What are the seven steps of the threat-and-impact modelling exercise taught in this approach?
(1) Identify your industry, (2) identify your core/high-value asset, (3) identify a relevant threat actor using the Threat Matrix, (4) develop a realistic adversary scenario with their tactics/techniques/procedures, (5) estimate the potential damage, (6) determine current and desired-state measures, (7) draft the improvement roadmap.
* The seven-step exercise — industry, asset, threat actor, scenario, damage, measures, roadmap. *
The sequence moves deliberately from context to action: first where you operate and what matters most, then who would come after it and how, then how bad it would be, and finally what to do about it. WHY this order: you cannot rate impact (step 5) or pick controls (step 6) until you have a concrete attacker and scenario (steps 3–4) tied to a real high-value asset (step 2). Skipping to "buy a tool" without steps 1–5 is how organizations spend money on the wrong risks.