Cyber Strategy Management – 1D. Review threat landscape (5/5)

Cybersecurity Strategy Management Framework

This article is part of the Cybersecurity Strategy Management Framework. The work on it is currently in progress. You can read more about the framework in this article.

Purpose

The constantly evolving threat landscape makes it impractical for organizations to invest equally in all cybersecurity areas. The purpose of reviewing the threat landscape is to pinpoint the most significant risks to the organization and prioritize protection measures accordingly.

Objectives

Identify key risk themes
Develop a strategic overview of the biggest threats with the potential to impact your mission-critical assets.
Prioritize cybersecurity domains
Prioritize cybersecurity domains according to your threat landscape to ensure efficient resource allocation. Focus on areas that yield the most value.

Inputs

Business landscape
Summary of the business environment in which the company operates and its business model, including customer segments, products and services, sales, distribution and communication channels. Developed as part of “1b. Review internal factors” activity.
Technology landscape
Summary of IT operating model, IT architecture, an overview of key technologies used by the company and critical infrastructure components. Developed as part of “1b. Review internal factors” activity.
Security landscape
An outline of the security landscape featuring the organizational structure, operating model, and the key frameworks in use.
Business and technology objectives
List of business and technology objectives, their prioritization, supporting initiatives and definition of common interests. Developed as part of “1b. Review internal factors” activity.
External factors
List of the market, technology, cyber and regulatory trends affecting your organization and cyber strategy, their impact and cyber implications. Developed as part of “1c. Review external factors” activity.

Choose your approach

The first step in a threat landscape review is choosing a practical risk management approach. By adjusting traditional risk assessment methods, we can perform a broader evaluation, helping to prioritize security areas and guide strategic planning, as detailed in part 1 of this article – “1D. Review threat landscape (1/5)”.

Prepare for assessment

In preparing for a threat landscape assessment, aligning the scope with your cybersecurity strategy and identifying relevant internal and external threat sources are crucial. As part 1 of this article outlines, adequate preparation is the foundation for a robust threat landscape review – “1D. Review threat landscape (1/5)”.

Identify crown jewels

The process of conducting a threat landscape review begins with the identification of your organizational crown jewels. These are assets whose compromise could have a significant impact on your business. The detailed procedure for identifying them is documented in part 2 of this article – “1D. Review threat landscape (2/5)”.

Assess threat sources

Threat sources are anything that can cause harm to your information assets. Understanding the potential threat sources to your organization is vital. A comprehensive listing of these threat sources, together with an assessment of their probability and strength, allows you to prioritize risks. The approach for this is detailed in part 3 of this article – “1D. Review threat landscape (3/5)”.

Assess threat events

A threat event is an event or situation initiated by a threat source, which may lead to undesirable consequences for your information assets. Understanding cybersecurity risks requires a detailed assessment of potential threat events, their sources, origin and affected assets. The steps for identifying these threat events are detailed in part 4 of this article – “1D. Review threat landscape (4/5)”.

Assess inherent likelihood

Inherent likelihood quantifies the frequency at which a specific threat source might initiate a particular threat event against your organization, regardless of the robustness of controls implemented to mitigate the risk. This factor is instrumental in calculating the criticality of your risk.

To evaluate the inherent likelihood of identified threats:

Review the threat source probability. Start by reviewing the threat source probability rating you previously assigned in step “4. Determine threat sources”, which suggests how often a threat source might initiate threat events that affect your organization. Generally, your inherent likelihood will be consistent with the threat source probability. However, it might be lower for a given threat event, because adversaries deploy certain techniques more often than others.

Review threat source characteristics. Review the threat source characteristics assessed earlier. For adversarial threats, these may influence the choice of techniques used and the varying likelihood of initiating specific threat events. For instance, individual hackers with lower motivation levels are unlikely to devote time to launching Advanced Persistent Threat (APT) attacks using custom-developed malware or exploiting zero-day vulnerabilities. However, this scenario may differ for nation-state actors with higher motivation.

Examine historical data. Your organization’s historical data can guide you in determining the frequency of specific threat events. Since you are assessing inherent event likelihood, consider all detected attempts, not just successful ones.

Review market data. Your internal data might not fully capture the extent of threat events launched against your organization. Therefore, reviewing market reports related to threat events, particularly those specific to your industry, can be beneficial. We have listed examples of these reports in the “Identify information sources” activity description.

Determine inherent likelihood. Based on the steps above, decide on the inherent likelihood of your threat event. Then, you can record this rating in the inherent likelihood column of your Threat Events table.

As a result of this activity, every threat event in your Threat Events table should have an assigned inherent likelihood.

Assess inherent impact

Inherent Impact gauges the potential consequences if a threat source successfully initiates a threat event against your information assets. Similar to inherent likelihood, it does not consider the strength of controls in place to mitigate potential impacts. This factor is crucial in calculating your risk criticality.

To assess the Inherent Impact of identified threats:

Select the threat event. Choose the threat event from your Threat Events table that you wish to analyze for impact.

Examine impacted assets. Review your Threat-Assets table that maps threat events to potentially impacted assets. Filter by the threat event and evaluate the overall impact ratings you assigned based on the impacted information attributes – confidentiality, integrity and availability. NIST suggests analyzing inherent impact per asset, as potential impact levels may vary across different assets. However, given that this assessment occurs at a strategic level, a simpler approach of considering the global impact is recommended, so you can opt for the highest impact among your impacted assets. Bear in mind that the risk impact may accumulate if multiple assets are affected, justifying a higher rating.

Consider threat source strength. The greater the threat source strength, the more assets it can affect, or the more severely it can affect them before detection, resulting in a higher impact. In the case of adversarial threats, the more capable and committed cyber criminals are, the more damage they can inflict.

Determine inherent impact. Decide on the inherent impact of the threat event. This value should consider the maximum impact on your affected information assets. Record this value in the inherent impact column of your Threat Events table.

Identify key impacted assets. Choose the top three assets based on their overall impact stored in the Threat-Assets table and add their names to the Key Impacted Assets column in your Threat Events table. This information will be helpful later when presenting an overview of the threat landscape and will help substantiate the inherent impact rating.

Provide a risk example. If possible, provide a representative example of a situation in which a specific threat source successfully initiated a threat event. At the very least, include a year, target organization, and estimated financial losses. This information helps stakeholders comprehend that the discussion extends beyond potential risks to events that have already transpired in your organization or industry.

Repeat this process for each threat event in your Threat Events table.

As a result of this activity, each threat event in your Threat Events table should have an assigned inherent impact.

Calculate inherent risk

Inherent risk is a crucial factor that aids in prioritizing threat events, thus facilitating the effective allocation of your efforts. Given the constraints of organizational resources, this rating is vital in determining your crucial cybersecurity focus areas.

After completing this activity, you should have a prioritized list of threat events. Here is how you can achieve this:

Choose your approach. If your organization already utilizes an established method and risk matrix for calculating risk ratings, it is best to follow them for consistent risk communication. If not, you can adapt the process outlined below.

Determine inherent risk rating. Risk is a combination of likelihood and impact. Typically, the inherent risk rating is derived using a matrix that highlights risk criticality areas based on the likelihood and impact of the threat event. The matrix usually appears as shown in the example below. Some organizations also assign numeric values to likelihood and impact ratings and multiply them to produce a numeric value for the risk rating. However, I do not recommend it when the inputs are qualitative.

Prioritize threat events. To ensure effective risk presentation, you can sort your threat events in descending order using the inherent risk rating column. This ordering draws attention to the most significant risks.

| ID | Threat Event | Inherent Likelihood | Inherent Impact | Key Impacted Assets | Inherent Risk Rating | Risk Example |
|---|---|---|---|---|---|---|
| TE001 | Phishing | 4 - High | 5 - Very High | A006 Authentication data | 5 - Very High | 2016 - Crelan Bank - 76 mln USD |
| TE002 | Ransomware | 4 - High | 5 - Very High | A004 Client data | 5 - Very High | 2017 - Maersk - 300 mln USD |
| TE003 | Data leakage - accidental | 4 - High | 5 - Very High | A004 Client data | 5 - Very High | |
| TE004 | Data leakage - theft | 3 - Medium | 5 - Very High | A004 Client data; A005 Platform code; A006 Authentication data | 5 - Very High | |
| TE005 | Vulnerability exploitation | 3 - Medium | 5 - Very High | A002 Sales pipeline; A004 Client data; A005 Platform code | 5 - Very High | |
| TE006 | Insufficient vendor oversight | 3 - Medium | 5 - Very High | A002 Sales pipeline; A004 Client data | 5 - Very High | |
| TE007 | Denial of service | 3 - Medium | 5 - Very High | A004 Client data | 4 - High | 2021 - Bandwidth Inc. - 12 mln USD |
| TE008 | Misconfiguration | 2 - Low | 5 - Very High | A004 Client data; A005 Platform code; A006 Authentication data | 4 - High | |
| TE009 | Power failure | 2 - Low | 5 - Very High | A004 Client data | 4 - High | |
| TE010 | Ineffective security design | 2 - Low | 5 - Very High | A002 Sales pipeline; A004 Client data | 4 - High | |
| TE011 | Regulatory incompliance | 2 - Low | 5 - Very High | A004 Client data | 4 - High | |
| TE012 | Fire | 1 - Very Low | 5 - Very High | A004 Client data | 3 - Medium | |
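As an added worked example (not code from the original article), the impact, key-asset and matrix steps above carried out in Python over constructed sample events: the 5x5 matrix cells, the accumulation rule (three or more assets sharing the top rating raise the impact one level) and the per-asset ratings are all assumptions, and an organization with its own risk matrix should substitute it.

```python
from dataclasses import dataclass, field

# Assumed 5x5 risk matrix, indexed [likelihood - 1][impact - 1], scale 1 (Very Low)..5 (Very High).
RISK_MATRIX = [
    [1, 1, 2, 2, 3],  # likelihood 1 - Very Low
    [1, 2, 2, 3, 4],  # likelihood 2 - Low
    [2, 2, 3, 4, 5],  # likelihood 3 - Medium
    [2, 3, 4, 5, 5],  # likelihood 4 - High
    [3, 4, 4, 5, 5],  # likelihood 5 - Very High
]
LABELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}

@dataclass
class ThreatEvent:
    event_id: str
    name: str
    inherent_likelihood: int
    asset_impacts: dict  # Threat-Assets rows for this event: asset -> overall impact (1..5)
    inherent_impact: int = 0
    key_assets: list = field(default_factory=list)
    inherent_risk: int = 0

def assess_inherent_impact(event, accumulation_threshold=3):
    # Global impact = highest asset rating; assumed rule: N assets sharing that top rating go one level up.
    top = max(event.asset_impacts.values())
    at_top = sum(1 for v in event.asset_impacts.values() if v == top)
    event.inherent_impact = min(5, top + 1) if at_top >= accumulation_threshold else top
    ranked = sorted(event.asset_impacts.items(), key=lambda kv: (-kv[1], kv[0]))
    event.key_assets = [asset for asset, _ in ranked[:3]]  # top three for the summary
    return event.inherent_impact

def calculate_inherent_risk(event):
    # Matrix lookup rather than likelihood x impact multiplication, as the text recommends.
    event.inherent_risk = RISK_MATRIX[event.inherent_likelihood - 1][event.inherent_impact - 1]
    return event.inherent_risk

def prioritize(events):
    # Assess every event, then sort by descending inherent risk (ties: higher likelihood first).
    for e in events:
        assess_inherent_impact(e)
        calculate_inherent_risk(e)
    return sorted(events, key=lambda e: (-e.inherent_risk, -e.inherent_likelihood, e.event_id))
# Constructed sample Threat Events with their Threat-Assets impact ratings.
SAMPLE_EVENTS = [
    ThreatEvent("TE001", "Phishing", 4, {"A006 Authentication data": 5, "A001 HR records": 3}),
    ThreatEvent("TE007", "Denial of service", 3, {"A004 Client data": 4}),
    ThreatEvent("TE008", "Misconfiguration", 2, {"A004 Client data": 4, "A005 Platform code": 4,
                                                 "A006 Authentication data": 4, "A002 Sales pipeline": 2}),
    ThreatEvent("TE012", "Fire", 1, {"A004 Client data": 5}),
]
```

Running `prioritize(SAMPLE_EVENTS)` orders the events TE001, TE007, TE008, TE012; note how TE008's three assets rated 4 accumulate to an impact of 5, lifting its risk from 3 - Medium to 4 - High.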

Summarize the threat landscape

During stakeholder discussions, referring to your organization’s threat landscape can be beneficial. However, it is crucial to relay this information in a straightforward, concise and easily digestible manner. The goal is to help stakeholders grasp the critical risks that could impact their areas of responsibility. You also want to convincingly present your cybersecurity strategy as the solution to these challenges.

Create an initial summary

To convey your message effectively, concentrate on the top ten risks, detailing as follows:

Risk category and description. It is essential to present the risks in a language that business leaders can easily understand. Each risk should have a title and description that reflects its nature without resorting to technical jargon. Consider leveraging the organizational risk taxonomy to ensure consistency and clarity.

Threat source. Identifying the highest priority threat source helps to illustrate its characteristics and the efforts needed to prepare for risk mitigation. For instance, organizations often targeted by advanced hacking groups require significantly more resources to counter these threats.

Threat source intent. For adversarial threat sources, you can include the intent of the threat source to demonstrate its motivation.

Impacted assets. Identify the top three assets that would face the highest impact. Pinpointing the assets most at risk allows stakeholders to comprehend each risk’s potential consequences and severity.

Risk rating. Provide your risk rating. Sharing a risk rating provides a snapshot of its severity relative to others.

Risk example. It is helpful to use real-world examples to bring these risks to life. Include the most recent instances where similar risks materialized, whether within your company or the industry. Provide the company’s name, the year, and, if available, the financial impact value to help stakeholders appreciate the reality of the risks.

Group similar risks

Upon analysis, you may find that some risks are overly detailed, or you might notice clusters of similar threat event categories.

In these scenarios, aim to aggregate similar risks into broader categories. Remember, this is a strategic-level assessment intended for high-ranking stakeholders. They should understand the nature of these risks, perceive their importance, and you need to convince them to act on them. Your cybersecurity strategy will be the solution to these problems.

| Risk Title | Risk Description | Threat Source | Intent | Key Impacted Assets | Rating | Example |
|---|---|---|---|---|---|---|
| Phishing | External attackers can send emails pretending to be from a legitimate source to our employees to reveal their credentials or introduce malware into our systems to obtain initial access into our organization. | TS001 Hacking group | Financial gains, Disruption | A006 Authentication data | 5 - Very High | 2016 - Crelan Bank - 76 mln USD |
| Ransomware | External attackers can deliver and install malware into our systems to steal our sensitive information or spread ransomware for financial gains. | TS001 Hacking group | Financial gains, Disruption | A004 Client data | 5 - Very High | 2017 - Maersk - 300 mln USD |
| Data leakage - accidental | Insiders can leak our confidential data by mistake, by losing data storage devices or by not following information handling guidelines. | TS006 User | | A004 Client data | 5 - Very High | |

Outputs

Threat landscape summary
Summary of prioritized organizational threat landscape presenting key risks, their description, criticality rating and most important attributes.