Availability
One of the three CIA triad pillars: the guarantee that systems and resources are accessible when authorized users need them. Expressed as an uptime percentage over a given period β "five nines" (99.999%) allows approximately 5 minutes of downtime per year. Organizations invest in monitoring, redundant systems, and failover mechanisms specifically to maximize availability. The security nuance: availability must be paired with access control β systems must be available to authorized users only, not to everyone including attackers. A DDoS attack is an attack on availability; excessive open access is a failure of access control alongside availability.
Resilience
The system's ability to maintain availability during disruptions and recover quickly when availability is lost. Resilience is determined by multiple variables: the nature of the failure (hardware vs. software vs. security incident), the speed of hardware replacement or software patching, and the readiness of redundant systems. A resilient system fails gracefully (other components continue to operate), detects failures quickly, and restores full service as rapidly as possible. High resilience is achieved through redundancy, automated failover, tested recovery procedures, and low MTTR.
MTTR (Mean Time to Repair)
The average time from when a system failure is detected to when the system is fully restored to operational status. MTTR is the primary resilience metric β lower MTTR means faster recovery and less total downtime. MTTR is determined by: root cause identification time + hardware replacement or patch deployment time + testing and validation time. Organizations reduce MTTR through pre-positioned spare hardware, pre-built system images for rapid deployment, documented runbooks for common failure scenarios, and trained incident response teams. Distinguished from MTTF (Mean Time to Failure β how long before the next failure) and MTBF (Mean Time Between Failures β reliability metric).
Scalability
The ability of a system to increase or decrease its capacity to handle workloads as demand changes. A scalable system can serve 100 users during off-peak hours and 10,000 users during peak hours without redesign or manual intervention. Scalability is achieved through horizontal scaling (adding more instances of the same component) or vertical scaling (increasing the capacity of a single instance). Security requirement: security monitoring must scale with the infrastructure β new instances added during a scale-out event must be covered by SIEM logging, IDS, and endpoint monitoring from the moment they are provisioned.
Elasticity
The specific cloud-native capability for automatic, rapid scaling in direct response to real-time demand β expanding resources as load increases and contracting them as load decreases, sometimes multiple times per day, without manual intervention. Elasticity is the cloud's answer to variable workload demand: rather than provisioning maximum capacity at all times (wasteful and expensive), the system automatically adjusts to actual demand. Security implication: the automated provisioning process must include security tool configuration β auto-scaling that provisions new instances without deploying monitoring agents creates invisible attack surfaces.
Responsiveness
The time between a user submitting a request and receiving a complete response from the system. Critical for interactive applications β humans perceive delays above approximately 100β200 milliseconds. Responsiveness is a composite of every component in the request path: network latency, application processing time, database query time, and caching effectiveness. The overall response time is limited by the weakest (slowest) component β optimizing a fast component has no effect if a different component is the bottleneck. Security appliances (WAF, IDS/IPS) that inspect every request add processing latency; this must be balanced against their security value.
Ease of Deployment
The simplicity and reliability of the process for provisioning and configuring a complete application stack across all required components. A complex application may require a web server, application server, database, caching layer, load balancer, firewall, and monitoring agents β all configured correctly and integrated with each other. Ease of deployment is improved through orchestration and automation (IaC tools that provision all components in the correct order with the correct configuration). Security significance: manual deployment processes are error-prone β forgotten firewall rules, uninstalled monitoring agents, and unconfigured certificates are common deployment security gaps.
Orchestration
The automated process of provisioning, configuring, and coordinating all components of a complex application deployment through code rather than manual steps. Orchestration tools (Terraform, Ansible, AWS CloudFormation, Kubernetes) define the entire infrastructure stack as code that can be executed automatically and repeatably. A single orchestration command deploys the web server, database, firewall rules, monitoring agents, and security certificates in the correct order with the correct configuration β consistently, every time. Security benefit: orchestrated deployments eliminate the manual-step omissions (forgotten security configs) that create vulnerabilities in manually deployed environments.
Risk Transference
A risk management strategy that shifts the financial consequences of a risk to a third party rather than bearing them internally. In cybersecurity, the primary mechanism is cybersecurity insurance β a policy that pays out financial losses resulting from security incidents. Risk transference does not reduce the probability or operational impact of an incident; it only limits the financial exposure. It is one of the four risk responses: accept, avoid, mitigate, and transfer. Cybersecurity insurance is particularly relevant for ransomware risk, business interruption coverage, and legal costs from customer-facing data breaches.
Cybersecurity Insurance
An insurance policy that provides financial coverage for losses resulting from cybersecurity incidents. Coverage typically includes: business interruption losses (revenue lost during downtime), incident response and forensic costs, ransom payments (for qualifying ransomware attacks), legal defense and settlement costs from customer lawsuits, and breach notification costs. Insurers now routinely require minimum security controls before issuing a policy β MFA, EDR, tested backups, and patch management are common prerequisites. These requirements effectively enforce baseline security standards on insured organizations. Cybersecurity insurance is a risk transference tool, not a security control β it does not prevent incidents.
Patch Management
The organized process of identifying, testing, and deploying software updates (patches) to fix bugs, address security vulnerabilities, and improve stability. A standard patch management cycle: vendor releases patch β IT team evaluates severity β patch is tested in non-production environment β validated patch deployed to production. Microsoft releases patches on the second Tuesday of each month ("Patch Tuesday") β a widely used reference cycle. Patch management is one of the most important security processes: the majority of successful exploits target known vulnerabilities for which patches exist but have not been applied. Delayed patching directly increases the window of exploitability.
UPS (Uninterruptible Power Supply)
A battery-backed power conditioning device that provides immediate, continuous power when primary utility power is interrupted β bridging the gap between a power outage and generator startup (typically 10β30 seconds). UPS also protects against power quality issues (voltage sags, surges, spikes, and electrical noise) that can damage servers and networking equipment. UPS is the first layer of power redundancy; generators provide the second layer for extended outages. In a data center, UPS systems are typically sized to provide 5β15 minutes of runtime β enough to start generators and, if generators fail, perform a graceful shutdown of critical systems.