A vital component of a proactive security posture is an analysis and understanding of the threats facing an organisation. Unfortunately, the dialogue regarding information technology (IT) threats is riddled with invocations of security clearance requirements, soundbite rhetoric and the lack of a common threat categorisation. As a result, the private sector is expected to make risk management decisions in the absence of a valid threat context. Threat assessments must be conducted to complement vulnerability assessments and enable organisations to make educated decisions to guide their security programmes and spending. The purpose of this article is to provoke discussion regarding potential threats, in the hope that more organisations will take the initiative of investigating the realistic threats facing IT infrastructures.
In response to a frequently voiced concern, the threat of a large-scale critical infrastructure attack in today's environment can be characterised as follows:
• those with the intent lack the capability;
• those with the capability lack the intent; and
• both of the above are subject to change.
To make responsible risk management decisions, it is important to avoid overreaction, and also important not to systematically disregard the full spectrum of threats for lack of empirical evidence. The following sections highlight key issues surrounding the identification of, and response to, threats to IT and critical infrastructures, and provide some balance to current threat discussions.