Threat Sources

Threat sources (also known as threat agents or threat actors) represent entities that may attempt to exploit vulnerabilities in your system. Predefined threat sources can be configured and referenced in your threat model for consistent characterization of potential attackers.

Basic Settings

Each threat source includes the following configuration options:

  1. Name: A descriptive identifier (e.g., "Script Kiddie", "Nation State Actor", "Insider Threat")
  2. Motive: Additional context on why the threat source would attack your system
  3. Capabilities: The technical expertise, resources, and access levels available to the threat source
  4. Likelihood: The probability that this threat source will target your system

Motive

Common motives include:

  • Financial gain (theft, fraud, ransom)
  • Espionage (stealing intellectual property, sensitive information)
  • Sabotage (disrupting operations, damaging reputation)
  • Ideology (advancing political, social, or religious beliefs)
  • Revenge or competition

Understanding motive helps predict which assets and attack vectors a threat source might prioritize.

Capabilities

Topics to consider:

  • Technical skills: Programming ability, security knowledge, system expertise
  • Resources: Funding, tools, infrastructure, and time available
  • Access levels: Physical access, network access, insider privileges
  • Sophistication: Ability to develop custom exploits, run advanced persistent threat (APT) campaigns, or use zero-day vulnerabilities

Capability levels typically range from Low (limited skills, uses available tools) to Very High (expert-level capabilities, state-sponsored).

Likelihood

Factors include:

  • Value of assets to the threat source
  • Visibility or profile of your organization
  • Industry sector and geopolitical factors
  • Historical targeting patterns
  • Existing security controls

Likelihood is typically rated on a scale from (Very) Low to (Very) High, based on your organization's specific context.

Usage in a Project

When analyzing attack scenarios, you can associate them with threat sources. This helps:

  • Validate attack scenario realism based on the threat source's capabilities
  • Assess likelihood based on the threat source's motivation
  • Prioritize remediation efforts based on relevant threats

Info

Mapping threat sources to attack scenarios is deactivated in new projects by default. To activate it, go to Project Information and activate the setting "Mapping: threat source to attack scenario" (see Project Settings).

For further details, see also modeling of Threat Sources.

Common Examples

  • Script Kiddie: Low capability, opportunistic attacks
  • Cybercriminal: Medium to high capability, financially motivated
  • Insider (Malicious): Variable capability with privileged access
  • Nation State: Very high capability, espionage or strategic objectives
  • Hacktivist: Medium capability, motivated by ideology
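
The checks listed under Usage in a Project, applied to three of the common examples above. This is an added illustration, not the tool's own code or data format. The numeric scale, the `required_capability` field, the likelihood ratings, the scenario names and the rule of taking the highest likelihood among capable sources are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

# Ordinal scale shared by capability and likelihood (numeric values are an assumption).
Level = IntEnum("Level", "VERY_LOW LOW MEDIUM HIGH VERY_HIGH")

@dataclass(frozen=True)
class ThreatSource:
    name: str
    motive: str
    capability: Level
    likelihood: Level  # constructed here; rate it for your own organization

@dataclass(frozen=True)
class AttackScenario:
    name: str
    required_capability: Level  # hypothetical field: analyst's estimate of skill needed
    sources: tuple              # names of the threat sources mapped to this scenario

def assess(scenario, catalog):
    """Return (capable source names, scenario likelihood).

    A mapped source counts only if its capability meets the scenario's
    requirement. Likelihood is the highest among capable sources, or None
    when no mapped source could realistically carry the scenario out.
    """
    capable = [catalog[n] for n in scenario.sources
               if catalog[n].capability >= scenario.required_capability]
    likelihood = max((s.likelihood for s in capable), default=None)
    return [s.name for s in capable], likelihood

def prioritize(scenarios, catalog):
    """Order scenarios by likelihood, highest first; unrealistic mappings last."""
    rated = [(sc.name, *assess(sc, catalog)) for sc in scenarios]
    return sorted(rated, key=lambda r: r[2] or 0, reverse=True)

# Constructed sample data; capability follows the page's common examples.
CATALOG = {s.name: s for s in (
    ThreatSource("Script Kiddie", "opportunistic", Level.LOW, Level.HIGH),
    ThreatSource("Cybercriminal", "financial gain", Level.HIGH, Level.MEDIUM),
    ThreatSource("Nation State", "espionage", Level.VERY_HIGH, Level.VERY_LOW),
)}
SCENARIOS = [
    AttackScenario("Custom exploit for update service", Level.HIGH, ("Script Kiddie",)),
    AttackScenario("Zero-day against VPN gateway", Level.VERY_HIGH, ("Cybercriminal", "Nation State")),
    AttackScenario("Credential stuffing on login", Level.LOW, ("Script Kiddie", "Cybercriminal")),
]

if __name__ == "__main__":
    for name, capable, likelihood in prioritize(SCENARIOS, CATALOG):
        print(name, capable, likelihood.name if likelihood else "UNREALISTIC MAPPING")
```

A scenario that comes back with no capable source is a mapping to revisit: either the scenario needs a more capable threat source or its capability estimate is too high.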