CHAPTER 7 Threats

Before we start, we need to briefly review a few key concepts: threat, attack, vector, and payload.

  • Threat refers to the potential of an agent to cause adverse effects on an asset.
  • Attack is the realization of a threat.
  • Vector is the pathway that a threat takes to compromise an asset.
  • Payload is the actual way that the compromise is effected.

And, as per the wise people at NIST: The threat source (agent) initiates the threat event (attack); the threat event (attack) exploits one or more vulnerabilities that cause adverse impact (you got hacked!); the end result produces organizational risk. And migraines. Painful, splitting migraines.

As we discussed, a cyberthreat has three core attributes: the kind of threat agent, the probability of occurrence, and, of course, its impact. During our threat assessment, our goal is to determine all three attributes on a per‐asset basis. To do this, we'll need to know what the assets are (which we have already accomplished), what their value is to us (our definition of impact), who the threat agents might be (the bad people out to get you), their motives, and any pertinent threat intelligence and historical data out there.

Regarding the part about people out to get you: As you recall, anything that is of value to you is of value to someone else. If it is your personal data that is of value, then yes, in that sense they are after “you.” Your digital “you.” If it is corporate data that is of higher value, then they're after ...
