Emerging Risk and Threat Landscape

Key Takeaways

  • Information Security Risk Management is 20% of the CISM exam; risk identification begins with assets, threats, vulnerabilities, and the threat actors that connect them.
  • A threat is a potential cause of an unwanted incident; risk only exists when a credible threat can exploit an actual vulnerability against a valued asset.
  • Emerging threats (AI-enabled phishing, ransomware-as-a-service, supply-chain compromise) are tracked through structured threat intelligence, not ad hoc headlines.
  • The information security manager establishes a repeatable risk identification process and feeds it into the risk register rather than reacting to individual threats.

Last updated: June 2026

The Threat Landscape in CISM Terms

The Information Security Risk Management domain is 20% of the CISM exam (roughly 30 of the 150 scored questions). Risk management always begins with risk identification, and risk identification begins with understanding the threat landscape — the set of threats, threat actors, and threat events that could realistically harm the enterprise's assets.

CISM is precise about vocabulary, and the exam punishes loose usage. Memorize these distinctions exactly:

| Term | Definition | Common trap |
|---|---|---|
| Asset | Anything of value (data, system, process, reputation) | Treating only servers as assets; data and reputation count |
| Threat | A potential cause of an unwanted incident | Confusing the threat with the event that already happened |
| Threat actor | The entity (insider, criminal group, nation-state) behind a threat | Assuming all actors have the same capability and motive |
| Vulnerability | A weakness that a threat can exploit | A vulnerability with no threat is low priority, not zero risk |
| Risk | The effect of uncertainty on objectives — a threat exploiting a vulnerability against an asset | Reporting a threat as a risk before confirming exposure |

A threat alone is not a risk. Risk exists only when a credible threat can exploit an actual vulnerability affecting a valued asset. This is why CISM scenario questions reward managers who confirm exposure before escalating.

Emerging Threats the Exam Expects You to Recognize

The 3 November 2026 outline keeps emerging-threat awareness in scope. The current high-frequency categories are:

  • Ransomware and ransomware-as-a-service (RaaS) — extortion through encryption plus data-theft double extortion; the manager's concern is recovery capability and backup integrity, not just prevention.
  • AI-enabled social engineering — deepfake voice/video and large-language-model phishing that defeats spelling and grammar cues; awareness training and verification controls must evolve.
  • Supply-chain and third-party compromise — trusted software updates or vendors as the attack path (the manager's response is vendor risk assessment and contractual control requirements).
  • Cloud misconfiguration and identity attacks — exposed storage, over-privileged tokens, and credential stuffing in shared-responsibility environments.

Threat Intelligence Tiers

Managers do not chase headlines; they consume threat intelligence at three levels that CISM expects you to differentiate:

  1. Strategic — board-level trends and motivations; informs risk appetite and investment.
  2. Operational — campaigns, actor tactics, techniques, and procedures (TTPs); informs control selection.
  3. Tactical — indicators of compromise (IOCs) like hashes and IP addresses; informs detection rules.

Worked Scenario

A peer firm in your sector suffers a RaaS attack via a managed-service-provider tool. As the manager, the strongest first action is to assess whether your enterprise has the same exposure and then update the risk register and treatment plan — not to patch a single server, and not to wait for a vendor advisory. The exam rewards a repeatable, asset-linked identification process that feeds the risk register over a one-off technical fix. Common trap: choosing "buy a new EDR tool" before you have confirmed which assets are actually exposed.

Building a Repeatable Identification Process

CISM does not want a manager who reacts to every headline; it wants a process that systematically surfaces risk. The standard cycle, drawn from ISO 31000 and the ISACA Risk IT framework, is:

  1. Establish context — business objectives, asset inventory, and the criteria that define a risk worth tracking.
  2. Identify threats and threat events — internal and external, deliberate and accidental, technical and physical.
  3. Identify vulnerabilities — weaknesses that the threats could exploit (from assessments, audits, and incident history).
  4. Identify existing controls — so analysis reflects reality, not a control-free baseline.
  5. Record in the risk register — with owner, description, and provisional rating.
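The five steps above and the worked scenario earlier, as an added Python example that is not part of the original page: it holds an asset inventory, pairs threat events with vulnerabilities, accounts for existing controls, and promotes a (threat, vulnerability, asset) triple to a register entry only when the asset is actually in use and a credible threat matches, so the "exploit for a product we do not run" case stays off the register with its reason recorded. The 1-5 scales, the provisional rating formula and all sample assets, threats and owners are constructed assumptions, not ISACA's.

```python
from dataclasses import dataclass, field

@dataclass
class Asset:               # step 1: inventory entry; the 1-5 value scale is constructed
    name: str
    value: int
    owner: str = ""        # a risk with no owner cannot be treated
    in_use: bool = True    # the exposure check from the worked scenario
@dataclass
class Threat:              # step 2: threat event with a provisional likelihood 1-5
    name: str
    likelihood: int
@dataclass
class Vulnerability:       # step 3: weakness on one asset, exploitable by named threats
    name: str
    asset: str
    exploited_by: set
    controls: list = field(default_factory=list)   # step 4: existing controls

def identify_risks(assets, threats, vulns):
    """Steps 2-5: promote (threat, vulnerability, asset) to a register entry only when
    the asset is in use and a credible threat matches; report everything else with a reason."""
    inventory = {a.name: a for a in assets}
    register, rejected = [], []
    for v in vulns:
        asset = inventory.get(v.asset)
        if asset is None or not asset.in_use:
            rejected.append((v.name, "no exposure: asset not in use"))
            continue
        matched = [t for t in threats if t.name in v.exploited_by]
        if not matched:
            rejected.append((v.name, "no credible threat: monitor, low priority"))
            continue
        for t in matched:
            # provisional rating: likelihood x asset value, less one per existing control
            rating = max(1, t.likelihood * asset.value - len(v.controls))
            register.append({"risk": f"{t.name} exploits {v.name} on {asset.name}",
                             "owner": asset.owner or "UNASSIGNED", "rating": rating})
    return sorted(register, key=lambda e: -e["rating"]), rejected

# Constructed sample data mirroring the worked scenario and the first quiz question
ASSETS = [Asset("MSP remote-management tool", 5, owner="Head of IT Operations"),
          Asset("Reporting product X", 3, in_use=False), Asset("Customer data store", 5)]
THREATS = [Threat("RaaS affiliate", 4), Threat("Negligent admin", 3)]
VULNS = [Vulnerability("unpatched MSP agent", "MSP remote-management tool", {"RaaS affiliate"}),
         Vulnerability("published exploit", "Reporting product X", {"RaaS affiliate"}),
         Vulnerability("open bucket ACL", "Customer data store", {"Negligent admin"}, ["CSPM alerts"])]

if __name__ == "__main__":
    print(*identify_risks(ASSETS, THREATS, VULNS), sep="\n")
```

The register comes back highest provisional rating first with an "UNASSIGNED" owner flagged for follow-up, while the exploit against the retired product is reported as having no exposure rather than silently dropped.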

Internal Versus External and Deliberate Versus Accidental

Threat identification must be comprehensive. The exam expects you to consider insider threats (malicious or negligent employees), environmental threats (fire, flood, power loss), and accidental threats (misconfiguration, fat-finger deletion) alongside external attackers. Over-focusing on external nation-state actors while ignoring the negligent insider is a frequent blind spot the test probes.

| Threat source | Example | Often-missed point |
|---|---|---|
| External deliberate | Criminal ransomware crew | Capability varies by actor sophistication |
| Internal deliberate | Disgruntled admin exfiltrating data | Privileged access amplifies impact |
| Internal accidental | Employee misconfigures cloud bucket | Most common real-world breach cause |
| Environmental | Data-center flood | Needs continuity, not just cyber controls |

Connecting Identification to Governance

Every identified risk should trace back to a business objective and forward to an owner. A risk with no plausible business impact does not belong on the executive register; a risk with no owner cannot be treated. The manager's value is converting a noisy threat landscape into a prioritized, owned, business-relevant set of entries — the input that the rest of this domain (assessment, treatment, monitoring) depends on. When a question asks what to do with newly identified threats, the best answers almost always integrate them into the existing risk identification process and register rather than treating each as a standalone fire drill.

Test Your Knowledge

A security publication reports a new exploit affecting a software product. The information security manager confirms the product is not used anywhere in the enterprise. How should this be treated?

Test Your Knowledge

Which level of threat intelligence is MOST useful for informing the enterprise's risk appetite and security investment decisions?
