Back to all activities

Threat Identification


These activities build off of a process or data mapping exercise to connect actual processes or assets and data of the organization with potential threats, then drilling down into specific, likely threats the organization faces, adversaries who might take advantage of them, and the impact of this happening.

The goal is to be able to answer the following questions:

Threat History

  • What history of attacks does the threat actor have?
  • What techniques have they used? Have they targeted vulnerabilities that the organization currently has?
  • What is known about the types of threats used by an threat actor to attack similar organizations?

Threat Capability

  • Does the threat actor have the means to exploit a vulnerability that the organization currently has?
  • Does the threat actor have the means to leverage widespread threats against all similar organizations, or will they have to prioritize their targets?

Threat Intent

  • Have they targeted similar organizations?
  • Does the threat actor currently have the desire to conduct an attack against this type of organization?
  • Is the organization a priority threat target for the threat actor?


    • Treat threat and adversary data with the utmost security.
    • Ensure that any physical notes/drawings are erased and destroyed once digitally recorded.
    • Ensure that any digital recordings of this process are kept secure and encrypted.
    • Consider who has physical and visual access to the room where this process takes place, and if the room can be secured if this activity may span long/overnight breaks.

Walk Through

    • Requires a process or data mapping exercise's outputs

      Threat Identification (30 minutes per process):

    • Give participants a "cheat sheet" of threats.

    • Explain the types of threats.

      • Confidentiality: If unauthorized individuals find out an asset/process exists.
      • Control: If an asset/process can be accessed by unauthorized individuals.
      • Integrity: If an asset/process is changed without permission.
      • Availability: If an asset/process becomes unavailable.
      • Consistency: If an asset/process becomes unreliable. (Some use Identity instead or in addition to Consistency, if an asset/process can be spoofed to appear as owning/coming from someone else.)
    • Auditability: If you cannot verify that an asset/process is secure.

    • Identify a "interaction line" from the process map to start with.

    • Generate a list of threats that would cause that interaction to fail.

    • Mark the back of the post-it with the interaction name or number.

    • Write the threat and their impact on post-its and arrange them in an orderly way.

    • If multiple risks cause the same consequence create a new post-it near the new risk.

    • Continue doing this for all the interactions in the critical process'.

    • Discuss and rearrange threats as groupings emerge.

    • Label threat clusters that appear.

    • NOTES:

      • If any of the impacts identified in the pre-mortum or other process-mapping exercises are not covered ask participants where they would go.
      • Take photos of the threats once you have finished enumerating them.
      • Write risks on one set of post-its and impacts on another color of post-its to make it easy to keep track.
      • Look at the "CVSS v3 Base Metrics" for an example of the severity of different threats.

      Impact Identification (30 minutes per process): This exercise has the trainee lead the participants on a brainstorming of hypothetical consequences (impacts) when the threats identified earlier occur.

    • Give participants a pen and three sticky note pads.

    • Explain the topic and the categories. [2]

      • Staff/People - (which includes families, friends, and beneficiaries): temporary or permanent physical injury, temporary or longer-term psychological damage, death, legal costs, cost of medical treatment, loss of morale or trust in management.
      • Organization - loss of or damage to assets, operational inefficiency, loss of program quality or outright suspension; loss of reputation; loss of funding.
      • Program - reduced program quality, temporary suspension of the program, forced termination of the program.
    • Instruct each person to generate DIRECT impacts based upon the exiting threat clustering from Threat Identification.

    • Include only one impact per sticky note.

    • Have one participant quickly describe then place an impact on the board writing along side it the threat that causes it.

    • Invite others to place similar/the same impacts in proximity and quickly describe how it can occurs.

    • Repeat the process until all impacts are included.

    • Have participants add stickies for any secondary/cascading impacts

    • Discuss and rearrange impacts as groupings emerge.

    • Label impact clusters that appear.

    • NOTES:

      • Tell participants to write multiple impacts per color.
    • Look for opportunities to create sub-groups.

    • Limit the time frame for discussion.

      • Take photos of the impact clusters once you have finished enumerating them.

      Adversary Exploration (Likelyhood):

    • Explain the topic and the categories. [1]

      • "History – a past incidence or pattern of attacks on similar organizations."
      • "Intent – specific threats, a demonstrated intention or mindset to attack."
      • "Capability – the wherewithal to carry out an attack."
    • Brainstorm adversaries who have demonstrated likelihood to impact their work or one of the process'.

    • Pick an adversary and write their name on the board.

    • Write specific instances of adversary history, intent, and capacity announced by the participants.

    • Repeat the process until all adversaries are completed.

    • NOTES:

    • Limit the time frame for discussion.

      • Take photos of the adversary lists.

      Impact Ranking: The goal of this exercise is to have the trainee lead the host organization in classifying the severity of the possible impacts from the threats they have just explored.

    • Create a post-it for each impact.

    • Place two points on the wall. On one side are "Inconvenient" impacts that disrupt the organization in a very small way. On the other side are "critical" impacts that may pose life-safety risks to employees, partners, or the general public.

    • The low end of the scale may include a fire alarm may cause the staff to lose a half an hour of work time, but does not impact any short or long-term activities.

    • The high end of the scale would include events such as a fire that destroys the organizations headquarters and endangers staffs lives or legal issues that cause termination of the program.

    • Place each item along the severity line from least to most severe impact.

    • Give each item its own place on the scale. No two items can be the same severity.

    • NOTES:

    • Listen carefully to every point of deliberation.

      • As risks are placed on the wall, the trainee can use other already ranked risks to help participants identify the right place. "Is a robbery more or less likely than a fire?"
      • Take photos of the impact scale once you have finished it.