The browser you are using is not supported by this website. All versions of Internet Explorer are no longer supported, either by us or Microsoft (read more here:

Please use a modern browser to fully experience our website, such as the newest versions of Edge, Chrome, Firefox or Safari etc.

Information Security

Further down this page you will find a glossary of words and terms.

Go directly to the Information Security Glossary

Why is Information Security needed? 

In order to carry out your work and duties as an employee, researcher or student, you both produce and have access to large amounts of information and data necessary for your particular role. It needs to be correct and accessible whenever you need it. If the University’s information security is lacking, you may experience problems or delays in your daily work. However, the consequences may be even greater than that. 

  • We may experience major delays in research and teaching
  • We risk producing incorrect research results
  • We risk fines due to contravention of the General Data Protection Regulation (GDPR), for example
  • We risk violating individuals’ privacy
  • Research may miss out on funding and external collaborations
  • We risk damaging trust in the University   

Systematic and risk-based information security efforts are therefore needed, both at management level and as a natural part of our daily routines.

Courses in Information Security

Here you will find courses for you who are employed at or affiliated with Lund University. They are designed to support secure handling of data and information in your daily work.

Some of the security measures requested in the courses are not yet in place at Lund University.

LUISA at Kompetensportalen at Staff pages

Do you want to learn more?

Cyber security related topics at National Cyber Secure Center's website (UK)


Employees and students

  •  You are responsible for handling information and data in a secure manner.
  • You store your documents securely.
  • You lock your computer and store it in a secure way.
  • You do not talk loudly about sensitive information on the train.
  • Information protection includes digital, written and spoken information. 


The University Board and vice-chancellor bear ultimate responsibility for information security. The vice-chancellor takes decisions on the University’s governance documents and management system for information security. These describe how the efforts are to be conducted and how risks are to be managed at the University. Roles and responsibilities must be clear, for example who can take decisions on risks, who owns different types of information and who is to implement and manage technical IT security measures and security on our premises. Management must regularly follow up on the information security efforts during the “management's review”.

CISO - Chief Information Security Officer

An independent role tasked with developing and managing information security efforts, e.g. setting requirements, coordinating, supporting, training and monitoring compliance. The CISO is to assist the management via regular reports, recommendations and guidance documents for decisions. 
The CISO-functions task involves regular collaboration with information owners, system administrators, lawyers, the data protection officer, IT services, the security division, building services, archive services, project offices and external authorities. 

Which laws apply?

The way information security work is to be conducted at the University, along with other requirements, is decided by the Swedish Civil Contingencies Agency. 

MSBFS 2020:6 Föreskrifter om informationssäkerhet för statliga myndigheter (Regulations on information security for public authorities) (External link. In Swedish. Opens in new tab)

MSBFS 2020:7 Föreskrifter om säkerhetsåtgärder i informationssystem för statliga myndigheter (Regulations on security measures in information systems for public authorities) (External link. In Swedish. Opens in new tab)

Read more on the Staff Pages about the Civil Contingencies Agency’s updated and new regulations published in October 2020. 
In addition, there are more than 20 laws that directly or indirectly require systematic and risk-based information security efforts to be made. 

Information Security Glossary

Terms and definitions on this page apply in the context of the University's information security work, governing documents (management systems) and other documentation and communication.

A / B / C / D / E



The hierarchy of rights in a computer system associated with tasks, positions and roles. Authorisation is linked to identity, so access control occurs after the user's identity has been verified (authenticated).

Access rights

The authorisation that a user must have to search, read, create, write, delete and execute in a program, system or network.


The property of protecting the accuracy and completeness of assets.

Action/security control

Action, procedure or technical arrangement that addresses an identified threat by reducing vulnerability. Examples of types of security measures:

  • Organisational: allocating responsibilities, roles and mandates in the organisation so that information is protected against improper handling (who does what to avoid things falling through the cracks)
  • Administrative: creating governing documents, procedures or similar and conducting training to support secure information management
  • Physical: having locks, alarms, doors, windows and the like to protect information and information systems from unauthorised physical access
  • Technical: the use of various IT solutions to protect information, such as anti-virus, authorisation systems, security logging and backup.

Administrator (IT system)

A user who has higher or different rights than an ordinary user, e.g., system administrator, security administrator.

Analysis object

An information asset to be analysed.

Asset value

An organisation's various values (assets) against which risks can be directed. This could be information, materials, reputation, buildings, orders, key people, dependencies, instruments, etc.


Confidence that the safety functions of a system or product fulfil specified safety requirements.


The property of being accessible and usable upon request by an authorised entity such as a user.


A check on the identity of a user or system to ensure that they are really who they claim to be.

Authentication equipment

Equipment used to authenticate a user in addition to a username and password, such as smart cards, USB dongles, disposable code boxes or similar. When multiple forms of information are required to verify the user's identity, it is called multifactor authentication.




Determining the access rights of a user to various system resources.


Background check

An investigation where the purpose is to:

  • validate information (experience, credentials, etc.) provided by the person to be investigated.
  • depending on the position, examine whether there are any identifiable risk factors that should be followed up before employment. The investigation is done by collecting information from open sources.


A copy of an information set created to be used in the event of loss of all or part of the original information set. See also Mirroring.

Backup power

See Uninterruptible power supply.

Basic protection

A basic level of different security measures that the organisation has decided to implement. Basic protection can, for example, consist of requirements for training before certain information can be managed, background checks before employment or that an IT system must have certain technical security measures in place unless the information classification and risk assessment conclude that a lower level is sufficient.


A logical network of computers infected with malware that allows outsiders to control them remotely to sabotage or exploit them for their own benefit.

Business analysis

The business analysis is part of the risk process, where the purpose is to identify significant information assets and map the needs, expectations and conditions of internal stakeholders. Consideration should then be given to the design and classification of information assets.


Capacity management

The purpose of capacity management is to ensure that information management resources are sufficient to meet the organisation's requirements in a cost-effective manner.

Change management

A systematic way of managing changes to IT systems, services, applications or programs throughout their lifecycle from start to finish with the aim of minimising risk for the organisation.

Classified information

A prohibition on disclosing information, whether orally, by disclosure of a public document or by any other means. Confidential information for which confidentiality applies in an individual case, according to OSL, the Public Access to Information and Secrecy Act.

Cloud service

Service provided over the internet from a network of servers. No special operating system or software is required other than a web browser. The service is not designed for a specific customer. The number of users can be easily increased or decreased, and the customer's information is stored on the service provider's server.

Communication security

The implementation and maintenance of security measures that protect against unauthorised access to information transmitted over networks.

Computer centre

Also known as a server room. A room intended and designed for IT operations, where a large amount of IT equipment in the form of servers and systems etc. is stored.


The property that information is not made available or disclosed to unauthorised individuals, entities or processes. Note: Confidentiality does not automatically imply secrecy, although there may be a link. Therefore, the concepts of confidentiality and secrecy should be kept separate. Secrecy is only a term for the part of the information that falls under the OSL (Public Access to Information and Secrecy Act).

Confidential information

Information that could result in significant damage to either reputation/brand, research, teaching and/or administration if it falls into the wrong hands should be classified as confidential.

Confidential information requires exclusive access within the organisation and strong protection against unauthorised and accidental access and against sophisticated attacks to access the information.


Result of an event with a negative impact.

Consequence level

Refers to the level that applies from the three different perspectives – confidentiality, accuracy and availability. We normally use a four-level model, with 0 being the lowest and 3 the highest. 3 is only used in exceptional circumstances. 0 represents little or no major negative consequence on the organisation or its environment.

Continuity management

The ability and readiness to manage business interruptions, to reduce damage due to interruptions and to ensure the continuity of critical business processes at an accepted minimum level.

Crisis organisation

An appointed group close to management within the organisation that is activated in connection with a crisis, where the group has a clear division of roles, explicit responsibility and mandate. The crisis organisation must have the knowledge, resources and authority to solve the problems that cause the crisis.

Crisis plan

Describes how an organisation will manage a crisis based on different possible situations that could affect the organisation.


A device or program containing an encryption algorithm used for encryption and decryption of messages and functionality to authenticate the sender of a message and functionality to generate and manage encryption keys.


Text that has been encrypted. The opposite is plaintext.


A subset of information security where cybersecurity deals only with digital information. The concept of cybersecurity is more strategic and focuses more on national and international networks and threats from external antagonists. It should be noted that when we talk about digital information, it is a mix of information and carrier – while when we classify information, it is not the medium that is classified but only the information content.


The part of the information environment that consists of the interconnected and interdependent IT infrastructures that enable the communication of data and information. It includes the internet, intranets, telecommunication systems, IT systems and embedded processors and controllers.

Cyberspace is seen as the common technical infrastructure but not as information per se.


Data processor

Anyone who processes personal data on behalf of a data controller. A data processor with staff may only process personal data as instructed by the controller.

