1.4. DEFINING THREATS

Returning to the crime show analogy, you now know the victims, perpetrators, motives, and modus operandi. If any one of the perpetrators could use one of the MOs to achieve a goal, then there is the potential for a crime to be committed. The threat of crime hangs over your application.

1.4.1. What Is a Threat?

A threat is the risk that one of your attackers could use an entry point of the app in order to damage or take the asset the attacker willfully or accidentally targets. As with any risk, there are two important dimensions: the likelihood that this threat will actually occur and the impact, or amount of damage, that would happen if it did occur. There's no reason to go into very fine-grained analysis of either impact or likelihood; ratings of low, medium, and high will be sufficient to compare the threats with each other and identify those that should be dealt with first.