Threat profiles are more important than ever. Today's highly distributed workforce, applications and services have expanded the threat landscape, creating more opportunities for threat actors to attack organizations.
Creating a threat profile helps organizations identify threat actors, their likely targets and which types of attacks they're likely to use. By tracking potential threats, organizations are better positioned to manage risk. Organizations can also use these profiles to improve the accuracy of their threat modeling tools and processes.
Here, learn the five basic steps involved in creating a threat profile.
1. Identify the scope
A threat profile is usually created for a cyber asset -- such as a system or application -- that you are concerned about protecting. Choose a cyber asset that's easy to define and one that attackers would want to target.
Keep in mind that each threat profile must be created manually; creating threat profiles at scale is impractical.
2. Characterize the asset
Your organization should have descriptions of the asset's components, architecture and other information on what comprises it and how the pieces interact. Build on that in your threat profile by gathering additional information relevant to cyber risks, such as the following:
- physical/geographical location of each component of the asset;
- types of sensitive data the asset uses, stores or transmits;
- types of users -- both regular and admins -- of the asset, including employees, contractors, vendors, partners, customers and nonhuman users;
- value of the asset to the organization relative to the company's mission, goals and objectives;
- cybersecurity and privacy laws, regulations and policies that apply to the asset; and
- existing controls used to protect the asset.
3. Identify potential threat actors
Threat actors are individuals, organizations and nation-states that may attack your cyber asset. Insiders are a particularly big risk, both those who act maliciously and those who might mistakenly cause a breach.
It's impossible to identify all potential threat actors, so focus on identifying those most likely to attack or cause the most harm. Information on threats and threat actors is available from many sources, including threat intelligence services and reports, as well as incident reports from your organization and other organizations in your sector.
4. Document threat scenarios
A threat scenario is a brief description of how a successful attack against the cyber asset might occur. At an absolute minimum, each entry in the threat profile should include a unique identifier, a threat type and the scenario description.
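The minimum entry fields from step 4 can be checked mechanically before the review in step 5. The following is an added example, not part of the original article; the key names (id, threat_type, scenario, actor, threat_actors) and the sample payroll profile are constructed assumptions.

```python
# Added example: lint a threat profile for the minimum entry fields from step 4.
# All key names and the sample data are assumptions, not from the article.
REQUIRED = ("id", "threat_type", "scenario")

def lint_profile(profile):
    """Return a list of findings; an empty list means the profile passes."""
    findings = []
    actors = set(profile.get("threat_actors", []))
    scenarios = profile.get("scenarios", [])
    seen = set()
    for n, entry in enumerate(scenarios, start=1):
        label = entry.get("id") or f"entry #{n}"
        for field in REQUIRED:
            if not str(entry.get(field) or "").strip():
                findings.append(f"{label}: missing {field}")
        ident = entry.get("id")
        if ident in seen:
            findings.append(f"{label}: duplicate identifier")
        if ident:
            seen.add(ident)
        # Cross-check against the step 3 actor list (the 'actor' key is optional).
        actor = entry.get("actor")
        if actor and actor not in actors:
            findings.append(f"{label}: actor '{actor}' not in threat_actors")
    # An identified actor with no scenario is a gap in the profile.
    for actor in sorted(actors - {e.get("actor") for e in scenarios}):
        findings.append(f"threat actor '{actor}' has no scenario")
    return findings

# Constructed sample profile for a hypothetical payroll application.
SAMPLE_PROFILE = {
    "asset": "payroll web application",
    "threat_actors": ["malicious insider", "negligent insider",
                      "external criminal group"],
    "scenarios": [
        {"id": "TS-01", "threat_type": "data exposure", "actor": "negligent insider",
         "scenario": "An admin mistakenly shares a payroll export externally."},
        {"id": "TS-01", "threat_type": "credential theft", "actor": "criminal group",
         "scenario": "Stolen admin credentials are used to log in."},
        {"id": "TS-03", "threat_type": "", "actor": "malicious insider",
         "scenario": "A departing employee copies salary records."},
    ],
}

if __name__ == "__main__":
    for finding in lint_profile(SAMPLE_PROFILE):
        print(finding)
```

Run against the sample, it reports the reused identifier, the blank threat type, the actor name that does not match the step 3 list, and the listed actor that no scenario covers.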
5. Review the threat profile
Threat profiles can almost always be improved through review. Have colleagues review the drafts of your threat profiles once completed. Alternatively, collaborate with colleagues, and review each other's work throughout the process.
The U.S. Department of Energy recently published the publicly available report "A Cybersecurity Threat Profile for a Connected Lighting System." Written by experts from the Pacific Northwest National Laboratory, it's a fantastic example of how to create a formal threat profile for a system, and the threat findings table in the appendix demonstrates how to mitigate identified risks.