But you usually already have an intuitive idea of what they are
The point is that different classes of attackers have very different capabilities. Consider e.g. a crude threat model which posits five classes:
1. Script kiddies randomly trawling the ’net for open vulnerabilities
2. Competent hackers specifically targeting you
3. As above, but with access to your physical location
4. People armed with subpoenas (e.g. lawyers or cops)
5. Black-ops department of a large nation-state
A typical business might then say “We’re going to defend against 1-3 and we will not even try to defend against 4-5. We want to be sure 1 get absolutely nowhere and we will try to make life very difficult for 3 (but no guarantees)”. That sounds like a reasonable starting point to me.