Cyber Strategy Management – 1D. Review threat landscape (3/5)

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.

Objectives

Identify key risk themes
Develop a strategic overview of the biggest threats with the potential to impact your mission-critical assets.
Prioritize cybersecurity domains
Prioritize cybersecurity domains according to your threat landscape to ensure efficient resource allocation. Focus on areas that yield the most value.

Inputs

Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels. Developed as part of the “1b. Review internal factors” activity.
Technology landscape
Summary of the IT operating model, the IT architecture, the key technologies used by the company and its critical infrastructure components. Developed as part of the “1b. Review internal factors” activity.
Security landscape
An outline of the security landscape covering the security organizational structure, the operating model and the key frameworks in use.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and a definition of common interests. Developed as part of the “1b. Review internal factors” activity.
External factors
List of the market, technology, cyber and regulatory trends affecting your organization and your cyber strategy, together with their impact and cyber implications. Developed as part of the “1c. Review external factors” activity.

Choose your approach

The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation, helping to prioritize security areas and guide strategic planning, as detailed in part 1 of this article – “1D. Review threat landscape (1/5)“.

Prepare for assessment

When preparing for a threat landscape assessment, aligning the scope with your cybersecurity strategy and identifying the relevant internal and external threat sources are crucial. As part 1 of this article explains, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)“.

Identify crown jewels

The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in part 2 of this article – “1D. Review threat landscape (2/5)“.

Assess threat sources

A threat source is anything that can cause harm to your information assets. To manage risk effectively, you need to identify the threat sources relevant to your organization and understand their characteristics.

This understanding will later help you identify the potential threat events that these sources can initiate, assess the likelihood that they are initiated and gauge their inherent impact.

As an outcome of this activity, you should produce a list of threat sources relevant to your organization with ratings of two key parameters – threat source probability and threat source strength, which we will explain later in this article.

Create a table for threat sources

To organize information about threat sources, construct a table with the following columns:

Name of the threat source.
Classification of the threat source based on intent.
The likelihood of threat source initiation determined through the process described in the section “Assess threat source probability”.
Threat source strength determined through the “Assess threat source strength” action outlined below.
Threat source criticality based on strength and probability, discussed in detail in the “Assess threat source criticality” section.

Identify threat sources

To identify threat sources, you can leverage resources available within your organization or use taxonomies provided in the following standards:

NIST SP 800-30. Appendix D to NIST SP 800-30 offers a threat source taxonomy, including adversarial, accidental, structural and environmental categories, their description and attributes that you can assess.

IRAM2. Appendix C to IRAM2 includes a common threat list grouped by adversarial, accidental and environmental categories. It covers the threat source and its origin, which can be internal or external.

ISO 27005. Annex C to ISO 27005 presents examples of typical threats. However, this list is limited and mixes threat sources with threat events.

Market reports. Market reports collected during the “Identify information sources” activity should supply you with the latest insights into existing and emerging threat sources.

NIST, ISF and ISO categorize the threat sources based on their intent. While the naming conventions or the number of categories may vary slightly, they serve as a foundation for defining threat source characteristics:

Adversarial. Individuals, groups, organizations, or states with deliberate intentions to exploit or damage your information resources.

Accidental. Sources responsible for erroneous or unintentional actions that may negatively impact information assets.

Environmental. Natural disasters, man-made hazards, and failures of critical infrastructure, all of which are beyond your organization’s control.

Structural. Failures in equipment, software, or environmental control that could affect supporting applications for information assets.

By reviewing available resources, you can construct an initial list of threat sources, including threat source category, title, and origin.

Then, assess their relevance to your organization, considering your business model, your industry, and the political, economic, regulatory, social, technological and other factors that affect your organization. The example below shows such an initial list, with the assessed origin of each source:

ID | Title | Category | Origin
TS001 | Hacking group | Adversarial | External
TS002 | Individual hacker | Adversarial | External
TS003 | Nation-state | Adversarial | External
TS004 | Privileged insider | Adversarial | Internal
TS005 | Power supply | Structural | Internal
TS006 | User | Accidental | Internal
TS007 | Insider | Adversarial | Internal
TS008 | Competitor | Adversarial | External
TS009 | Supplier | Adversarial | External
TS010 | Privileged user | Accidental | Internal
TS011 | Environmental controls | Structural | Internal
TS012 | Fire | Environmental | Internal / External
TS013 | Flooding | Environmental | External
TS014 | Hurricane | Environmental | External
TS015 | Supplier | Accidental | External

Assess threat source probability

Threat source probability is the likelihood that a particular threat source will act against your assets by initiating one or more threat events. Several risk management frameworks use an equivalent parameter (e.g., Threat Event Frequency in FAIR, Likelihood of Initiation in IRAM2, and Likelihood of Attack Initiation in NIST SP 800-30).

To assess threat source probability, evaluate the characteristics summarized below. The table lists the most commonly used attributes, their description, the threat categories they apply to, and the frameworks that use them and provide further detail:

# | Title | Description | Threat Category | Frameworks
01 | History | History of the threat source initiating threat events against your organization, or against industry peers with a similar business model and similar information assets. | Adversarial, Accidental, Structural, Environmental | IRAM2 (History)
02 | Motivation | The level of the threat source's motivation to conduct an attack. This is usually driven by the objective of the threat source (intent), the attractiveness of your organization for achieving that objective, and the perceived strength of your control environment, which translates into the effort the attacker has to make. | Adversarial | IRAM2 (Motivation), NIST (Intent), CompTIA Security+ (Intent / Motivation)
03 | Targeting | The extent to which the threat source specifically targets your industry, your organization, or particular functions or people in your organization. | Adversarial | NIST (Targeting)
04 | Competence | The level of skill and experience of the threat actor in their job role and in working with your information systems. The less skilled and competent the actor, the greater the likelihood of human error. | Accidental | IRAM2 (Competence)
05 | Culture | The extent to which threat actors are risk aware, act responsibly and comply with security policies and procedures. The less they care about cyber risk and the more often they bypass security controls, the higher the rating. | Accidental | IRAM2 (Culture)
06 | Predisposition | The extent to which your environment is susceptible to a specific threat, without taking implemented controls into account. Some geographical locations are more prone to hurricanes; power interruptions happen more often in a data center with outdated infrastructure. | Structural, Environmental | IRAM2 (Predisposition)

IRAM2 proposes a complete approach to evaluate the combination of selected attributes and a set of Threat Profiling Reference Tables that define each attribute, a question you need to ask to assess the attribute level and comprehensive additional guidelines. NIST provides qualitative ratings related to their attributes as well.

If you need a simple approach, estimate the level of each attribute. Generally, the higher level each attribute has, the higher the threat source probability. For an adversarial threat source, the more events it initiated in the past (History) and the higher Motivation, the higher the threat source probability will be.

It is important to note that if you have incident data and use History as an attribute, your rating scale should be anchored to a number or range of events within a defined period (for example, incidents per year) rather than to a subjective impression, so that ratings stay comparable across threat sources and across assessment cycles.

In addition to this, for adversarial threat sources, you have the option to assess and list their intents. It allows for predicting the types of potential threat events they might initiate. A nation-state actor, for example, might pursue objectives like political or economic gains, different from a cybercriminal group that primarily aims for financial profit. Their possible intents could range from financial gains, espionage, disruption, reputation damage, competitive advantage, political influence, cyber warfare, ideological or religious beliefs, personal vendetta, and exploration to simple curiosity. However, motivations can be tricky to determine and might only become apparent following a thorough investigation.

After considering the above attributes, assign a qualitative rating to each threat. This rating describes the threat source probability, for example, 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, and 5 – Very High.

Assess threat source strength

IRAM2 defines Threat Strength as “how effectively a particular threat can initiate and/or execute threat events” against your environment. This parameter helps to prioritize threat sources, assess the likelihood of a successful threat event and derive a residual business impact rating. FAIR has a similar concept called Threat Capability, defined as “the capability of a threat agent.”

In this article I use the name threat source strength, because the parameter describes the threat source itself. To keep things simple, I also use this parameter to prioritize threat sources when conducting a strategic threat landscape assessment.

To evaluate threat source strength, consider the characteristics outlined below. The table lists the frequently used attributes, their descriptions, the threat categories they apply to, and the frameworks that use them and provide further detail:

# | Title | Description | Threat Category | Frameworks
01 | Capability | The level of skill and experience in conducting cyber attacks, and the resources the threat actor can use. Resources can include people, technology, facilities and funding. | Adversarial | IRAM2 (Capability), NIST (Capability), CompTIA Security+ (Sophistication), FAIR (Skills), FAIR (Resources)
02 | Commitment | The level of effort, including time and resources, that the threat actor is prepared to spend to conduct a successful attack and achieve its objectives. Threat sources with high commitment can initiate and sustain APT-style campaigns, including extensive reconnaissance, discovery of zero-day vulnerabilities and development of custom malware. Threat sources with low commitment rely on general-purpose hacking tools and invest far less time and resources. | Adversarial | IRAM2 (Commitment), NIST (Capability), CompTIA Security+ (Resources / Funding), FAIR (Resources)
03 | Access | The level of authorized access the threat source has. An employee with privileged access to systems, or with physical access to sensitive areas, can do more harm than a standard system user or a person with general access to the premises. | Adversarial, Accidental | IRAM2 (Privilege), CompTIA Security+ (Access)
04 | Severity | The magnitude of the assessed threat, e.g. hurricane grade or extent of flooding. It can usually be estimated from historical data on similar events. | Structural, Environmental | IRAM2 (Severity), NIST (Range of Effects)

As with threat source probability, after considering the attributes above, assign a qualitative rating to each threat source to describe its threat source strength, for example, 1 – Very Low, 2 – Low, 3 – Medium, 4 – High, 5 – Very High.

Assess threat source criticality

Once you have determined your ratings related to threat source probability and threat source strength, you can evaluate threat source criticality to identify which threats to prioritize for further analysis. When assessing the threat landscape at a strategic level, considering all threat sources may not be feasible, as this could be too time-consuming and not necessarily valuable.

One approach recommended by IRAM2 is to sort the threat sources first by their likelihood of initiation and then by their strength. The next step would be to sequentially number the list, establishing the threat source priority for further analysis.

However, if you are concerned about overlooking threat sources that seldom initiate attacks against your organization but possess greater strength, you can adopt an alternative approach.

You can multiply threat source probability and threat source strength numeric values to calculate the threat source criticality. Use this value to rank your threat sources in descending order. The higher the threat source criticality, the higher the priority it should have in your analysis.

You can also plot both ratings on a simple matrix, with threat source probability on one axis and threat source strength on the other. The most critical threat sources sit in the top-right section, where both ratings are high. The table that follows shows the result for the example threat sources listed earlier.

As a result of this activity, you should end up with a list of your threat sources ordered by threat source criticality, starting with those with the highest values.

ID | Title | Intent | TS Probability | TS Strength | TS Criticality
TS001 | Hacking group | Financial gains, Disruption | 4 - High | 5 - Very High | 20
TS002 | Individual hacker | Financial gains, Disruption, Personal vendetta, Exploration | 5 - Very High | 3 - Medium | 15
TS003 | Nation-state | Financial gains, Espionage, Political influence, Cyber warfare | 2 - Low | 5 - Very High | 10
TS004 | Privileged insider | Financial gains, Personal vendetta, Exploration | 3 - Medium | 3 - Medium | 9
TS005 | Power supply | - | 2 - Low | 4 - High | 8
TS006 | User | - | 4 - High | 2 - Low | 8
TS007 | Insider | Financial gains, Personal vendetta, Exploration | 3 - Medium | 2 - Low | 6
TS008 | Competitor | Competitive advantage, Reputation damage | 2 - Low | 3 - Medium | 6
TS009 | Supplier | Financial gains | 2 - Low | 3 - Medium | 6
TS010 | Privileged user | - | 2 - Low | 3 - Medium | 6
TS011 | Environmental controls | - | 2 - Low | 3 - Medium | 6
TS012 | Fire | - | 1 - Very Low | 5 - Very High | 5
TS013 | Flooding | - | 1 - Very Low | 5 - Very High | 5
TS014 | Hurricane | - | 1 - Very Low | 5 - Very High | 5
TS015 | Supplier | - | 2 - Low | 2 - Low | 4
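The following script is an added example and is not part of the original article or of IRAM2. It encodes the example threat sources above as constructed sample data (the ratings are the article's illustrative values, not measurements) and compares the two prioritization approaches described in this section: the IRAM2-style sort by probability and then by strength, and the product of the two ratings. It also shows where each source lands on the probability/strength matrix. The function and field names are this example's own choices.

```python
"""Rank threat sources by criticality (added example, not the article's own code).

Two prioritization approaches from the text are implemented side by side:
  1. IRAM2-style: sort by threat source probability, then by strength.
  2. Product: criticality = probability x strength, sorted descending.
Ties are broken by ID so both orderings are deterministic (an assumption of
this example; the article does not specify a tie-break rule).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# 1..5 qualitative scale used by the article for both ratings.
RATING_LABELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass(frozen=True)
class ThreatSource:
    id: str
    title: str
    category: str      # Adversarial / Accidental / Structural / Environmental
    probability: int   # likelihood that the source initiates threat events
    strength: int      # how effectively it can initiate/execute threat events

    def __post_init__(self) -> None:
        # Reject ratings outside the 1..5 scale before they skew the ranking.
        for value in (self.probability, self.strength):
            if value not in RATING_LABELS:
                raise ValueError(f"{self.id}: rating {value} is outside the 1..5 scale")


# Constructed sample data: the article's worked table, not a real assessment.
SAMPLE_SOURCES: List[ThreatSource] = [
    ThreatSource("TS001", "Hacking group", "Adversarial", 4, 5),
    ThreatSource("TS002", "Individual hacker", "Adversarial", 5, 3),
    ThreatSource("TS003", "Nation-state", "Adversarial", 2, 5),
    ThreatSource("TS004", "Privileged insider", "Adversarial", 3, 3),
    ThreatSource("TS005", "Power supply", "Structural", 2, 4),
    ThreatSource("TS006", "User", "Accidental", 4, 2),
    ThreatSource("TS007", "Insider", "Adversarial", 3, 2),
    ThreatSource("TS008", "Competitor", "Adversarial", 2, 3),
    ThreatSource("TS009", "Supplier", "Adversarial", 2, 3),
    ThreatSource("TS010", "Privileged user", "Accidental", 2, 3),
    ThreatSource("TS011", "Environmental controls", "Structural", 2, 3),
    ThreatSource("TS012", "Fire", "Environmental", 1, 5),
    ThreatSource("TS013", "Flooding", "Environmental", 1, 5),
    ThreatSource("TS014", "Hurricane", "Environmental", 1, 5),
    ThreatSource("TS015", "Supplier", "Accidental", 2, 2),
]


def criticality(probability: int, strength: int) -> int:
    """Threat source criticality as the product of the two ratings (1..25)."""
    return probability * strength


def rank_by_product(sources: List[ThreatSource]) -> List[Tuple[str, int]]:
    """(id, criticality) pairs, highest criticality first, ties by ID."""
    scored = ((s.id, criticality(s.probability, s.strength)) for s in sources)
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def rank_iram2(sources: List[ThreatSource]) -> List[str]:
    """IDs sorted by probability, then strength (both descending), ties by ID."""
    ordered = sorted(sources, key=lambda s: (-s.probability, -s.strength, s.id))
    return [s.id for s in ordered]


def rank_shift(sources: List[ThreatSource]) -> Dict[str, Tuple[int, int]]:
    """For each ID: (1-based rank under IRAM2 sort, 1-based rank under product)."""
    iram2_pos = {sid: i + 1 for i, sid in enumerate(rank_iram2(sources))}
    product_pos = {sid: i + 1 for i, (sid, _) in enumerate(rank_by_product(sources))}
    return {sid: (iram2_pos[sid], product_pos[sid]) for sid in iram2_pos}


def criticality_matrix(sources: List[ThreatSource]) -> Dict[Tuple[int, int], List[str]]:
    """Matrix cells keyed by (probability, strength); (5, 5) is the top-right corner."""
    cells: Dict[Tuple[int, int], List[str]] = {}
    for s in sorted(sources, key=lambda s: s.id):
        cells.setdefault((s.probability, s.strength), []).append(s.id)
    return cells


if __name__ == "__main__":
    print(f"{'ID':<6}{'Title':<24}{'Crit':>5}{'IRAM2 rank':>12}{'Product rank':>14}")
    shifts = rank_shift(SAMPLE_SOURCES)
    for sid, crit in rank_by_product(SAMPLE_SOURCES):
        src = next(s for s in SAMPLE_SOURCES if s.id == sid)
        iram2_rank, product_rank = shifts[sid]
        print(f"{sid:<6}{src.title:<24}{crit:>5}{iram2_rank:>12}{product_rank:>14}")
```

Running the script reproduces the criticality column of the table above and makes the difference between the two approaches visible: the nation-state source TS003 (probability Low, strength Very High) is ranked sixth by the IRAM2 sort but third by the product, which is exactly the "rare but strong" case the text warns about overlooking.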

Assess threat events

A threat event is an event or situation initiated by a threat source that may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, their origin and the assets they affect. The steps for identifying threat events are detailed in Part 4 of this article – “1D. Review threat landscape (4/5)“.

Estimate the inherent likelihood

Assessing inherent likelihood means gauging how frequently a specific threat source could initiate a given threat event against your organization, irrespective of any risk mitigation measures. The estimate draws on the threat source probability and characteristics assessed above, historical data and market reports. The approach is explained in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Estimate the inherent impact

From the likelihood, we shift to “Inherent Impact” – the potential consequences of a successful threat event, without considering mitigation controls. The assessment involves analyzing potential effects on assets and identifying key ones at risk. The procedure is outlined in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Calculate inherent risks

Upon understanding inherent impacts, we proceed to calculate inherent risks. These guide us toward the most significant cybersecurity areas, enabling a prioritized listing of threat events by combining likelihood and impact. The method for this calculation will be described in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Summarize the threat landscape

Effectively summarizing the threat landscape involves outlining the top ten risks in comprehensible language for stakeholders. The approach for creating this summary will be detailed in Part 5 of this article – “1D. Review threat landscape (5/5)“.

Outputs

Threat landscape summary
Summary of prioritized organizational threat landscape presenting key risks, their description, criticality rating and most important attributes.