The Data Protection Act

The Swedish national supplement to the EU Data Protection Regulation.

Data protection officer

The role and function that checks that Lund University complies with the Data Protection Regulation.

Data subject

The person whose personal data you collect and/or process.


Conversion of a cryptotext, an unreadable text, into a readable plaintext using a cryptosystem and an encryption key.

DoS attack, DDoS attack

A Denial of Service (DoS) attack is a type of sabotage where someone overloads a server or router by sending massive amounts of erroneous data packets so that it eventually crashes.

A Distributed Denial of Service (DDoS) attack is where calls are made from many different computers, often remotely controlled by worms, viruses or Trojans that have infected these computers without the owners' knowledge.



Electronic identification document used for secure identification on the internet, e.g. e-ID, electronic ID, e-leg, eID, BankID.

Electronic signing, digital signature

A signature is the result of a mathematical calculation that validates the authenticity and integrity of a message or program and is attached to the message or program.


Transformation of plaintext into an unreadable cryptotext using a cryptosystem and an encryption key.

Encryption algorithm

A mathematical procedure used to encrypt and decrypt messages. It is based on treating letters in a message as numerical characters and replacing and rearranging them according to a mathematical pattern.

Environmental analysis

The environmental analysis is part of the risk process where the purpose is to identify everything that is outside the direct control of the organisation but that affects or is affected by the organisation's information security. The results are used to design information security so that the organisation complies with legal requirements by linking certain security measures to a certain type of information and using it in connection with information classification.

Equipment room

Also called wiring closet or telecommunications closet. A room where communication equipment such as switches, routers, firewalls, fibre connections and networks are connected. 

EU Data Protection Regulation

The Swedish translation of the General Data Protection Regulation (GDPR).

Exit interview

A conversation between the line manager and an employee who is leaving the organisation. During the interview, the employee is reminded about confidentiality and access cards and any equipment (e.g. computers, tablets, mobile phones, printers, instruments) that the employee has borrowed during their employment as well as printouts and notes with sensitive information to be returned.

F / G / H / I / J



Fax (short for telefax) is a machine that reads a piece of paper inserted into the machine and, using electrical signals via the telecommunications network, transmits the information to another fax machine that receives and prints the information on paper. The information read by the sender, sent, and printed by the receiver can be handwritten or typed text, a photo, or a hand-drawn image. It is also possible to send a fax from a computer either via a fax modem connected between the computer and the telecommunications network or via an email sent to a fax service connected to the telecommunications network. Fax is very rarely used. Today, it has been replaced by email in most places.

Federated identity

A user identity that can be used in different organisations because there is an agreement on how to manage identities across organisations. A user who has authenticated with one organisation can automatically be authenticated with another organisation that is part of the federation. The result can be a single sign-on that transcends organisational boundaries.


A network component that restricts and monitors traffic between networks according to a given configuration.

Forensic analysis

Forensic analysis is performed in connection with an incident where any deleted information is recreated, and evidence is collected and analysed.


Gap analysis

Identification of the difference between existing, implemented security measures and the identified need for security measures i.e. the level of protection. 

The General Data Protection Regulation

All organisations that manage personal data must comply with the General Data Protection Regulation (GDPR). This means, among other things, that the organisation needs to comply with the basic principles, ensure that the processing has a legal basis and inform the data subjects about how their personal data is processed.



A lie, false warning or solicitation that appears to be true.



Linking a person with a given identifier (name, social security number or similar) to a pre-registered identity. In most cases, some form of identity verification (authentication) is required.


Unique designation of a particular entity (person, process, physical entity or similar) in a particular system.

Identity theft

When someone uses another person's identity or login details (username and password) in a way that causes damage or inconvenience to the victim.


Knowledge about objects, such as facts, events, things, processes or ideas, including concepts, which have a specific meaning in a given context.

Information assets

All protectable information that the organisation handles, including the resources that process the information by receiving, storing, processing, displaying or communicating it.

Information classification

Assessing your information through impact assessment in terms of confidentiality, accuracy and availability (and traceability). This classification must be conducted by, or approved by, approved information risk owners.

Information management resource

Handles, stores or communicates information. For example: employees, premises and buildings, computers, telephones, IT systems and infrastructure, technical facilities and equipment, and  instruments. Other types of information management resources can be processes, activities or procedures, such as procurement and contracts, recruitment and projects. See also IT resources.

Information model

A graphical description of the information objects a particular organisation needs and how they relate to each other.

