Understanding Threat Actors For Better Cyber Incident Response

Date: 27 May 2020

Featured Image

In any discussion on cyber incident response & resilience, it is imperative to deliberate upon the subject of threat actors. After all, if you can’t identify who could potentially harm your business, how will you anticipate the kind and scale of damage they can cause? 

In this blog, we cover:

What/who are threat actors?

As the name suggests, threat actors or agents can be any individual/ group that is capable of causing harm to your business and data security. Their inherent ability to cause harm, despite what their intentions may be, justifies the tag ‘threat actors’ and it is advisable to stick to one uniform term when discussing such agents instead of creating too many verbal categorizations.

While this blog aims to offer a surface-level understanding of the importance of knowing one’s threat actors, Cyber Management Alliance's NCSC-Certified Cyber Incident Response & Planning Course delves into the subject deeply and will help the management and technical teams agree on a threat library.  In fact, our module on Threat Actors is currently available free of charge on our training platform. You can click on the link below to access this free module and get an in-depth understanding of who your potential business adversaries can be. 

Free Online Information Security Training

Why is understanding your threat actors imperative for good CIPR?

Quite simply, if you don’t know who your threat actors are, you’ll not be able to get any clarity on their motivations, their modus operandi, their capabilities or what assets they may be after.

Further, clearly identifying the threat agents will allow you to effectively allocate resources (budgets and time) to the most relevant risks and threats.

So how do you go about enlisting your threat actors? The idea is to have the technology and management teams reach a consensus about who the possible threat actors are and what their attributes are like. This simple exercise on its own can be a huge step forward in enabling everyone to better understand the business’s threat landscape and build a solid response strategy.

Common threat actor types

  • Hacktivists
  • Cyber-criminals
  • Disgruntled insidersbillionphotos-1180860-1
  • Careless employees
  • Nation states


Threat Actor Attributes

Enlisting the threat actors, however, isn’t enough and the organisation will need to evaluate their attributes to correctly assess the threat to the business. A cursory understanding of attributes can be gathered on the basis of the following considerations:

  1. Intent - Depending on whether a threat actor harms the business intentionally or accidentally, he/she is classified as a hostile or a non-hostile agent, respectively.
  2. Access – This refers to whether the threat actor had internal access or was able to gain access externally.
  3. Skill Level – This classification is based on the skill level of the threat actor and can range from ‘none’ to ‘adept’.
  4. Resources - This determines the resources available to the agent for use in an attack.
  5. Visibility – Visibility refers to the extent to which the agent wishes to reveal his/her identity.
  6. Objective – As the name suggests, here we try to identify the objective of what the threat actor is doing - is it to make a copy of an asset, destroy it, take control of it or if the agent has no defined motive at all?
  7. Outcome – Outcome means the primary goal of the attack. It can range from theft or gaining a competitive market advantage to simply causing embarrassment to the business. In many cases, if the threat actor is non-hostile the outcome could be totally unintentional.

These classifications and considerations offer a preliminary understanding of the vast and highly relevant subject of Threat Actors.

Our NCSC-Certified course on Cyber Incident Planning & Response covers this topic in great detail and is an excellent way for organisations to not only identify threats to their business but also prepare to combat them successfully.

The good news is that for a limited period of time, you can access our module on Threat Actors, from our NCSC-Certified course, free of charge.   

New call-to-action

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422