ABSTRACT

Threats, along with assets, vulnerabilities, and safeguards, are the essential elements of risk management in an information system. Threat is one of the four major elements of the risk assessment process. Understanding and considering the full spectrum of both human and environmental threats is pivotal to effectively implementing and managing a cost-effective security program for information resources. Too often, analysts employ simplistic, anecdotal threat concepts or merely use broad, ill-defined labels such as “hackers” to define the threat environment. Either approach will negatively impact the effectiveness of a security program.