Information risk owner

Responsible for information assets and decides on information management within the framework of existing legislation and internal regulations. Information risk owners are responsible for ensuring that their own information has the correct classification and is adequately protected through risk assessment and by setting requirements for the management of the information. The owner is also authorised to make decisions on risk acceptance.

Information security

Preserving the confidentiality, accuracy and availability (and traceability) of information. Information security is a combination of administrative and technical security, where physical security and IT security are part of technical security.

Information security incident

A single incident or a series of unwanted or unexpected information security events that have a high probability of compromising information security or have adversely affected information security.

Information security requirements

The "what" requirements that the respective owners and managers of information carriers must consider fulfilling the requirements for an individual object. The status of requirement fulfilment/compliance forms the basis for an action plan on what should be addressed.

Information set

A grouping of information containing several types of information, e.g. in the form of a document or a database. 

Information systems

Applications, services or other components that manage digital information. The term also includes networks and infrastructure. Ref. MSB's definition in MSBFS2020:7.

Information type

A specific type of information, e.g. personal data, research data, drawings, source code, etc.


Inviolability with the ability to maintain its value by protection against unwanted change, interference or access. Can refer to both a technical system (system integrity) and a person (personal integrity).

Internal information

Information that could result in moderate damage to either reputation, brand, research, teaching and/or management if it falls into the wrong hands should be classified as internal information.

Internal information can normally be disseminated internally within the University provided that the recipient is active within the University and has signed a confidentiality agreement. If internal information is shared with an external party, there must be a clear purpose for this, and a confidentiality agreement must be signed.

Internal information requires protection against unauthorised and accidental access and against sophisticated attacks to access the information.


The ability and capability of systems, organisations or business processes to work together and communicate with each other by following agreed rules.


Obtaining unauthorised access to information in computers or unauthorised modification, deletion or addition of information.

Intrusion detection systems

A system that detects attempted intrusions into a network.

IT attack

Also known as a cyberattack, an attack via the internet where criminals use vulnerabilities or information to gain unauthorised access to servers and/or computers to obtain, delete or encrypt information. In the latter case, hostage programs are used.

IT infrastructure

IT infrastructure consists of hardware (servers, mobile devices, desktops) and software either on premises or in the cloud, as well as networks needed to run IT systems.

IT resource

Refers to any hardware, software, interconnected systems or subsystems of equipment used to process, manage, access or store electronic information.

IT security

IT-related technical security measures aimed at maintaining information security, i.e. with the ability to prevent unauthorised access and unauthorised or accidental alteration or disruption of communication, storage and processing of data. 

IT system/information system

A system for collecting, storing, processing and disseminating information for a specific purpose. Inherits classification from the information content. The system perspective helps to find ownership. However, the focus is on the information managed in the system. Set of applications, services, information technology assets and other information management components.

IT system management

The activities undertaken to manage a system in operation so that it effectively contributes to the fulfilment of business objectives. A system management model is a framework that describes how management work can be conducted and organised. The model provides a normative view of the activities performed to control, administer, change and support the use of a management object.

Information security management system (ISMS)

System (not IT system) to establish an organisational process for the governance and management of information security. It includes basic principles for managing the work, how to set objectives and strategies to achieve these objectives, organisation, resources, and technical and administrative security measures. The ISMS is a support for how information security work is controlled by the management of organisations.

A central part of a management system is the management's explicit support. The top level is the policy adopted by the board for the information security work. In steering documents, guidelines and the like, senior management can then provide guidance to managers and other employees.

Ref: Standard SS-ISO/IEC 27001:2017, which sets out the requirements that an organisation needs to meet in terms of information security management systems.

IT system manager/IT system owner

IT specialist responsible for the day-to-day functionality and security level of the system.

K / L / M / N / O


Key logger

A program or hardware that covertly records all keystrokes on a computer. Used to collect user details and passwords and which web pages have been visited. It can be a program or a small connector that connects the computer to the keyboard.


Level of protection

A set of security measures that provides sufficient protection for information classified to a certain consequence level. The level of protection helps the organisation to know which security measures should be used and are already approved, instead of having to propose new appropriate security measures.


List of events, and various attributes associated with them, recorded in the order in which they occur.

Logical interface

Part of a service description that describes interfaces to be implemented by producer and consumer in terms of calls, messages and sequences. See also Technical interface.

Loss of availability

Transition to a state of a system where it is unable to deliver the desired services to the required extent or within the desired time.


The University's central directory of persons and addresses; the system also controls authorisations to various IT services and systems (e.g. email, the Eduroam wireless network, access to buildings, etc.) to which people working at the University need access.


