TOEIC Link Vocabulary — Cybersecurity and Information Security Cluster: The Eighty-Term Operating Set That Covers 90% of Incident-Response and Compliance Discourse

Cybersecurity vocabulary is one of the densest and fastest-growing verticals in TOEIC Link business-context items, driven by the rising frequency of breach-response, audit, and zero-trust discourse in real workplace English. This cluster guide groups the eighty operating terms a candidate must control for incident-response, compliance, and architecture contexts.

EnglishBlitz Editorial Team

Cybersecurity vocabulary is one of the densest verticals in the TOEIC Link business-context vocabulary distribution, and its frequency in test items has increased materially in the post-2024 item set as breach-response, zero-trust, and supply-chain attack discourse has become routine in real workplace English. A candidate who controls the eighty operating terms in this cluster can read a breach-disclosure email, an incident-response status update, an audit-findings report, or a zero-trust architecture brief at near-native speed; a candidate who does not control these terms will lose three to five points on band-22-plus reading-module responses simply from vocabulary friction.

This guide groups the eighty operating terms into five functional sub-clusters (threats, controls, incident lifecycle, compliance frameworks, and architecture concepts), gives the productive-recall definition for each term, and outlines a four-week drill routine that installs the cluster. The cluster also pairs naturally with the IT and engineering vocabulary cluster and the legal and compliance vocabulary cluster, and the candidate who masters all three together has near-complete coverage of the technical-business overlap that the test increasingly probes.

Sub-cluster 1 — Threats and threat actors (sixteen terms)

The threat sub-cluster covers the actors, the methods, and the categorical labels that appear in incident-response and threat-intelligence discourse.

  • Threat actor — an individual or group conducting malicious activity; preferred over hacker in formal contexts.
  • Adversary — a more formal synonym for threat actor, used in threat-modeling discourse.
  • Nation-state actor — a threat actor sponsored or operated by a national government.
  • Insider threat — a threat originating from a current or former employee, contractor, or partner with authorized access.
  • Phishing — credential-harvesting attack via deceptive email or message.
  • Spear phishing — phishing targeted at a specific individual or organization.
  • Whaling — spear phishing targeted at senior executives.
  • Smishing — phishing via SMS.
  • Vishing — phishing via voice call.
  • Ransomware — malware that encrypts data and demands payment for decryption.
  • Wiper malware — malware designed to destroy data rather than monetize it.
  • Supply-chain attack — an attack that compromises a vendor or upstream component to reach the target.
  • Zero-day — a vulnerability unknown to the vendor at the time of exploitation.
  • N-day — a vulnerability known and patched but exploited against unpatched systems.
  • Lateral movement — an adversary's progression across systems after initial access.
  • Dwell time — the duration between initial compromise and detection.

Sub-cluster 2 — Controls and defensive measures (sixteen terms)

The controls sub-cluster covers the defensive measures discussed in security-program and audit contexts.

  • Multi-factor authentication (MFA) — authentication requiring two or more independent factors.
  • Single sign-on (SSO) — an authentication scheme in which one login grants access to multiple applications.
  • Privileged access management (PAM) — controls governing access to administrative accounts.
  • Least privilege — the principle of granting the minimum permissions required for a role.
  • Role-based access control (RBAC) — access governed by assigned roles rather than individual permissions.
  • Attribute-based access control (ABAC) — access governed by attributes of the user, resource, and context.
  • Encryption at rest — encryption applied to stored data.
  • Encryption in transit — encryption applied to data moving across a network.
  • Key management — the lifecycle of cryptographic keys (generation, storage, rotation, retirement).
  • Network segmentation — division of a network into isolated zones to limit lateral movement.
  • Microsegmentation — fine-grained network segmentation, often per-workload.
  • Endpoint detection and response (EDR) — endpoint-resident detection and remediation capability.
  • Extended detection and response (XDR) — detection and response spanning endpoints, network, and cloud.
  • Security information and event management (SIEM) — centralized log collection and correlation for detection.
  • Security orchestration, automation, and response (SOAR) — workflow automation for detection-response operations.
  • Data loss prevention (DLP) — controls that detect and block unauthorized data exfiltration.

Sub-cluster 3 — Incident response lifecycle (sixteen terms)

The incident-response sub-cluster covers the phases and artifacts that appear in incident postmortems and status updates.

  • Indicator of compromise (IOC) — observable evidence that a system has been compromised.
  • Indicator of attack (IOA) — behavioral evidence of an ongoing or attempted attack.
  • Triage — initial assessment to determine incident severity and scope.
  • Containment — actions taken to prevent further spread or damage from an incident.
  • Eradication — removal of attacker presence and malicious artifacts from affected systems.
  • Recovery — restoration of normal operations after incident remediation.
  • Postmortem — written analysis of an incident's causes, timeline, and lessons.
  • Blast radius — the scope of systems or data affected by an incident.
  • Mean time to detect (MTTD) — the average duration from incident start to detection.
  • Mean time to respond (MTTR) — the average duration from detection to containment or recovery.
  • Tabletop exercise — a discussion-based simulation of incident response.
  • Red team — an authorized adversary simulation team testing defenses.
  • Blue team — the defensive team responsible for detection and response.
  • Purple team — collaborative engagement between red and blue teams.
  • Forensics — investigative analysis of compromised systems for evidence and attribution.
  • Chain of custody — documented control of evidence to preserve admissibility.

