Cybersecurity Terminology in Layman’s Terms

By Bill Bernard, VP, Security & Content Strategy

Estimated Reading Time: 6 minutes

The topic of cybersecurity is much like an iceberg — the basics are generally known, but more detail and complexity lie beneath the surface. People generally know that they should not click on phishing emails, but when it comes to understanding the malware that those emails are trying to dump on their computers, the complexity of the situation skyrockets. 

Combine this with advanced technology like AI and/or just simply looking into the back end of a computer, and many people will throw up their hands in defeat and say, “I don’t get it.” While not everyone needs to know everything about the ins and outs of cybersecurity, we believe it’s important that everyone has a basic foundation of its key parts to help protect them from accidentally opening up a backdoor for attacks. 

What common terms are used in cybersecurity terminology?

Cybersecurity terminology is full of acronyms and jargon. Knowing some ground floor terms can help make sense of the tangle of technical words. 

APT (Advanced Persistent Threat)

This is an attack in which unauthorized entities (typically a nation-state or state-sponsored group) gain access to an organization through either malware or phishing, and that once inside, have access to files, emails, assets and data. What makes an APT different from many other attacks is that this type of attack is intended to be both stealthy and remain effective in the environment for long periods of time. If left undetected for weeks, months or even years, attackers can gain a significant amount of data on a company to use for malicious purposes. 

Read more: Managed Detection and Response


An acronym for confidentiality, integrity and availability, the CIA triad is a concept used by cybersecurity professionals to model and prioritize their efforts. It manages the tug of war between keeping data intact, untouched and ready for use for those who need it while preventing unauthorized user access.


The Cloud is, at its core, the virtual storage and processing place of data. Cloud computing is the delivery of that data from storage to the user. Cloud security is the protection of data, servers, etc. stored in virtual and remote locations from theft, alteration and unauthorized access. 

DDoS (Distributed Denial-of-Service)

DDoS is an attack that attempts to disrupt the normal traffic of a server, service or network by flooding it with increased traffic from multiple sources to ultimately crash or stall it. Often, this is carried out through control of malware infected devices around the Internet and controlled by a group who rents out this “bot herd” to people who wish to use it to perform this kind of attack. 

Identity and Access Management (IAM)

IAM is a set of policies, processes and tools an organization uses to match people with access levels in regard to company assets, data and technical resources. This can involve authorizing and authenticating identities to access both software and hardware and can be applied to employees and customers. 

Read more: Managed Endpoint Detection and Response 

Incident vs Event vs Alert 

A security event refers to the security-impacting activity that occurred. Alerts are the notifications — often found in logs or derived from analysis and a correlation of logs —  a system sends to inform IT and IS teams of the event. Incidents are high-impact security events that have a significant negative impact on a business as a whole and require significant effort to identify, mitigate and remediate. An event may be irregular and/or minor but does not seriously impact a business, or an event could be highly disruptive and possibly cause a loss of revenue, making it an incident. 

Incident Response (IR)

Incident Response occurs when an incident has been identified and must be addressed. Often times incident response requires a specialized team to resolve and can include both technical and business-level activities. The goal of IR is to reduce costs and damage caused by the attack. Identifying the cause of the attack is key in IR as it helps prepare a system to defend itself from similar attacks in the future. 

Incident Response Plan (IRP) 

An Incident Response Plan refers to the set of policies and actions taken to limit, respond and manage a security incident. This plan may be limited to technical activities and resources, but more mature plans also take into account legal, compliance and public relations concerns and requirements.

Insider Threat

An insider threat is a security risk that comes from inside an organization, either from current or former employees, consultants, partners or board members. An insider threat is classified as such when deliberate action is taken by an individual to do harm to their organization. Accidental policy violations are not considered insider threats. 

Machine Learning

Machine learning is the use of artificial intelligence (AI) to help security systems process vast amounts of data and learn from that data. Machine learning involves access to large quantities of data — often far more than the 90 days worth of security logs held in SIEM systems — and advanced mathematical theory employed by data scientists and other professionals. This is a very advanced toolset used in security, and it looks for the patterns and outliers that identify security issues not readily visible through other tools or by other professionals, such as threat hunters. Patterns can be identified and defenses can be put up across the security infrastructure for more proactive threat prevention. 

Multi-Factor Authentication (MFA)

Multi-factor authentication is authentication that relies on more than one authentication factor, which makes impersonating someone at the time of login much harder to do. There are only three recognized authentication factors:

  • Something you know — like a password, PIN, or the answer to a security question
  • Something you have — like a physical token, a signed certificate or a virtual token attached to your cell phone
  • Something you are — which covers biometrics like fingerprints, retinal scans or even the “unlock with your face” function on smart-phones and computers

When you need to use more than one of these factors (like a password AND a token) that is MFA. Using two examples from one factor (password and a security question) is NOT MFA.


This is a method in which fraudulent email messages are sent under the guise of a trustworthy person with the goal of obtaining information such as login information, credit card information or company data. Some phishing attempts can also set the groundwork for malware by asking users to click on links or download attachments. 

Where can I learn more about terms used in cybersecurity?

Cybersecurity is a quickly evolving industry that changes daily. Here are a few resources you can use to check current usage of terms and to get acquainted with new words or concepts as they are added and developed. 

Apply these terms to your cybersecurity setup

Knowing what all these words mean doesn’t help you much if you don’t use them. At Deepwatch, our experts keep themselves up to date on the latest developments in the cybersecurity industry, so they know every acronym, are familiar with every daring new concept and recognize which threats have evolved into something new. 

When you’re ready to take your business’s cybersecurity up a notch, we’ll be here. Contact us to put these words into action. 


Bill Bernard, VP, Security & Content Strategy

Bill Bernard is a seasoned security expert with 20+ years of experience collaborating with customers to select and deploy the right security solutions for their business. Bill has held various solutions architecture roles throughout his career and holds a variety of security certifications including CISSP, CIPP-E and CIPM.

Read Posts


LinkedIn Twitter YouTube

Subscribe to the Deepwatch Insights Blog