Malicious programs (malware)

Malicious programs refer to all types of unwanted computer programs such as viruses, Trojans, worms, rootkits, ransomware and spyware. These programs use vulnerabilities in services, other programs and systems to be installed on computers, tablets or mobile phones and later spread to other devices on a network. The goal of these programs could be to cause damage or disruption to someone else's computer or IT system, map the user's behaviour, collect information, use the computer's computational and network capacity to generate cryptocurrency, or encrypt important information on the computer and then extort money from the victim or attack other targets (computers or IT systems).


An umbrella term for unwanted computer programs, especially viruses, worms, Trojans, rootkits, key loggers and hybrids. See Malicious programs.

Management object (see also Analysis object)

One or more IT systems that are jointly managed, covering both application and IT technology. In the case of IT infrastructure management, the management object usually consists only of IT technology. Management object, IT system and system have the same meaning in this context.

Another management object can be a property or a process.

Management organisation

A group of people who manage a specific management object in an organised manner.

Management plan

Annual governing document for the management of a specific management object.


Describes the content and/or structure of a particular data collection from some perspective.


Mirroring involves continuously creating an identical copy of a hard drive, server or system and the data contained therein, thus ensuring that the copy is up to date. Mirroring is primarily a solution for availability as you always have an identical copy of a system, while a backup is a solution for accuracy.

The term mirroring can also be used for hardware where all components are duplicated to increase reliability.

Mobile device

Mobile devices refer to portable equipment such as laptops, tablets, mobile phones, USB sticks, voice recorders/pocket drives, external hard drives and CD/DVD/Blu-ray discs.

Mode of operation

An arrangement of how a task is performed in the organisation, why and by whom. The approach should be deliberately chosen by the organisation and described in governing documents and should be applied in all relevant situations. The application and results of the approach should be regularly monitored and evaluated. Finally, the approach should result in the specific task being performed in the same way throughout the organisation, i.e. there is an organisation-wide model for the task.

Multifactor authentication

The authentication of a user requiring two or more forms of information to prove the user's identity in addition to the username and password, such as smart cards, BankID, USB dongles, disposable code boxes or similar.


Network segmentation

The division of networks into smaller sub-networks where each part is a separate network segment with as little contact with other segments as possible.

Non-disclosure agreement

A non-disclosure agreement (also known as a confidentiality agreement) is a legal contract in which two or more parties agree not to disclose information about the subject matter of the agreement. Its purpose is to protect sensitive information, the disclosure of which would have a negative impact on part or all of the organisations. 


Preventing the sender of an electronic message from denying that they are the sender and the recipient from denying that they have received the same message.


Operations security

Involves ensuring that information management resources operate correctly and securely according to the requirements set by the organisation.

Outsourced development

An organisation enters into an agreement with a supplier where the supplier manages the development of, for example, systems, services, programs or applications for the organisation.


An organisation enters into an agreement with a supplier where the supplier carries out parts of the activities for the organisation.


The outsourcing of any part of an internal activity, process or IT-related service that was previously performed internally, to an external provider.


Open Worldwide Application Security Project, a global non-profit organisation working to improve software security, primarily in web applications. 

P / Q /R / S / T



A combination of characters entered together with a username to verify a user's identity.

Personal data

Any information that can be directly or indirectly linked to a living natural person (3 categories):

  1. Ordinary personal data. Examples of ordinary personal data are name, address, telephone number, email address. This is  personal data not included in categories 2 or 3.
  2. Sensitive personal data. What constitutes sensitive personal data is regulated by law. It includes data on ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, a person's sex life or sexual orientation, genetic data and biometric data used to uniquely identify a person.
  3. Additional personal data requiring additional protection. Examples of personal data requiring additional protection are personal identification numbers and evaluative data about a person, such as data from performance reviews or data on the results of personality tests. This is personal data that has been deemed more worthy of protection than ordinary personal data but is not included in category 2.

Personal data breach

A security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Personal data controller

The organisation responsible for the processing of personal data. With few exceptions, Lund University is always the data controller.


An attack that uses email to lure the recipient to visit a seemingly genuine website (e.g. of a bank or credit card company) and asks for login information or other sensitive data.

Physical security

Implementation and maintenance of security measures that together detect, deter, protect, and manage unauthorised physical access to information assets.

PIN code

Short for Personal Identification Number, which is a numerical password.


Overall intent and direction formally expressed by management.

