Threat Assessment


This objective uses a variety of activities to identify possible attackers and gather background information about their capability to threaten the organization. This consists of identifying a particular attacker's history of carrying out specific threats, their current capability to carry out those threats, and proof that the attacker intends to leverage resources against the target.


Checking the assumptions of both the organization and the auditor by researching current threats ensures that the auditor is basing their work on an accurate assessment of the conditions the organization faces and is making informed operational security considerations. Giving staff greater ownership of the process gives them an opportunity to explore their threat landscape and become more engaged in addressing the identified threats once the audit is complete. By engaging with as many staff as possible, the auditor provides a framework that staff can use to explore threat identification processes after the auditor is gone.

Guiding Questions

    • Who are potential adversaries for the organization?
    • Do these threat actors have a history of attacks? Against whom?
    • What types of organizations have they targeted?
    • Does the threat actor have the means to leverage widespread threats, or will they have to prioritize their targets? Is the organization a priority target?
    • Do they have the desire and ability to conduct an attack?

Operational Security

  • Data generated in this component is highly sensitive. In addition to the standard practices of saving only in encrypted containers, destroying physical copies (stickies, etc.) and using VPNs/Tor to conduct research, also take note of the physical location where you are conducting any exercises to prevent eavesdropping/viewing.


    • Threat Identification works best when grounded in mapped-out organizational processes or a data/asset map. See the Process Mapping and Data Assessment Methods for exercises to generate these.
    • Threat Identification discussions, in which you facilitate group activities where staff identify possible adversaries and the threats those adversaries have or can leverage against the group, can trigger strong emotions and be draining for the participants. Plan to schedule this with downtime (i.e. not right before or after another intense exercise) and have a plan to address the psychosocial needs of individuals.
    • Initial, limited conversations with senior staff should help scope and guide group exercises.


    • A host-driven threat matrix including the following:
      • Adversaries (threat actors) with capabilities and willingness
      • Impacts of attacks against critical processes, ranked by severity
      • Likelihood of each (based on adversaries)
    • Latest general cyber-security threats
    • Identify existing in/formal security practices that the participants use to address risks.

References and resources for Threat Assessment