How are cyber attackers typically categorised, and why does the category matter for risk planning?
Five tiers from random opportunists to nation-states — each has different motivation, resources, and "patience", which dictates how hard you have to defend.
The standard taxonomy (top of the threat pyramid = targeted, bottom = random):
| Tier | Motivation | Resources | Mode |
|---|---|---|---|
| Staatliche Organisationen (Nation-States / APT) | Geopolitical, espionage, sabotage | Effectively unlimited; long timelines | Targeted, custom zero-days |
| Terroristen | Ideological disruption | Moderate to high | Targeted symbolic attacks |
| Organisierte Kriminalität | Money (ransomware, fraud) | High; professional ops | Targeted high-value victims |
| Hacker/Cracker | Reputation, curiosity, hacktivism | Skilled individuals/groups | Mix — opportunistic and targeted |
| Script Kiddies | Bragging rights, mischief | Off-the-shelf tools | Random, opportunistic |
Why it matters: Your control choice depends on whom you're defending against. Patching and 2FA stop script kiddies and most criminals. An APT goes through anything except disciplined defence-in-depth + monitoring + segmentation. Pretending you can stop a nation-state with antivirus is a strategy error.
Tip: Each tier doubles as a question — can our controls plausibly withstand this group? If "Script Kiddies → yes, Org-Crime → maybe, APT → no", that's your honest risk posture.