Good news from Europe: the ENISA 2022 Cybersecurity Threat Landscape Methodology

Now ENISA seeks to provide the relevant stakeholders a clear Cybersecurity Threat Landscape Methodology to support risk mitigation, promote situational awareness and proactively respond to future challenges.

On July 2022, The EU Agency for Cybersecurity (ENISA) has published a document titled “Cybersecurity Threat Landscape Methodology[1]. This is following a yearly publication of threat cybersecurity threat landscape since 2013 and the Cyber Posture 2022 which enhance the
ability to prevent cyberattacks through capacity building and by responding firmly to cyberattacks against the EU and its Member States using all available EU tools[2]. The 2013 reports were based on Open-Source information aiming to help policy makers and decision-makers to apply security measures and develop the knowledge of the public and the private sector.

Now ENISA seeks to provide the relevant stakeholders a clear Cybersecurity Threat Landscape Methodology to support risk mitigation, promote situational awareness and proactively respond to future challenges.

ENISA 2022 Cybersecurity Threat Landscape Methodology: the Proposed Methodology

ENISA proposes a baseline for the transparent and systematic delivery of horizontal, thematic, and sectorial cybersecurity threat landscapes. The following threat landscapes could be considered as examples. The methodology aims to address what is the structure of a threat landscape, how should the targeted audiences be determined, how should the data be collected and analyzed, how should the products be disseminated and what is the process for collecting feedback. Three layers are proposed:

  • Horizontal threat landscapes, covering holistically a wide range of sectors and industries;
  • Thematic threat landscapes, focusing on a specific theme (for example supply chain threats), but covers many sectors, and
  • Sectorial threat landscape, providing focused information for a particular constituent or target group.

The overall focus of the methodological framework involves the identification and definition of the process, methods, stakeholders, and tools as well as the various elements that, content-wise, constitute the cyberthreat Landscape (CTL). The document proposes several considerations when generating and disseminating cyber threats, amongst are:

  • Actionable: intelligence should increase awareness and support decision-making processes and improve defense
  • Timely: Time influences intelligence used for tactical or operational actionability and
  • Accurate: accuracy depends on the information received, processed, correlated, and analyzed.

The ENISA proposed methodology consists of five steps: Direction, Data Collection, Processing, Analysis and Production, Dissemination. ENISA aims to provide added value for various users of intelligence:

  • Strategic users for information about general risks or developments associated with threats that can be used to drive a high-level strategy.
  •  Tactical users for information about tactics, techniques and procedures used by threat actors to conduct their attacks.
  • Operational users for information about precursory and indicatory signals of impending attacks
  •  Technical users to observe objects associated with specific threats, usually identified during response to an incident or through forensic processes and typically feeds preventive and monitoring solutions.

My personal Thoughts

The initiative of ENISA is extremely important and useful and will provide all stakeholders with valuable know-how and methodology regarding the threat assessment parts. However, I have few constructive remarks. As can be seen the document gives importance for the collection process. This is because any assessment and recommendations may only be based on the information collected. Therefore, it is critical to define specifically the type of information we are looking for, enabling the information collectors to be focused, otherwise it would be difficult to build useful cyber risks scenarios.

For that very reason, it is important to start the process by reviewing first the threat actors and their specific motivations in the EU. I would define four groups of actors, each with specific interests and pausing specific threats:

  • States and non-states political actors including terror groups;
  • Criminal actors motivated by money and control;
  • Hybrid actors combining political and criminal motivation (for example North Korea and Iran)
  • Ideological actors aiming for global achievements (for example Anonymous).
  • All these threat groups should be analyzed, and definition of the collection requirements should be done accordingly. The documents aim to enable other entities to be able to produce their own threat landscape products. These activities may be useful for the potential activities of the EU Joint Cyber Unit that may complete the EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises. Furthermore, we should have in mind that many of the entities working in cybersecurity come from the private and business sector, therefore it would have been wise to provide this sector ways to enable collecting and assessing their data threats, or even providing them tools to assess intelligence (particularly in the actual context of skills shortages), as they purchase from intelligence gathering companies. Or at least, it would have been useful to propose a sectoral-driven cooperation with critical and essential infrastructures.

ENISA’s vision for increased AI automated threats generation and assessment is blessed, however, I do not see how we could eliminate the human input and the need for a coordinated communication strategy. This is because intelligence assessment is always about understanding minor nuances and the separation of “signal to noise”. All in all, I congratulate ENISA for this important work.


[1] https://www.enisa.europa.eu/publications/enisa-threat-landscape-methodology

[2] May 22nd 2022, Council conclusions on the development of the European Union’s cyber
posture, https://www.consilium.europa.eu/media/56358/st09364-en22.pdf

Prof. Annita Sciacovelli is Professor of International law and a cybersecurity specialist in the Law Department University of Bari Aldo Moro. She is a Researcher fellow on Cybersecurity, Institute of National Security Studies, Jerusalem, a Member of the Advisory Board International Institute for Peace, Vienna, (Austria); a Member of the Cyber Security&Warfare Commission of the Italian Society of studies on intelligence and a Member of the International Institute of Humanitarian Law of Sanremo. She is a lawyer, and she also teaches International law in the University of international studies in Rome (UNINT); she is Member of the editorial board of the review Sicurezza e Intelligence.

Related Posts

Ultime news