Privacy filter

A privacy filter is a thin layer of plastic that is placed in front of external screens or screens for laptops, tablets and mobile phones. Using so-called microlouver technology, the layer of plastic blocks views from the sides. The screen appears darkened from certain angles, while the user sitting directly in front of the screen has a clear view.

Privileged access

Extended access rights given to a specific role or group of users within an organisation that ordinary users do not have. The access rights are used in the management of information processing resources (e.g. premises or IT systems).

Privileged users

Users who have privileged access.


One or more logically interrelated steps that contribute to the delivery of a result.

Processing (of information)

Any operation or set of operations performed on information, whether by automatic means, such as collection, registration, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Please note that data protection law applies to any wholly or partly automated processing of personal data and to manual processing of personal data included or intended to be included in a filing system.

Procurement requirements

Procurement requirements related to information security based on the "what" requirements established based on information classification and requirements analysis.


Effect of actions, procedures and technical arrangements aimed at reducing vulnerability. Opposite of vulnerability.

Protective security
(Ref: Protective Security Act)

Protective security means:

  • protection against espionage, sabotage and other offences that may threaten national security,
  • protection in other cases of information covered by secrecy under the Public Access to Information and Secrecy Act and relating to national security, and
  • protection against terrorist offences under section 2 of the Criminal Responsibility for Terrorist Offences Act even if the offences do not threaten national security.

Public information

Information that does not result in any damage to reputation, brand, research, teaching and/or administration if it falls into the wrong hands shall be classified as public. Public information has no access restriction requirements and can be freely disseminated. However, sometimes both review and decision are required for open information to be published, for example on external websites such as and



Also, extortion program, extortion virus, hostage program, hostage virus or crypto virus. Malicious code that encrypts all or part of the contents of the system. This can be the encryption of certain types of files (crypto ransomware) or the encryption of all files and the inability to boot the computer (locker ransomware). The attacker demands a ransom to release the password that unlocks the encryption.

Records check

Part of a broader security clearance that is conducted before an individual engages in security-sensitive activities. The register check includes, for example, information from the criminal record register, the trade ban register, etc.


Recovery plan

It is developed to ensure how to restore mission-critical systems and other resources to normal after an interruption or major disruption.

Regulatory authority

A public authority that ensures that organisations use their resources and money properly, that laws and regulations are followed, and that laws and regulations are influenced so that organisations can improve. A regulatory authority provides advice within a specific area of responsibility and receives and investigates reports of misconduct within organisations.


Recovering and restoring critical functions, such as IT systems, to an acceptable level within a specified time after a serious disruption or interruption.


A systematic weighing of the expected probability and consequence of an undesirable event occurring because of a particular threat, linked to a defined activity, a specific asset worthy of protection and a specific scale of consequences.

The organisation identifies the existing risks (sometimes the term gross risk is used) and assesses the impact of the risk occurring (probability x consequence). Next, existing controls/measures are identified and evaluated to assess the residual risk (sometimes referred to as net risk). An action plan is established to mitigate the net risks that are deemed too high, despite implemented controls/measures. Once the gross and net risks have been identified, the organisation needs to decide what current levels of risk can be accepted or whether mitigating controls need to be strengthened (this step is included and fully described in the information security risk management methodology).

Risk acceptance

One of several ways to manage a risk. In this case, it means that nothing is done about the risk, e.g. because the impact is minimal, the measures are too costly, or the risk cannot be addressed because it is exclusively due to external events. This is also known as retaining the risk. The information risk owner has the mandate to make decisions.

Risk analysis

Process that identifies threats to the organisation and estimates the magnitude of related risks.

Risk appetite

Level of risk that an organisation considers acceptable before implementing countermeasures to, for example, limit, transfer or eliminate the risk.

Risk assessment

Overall process of risk identification, risk analysis and risk evaluation.

Risk elimination

One of several ways to manage a risk. In this case, it means completely removing the risk, i.e. eliminating it.

Risk evaluation

Process of comparing the results of the risk analysis with the risk criteria to determine whether the risk and/or its magnitude is acceptable.

Risk identification

Process of detecting, mapping/recognising and describing risks.

Risk management

Coordinated activities to assess (identify, analyse and evaluate) and handle risks. When handling risks, preventive measures are created to reduce the risk.

Two main approaches are used:

  1. Risk reduction by creating a preventive measure. Here, the cost can be calculated, the type specified, who is responsible for the measure, the link to other risks that this measure reduces, and the timeframe.
  2. Risk reduction by linking to a safety measure. The measure is selected from a set of security measures decided for the organisation. 
    Once the risk has been managed, it is possible to conduct a new risk assessment after the planned measures have been implemented. This is sometimes called net risk and the original assessment is called gross risk.

