| AARO | Adjusted Annualized Rate of Occurrence |
| AC | Attenuated Capability |
| AF | Attenuation Factor |
| ALE | Annualized Loss Expectancy |
| AM | Attenuated Motivation |
| ANSSI | Agence Nationale de la Securite des Systems d’Information (National Agency for Information System Security) |
| ARO | Annual Rate of Occurrence |
| AV | Asset Value |
| BIMCO | Baltic and International Maritime Council |
| BSI | Bundesamt fur Sicherheit in der Informationstechnik (The Federal Office for Information Security) |
| C | Capability (Threat Actor) |
| CASES | Cyberworld Awareness and Security Enhancement Services |
| CEO | Chief Executive Officer |
| CIPAC | Critical Infrastructure Protection Advisory Council |
| CISA | Cybersecurity & Infrastructure Security Agency |
| CISO | Chief Information Security Officer |
| CLUSIF | Club de la Sécurité de l’Information Français (French Information Security Club) |
| CMS | Centers for Medicare and Medicaid Services |
| CRO | Chief Research Officer |
| DHS | Department of Homeland Security |
| EBIOS | Expression des Besoins et Identification des Objectifs de Sécurité (Expression of Needs and Identification of Security Objectives) |
| EF | Exposure Factor |
| ENISA | European Union Agency for Cybersecurity |
| ERM | Enterprise Risk Management |
| ETSI | European Telecommunications Standards Institute |
| FAIR | Factor Analysis for Information Risk |
| FC | Fully Compliant |
| GCC | Government Coordinating Council |
| H | High |
| HHS | Department of Health and Human Services |
| HIPAA | Health Insurance Portability and Accountability Act |
| HPH | Health and Public Health |
| I | Impact |
| IEC | International Electrotechnical Commission |
| IP | Internet Protocol |
| ISO | International Standards Organization |
| JTF | Joint Task Force |
| L | Low or Likelihood |
| LR | Lost Revenue |
| M | Medium, Moderate, or Motivation (Threat Actor) |
| MC | Mostly Compliant |
| MEHARI | Method for Harmonized Analysis of RIsk |
| MONARC | Method for an Optimised aNAlysis of Risks by CASES |
| N/A | Not Applicable |
| NC | Non-Compliant |
| NIST | National Institute of Standards and Technology |
| o/a | On or about |
| OCR | Office of Civil Rights |
| PC | Partially Compliant |
| PSI-Het | Purposive Sample of a Heterogenous Instance |
| PSI-Typ | Purposive Sample of a Typical Instance |
| QQRRA | Quasi-quantitative residual risk analysis |
| R | Risk |
| Rev | Revision |
| RM | Risk Manager or Risk Management |
| RMF | Risk Management Framework |
| RO | Rate of Occurrence |
| SC | Somewhat Compliant |
| SCC | Sector Coordinating Council |
| SCRM | Supply Chain Risk Management |
| SDLC | System (or Software) Development Life Cycle |
| SLE | Single Loss Expectancy |
| STD | Standard |
| TBD | To Be Determined |
| TPRM | Third-Party Risk Management |
| TS | Technical Specification |
| TVRA | Threat, Vulnerability, Risk Analysis |
| VH | Very High |
| VL | Very Low |
| Vol | Volume |