Quantifying Threat Actor Assessments

Quantifying Threat Actor Assessments (PDF, 4.20MB)
Published: 20 May, 2020
Created by: Andy Piazza

The cyber threat landscape is a complex mix of adversaries, vulnerabilities, and emerging capabilities. Within this environment, Chief Information Security Officers (CISOs) must prioritize resources and projects to maximize their defenses against the most significant threats. The challenge, though, lies in assessing threats to an organization in a meaningful way. By assessing threat actors' intent to target a specific organization for certain attack types, information security leaders can determine which malicious actors are most likely to target their enterprise. The assessment of the threat actors' documented capabilities for those specific attack types allows leaders to wade through the fear, uncertainty, and doubt (FUD) of vendor marketing and nation-state saber-rattling to prioritize capabilities for defensive posturing. This paper introduces the Threat Box, a Cartesian coordinate system, which portrays threat actors' intent and capabilities as an executive communication tool for information security leaders to depict the prioritization of threat actors.