Once assets and dependencies have been identified, all the vulnerabilities that could potentially afflict the asset are associated with them.

Vulnerabilities can of course be classified according to their estimated relevance. This classification is also used to identify an order of urgency in the application of the most suitable countermeasures.

At this point, it is necessary to analyse which threats can use the identified vulnerabilities to damage the system. The objective is to identify which vulnerable assets are exposed to different types of threats.

Examples of possible threat agents:

• insiders: employees of the same company that owns the system;
• crackers;
• internal malware;
• external malware;
• organised groups: hackers, organised crime and so on.