1) Threats & Motives

Threat – a person or thing likely to cause damage or danger
“hurricanes pose a major threat to many coastal communities”

Motive – a reason for doing something
“jealousy was the motive for his murder”

To build an effective security program, you need to start with the reasons for having a program in the first place. There are a variety of people and groups who can and will cause harm to your business if you do not defend your organization against them. You need to understand which of these threats are most relevant to your business and use that understanding to prioritize the countermeasures you implement; otherwise you will waste time and money on protections against low-risk events in one area while leaving your information and operations exposed in others.

The threat actors (the people behind the threats) that you need to protect your company’s information and operations against include:

  • Nation States
  • Criminals & Criminal Organizations
  • Activists
  • Terrorists
  • Competitors
  • Malicious Insiders
  • Employees
  • Regulators
  • Plaintiff’s Attorneys

Each of these groups may have multiple and overlapping motivations, however I believe that they all boil down to one or more of the following motives:

  • To steal information, for purposes of resale, blackmail or espionage
  • To steal processing resources, to support malicious activities against others and to mine cryptocurrency
  • To modify information or systems, for purposes of blackmail or sabotage
  • To extort money from the victim
  • To commit fraud against the victim
  • To disrupt or destroy the organization’s operations, including inflicting loss of life (industrial sabotage to war)
  • To harm the brand or reputation of the organization (brand sabotage)
  • To impose fines or sanctions on the business for failure to follow law or regulation (nonfeasance)
  • To sue you for failure to meet contractual obligations (breach of contract)
  • To do their job (employees), but in doing so due to carelessness, negligence, accident or lack of protections, enable one of the other threats to attack the organization

While the motives attributable to these threats are not absolute, in events reviewed over the past decade the following patterns seem to be the most common:

Threats (rows) vs. Motives (columns)

Threats \ Motives    | Theft | Fraud | Espionage | Sabotage | Blackmail | Fines/Sanctions | Lawsuits | Productivity
Nation States        | X X X
Malicious Insiders   | X X X X

(Only these two rows of the matrix survive, and the column each X belonged to was not preserved.)

Another perspective for viewing threats, and one which directly drives the controls an organization should focus on, is to look at which threats are most likely to occur based on what the organization does. While any threat can strike any victim, there are patterns to threats that can help guide the most appropriate response. The chain of liquor stores down the street, with its limited IT, is unlikely to be a target for nation-state espionage or operational technology sabotage. When bank robber Willie Sutton was reportedly asked by a reporter why he robbed banks, he replied, “because that’s where the money is.” In the same way, you need to determine your most likely attacks based on the value your organization has to attackers.

Motives (rows) vs. Targets (columns)

Motive          | Limited Data & Processing, Local                                                   | Large Scale Data & Processing, National or Regional                        | International Data & Processing, Critical Infrastructure
Theft           | Devices                                                                            | + IP, financial and sensitive data for resale                              | +
Fraud           | Ransomware, cryptojacking, external financial fraud                                | + Internal financial fraud                                                 | +
Espionage       |                                                                                    | + IP, sensitive data for nation-state purposes                             | +
Sabotage        | Disgruntled employee                                                               | + OT sabotage                                                              | +
Blackmail       | Financially motivated or reputational-harm blackmail based on sensitive data theft | +                                                                          |
Fines/Sanctions |                                                                                    | + National regulation nonfeasance                                          | + International regulation nonfeasance
Lawsuits        | Failure to meet contractual obligations                                            | + Failure to meet regulatory requirements, shareholder damage              | +
Productivity    | Accidental contribution to breaches                                                | + Deliberate contribution to breaches due to non-malicious control bypass  | +

  • The “+” in a column indicates all the reasons in the column(s) to its left in addition to the reasons listed