Risk matrix

The risk matrix is a visual aid to assist in risk management.

For each threat, the consequence of the threat occurring is assessed using a defined consequence scale (y-axis) and the probability of the threat occurring is similarly assessed using the probability scale (x-axis). Once the impact and probability are determined, the threat can be plotted in the risk matrix. 

Risk mitigation

One of several ways to manage a risk. Mitigation is achieved by, for example, implementing damage prevention or mitigation measures.

Risk owner

Person responsible for a risk and authorised to manage it.

Risk sharing/risk transfer

One of several ways to manage a risk. Means that the risk is transferred to one or more other stakeholders who are more able or willing to take on the risk, or alternatively insurance can be taken out (the insurance then takes care of the consequence).

NOTE. The responsibility for a risk can never be transferred to someone else.

Role-based access

A user's access to a network or system is governed by their role within the organisation.


See Malicious programs.



A rootkit allows attackers to take over a computer or network by installing the program in a way that is undetectable to the owner of the computer and then collecting usernames and passwords. The collected data is then sent to the attacker via the computer's internet connection. Once the program has found the login details of a system administrator, the attacker can take over the network.


Equipment that connects different networks by reading network traffic and assessing which traffic goes to which network. To know where to send incoming network traffic, the router uses a routing table that lists the locations of different computers and networks.


Recovery point objective, the longest time that the organisation can accept loss of information in the event of an incident or simply the longest time between two backups.


Recovery time objective, the maximum time allowed for recovery after a disruption.

Rule-based access

A user's access to resources and information on a network or system is governed by predetermined rules, e.g. a system administrator is only allowed to view information required to resolve an error in a system.



A property or condition that provides protection against harm to life and limb (personal safety).


Microsoft Security Development Lifecycle (SDL) is a framework that supports the development of secure software and is used internally at Microsoft.

Secure areas

Within information security refers to wiring closets, computer/server halls, office spaces and archives or similar used for communication equipment (fibre connections, switches, routers, firewalls, etc.), computers/servers or where sensitive information is managed by humans.

Secure development environment

This environment includes all elements involved in system development and integration such as people, technology and processes. 


A property or condition that provides protection against the risk of unwanted access, loss or interference. Usually associated with deliberate attempts to exploit potential weaknesses/vulnerabilities.

Security logging

Registration of events on servers, in networks, applications or services that are important for security, for example in connection with the investigation of incidents.

Security clearance

A check of a person before they are given access to activities or information that has or may have an impact on national security. The purpose is to identify whether the person can be assumed to be loyal to the object to be protected and is otherwise reliable from a security point of view. The security assessment is administered by the Head of Security (LU Estates).

Security control

An identified set of measures to address an organisation's risks. A security measure can be organisational (roles, responsibilities, mandates), administrative (governing documents such as policies, guidelines, instructions), physical (locks, alarms, doors, windows) or technical (antivirus, logs, backups).


A packaged service or solution offered to fulfil a need.

Service message

The information conveyed between participants in a service interaction.

Service catalogue

A logical place to search, find, access, publish, manage and store descriptions of services.

Shared mailbox

An account that is linked to:

  • a function, e.g. ansvarig [at] organisationen [dot] se (ansvarig[at]organisationen[dot]se), where the email address remains intact even if the person holding the service changes.
  • an activity where several users share the account, for example in IT or HR support or similar where accessibility is more important than dependence on a particular person.


Shell protection

Shell protection or perimeter protection is a complete external protection of a building or premises that prevents unauthorised entry. It consists of walls, roofs, doors, windows and locks, but can also include alarms with various sensors and camera surveillance.

Single sign-on

A method of managing users with respect to authentication and authorisation, so that these users only need to log in once to several password-protected applications or web pages during a working day to access the systems dedicated to the service.


Device or program that collects data sent over a network.

Social engineering

Manipulation by using various social tricks to gain trust and later access to sensitive or secret information.


Mass sending of unwanted, unsolicited emails or text messages (SMS), often with a commercial message and without the recipient's consent. Junk mail.



A spyware program that runs on a computer without the user's consent, collecting and forwarding information (user details, passwords, web pages visited, etc.) to another party.



NIST (National Institute of Standards and Technology) Secure Software Development Framework, a framework for developing secure software. The framework is independent of technology, platform, programming language, development tools, etc.

Statement of applicability (SoA)

A report containing the aggregated results of the environmental, business, risk and gap analysis, showing the current information security status, the measures to be applied, the rationale for applying them, their status, and whether they are working satisfactorily to ensure good information security.

Surge protection

Used between the equipment to be protected and the power grid. It protects against sudden surges, such as during a thunderstorm, which could otherwise cause computers, servers, or other sensitive equipment to fail. 


A switch is like a network power strip and is used to connect multiple network devices together and allow them to communicate with each other.

System administrator

A person responsible for both the administration and operation of one or more IT systems.

System manager

The system manager works on behalf of the system owner to manage the system. The system manager works based on the objectives and activities defined in approved plans and within the framework allocated for the period. The system manager shall conduct activities to collect requirements and needs from the organisation and report these to the system owner. The system manager leads the work in the management group and reference groups.


System owner

The person who is responsible for the organisation (dean, head of department, etc.) is normally appointed as the system owner to automatically establish a link between the benefits of the organisation and the requirements of the system. The system owner has overall responsibility for visions and frameworks and is responsible for ensuring that the system supports the organisation and its processes in an appropriate manner. The system owner must ensure resources are in place and make decisions within the system's budget. Furthermore, the system owner is responsible for initiating development projects. The system owner is responsible for ensuring that the information system fulfils the set information security requirements. These requirements are set through the designated information risk owner's classification of the information for which the system is used.


Technical installation

A technical installation is used for the production, distribution, conversion, or management of, for example, electricity, telecommunications, data traffic, heating, cooling, water and sewage.

Technical interface

Part of a service description that describes the technology choices for different implementations, such as protocols and standards.


Something that causes or contributes to causing an incident to occur.

Unintentional threat: exists despite absence of malicious intent.
Intentional threat: aims to harm the organisation.
Internal threat: caused by individuals within the organisation.
External threat: originates from outside the organisation.

Threat profile

Threats assessed to exist against a particular organisation and its assets and resources.


The ability to unambiguously attribute activities performed in the system to an identified user at a specific point in time.

Transfer to third countries (Ref. IMY, GDPR)

A transfer of personal data to a third country is when personal data becomes available to someone in a country outside the EU/EEA. This happens at the University, for example when:

  • we send documents containing personal data by email to someone in a country outside the EU/EEA
  • we engage a data processor in a country outside the EU/EEA
  • we give someone outside the EU/EEA access, such as read-only access, to personal data stored within the EU/EEA
  • we store personal data in a cloud service based outside the EU/EEA
  • we store personal data, for example on a server, in a country outside the EU/EEA.


A program that pretends to be useful or enjoyable but is malicious code.

Two-factor/multifactor authentication

Identity control through two (or more) of the factors – something you have, something you know and something you are (e.g., card, password, biometrics). Individually, the card, password or biometric information is useless for login purposes but two of them together provide authentication.

U / V / W / X / Y / Z


Unauthorised access

Access to a system, resource, or other object in violation of authorisation rules.

Uninterruptible power supply

Also called uninterruptible power source or backup power. Power supply that also works in the event of an interruption in the electricity grid. It can be a power supply via UPS (battery) or diesel generator.

User (IT, information)

A person who uses information or a service.


A username is what a user enters along with a password to identify themselves (log in) and to access an IT resource such as a computer network, system, computer program or website.

User rights

A user's rights to perform various actions on a computer or in a network. These rights include running, installing and deleting programs, downloading, reading, modifying and adding information, changing settings, and accessing, using and distributing information over the network and the internet.



Malicious code that spreads by placing a copy of itself without a user's involvement inside other programs, host programs, in such a way that the code runs when the host program is running.

VPN tunnel

VPN is an abbreviation for virtual private network. A VPN tunnel is an encrypted connection between a user and a VPN server. The VPN server in turn manages the communication between the VPN user and a local/internal network. VPN tunnels are used over open networks (internet) where you want to keep the communication and who communicates with each other secret. 



Weakness or absence of something that could prevent an incident from occurring, and undesired consequence of an incident. Vulnerability refers to an asset or group of assets that can be exploited by one or more threats.



A website where all users can freely add, change, or delete information via their web browser. The idea is that errors and vandalisation are corrected by serious users.



Program that replicates itself in a distributed system, filling all memory spaces in affected computers with copies of itself until both computers and networks become overloaded and stop working. A worm does not destroy anything.


Questions about information security.

Fredrik Bexell
Chief Information Security Officer
informationssakerhet [at] lu [dot] se