In consulting with clients concerning their information security needs, one question that comes up often is, "What is the information security threat to our organization?"
To answer this question, we are best served in attacking it from both an internal and an external perspective. In other words, we want to know what a client's most sensitive or highest-value information assets are from their perspective as well as what types of threats are out there that could place those assets in jeopardy. This is a risk-based approach.
One often overlooked detail is that the goal should be to determine both the most likely and the most dangerous scenarios for the organization. These two are seldom the same, as the priorities of a bad actor targeting an organization -- what he thinks is valuable -- often will be different from what the organization sees as valuable.
Think of the person whose home is broken into and ransacked, and who comes home to find that $25,000 in cash has been stolen. He might actually be relieved when looking around, because he finds that his three original paintings, valued at $100,000+ each, were untouched. Or perhaps his biggest worry on finding he'd been robbed was the draft of his patent application sitting out on his desk. He believes that it is worth millions and will make him rich soon, and the loss of a few thousand in cash is a mere annoyance by contrast. Perhaps the burglar didn't know it was there, perhaps he didn't realize its value, or perhaps he did and just wasn't interested in the effort required to monetize something of no immediate value to him.
So it's important to identify the priority targets from both perspectives, as well as to ensure that the client does not undervalue risks that are not the nearest and dearest to their heart. For instance, it is common for organizations to undervalue the risk to their reputation in a breach that might not compromise or destroy anything of tangible value.
From datadrivensecurity.info: Top 10 Threat Actions by Industry: