Everything That Can Go Wrong, and What to Do About It
Not every threat becomes an attack. Your job is to figure out which ones might.
"Right then. Before you go diagnosing every shadow as an assassin, let me clarify what we actually mean by 'threat.' Because not everything that worries you is a threat, and not every threat wants to hurt you. Some just want your lunch money."
Threat assessment is the systematic process of identifying, characterizing, and evaluating threats to determine what could cause harm and how likely that harm is to occur. It is the foundation upon which all security decisions are built. Without a proper threat assessment, you are guessing -- and guessing is how threats become attacks.
In this lesson, you will untangle the trio of terms everyone confuses (threat, risk, vulnerability), walk through the four-step assessment process, meet the cast of characters who might be targeting you, and understand why capability without intent is just expensive showmanship.
Fun fact: in the time it took you to read this sentence, three analysts somewhere argued about the difference between 'threat' and 'risk.' We aim to stop that.
Scenario: Midnight Data Access
You are an analyst at a mid-sized defence contractor. The security team reports that a database containing design specifications for a sensitive component was accessed at 0245 hours over the weekend. The access used a legitimate employee credential. The credential belongs to a senior engineer who has been with the company for 12 years and has no history of policy violations. The engineering team says the data pull was not related to any active project.
Your task: Apply the principles from this lesson. Identify the threat actors who could be involved, characterise their capability and intent, evaluate the risk level, and recommend at least three actions the company should take.
Hint: Consider both insider and external possibilities. The credential was legitimate, but that does not mean the person holding it was.
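The following is an added worked example, not part of the lesson: it applies the identify / characterise / evaluate process from the opening paragraphs to the Midnight Data Access scenario. The access-log records, the engineer's baseline, the candidate actor hypotheses and their capability and intent scores are all constructed assumptions for illustration, and the "capability times intent" scoring is one common convention, not a rule the lesson states.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed access-log records for the scenario (sample data, not real).
# The first record is the 0245-hours weekend pull described in the lesson.
ACCESS_LOG = [
    {"ts": "2024-03-09T02:45:00", "user": "j.smith", "dataset": "component-x-specs", "rows": 18250},
    {"ts": "2024-03-05T10:12:00", "user": "j.smith", "dataset": "project-alpha-drawings", "rows": 120},
    {"ts": "2024-03-06T14:30:00", "user": "j.smith", "dataset": "project-alpha-drawings", "rows": 95},
]

# Assumed per-user baseline: datasets tied to the user's active projects and normal hours.
DEFAULT_HOURS = (7, 19)
BASELINE = {"j.smith": {"datasets": {"project-alpha-drawings"}, "hours": DEFAULT_HOURS}}


def access_anomalies(record, baseline=BASELINE):
    """Step 1 (identify): list the ways one access record departs from the user's baseline."""
    ts = datetime.fromisoformat(record["ts"])
    profile = baseline.get(record["user"], {"datasets": set(), "hours": DEFAULT_HOURS})
    start, end = profile["hours"]
    reasons = []
    if not start <= ts.hour < end:
        reasons.append("off-hours")
    if ts.weekday() >= 5:  # Saturday or Sunday
        reasons.append("weekend")
    if record["dataset"] not in profile["datasets"]:
        reasons.append("dataset outside active projects")
    return reasons


@dataclass(frozen=True)
class ThreatActor:
    """Step 2 (characterise): a candidate actor with assumed analyst scores."""
    name: str
    capability: int      # 1-5: could this actor have performed the access?
    intent: int          # 1-5: would this actor want to cause harm?
    expected: frozenset  # anomaly types this hypothesis would be expected to produce

    def risk_score(self):
        # Multiplicative: high capability with no intent (or the reverse) stays low.
        return self.capability * self.intent

    def evidence_fit(self, anomalies):
        """Fraction of the observed anomalies that this hypothesis accounts for."""
        if not anomalies:
            return 0.0
        return sum(a in self.expected for a in anomalies) / len(anomalies)


ALL_ANOMALIES = frozenset({"off-hours", "weekend", "dataset outside active projects"})

# Hypotheses an analyst might register for the scenario; the scores are assumptions.
HYPOTHESES = [
    ThreatActor("Malicious insider (credential owner)", 5, 2, ALL_ANOMALIES),
    ThreatActor("External actor using a stolen credential", 4, 5, ALL_ANOMALIES),
    ThreatActor("Benign: engineer working late on own initiative", 5, 1,
                frozenset({"off-hours", "weekend"})),
]


def risk_level(score):
    """Step 3 (evaluate): bucket a weighted score into a level. Thresholds are assumed."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def assess(record, hypotheses=HYPOTHESES):
    """Rank the actor hypotheses for one access record by capability x intent x evidence fit."""
    anomalies = access_anomalies(record)
    ranked = []
    for h in hypotheses:
        weighted = h.risk_score() * h.evidence_fit(anomalies)
        ranked.append({"actor": h.name, "score": round(weighted, 2), "level": risk_level(weighted)})
    ranked.sort(key=lambda r: r["score"], reverse=True)
    return {"anomalies": anomalies, "ranked": ranked}


if __name__ == "__main__":
    for entry in ACCESS_LOG:
        result = assess(entry)
        print(entry["ts"], result["anomalies"])
        for row in result["ranked"]:
            print(f"  {row['level']:6} {row['score']:5}  {row['actor']}")
```

The weekday pulls of project drawings produce no anomalies and every hypothesis scores zero, which is the point of the baseline: the weekend pull stands out only because it departs from what this credential normally does. The "benign" hypothesis has the highest capability of all (the engineer holds a legitimate credential) but is dragged down by low intent and by failing to explain why the data pull is unrelated to any active project; the stolen-credential hypothesis ranks first because it combines intent with a full account of the evidence. The scores are a starting point for the investigation the scenario asks you to recommend, not a verdict.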
TL;DR: Threats, vulnerabilities, risks -- they are different things. Your colleagues will still use them interchangeably. Accept this and move on.