s can be identified as well. They can also be investigated regarding their intentions and capabilities. Roper sets forth methods of identifying threats, including discussions with peers and managers inside an organization. The risk manager must have access to managers' information that is developed independent of organizational operations. Equally, however, line and staff personnel may have information available because of their areas of specialization. Risk managers should also talk with so-called "threat specialists and organizations that specialize in researching historic and current threat information in relation to products, organizations, and research that is on-going" (p. 47). Roper recommends obtaining industry-trend information from security and intelligence organizations that have expertise in risk analysis and information gathering methods. He also cites the need for attentive review of internal documents of an organization to get a picture of the range of threats that may have already been identified via intelligence or that are sensitive to an organization's security. Previous threat assessments should be consulted as a benchmark against which to measure the level of vigilance in place at a site.
Adversarial intent goes to the issue of how much information the adversary may have about the asset, how much the asset is needed, how interested the adversary has been in the asset, and how much the adversary has revealed about current efforts to acquire it. This involves decoding the motivations of adversaries and determining how capable they are of acting on
...