Earlier this week I needed to do some research on cyber risk terminology. It’s an area I’m familiar with after years of working on cyber risk assessments, book reading, and certification study. But … I was in a discussion with a group of people from different teams and very quickly we saw that there was some healthy debate about the definitions of several of the terms used.
One of my follow-up actions was to get a list of cyber risk terms together to talk around at the next meeting and give us clarity on those as the meetings moved forward. I asked three AI apps for help on this - ChatGPT 4o, Claude 3.5 Sonnet, and Gemini 1.5 Pro.
My first prompt asked them to find good sources for cyber risk terminology:
Please list some sources for a glossary of cyber risk terminology - defining and distinguishing between terms like threat, vulnerability, risk, inherent risk, residual risk
My follow-up prompt asked them to use those sources to create a glossary of cyber risk terms:
Please create a glossary for me using those sources
The short story is that ChatGPT and Claude offered very good results - citing good, relevant sources and creating good, usable glossaries. I’m sad to say this is another occasion where Gemini was decent but not as good as its rivals. Its list of sources was very short and nowhere near as good as ChatGPT and Claude’s - once again, ironic to make this sort of point about the AI app built by the people who bring us the world’s leading web search product.
Anyway, on to the good stuff, the responses from ChatGPT and Claude. They both leveraged top sources. They had these in common and each had a couple that differed from the other:
ISACA
FAIR
ITIL
ISC(2)
SANS
NIST
ISO/IEC 27000 series
The glossary I asked each of the apps to create is the real end product here. ChatGPT and Claude both provided great results here. It would be tough to say one was better than the other, so I will most likely end up sharing both.
The inline citing of its source for each term is what I like best about ChatGPT’s glossary. Here is a slice of that:
Threat
Definition: A potential cause of an unwanted incident, which may result in harm to a system or organization.
Source: NIST SP 800-30, ISO/IEC 27005
Example: Malware, insider threats, natural disasters.
Vulnerability
Definition: A weakness in a system, process, or control that could be exploited by a threat.
Source: NIST SP 800-30, OWASP Glossary
Example: Unpatched software, misconfigured firewalls.
Risk
Definition: The potential for loss or harm due to a threat exploiting a vulnerability, considering the likelihood and impact.
Source: NIST SP 800-37, FAIR Institute
Formula: Risk = Threat × Vulnerability × Impact
Inherent Risk
Definition: The level of risk present before any controls or mitigating actions are applied.
Source: ISO/IEC 27005, FAIR Institute
Example: A system exposed directly to the internet without any security measures.
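To make the distinction between these terms concrete, here is an added worked example. It is mine, not part of the original post and not output from any of the three apps: a small risk-register entry that scores a scenario with the "Threat × Vulnerability × Impact" heuristic from the glossary above and then shows how inherent risk becomes residual risk once controls are applied. The 1-5 scales, the model in which each control scales either the vulnerability factor or the impact factor, and the rating bands are all assumptions for illustration, not taken from NIST, ISO or FAIR (FAIR itself factors risk as loss event frequency times loss magnitude rather than the three-way product). The ransomware scenario is constructed sample data.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed qualitative 1-5 scales for threat likelihood, vulnerability
# severity and impact. Swap in your own methodology's scales as needed.
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass
class Control:
    """A mitigating control. Assumed model: a control reduces exactly one
    factor (the vulnerability or the impact) by a fraction 'effectiveness'."""
    name: str
    reduces: str          # "vulnerability" or "impact"
    effectiveness: float  # 0.0 (useless) .. 1.0 (eliminates the factor)

    def __post_init__(self):
        if self.reduces not in ("vulnerability", "impact"):
            raise ValueError(f"unknown control target: {self.reduces}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


@dataclass
class Scenario:
    """One row of a risk register: a threat exploiting a vulnerability."""
    threat: str
    threat_likelihood: int
    vulnerability: str
    vulnerability_severity: int
    impact: int
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self):
        for v in (self.threat_likelihood, self.vulnerability_severity, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError(f"score {v} outside {SCALE_MIN}-{SCALE_MAX}")

    def inherent_risk(self) -> float:
        """Risk before any control is applied: Threat x Vulnerability x Impact."""
        return float(self.threat_likelihood * self.vulnerability_severity * self.impact)

    def residual_risk(self) -> float:
        """Risk left after controls. Each control scales the factor it targets
        by (1 - effectiveness); several controls on one factor compound.
        The threat likelihood is untouched: controls change exposure, not
        whether the threat exists."""
        vuln = float(self.vulnerability_severity)
        impact = float(self.impact)
        for c in self.controls:
            if c.reduces == "vulnerability":
                vuln *= 1.0 - c.effectiveness
            else:
                impact *= 1.0 - c.effectiveness
        return self.threat_likelihood * vuln * impact


def rating(score: float) -> str:
    """Map a 1-125 score to a band. Thresholds are assumed, not from a standard."""
    if score >= 80:
        return "Critical"
    if score >= 40:
        return "High"
    if score >= 15:
        return "Medium"
    return "Low"


def register_row(s: Scenario) -> dict:
    """Render a scenario as the fields a risk register would show."""
    inherent = s.inherent_risk()
    residual = s.residual_risk()
    return {
        "threat": s.threat,
        "vulnerability": s.vulnerability,
        "inherent": inherent,
        "inherent_rating": rating(inherent),
        "residual": residual,
        "residual_rating": rating(residual),
    }


# Constructed sample entry (not real data): a ransomware operator against an
# unpatched, internet-facing VPN appliance, with two controls in place.
RANSOMWARE = Scenario(
    threat="Ransomware operator",
    threat_likelihood=4,
    vulnerability="Unpatched internet-facing VPN appliance",
    vulnerability_severity=5,
    impact=5,
    controls=[
        Control("Patch within 7 days of vendor advisory", "vulnerability", 0.8),
        Control("Offline, tested backups", "impact", 0.5),
    ],
)

if __name__ == "__main__":
    print(register_row(RANSOMWARE))
```

Run it directly to print the register row. The sample entry scores 100 (Critical) as inherent risk and 10 (Low) as residual risk; that gap is exactly what the inherent/residual distinction is meant to make visible, and it is why a register that records only one of the two numbers leaves reviewers arguing about which one they are looking at.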
Claude’s response stands out in part because it created category sections within its glossary, for: core risk concepts, threat-related terms, vulnerability-related terms, control-related terms, assessment terms, and impact terms. Here’s the threat-related terms section:
Threat
Any circumstance or event with the potential to adversely impact organizational operations, assets, individuals, or other organizations through a system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.
Threat Actor
An individual, group, organization, or nation-state that conducts or has the intent to conduct detrimental activities against an organization's security objectives.
Threat Vector
The path or means by which a threat actor can gain access to a target system or network with the intent to cause harm.
Advanced Persistent Threat (APT)
A sophisticated threat actor, typically a nation-state or state-sponsored group, that gains and maintains unauthorized access to a network while evading detection.
This took about 15 minutes of interaction with the three AI apps. Light years faster than this would have been in the dark ages of web search. This is a simple example (with a topic that’s not rocket science) of how much more efficient we can be when we get some help from AI tools.
If you happen to like this sort of thing :), here are a couple more Asking AI posts: