Threat classification: external (cybercriminals, APTs, hacktivists, competitors), internal (employees, contractors), technical (malware, zero-days, misconfiguration), and accidental (configuration errors).
What is a cyber threat
A cyber threat is any event, action or entity with the potential to compromise, damage or disrupt information systems, data or services. This includes malicious actors (cybercriminals, hacktivists, APTs), attack types (malware, ransomware, phishing, DDoS), exploitable vulnerabilities, and internal threats (malicious or negligent employees). Threat classification and risk analysis are a critical CISO function for prioritising defensive investment. Threat = potential for harm; risk = threat combined with probability and impact; control = defensive measure that mitigates risk.
Why it matters
CISOs must understand the threat landscape to prioritise: if a nation-state APT targets your industry, defensive controls should focus on APT detection (EDR, hardening, threat hunting). If mass ransomware is the dominant threat, immutable backups and segmentation are priorities. Threat intelligence (collection of information about active threats) drives tactical decisions: which indicators of compromise (IoCs) to hunt for, which APT groups to monitor, which vulnerabilities are being exploited in the wild. Risk analysis structures the budget: you cannot defend everything; you prioritise critical assets against the most probable and impactful threats. Regulations demand threat analysis: ISO 27001 requires annual risk assessment; NIS2 requires understanding the threat landscape; DORA requires stress-testing against threats specific to the financial sector.
Key points
Attack chain: reconnaissance → initial access → persistence → lateral movement → privilege escalation → exfiltration. Interrupting the chain at any stage limits the breach.
Threat intelligence: collection of information about threats (actively exploited CVEs, active APT groups, malware campaigns), shared among CISOs for collective defence.
Prioritisation: a risk matrix (probability × impact) ranks threats. Because resources are limited, defence is focused on the highest-risk threats first.
Example: threat analysis guides control prioritisation
CISO at a software company analyses the threat landscape: 1) Mass ransomware (high probability, catastrophic impact), 2) Competing APT from China (medium probability, high impact on IP), 3) Insider attacker (low probability, medium impact), 4) DDoS (high probability, low impact). Risk-based prioritisation: first, immutable backups + segmentation (ransomware defence); second, EDR + threat hunting (APT detection); third, DLP + audit (insider + DDoS mitigation). Budget of 500K EUR allocated: 300K backups/segmentation, 150K EDR/hunting, 50K DLP. Structured method ensures maximum ROI on security.
Common mistakes
- Ignoring threat intelligence and implementing generic controls. If the primary threat is ransomware, focus on backups and segmentation, not advanced firewalls.
- Assuming all threats are equal. Ranking by probability and impact prevents overspending on defence against remote threats.
- Not reviewing threat analysis annually. The threat landscape evolves (new vulnerabilities, new APT groups, new tactics). Analysis must be dynamic.
Frequently asked questions
What is the difference between threat, vulnerability and risk?
Threat = actor or event with the potential to cause harm (hacker, malware, APT). Vulnerability = weakness in a system that can be exploited (open port, weak password, unpatched software). Risk = threat + vulnerability + impact. Example: APT threat + unpatched vulnerability = high risk if the data is sensitive. Without a vulnerability, a threat cannot cause harm.
How do I access threat intelligence?
Sources: 1) Commercial, paid (CrowdStrike, Mandiant, Recorded Future), 2) Open (CVE databases, MITRE ATT&CK, SecurityFocus), 3) Community (abuse.ch, VirusTotal), 4) Vendors (Microsoft Threat Intelligence, Google Safe Browsing), 5) Sector ISACs/ISAOs (shared among industry CISOs). Combining sources provides complete visibility.
What is a risk matrix and how do I use it?
A 2D matrix: Y-axis = probability (low/medium/high), X-axis = impact (low/medium/high). Threats in the red cells (high probability, high impact) are prioritised first. Threats in the green cells (low probability, low impact) are accepted or require minimal mitigation. Security budget is allocated first to red, then to yellow. An annual review updates the matrix as the threat landscape evolves.
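As an added illustration (not part of the original page), the following Python scores the four threats from the software-company example above on the 3x3 matrix just described and ranks them. The colour thresholds (red = high/high, high/medium, medium/high; green = low/low, low/medium, medium/low), the impact-first tie-break, and folding "catastrophic" into "high" are assumptions for this example.

```python
from dataclasses import dataclass

# Ordinal scale shared by both axes of the matrix. "catastrophic" impact from the
# worked example is folded into "high" (assumption: the matrix has three levels).
LEVEL = {"low": 1, "medium": 2, "high": 3, "catastrophic": 3}


@dataclass(frozen=True)
class Threat:
    name: str
    probability: str  # low / medium / high
    impact: str       # low / medium / high (catastrophic treated as high)

    def score(self) -> int:
        """Probability x impact on a 1..9 scale."""
        return LEVEL[self.probability] * LEVEL[self.impact]

    def zone(self) -> str:
        """Colour of the matrix cell. Thresholds are an assumed convention:
        red = high/high, high/medium, medium/high (score >= 6);
        green = low/low, low/medium, medium/low (score <= 2); else yellow."""
        s = self.score()
        if s >= 6:
            return "red"
        if s <= 2:
            return "green"
        return "yellow"


def rank(threats: list[Threat]) -> list[tuple[str, int, str]]:
    """Highest risk first; on equal score the higher impact wins (assumed tie-break)."""
    ordered = sorted(threats, key=lambda t: (t.score(), LEVEL[t.impact]), reverse=True)
    return [(t.name, t.score(), t.zone()) for t in ordered]


def matrix(threats: list[Threat]) -> dict[tuple[str, str], list[str]]:
    """Map each (probability, impact) cell to the threats sitting in it."""
    cells: dict[tuple[str, str], list[str]] = {}
    for t in threats:
        impact = "high" if t.impact == "catastrophic" else t.impact
        cells.setdefault((t.probability, impact), []).append(t.name)
    return cells


# Constructed input: the four threats from the software-company example on this page.
EXAMPLE_THREATS = [
    Threat("mass ransomware", "high", "catastrophic"),
    Threat("APT (IP theft)", "medium", "high"),
    Threat("insider attacker", "low", "medium"),
    Threat("DDoS", "high", "low"),
]

if __name__ == "__main__":
    for name, score, zone in rank(EXAMPLE_THREATS):
        print(f"{zone:6} {score}  {name}")
```

Running it yields the same order the page arrives at by hand: ransomware and the APT land in red, DDoS in yellow, the insider in green.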