Perimeter to Population: A New Vocabulary for Insider Threat

James Weston
1. Introduction

In 1969, the United States Department of Defense launched ARPANET, one of the earliest packet-switched networks, linking research institutions and government agencies to share scarce computing resources. ARPANET became the proving ground for many of the technical principles that underpin today’s Internet.

The intellectual foundations of this network trace back to Paul Baran’s work at RAND in 1962, where he proposed distributed, packet-based communications as a means of ensuring nuclear command-and-control could survive a Soviet attack. While ARPANET itself was not designed for nuclear operations, its architecture reflected Baran’s principles of resilience, redundancy, and survivability under attack – concepts rooted in Cold War military strategy.

Because these early networks were funded by the Department of Defense, developed within defense agencies, and operated by research institutions carrying out government work, they naturally evolved within a military and national security frame of reference. Terms like attack, defense, command and control, and threat (drawn directly from martial vocabulary) were destined, from the outset, to be embedded in the way computer security was described.

As soon as sensitive computers were connected, security concerns followed. In a Cold War context, the risk was readily understood: an adversary might seek to penetrate these networks to disrupt operations, steal information, or compromise critical research with real-world consequences. The language used to describe such risks drew from the mindset of defense and warfare, setting the tone for how “cyber security” would be spoken about for decades to come.

This military framing did not fade with time; it became the default lens through which computer and network security was understood. As the Internet expanded into civilian and commercial use, the influence of defense culture remained embedded in the very tools and frameworks enterprises adopted: kill chains borrowed from Air Force targeting doctrine, command and control adapted from military hierarchies, and red team/blue team exercises drawn directly from war-gaming. Even today, widely used taxonomies such as MITRE ATT&CK preserve this adversarial, battle-oriented vocabulary. Yet this framing, while effective for external threats, cannot address the subtler, trust-centered dynamics of risk that unfold within organizations.

2. The Military Lexicon in Cyber Security

The influence of defense culture on early networking did more than shape architectures; it shaped the language. As computer security matured into a professional field, many of its most enduring terms were borrowed directly from military vocabulary, rooted in the defense origins of computer networking. The alignment ran deeper than history alone: the very nature of cybersecurity, a discipline centered on protection and defense, resonated naturally with martial concepts. Over time, this association was reinforced in the public imagination, where cybersecurity was often depicted through the lens of espionage, secrecy, and covert military activity.

This link between computer networks, cybersecurity, and the military is not incidental but inherent in the technology’s development. In the context of traditional cybersecurity, military terminology continues to provide a powerful lens, particularly for programs focused on external threat actors.

The persistence of this connection is evident in the language still used across modern cybersecurity. Core terms and frameworks draw directly from martial doctrine:

  • Kill Chain
    Originating in U.S. Air Force targeting doctrine (find, fix, track, target, engage, assess), the model was adapted by Lockheed Martin in 2011 as the Cyber Kill Chain, mapping intrusion stages from reconnaissance through exploitation and exfiltration. The metaphor was deliberate: cyber attacks were cast as strikes to be intercepted before “engagement.”

  • Command and Control (C2)
    In military doctrine, “command and control” describes the hierarchical structures that direct forces in the field. In cybersecurity, the same term was applied to an attacker's infrastructure that issues instructions to compromised systems. The linguistic continuity reinforced the idea of intrusion as a contest between organized forces.

  • Red Team / Blue Team
    This construct comes directly from military war-gaming, where a “red team” role-played as an adversary force and a “blue team” defended. The model was adopted in cyber exercises as early as the 1980s, institutionalized by agencies such as the NSA, and remains standard practice in penetration testing and readiness assessments today.

  • Threat Actor, Campaign, Weaponization
    The lexicon of defense intelligence and ordnance entered cyber almost intact. Adversaries became “actors,” organized operations became “campaigns,” and the preparation of malicious code was described as “weaponization.” Each term carried an implicit framing of cyberspace as a battlespace.

  • MITRE ATT&CK
    Created by MITRE in 2013 and released publicly in 2015, MITRE ATT&CK built an extensive, continuously updated taxonomy of adversary tactics, techniques, and procedures (TTPs). Its structure mirrors military intelligence doctrine: hierarchical, adversary-centric, and focused on how external forces maneuver through environments.

Together, these examples illustrate how military vocabulary became embedded in the professional DNA of cybersecurity. It has provided clarity, urgency, and familiarity, particularly valuable in contexts dominated by state-sponsored external intrusions. For that purpose, the martial lexicon remains effective: cyber incidents often do resemble military campaigns, with command structures, weaponization, and tactical engagements.

3. Strengths and Limits of Martial Vocabulary

The adoption of martial language in cybersecurity has been more than rhetorical. It has provided real operational value, especially in the fight against external adversaries. Military terms are concise, intuitive, and well-suited to describing adversarial activity in terms of campaigns, defenses, and engagements. In contexts where nation-states, organized crime groups, or other external actors attempt to penetrate networks, the metaphor holds: their activity resembles coordinated military operations, complete with reconnaissance, weaponization, command structures, and tactical maneuvers. For these threats, martial vocabulary gives defenders a shared, action-oriented lexicon.

Yet the same strengths also expose the limits of this framing. Martial language is oriented toward an external enemy: an opponent outside the perimeter, distinct from the organization being defended. It frames the defender’s role as one of resisting attack, rather than investigating trust. This framing falters when applied to insider risk, where the subject is not an external adversary but a trusted individual within the institution, a member of the population. Terms like kill chain or weaponization do little to explain behavioral drift, negligence, or conflicted loyalties. They risk obscuring the subtler dynamics at play: deviations from policy, breakdowns of trust, or the misuse of legitimate access.

