How do real ransomware incidents (e.g. the City of Antwerp and the TalkTalk breach) help populate the "criminals" and "script kiddies" rows of a Threat Matrix?
They give documented, real-world examples of each adversary type — criminals disrupting a city's services (Antwerp/Digipolis), and young "script-kiddie" hackers breaching customer data (TalkTalk).
In the 2022 Antwerp case, criminals' ransomware disrupted the city's IT, email and phone services — a "criminals → government, disruption" entry. The earlier TalkTalk breach saw young, relatively unsophisticated hackers cause a major customer-data incident — a "cyber vandals/script kiddies → private, disruption" entry. WHY pair the matrix with real cases: it shows the same target can be hit by very different adversaries (a sophisticated criminal gang vs. teenagers), and each demands a different response. Sourcing every cell keeps the model grounded in evidence rather than fear.
Go deeper:
TalkTalk-Datenpanne 2015 (Wikipedia, TalkTalk Group) — Der reale Angriff 2015 mit Zugriff auf bis zu 4 Mio. Kundendaten als belegtes Fallbeispiel.