3.1. Threat Actors and Motivations

💡 First Principle: Understanding who attacks you and why determines the defenses you need. A nation-state with unlimited resources and strategic patience demands a fundamentally different defense posture than an opportunistic script kiddie scanning for easy targets. Threat intelligence isn't academic — it directly informs your security budget, architecture, and incident response priorities.

What happens when you ignore the "who"? You overspend defending against threats that don't target you, and underspend against threats that do. A small retail business spending its budget on nation-state-grade defense while ignoring basic phishing training is misallocating resources. Conversely, a defense contractor treating all threats as basic is dangerously naive.

Consider a hospital: the most likely threat actor isn't a nation-state — it's a ransomware gang motivated by financial gain, knowing the hospital will pay because patient lives depend on system availability. That threat intelligence drives specific decisions: offline backups, network segmentation for medical devices, and incident response plans that prioritize availability over investigation.