2018)

"An encrypted means of identification that cannot be forged and that enables clients to validate servers and vice versa." (Microfocus)

"The combination of the private key, public key, message and hashing generates a digital signature. A digital signature is unique for every transaction and is a way to prove that the originator of the message has access to the private key." (AICPA)

Information Security: Brute-Force Attack (Definitions)

"A brute force attack attempts to defeat a cryptographic algorithm by trying a large number of possibilities. A brute force attack on a cipher might include trying a large number of keys in the key space to decrypt a message. Brute force attack is the most inefficient method of attacking a cipher, and most cryptanalysis is concerned with finding more efficient means of defeating ciphers." (Michael Coles & Rodney Landrum, , "Expert SQL Server 2008 Encryption", 2008)

"An attack on an encryption algorithm in which the encryption key for ciphertext is determined by trying to decrypt with every key until valid plaintext is obtained." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"A method used for breaking encryption systems. Brute-force methodology entails trying all the possible keys until the proper one is found." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"A method by which a hacker tries to gain access to an account on the target system by trying to “guess” the correct password." ( Manish Agrawal, "Information Security and IT Risk Management", 2014)

"Involves programs designed to guess at every possible combination until the password or key is cracked." (Mike Harwood, "Internet Security: How to Defend Against Attackers on the Web 2nd Ed.", 2015)

"An attack that continually tries different inputs to achieve a predefined goal, which can be used to obtain credentials for unauthorized access." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide" 8th Ed, 2018)

Information Security: Cybercrime (Definitions)

 "A variety of offenses related to information technology, including extortion, boiler-room investment and gambling fraud, and fraudulent transfers of funds." (Robert McCrie, "Security Operations Management" 2nd Ed., 2006)

"Any type of crime that targets computers, or uses computer networks or devices, and violates existing laws. Cybercrime includes cyber vandalism, cyber theft, and cyber-attacks." (Darril Gibson, "Effective Help Desk Specialist Skills", 2014)

"Any crime that is facilitated through the use of computers and networks. This can include crimes that are dependent on computers or networks in order to take place, as well as those whose impact and reach are increased by their use." (Hamid R Arabnia et al, "Application of Big Data for National Security", 2015)

"Cybercrime is defined as any illegal activity that uses a computer either as the object of the crime OR as a tool to commit an offense." (Sanjukta Pookulangara, "Cybersecurity: What Matters to Consumers - An Exploratory Study", 2016)

"Any crime that is facilitated or committed using a computer, network, or hardware device." (Anisha B D Gani & Yudi Fernando, "Concept and Practices of Cyber Supply Chain in Manufacturing Context", 2018)

"Is all illegal acts, the commission of which involves the use of information and communication technologies. It is generally thought of as any criminal activity involving a computer system."  (Thokozani I Nzimakwe, "Government's Dynamic Approach to Addressing Challenges of Cybersecurity in South Africa", 2018)

"Any criminal action perpetrated primarily through the use of a computer." (Christopher T Anglim, "Cybersecurity Legislation", 2020)

"Criminal activity involving computer systems, networks, and/or the internet." (Boaventura DaCosta & Soonhwa Seok, "Cybercrime in Online Gaming", 2020)

Information Security: Access Control Lists (Definitions)

"In Windows-based systems, a list of access control entries (ACE) that apply to an entire object, a set of the object's properties, or an individual property of an object, and that define the access granted to one or more security principals." (Microsoft, "SQL Server 2012 Glossary", 2012)

"An electronic list that specifies who can do what with an object. For example, an ACL on a file specifies who can read, write, execute, delete, and otherwise manipulate the file." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"a list of permissions attached to specified objects. Often abbreviated as ACL." ( Manish Agrawal, "Information Security and IT Risk Management", 2014)

"In systems such as electronic records management, electronic document and records management systems, or document management systems, a list of individuals authorized to access, view, amend, transfer, or delete documents, records, or files. Access rights are enforced through software controls." (Robert F Smallwood, "Information Governance: Concepts, Strategies, and Best Practices", 2014)

"A list of credentials attached to a resource that indicates who has authorized access to that resource." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"A data structure that enumerates the access rights for all active entities (e.g., users) within a system." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"A list of subjects that are authorized to access a particular object. Typically, the types of access are read, write, execute, append, modify, delete, and create." (Shon Harris & Fernando Maymi, "CISSP All-in-One Exam Guide, 8th Ed", 2018)

"Lists of permissions that define which users or groups can access an object." (Weiss, "Auditing IT Infrastructures for Compliance, 2nd Ed", 2015)

Information Security: Attack Surface (Definitions)

"The attack surface of a software environment is the code within a computer system that can be run by unauthenticated users. This includes, but is not limited to, user input fields, protocols, interfaces, and services." (Mark S Merkow & Lakshmikanth Raghavan, "Secure and Resilient Software Development", 2010)

"The total vulnerabilities of a system that can be exploited by an attacker." (Mark Rhodes-Ousley, "Information Security: The Complete Reference" 2nd Ed., 2013)

"Components available to be used by an attacker against the product itself." (Adam Gordon, "Official (ISC)2 Guide to the CISSP CBK" 4th Ed., 2015)

"The avenues of attack that are available to an attacker by virtue of those avenues being exposed in some manner." (O Sami Saydjari, "Engineering Trustworthy Systems: Get Cybersecurity Design Right the First Time", 2018)

"The reachable and exploitable vulnerabilities in a system." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

 "The totality of different attack vectors through which cyber compromises may occur." (Shalin Hai-Jew, "Safe Distances: Online and RL Hyper-Personal Relationships as Potential Attack Surfaces", 2018)

"The sum of all externally addressable vulnerabilities within an environment or system." (Forrester)