5 exercises on adjective–noun collocations from cybersecurity and secure systems design: the fixed terms that appear in security policies, threat models, and compliance documents.
Key security collocations in this set
zero-trust (model/architecture) — never trust, always verify; not "no-trust"
least privilege — minimum permissions; fixed phrase, not "minimal privilege"
end-to-end encryption (E2EE) — only communicating parties can decrypt
hardened system — attack surface reduced; not "secured" or "locked"
sandboxed environment — isolated execution; not "quarantined"
1 / 5
A security architect presents a new policy:
"Under our ___ model, every request must be authenticated and authorised — regardless of whether it originates inside or outside the corporate network. There is no implicit trust."
Which hyphenated adjective describes a security model that trusts nothing by default?
Zero-trust is the established security model, coined by John Kindervag at Forrester Research in 2010. The core principle: "never trust, always verify." In a zero-trust architecture, every user, device, and network connection is treated as untrusted, even inside the corporate perimeter. Access is granted on a per-request basis, with continuous verification.
Why the others fail:
no-trust model — not the industry term; though semantically similar, it is not used professionally
minimal-trust model — not a recognised security framework
distrust model — not used in this technical context
Common collocations:
zero-trust architecture (ZTA)
zero-trust network access (ZTNA)
implement zero-trust
zero-trust policy
zero-trust vs perimeter security
2 / 5
A security policy document states:
"Each service account must operate with ___ privilege — it should have only the exact permissions needed to perform its function, and nothing more."
Which adjective phrase describes granting only the minimum permissions required?
Least privilege (also: principle of least privilege, PoLP) is the canonical security term. It states that every process, user, or service should operate with the minimum level of access rights needed to perform its legitimate function. This limits the blast radius if credentials are compromised.
Why "least" is the fixed word:
minimal privilege — descriptively similar but not the established term; "minimal" implies reducing rather than starting from the minimum
reduced privilege — describes an action (reducing existing rights), not a design principle
limited privilege — generic; could describe any restriction
Common collocations:
principle of least privilege
least-privilege access
enforce least privilege
role-based access control (RBAC) implements least privilege
service account with least privilege
3 / 5
A product specification requires:
"All messages between the client app and the server must use ___ encryption — no intermediary, including our own infrastructure, should be able to read the message content."
Which adjective phrase describes encryption where only the communicating parties can read the data?
End-to-end encryption (E2EE) is the fixed technical term. It means data is encrypted on the sender's device and only decrypted on the recipient's device — no server or middleman in between can read it. This is used in Signal, WhatsApp (E2EE), and iMessage. It contrasts with transport encryption (TLS), where the server decrypts and re-encrypts.
Why the others fail:
full encryption — not a standard term for this model; could mean "all data is encrypted" without implying E2EE properties
complete encryption — same issue; descriptive but not the technical phrase
total encryption — not used professionally
Key distinctions:
End-to-end encryption — even the service provider cannot read content
Transport encryption (TLS) — encrypted in transit but the server can read it
At-rest encryption — encrypted when stored
4 / 5
A DevSecOps engineer describes a deployment configuration:
"Our production servers run a ___ system configuration — unnecessary services are disabled, default accounts removed, and all ports are closed except those explicitly required."
Which adjective describes a system that has been secured by removing all non-essential components and reducing its attack surface?
Hardened system is the established security term. System hardening is the process of securing a system by reducing its attack surface: disabling unused services, removing unnecessary software, closing open ports, applying security patches, and enforcing strict access controls. It is a standard part of CIS Benchmarks, DISA STIGs, and PCI-DSS compliance.
Why the others fail:
secured system — generic; does not convey the specific practice of removing attack surface
locked system — implies access restriction, not the hardening process
sealed system — not a standard security term in this context
Common collocations:
hardened server
hardened image (a pre-hardened OS image)
system hardening guide
CIS hardened benchmark
hardening checklist
5 / 5
An incident response plan explains a containment strategy:
"Untrusted third-party plugins run inside a ___ environment — they cannot access the file system, network, or other processes on the host."
Which adjective describes an isolated execution environment that restricts a process's access to host resources?
Sandboxed environment is the canonical term. A sandbox is an isolated environment where untrusted or potentially malicious code can run without affecting the host system. The term originates from the idea of a children's sandbox — a contained space where actions have no consequences outside it. Sandboxing is used in browsers (each tab is sandboxed), mobile OSes (iOS/Android app sandboxes), PDF readers, and malware analysis tools.
Why the others are not canonical:
isolated environment — accurate but generic; "isolated" describes a property, not the specific security pattern
contained environment — could be confused with containerisation (Docker containers); not the security-specific term
quarantined environment — "quarantine" implies something already identified as malicious and being held; different concept
Common collocations:
sandbox environment
run in a sandbox
browser sandbox
sandbox escape (a vulnerability that breaks out of the sandbox)