In short, martial vocabulary remains indispensable for traditional cybersecurity, but it cannot fully describe the insider threat domain. Where external intrusions can be treated as campaigns to repel, insider risk requires a language of investigation, context, and trust.

To address insider risk effectively, insider threat practitioners should not rely on the martial lexicon of externally focused cybersecurity, but instead adopt a vocabulary suited to their discipline, one designed to capture the dynamics of trust and institutional integrity that martial terms cannot.

4. The Investigative Alternative

Insider threat is not a problem that massed forces can be deployed against. It is a problem that arises within the population itself: the employees, contractors, and affiliates who make up the institution. This distinction matters. Militaries are designed to operate outside the host population, defending against external foes. Police, by contrast, operate within the host population, investigating and responding to risks that emerge from among the community itself.

This analogy is decisive for insider threat. The “population” in question is the workforce and its trusted partners. Within that population, individuals may become subjects of investigation, not because they are enemies to repel, but because their behavior, access, or circumstances raise legitimate concerns. To treat these cases as if they were military engagements is to misframe them from the start. The investigative paradigm, grounded in law enforcement practice, offers the more appropriate model.

The language we use is not incidental. Terminology creates a viewpoint: a lens through which problems are understood and acted upon. Martial vocabulary positions defenders as combatants, framing incidents as battles to win or lose. Investigative vocabulary positions practitioners as investigators, framing incidents as matters of trust, evidence, and context. Choosing the right lexicon is therefore not just descriptive; it is strategic. It sets the orientation of insider risk programs, informs how practitioners think, and shapes the institutional response.

The contrast between military and policing approaches reinforces why this matters in practice. Military operations focus on speed, force, and overwhelming an adversary. Police investigations focus on patience, neutrality, and evidence that can withstand scrutiny. Insider threat programs clearly fall into the latter category: what matters is not “winning” quickly, but documenting facts carefully, so that decisions about employees, data, and trust relationships are proportionate, defensible, and just.

Trust sits at the center of this distinction. Militaries do not need to preserve trust with their adversaries; police do need to preserve trust within the population they serve. Insider threat is inherently about trust, between organizations and their people. Investigative language reflects this reality, enabling programs to act proportionately and avoid alienating the very workforce they are designed to protect.

Investigative terminology also integrates insider threat programs into the broader governance ecosystem. HR, compliance, audit, and legal teams all operate with investigative, not martial, language. Adopting the same lexicon ensures insider threat programs align with these adjacent functions, rather than being isolated as “militarized” outliers inside the enterprise.

Crucially, insider threat cases must also be able to withstand scrutiny. Disciplinary processes, legal actions, and regulatory inquiries may all demand access to investigative records. Law enforcement and policing terminology has developed over centuries to meet this standard: language framed to be admissible in court, precise enough to survive cross-examination, and neutral enough to protect procedural fairness. By adopting the same style of vocabulary, insider threat programs ensure their records are credible, defensible, and capable of withstanding internal or external review.

This is why Forscie created the Forscie Glossary, to document and define insider threat terminology in an explicitly investigative frame. By standardizing terms such as Subject, Infringement (ITM), and Behavioral Drift, we embed neutrality and evidentiary precision into the practice of insider risk management. The same principle shapes the Insider Threat Matrix, where we deliberately use the structure of Articles, Sections, and Sub-Sections, mirroring the way legislation is organized, and how police and courts refer to parts of law. This alignment is intentional: it anchors insider threat practice in the language of investigation and governance, not warfare, and ensures it can stand alongside adjacent disciplines with professional legitimacy.

But the purpose goes beyond clarity or alignment. By deliberately adopting this terminology, Forscie seeks to shift the investigative lens itself, to embed insider threat investigation as a discipline defined by neutrality, evidence, and trust. Language becomes the foundation for how practitioners view their role: not as combatants fighting an enemy, but as investigators serving the institution by documenting, assessing, and resolving risks within its population. In this way, the lexicon does not simply describe the task at hand – it helps shape the discipline to best serve it.

This is part of a broader trend in cybersecurity: the maturation of specialized domains that require specialized lexicons. Digital forensics was one of the first to adopt law enforcement terminology because its role in criminal investigations demanded rigor, neutrality, and evidentiary defensibility. Insider threat is now following the same path. It has grown into a professional discipline in its own right, one that requires an investigative vocabulary tailored to risks that emerge within a population.

For these reasons, Forscie advances a lexicon modeled on investigative practice. Where martial vocabulary equips defenders to repel external adversaries, investigative vocabulary equips insider threat practitioners to operate within a population – neutral, precise, and procedurally sound. And by adopting it, insider risk programs position themselves correctly: not as combat units on a battlefield, but as investigative bodies safeguarding trust within the institution.

5. Conclusion

Cybersecurity inherited a martial vocabulary for good reason: it emerged from technologies developed by defense institutions during the Cold War, and for external threats that framing remains both effective and necessary. But insider risk is different. It arises from within the population, where the challenge is not to repel an enemy but to investigate trust. That difference demands a different language.

Forscie’s work, through the Glossary, the Insider Threat Matrix, training, software, and every element of our knowledge loop, deliberately defines insider threat in investigative terms. By adopting the lexicon of law enforcement and policing, we provide insider risk programs with the framing to operate with neutrality, precision, and evidentiary defensibility.

Language shapes how a field sees itself. By shifting the vocabulary of insider threat, we shift its lens: from combat to investigation, from adversaries to subjects, from breaches of the perimeter to infringements of trust. This is how insider threat matures into a true discipline, one that safeguards institutions by preserving the trust on which they depend.

The language we choose will set insider threat investigation on the path from practice to profession, from a nascent task in cybersecurity to a discipline in its own right.

James is the Co-Founder of Forscie, with a background in law enforcement, digital forensics, cyber incident response and insider threat investigations.