The difference between threats and firstname.lastname@example.org
There is much confusion about the difference. It is important to get this clear as failing to do so may render your threat and risk assessments invalid. The difference is really quite simple.
Threats are an intended and malicious disruption to your assets (usually critical assets). In effect:
A person (threat actor) uses something (threat vector) to disrupt someone or something important (assets).
Assets enable us to achieve the immediate mission and our objectives.
Risks are events that can lead to adverse outcomes that may disrupt your objectives. Risk statements should always contain two key elements:
- An event
- An outcome
The diagram below explains the relationships.