The terms I most often see conflated or misused for each other are:
Privacy and Confidentiality
Vulnerability scan and Penetration test
You can often get a vuln scan as part of a pen-test, but they really aren't the same thing. The tip-off should be the word "penetration" which means someone is actually breaking in instead of just looking at you. One usually costs a lot more than the other as well. Bonus: a port scan is part of a vulnerability scan, but not the whole thing.
Vulnerability/Threat/Impact and Risk
I'm a proud member of SIRA, where a bunch of nerds sit around to argue about different risk models and which fits/works best in what situation. But you know what? I'd be happy if the entire industry just started using the most basic simplistic formula for risk: Risk = Threat × Probability × Impact. Sadly, what I see folks doing is:
- "We need to stop doing this because APTs are dangerous" -> Risk = Threat
- "We need to shut down email because half our messages have malware in them" -> Risk = Probability
- "We need to do something about DDOS because our site could go down." -> Risk = Impact
Disaster Recovery and Business Continuity
Again, the tip-off is in the words themselves. Disaster recovery is about recovering the IT systems after a disaster. Just the IT systems. Business continuity involves recovering the entire business process. BC can include DR but not the other way around.
2 factor and additional authentication
You know when you login to your web banking from a new computer and it suddenly asks you what high school you went to? That's not 2-factor authentication... because that's just more of "something you know." It's layered or risk-based or adaptive authentication. But it's not a different factor so it's not as strong. So stop thinking that it is.
What do you see security professionals mixing up all the time?