Risk Profile

“Know your enemy and know yourself” – Chinese military strategist Sun Tzu, about 500 years before Christ


Everyone has an idea of what cybercrime is. Most of all, it is about criminals trying to steal money, and that is correct. However, many companies underestimate the fact that the most important thing they have is data. Without data, you are blind when it comes to billing, research, the customer database, logistics, employee relations, etc.

However, there are other groups than those who are only after financial gain. If your business mostly does research, your opponents in the cyber world may be foreign states. If you run a small craft business, you are hardly an obvious target for a foreign intelligence service.

Therefore, all IT security needs to be built around the company’s risk profile. To make it easier to understand who might be interested in your business, we have built the following model:

When we look at attacks, we can divide them into the following categories:

Scattershot campaign

A campaign that affects anyone who either visits a hacked website or has their email address in a database to which the criminals have access.

Semi-Targeted Campaign

An email that is sent out scattershot; it is usually the simplest kind.

Targeted campaign

A campaign that, for example, affects an industry, such as architects who all receive an email with a link or attachment about a house for which the “person” wants architectural assistance. The email seems more credible because it is specific to this industry. Often, this category will be termed APT (Advanced Persistent Threat) and is traditionally associated with intelligence services and criminal organizations that have substantial resources.


For a number of years, we have seen an increasing tendency for malware to be used in combination with, for example, the telephone and social media, and the methods are constantly evolving. The more targeted an attack becomes, the more angles of attack will be used in the same attack.

If a company is vulnerable to scattershot and semi-targeted campaigns, the company is very much on the defensive against targeted attacks, where the attacking party has both the competence and the resources and will spend a lot of time on reconnaissance before the attack starts.

It is therefore important that your company knows its risks and builds its IT security on best practices that match your profile and strategy.