Online Safety and Cybersecurity Glossary
This page covers the standardized terminology used across the online safety and cybersecurity service sectors in the United States. Definitions here draw from authoritative public sources including the National Institute of Standards and Technology (NIST), the Cybersecurity and Infrastructure Security Agency (CISA), and the Committee on National Security Systems (CNSS). Precise terminology is the foundation for regulatory compliance, incident response coordination, and professional licensing — imprecision in this vocabulary carries measurable operational and legal risk.
Definition and scope
Cybersecurity terminology operates within a structured definitional ecosystem maintained by federal standards bodies, not through informal consensus. NIST Special Publication 800-53, Revision 5 provides the canonical control catalog used across federal agencies and widely adopted in private-sector compliance frameworks. The CNSS Instruction 4009 maintains the national-level glossary for information assurance and cybersecurity terms used in classified and unclassified government contexts.
Core definitional distinctions:
- Cybersecurity — Defined by NIST as "the ability to protect or defend the use of cyberspace from cyber attacks."
- Online safety — Broader in scope than cybersecurity; encompasses behavioral risks (e.g., harassment, exploitation, misinformation) alongside technical threats.
- Information security (infosec) — Focused on the confidentiality, integrity, and availability (CIA triad) of information assets, independent of medium.
- Information assurance (IA) — Includes infosec but extends to risk management and operational reliability; used predominantly in defense and government contexts.
The boundary between cybersecurity and online safety is codified differently across regulatory frameworks. The Children's Online Privacy Protection Act (COPPA), enforced by the Federal Trade Commission (FTC), addresses online safety for minors through a privacy and consent lens, not a technical security lens. This distinction shapes how service providers, attorneys, and compliance officers navigate sector-specific obligations. The Online Safety Listings on this domain reflect that regulatory bifurcation.
How it works
Standardized glossaries function as normative references — meaning compliance frameworks, contracts, and incident reports are interpreted against their definitions. A term like "breach" carries distinct legal weight under different statutory frameworks:
- HIPAA Breach — Defined under 45 CFR §164.402 as an impermissible acquisition, access, use, or disclosure of protected health information (PHI). Notification is required within 60 days of discovery for breaches affecting 500 or more individuals.
- State Law Data Breach — All 50 U.S. states have enacted their own breach notification statutes, each with varying trigger definitions, timeframes, and covered data categories. California's notification standard, set under California Civil Code §1798.82, is among the most expansive.
- Federal Breach Reporting (CIRCIA) — The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates that covered entities report significant cyber incidents to CISA within 72 hours and ransomware payments within 24 hours.
The operational impact of these distinctions is that a single incident can trigger parallel obligations under federal and state frameworks simultaneously. Practitioners consult the NIST Cybersecurity Framework (CSF) 2.0 for a unified process architecture — organized across six functions: Govern, Identify, Protect, Detect, Respond, and Recover. The purpose and scope of this directory reflect this layered regulatory structure.
Common scenarios
Terminology confusion most frequently surfaces in four operational contexts:
Vulnerability vs. Threat vs. Risk
These three terms are frequently conflated in non-technical communications. Per NIST SP 800-30:
- Vulnerability — A weakness in an information system or its environment.
- Threat — Any circumstance or event with the potential to adversely impact operations through unauthorized access, destruction, or disclosure.
- Risk — The probability that a threat will exploit a vulnerability, combined with the resulting impact magnitude.
Authentication vs. Authorization
Authentication verifies identity; authorization determines access privileges. NIST SP 800-63 governs digital identity guidelines for federal systems, establishing assurance levels (IAL, AAL, FAL) that structure how identity proofing and authentication strength are calibrated.
Encryption vs. Hashing
Encryption is a reversible transformation requiring a key; hashing is a one-way function producing a fixed-length digest. Confusing the two creates compliance failures — for instance, storing passwords as encrypted values rather than salted hashes violates modern security baselines such as those described in NIST SP 800-63B.
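As an added illustration (not part of this glossary or of any cited standard), the following Python shows the two properties the paragraph contrasts: a keyed transformation that the key reverses, and a salted one-way digest of fixed length that can only be verified by recomputing it. The XOR step is a stand-in for a real cipher, chosen only to show reversibility, and the iteration count is an assumed value.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Stand-in for a real cipher: XOR with a random key of equal length is
# reversible with the key, which is the only property demonstrated here.
def encrypt_xor(key: bytes, plaintext: bytes) -> bytes:
    assert len(key) >= len(plaintext), "key must cover the plaintext"
    return bytes(p ^ k for p, k in zip(plaintext, key))

def decrypt_xor(key: bytes, ciphertext: bytes) -> bytes:
    return encrypt_xor(key, ciphertext)  # XOR is its own inverse

# Salted one-way hashing of a memorized secret (the pattern NIST SP 800-63B
# calls for). The iteration count is an assumed value; tune it to your budget.
PBKDF2_ITERATIONS = 100_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """There is no inverse: verification recomputes with the stored salt."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)  # constant-time compare

def demo() -> dict:
    pw = b"correct horse battery staple"  # constructed sample secret
    key = os.urandom(len(pw))
    ct = encrypt_xor(key, pw)
    salt, digest = hash_password(pw.decode())
    _, digest_other_salt = hash_password(pw.decode())  # different random salt
    return {
        "encryption_reversible": decrypt_xor(key, ct) == pw,   # key recovers plaintext
        "digest_len": len(digest),                             # fixed 32 bytes for SHA-256
        "salt_makes_digest_unique": digest != digest_other_salt,
        "verify_ok": verify_password(pw.decode(), salt, digest),
        "verify_wrong": verify_password("wrong", salt, digest),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The reversible branch is exactly why encrypted password storage fails the baseline: whoever holds the key holds every password, whereas the salted digest yields nothing without guessing.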
Phishing vs. Spear Phishing vs. Whaling
All three are social engineering vectors, but differ in targeting scope. Generic phishing casts a wide net; spear phishing targets a defined individual or organization; whaling specifically targets senior executives. CISA's Phishing Guidance distinguishes these vectors for incident classification purposes.
Decision boundaries
Selecting applicable terminology depends on regulatory jurisdiction, incident type, and professional role. Key decision boundaries include:
- Regulatory jurisdiction: HIPAA governs healthcare data; FERPA governs educational records; GLBA governs financial institutions. Each statute uses distinct security vocabulary.
- Sector vs. general applicability: NIST CSF is sector-agnostic; NIST SP 800-171 applies specifically to Controlled Unclassified Information (CUI) in non-federal systems.
- Civil vs. criminal framing: The Computer Fraud and Abuse Act (18 U.S.C. § 1030) defines "unauthorized access" for criminal prosecution purposes — a narrower standard than civil privacy frameworks use.
- Professional role applicability: Attorneys, forensic examiners, and IT administrators operate under different obligations when applying these terms in incident documentation. Practitioners navigating professional licensing contexts can reference the How to Use This Online Safety Resource page for directory-specific guidance.
References
- NIST SP 800-53, Rev. 5 — Security and Privacy Controls for Information Systems
- NIST Cybersecurity Framework (CSF) 2.0
- NIST SP 800-30 Rev. 1 — Guide for Conducting Risk Assessments
- NIST SP 800-63-3 — Digital Identity Guidelines
- CISA — Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA)
- CISA — Phishing Guidance
- FTC — Children's Online Privacy Protection Rule (COPPA)
- eCFR — 45 CFR §164.402 (HIPAA Breach Definition)
- U.S. House — 18 U.S.C. § 1030 (Computer Fraud and Abuse Act)
- CNSS Instruction 4009 — National Information Assurance Glossary