Identify threats and vulnerabilities from users.
Identification should include differentiating between a threat and a vulnerability, as well as
- email usage
- insider threats
- employee errors
- poor management
- poor policy creation
- unused accounts
- poor password selection.