The National Institute of Standards and Technology defines a threat as:

Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service (NIST 2012).

The systemigram in Figure 2.1 narrows this definition to cyber threats. The mainstay declares that threats embolden adversaries who exploit vulnerabilities which expose assets that enable adversary objectives. That is the basic idea behind a cyber threat. The threat itself is a circumstance or event that the adversary believes will enable objectives to be achieved.

2.1 Threat Actors

The most important thing to know about cybersecurity threats is that the actors who enact them may be dangerous adversaries. The second most important thing to know is that there is an interaction between an adversary and its target whether or not the target chooses to actively participate. A corollary is that: if the target is not actively combatting the adversary, then the adversary has an advantage. In the “Art of War,” Sun Tzu brought transparency to this situation by saying: