Threat objectives for the function are identified, at least in an ad hoc manner
Context and Guidance: Threat objectives are the potential outcomes of threat actor activities that are of concern because they would have negative impacts on the organisation. For example, an organisation that does not process confidential data may not be concerned about data theft but may be very concerned about an incident that causes an operational outage. Threat actors may leverage multiple tactics or techniques like those defined in the MITRE ATT&CK frameworks (for Enterprise or Industrial Control Systems) to achieve their goals. Threat objective examples may include data manipulation, IP Theft, damage to property, denial of control, loss of safety, or operational outage.
Related Practices • Input From: Implementing THREAT-2b provides input that may be useful for implementing this practice. • Progression: This practice is part of a practice progression. Practice progressions are groups of related practices that represent increasingly complete or more advanced implementations of an activity. The practices in this progression include: THREAT-2c, THREAT-2e, THREAT-2i.