Sub-cluster 4 — Compliance frameworks and audit terminology (sixteen terms)

The compliance sub-cluster covers the framework names, audit artifacts, and certification vocabulary that appear in audit-related test items.

  • SOC 2 — a service-organization control report on five trust-service criteria.
  • ISO 27001 — an international standard for information-security management systems.
  • ISO 27701 — a privacy-management extension to ISO 27001.
  • NIST CSF — the U.S. National Institute of Standards and Technology Cybersecurity Framework.
  • PCI DSS — the Payment Card Industry Data Security Standard.
  • HIPAA — the U.S. Health Insurance Portability and Accountability Act.
  • GDPR — the EU General Data Protection Regulation.
  • CCPA — the California Consumer Privacy Act.
  • Attestation — a third-party assertion of control effectiveness.
  • Audit scope — the systems, processes, and time period covered by an audit.
  • Material weakness — a deficiency severe enough to threaten the reliability of controls.
  • Significant deficiency — a control gap less severe than a material weakness but still requiring remediation.
  • Compensating control — an alternative control that achieves the objective of a missing primary control.
  • Risk register — a documented inventory of identified risks and their treatment plans.
  • Gap assessment — a comparison of current state to a target framework or standard.
  • Remediation plan — a documented plan to address audit findings or identified gaps.

Sub-cluster 5 — Architecture and program concepts (sixteen terms)

The architecture sub-cluster covers the design and program concepts that appear in security-strategy and architecture-review contexts.

  • Zero trust — an architecture that assumes no implicit trust based on network location.
  • Defense in depth — layered controls providing redundancy if any single layer fails.
  • Attack surface — the sum of points at which an adversary can attempt entry.
  • Threat model — a structured representation of threats, assets, and mitigations.
  • Vulnerability management — the lifecycle of identifying, prioritizing, and remediating vulnerabilities.
  • Patch management — the operational process of applying vendor updates.
  • Security baseline — a documented minimum configuration for a system or class of systems.
  • Hardening — configuration changes that reduce a system's attack surface.
  • Bastion host — a hardened jump server used to access internal systems.
  • Honeypot — a deliberately vulnerable system deployed to detect or study adversary activity.
  • Air gap — physical isolation of a network from external connections.
  • Resilience — the ability to maintain or recover function under adverse conditions.
  • Continuity of operations — the program ensuring critical functions continue during disruption.
  • Tabletop — short form for tabletop exercise (cross-listed for high-frequency usage).
  • Tabletop scenario — the narrative used to drive a tabletop exercise.
  • Lessons learned — the documented outcomes of a postmortem or after-action review.

The four-week drill routine

Week 1 — Recognition drill

The candidate works through 200 short passages (each two to four sentences) containing one to three cluster terms each, and identifies each term by underlining it and writing a one-line gloss. The week's output is a recognition-accuracy log; target: above 95% across all five sub-clusters.

Week 2 — Productive-recall drill

The candidate works through 100 short prompts requiring the production of cluster terms in context. Each prompt asks the candidate to complete a sentence or fill in a gap with the appropriate cluster term. The week's output is a productive-recall log; target: above 85%.

Week 3 — Sub-cluster boundary drill

The candidate works through 60 passages containing mixed terms from two or three sub-clusters, and classifies each term into its correct sub-cluster. This drill is critical because the test frequently combines sub-cluster contexts (e.g., a SOC 2 audit finding referencing an IOC and a containment action), and the candidate who can navigate the boundaries reads at near-native speed.

Week 4 — Free-response production

The candidate writes 30 short responses (each 100 to 150 words) to security-context prompts, deploying at least five cluster terms per response. The week's output is a free-response log graded for term-appropriate usage. The week also serves as a stamina check: the candidate confirms that the cluster has reached productive-recall depth and is not slowing composition pace.

How the cluster pairs with adjacent vocabulary work

The candidate who completes this cluster should immediately pair it with the IT and engineering vocabulary cluster, because the boundary between IT-infrastructure vocabulary and cybersecurity vocabulary is thin and the test routinely combines them. The candidate who controls both clusters has roughly 160 high-frequency technical-business terms, which covers virtually all technical-context items at band 22 and above.

The cluster also pairs with the legal and compliance vocabulary cluster, because compliance-framework terminology (SOC 2, ISO, GDPR, etc.) sits at the intersection of both clusters and appears in both legal-context and security-context items. Pairing the two clusters reduces redundant drilling and produces faster mastery than treating them in isolation.

Finally, the cluster reinforces the broader vocabulary-essentials foundation: a candidate cannot reach productive recall on cybersecurity vocabulary without first having productive recall on the underlying business-action verbs (mitigate, implement, document, escalate, remediate) that the cluster builds on. The candidate who skips the essentials and jumps directly to specialty clusters finds that the specialty terms degrade rapidly, because the connective vocabulary that holds them together has not been installed.