Identify threats and vulnerabilities from users.
Identification should include differentiating between a threat and a vulnerability, as well as
- email use
- insider threats
- employee errors
- weak management
- weak policy creation
- unused accounts
- weak password selection.