Metadata

(1) Information used to describe specific characteristics, constraints, acceptable uses, and parameters of another data item such as cryptographic key. (2) It is data referring to other data; data (e.g., data structures, indices, and pointers) that are used to instantiate an abstraction (e.g., process, task, segment, file, or pipe). (3) A special database, also referred to as a data dictionary, containing descriptions of the elements (e.g., relations, domains, entities, or relationships) of a database. (4) Information regarding files and folders themselves, such as file and folder names, creation dates and times, and sizes.

Metrics

Tools designed to facilitate decision making and improve performance and accountability through collection, analyses, and reporting of relevant performance-related data. A “metric” is designed to organize data into meaningful information to support decision making (for example, dashboards).

Metropolitan-area network (MAN)

A network concept aimed at consolidating business operations and computers spread out in a town or city. Wired MANs are mainly used by cable television networks. MANs and LANs are non-switched networks, meaning they do not use routers. The scope of a MAN falls between a LAN and a WAN.

Middleware

Software that sits between two or more types of software and translates information between them. For example, it can sit between an application system and an operating system, a network operating system, or a database management system.

Migration

A term generally referring to the moving of data from an online storage device to an off-line or low-priority storage device, as determined by the system or as requested by the system user.

Mimicking

An attempt to gain access to a computer system by posing as an authorized user. Synonymous with impersonating, masquerading, and spoofing.

Min-entropy

A measure of the difficulty that an attacker has to guess the most commonly chosen password used in a system. It is the worst-case measure of uncertainty for a random variable with the greatest lower bound. The attacker is assumed to know the most commonly used password(s).

Minimization

A risk-reducing principle that supports integrity by containing the exposure of data or limiting opportunities to violate integrity.

Minimizing target value

A risk-reducing practice that stresses the reduction of potential losses incurred due to a successful attack and/or the reduction of benefits that an attacker might receive in carrying out such an attack.

Minimum security controls

These controls include management, operational, and technical controls to protect the confidentiality, integrity, and availability objectives of an information system. The tailored baseline controls become the minimum set of security controls after adding supplementary controls based on gap analysis to achieve adequate risk mitigation. Three sets of baseline controls (i.e., low-impact, moderate-impact, and high-impact) provide a minimum security control assurance.

Minor application

An application, other than a major application, that requires attention to security due to the risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Minor applications are typically included as part of a general support system.

Mirroring

Several mirroring methods include data mirroring, disk mirroring, and server mirroring. They all provide backup mechanisms so if one disk fails, the data is available from the other disks.

Misappropriation

Stealing or making unauthorized use of a service.

Mistake-proofing

It is a concept to prevent, detect, and correct inadvertent human or machine errors occurring in products and services. It is also called poka-yoke (Japanese term) and idiot-proofing.

Mobile code

(1) A program (e.g., script, macro, or other portable instruction) that can be shipped unchanged to a heterogeneous collection of platforms and executed with identical semantics. (2) Software programs or parts of programs obtained from remote information systems, transmitted from a remote system or across a network, and executed on a local information system without the user’s explicit installation, instruction, or execution. Java, JavaScript, Active-X, and VBScript are examples of mobile code technologies that provide the mechanisms for the production and use of mobile code. Mobile code can be malicious or nonmalicious.

Mobile commerce (MC)

Mobile commerce (m-commerce) is conducted using mobile devices such as cell phones and personal digital assistants (PDAs) for wireless banking and shopping purposes. M-commerce uses wireless application protocol (WAP). It is any business activity conducted over a wireless telecommunications networks.

Mobile-site

A self-contained, transportable shell custom-fitted with the specific IT equipment and telecommunications necessary to provide full recovery capabilities upon notice of a significant disruption.

Mobile software agent

Programs that are goal-directed and capable of suspending their execution on one platform and moving to another platform where they resume execution.

Mobile subscriber (WMAN/WiMAX)

A mobile subscriber (MS) is a station capable of moving at greater speeds and supports enhanced power of operations (i.e., self-powered) for laptop computers, notebook computers, and cellular phones.

Mode of operation

(1) A set of rules for operating on data with a cryptographic algorithm and a key; often includes feeding all or part of the output of the algorithm back into the input of the algorithm, either with or without additional data being processed (e.g., cipher feedback, output feedback, and cipher block chaining). (2) An algorithm for the cryptographic transformation of data that features a symmetric key block cipher algorithm.

Modem

Acronym for modulation and demodulation. During data transmission, the modem converts the computer representation of data into an audio signal for transmission of telephone, teletype, or intercom lines. When receiving data, the modem converts the audio signal to the computer data representation.

Moderate-impact system

An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a potential impact value of moderate and no security objective is assigned a potential impact value of high.

Modular design

Information system project design that breaks the development of a project into various pieces (modules), each solving a specific part of the overall problem. These modules should be as narrow in scope and brief in duration as practicable. Such design minimizes the risk to an organization by delivering a net benefit separate from the development of other pieces.

Modular software

Software that is self-contained logical sections, or modules, which carry out well-defined processing actions.

Modularity

Software attributes that provide a structure of highly independent modules.

Monitoring

Recording of relevant information about each operation by a subject on an object maintained in an audit trail for subsequent analysis.

Moore’s law

States that that the number of transistors per square inch on an integrated circuit (IC) chip used in computers doubles every 18 months, the performance (microprocessor processing speed) of a computer doubles every 18 months, the cost of a CPU power is halved every 18 months, or the size of computer programs is increased in less than 18 months, where the latter is not a Moore’s law.