The Motivation of Cyber Threat Actors: Who’s after your stuff?

Credit: Azamat E

One way to approach the daunting task of how to protect cyber assets is to look at it from the standpoint of ‘Who is after my stuff’? Once we can identify threat actors’ motivations, we can learn a lot that can inform our priorities for cybersecurity.  

What motivates a cybercriminal?

Often, we can use an acronym called M.I.C.E to do a quick analysis.

M – Money

I – Ideology

C – Compromise

E – Ego

While this acronym had its genesis in trying to ferret out potential spies, it also applies to cybersecurity.


Money as a motivation may be the most common of the four, but also the easiest to deal with. Someone motivated by money will likely cast a wide net and look for easy targets. If this is the primary reason why someone might be after our data, simply doing the basics may be enough to get threat actors to move on. It’s like putting an alarm sticker on your door: even though it might be only a sticker, the burglar may decide to try a different house, because why risk having to overcome one more hurdle when there are plenty of easier targets?

One of the most common ways that cybercriminals earn money is by selling data on the black market. A lot of companies are not aware that they have been compromised and their data has been stolen until it’s too late. This can lead to a ransom situation where hackers demand money from the company in exchange for not releasing their data onto the internet or for unlocking their systems. 

While money is typically the motivation of lone wolves or hacker collectives, nation states have been getting in on this action as well. After several years of sanctions, paired with the COVID-19 pandemic, North Korean hackers have been found targeting companies involved in cryptocurrency exchange or intellectual property in search of financial gain.


Ideology is a motivation that makes the threat a little trickier. These individuals are targeting us because what we do offends them. While there may be other groups they also want to target, they tend to be more persistent. The goal of this type of threat actor is often to shame or embarrass. If we feel we are the target of these groups, it’s good to look at protecting websites and production, because defacement and shutdown are what they are going for. This can also be particularly difficult because these types of threat actors may not have a clear set of demands.

It pays to examine your business in light of the many hot-button factors. One client was shocked to find they were on an anonymous hit list: because the pet food they produced came from animals, animal rights hacktivists were targeting them.

Also, ideology as a motivator could mean your group is the target of nation states. Why does this matter? Because nation states are well funded and super determined. This type of motivation calls for vigilance: you need to understand the exact data they may be after and go above and beyond to protect it.

According to a recent study by Trellix and the Center for Strategic and International Studies (CSIS), 86% of organizations believe they have been targeted by a nation-state threat actor. While many state-sponsored threat actors engage in spear phishing, ransomware is the preferred weapon of these cybercriminals.  

The 2021 Microsoft Digital Defense Report found that most nation state actors continue to focus operations and attacks on government agencies, intergovernmental organizations (IGOs), nongovernmental organizations (NGOs), and think tanks for traditional espionage or surveillance objectives. In recent years, private industry’s role in supporting remote workers, increased health services, and COVID-19 vaccine research and distribution has also made it a more common target for these sophisticated attackers.


Compromise usually refers to insider threats. Is it possible that we may be causing our own employees to turn on us based on new mandates or business changes? Sometimes we are simply a business whose product leads to a threat of compromise.

Take the case of a research and development firm. Intellectual property is their product. However, even though the employees work for you, they may feel the company’s property belongs to them, not the business, and may feel justified in theft. In this case you want to put your cybersecurity dollars into watching your own.

The increasing usage of “bring your own device” (BYOD) in hybrid work environments has changed the technology landscape for organizations. While some of this risk can be unintentional, it is wise for businesses to use a framework of commonly seen factors and patterns to enable proactive threat detection and identify potentially malicious intent.


Ego as a motivator can cover a variety of grounds. Cyber criminals may target us, as a cybersecurity company, because of an advertisement. When a certain computer manufacturer gained fame as being impervious to computer viruses, perpetrators went out of their way to prove it was not.

Another area where we may want to consider this motivation is the human factor. Companies with high turnover or a particularly contentious separation may find ex-employees have an axe to grind over dismissal. These types of threat actors will be attempting to cause the most embarrassment and/or pain to prove we cannot do without them. If this is a potential threat vector for our organization, dual controls need to be put in place. 

A survey conducted by security firm OneLogin found that only about half of IT decision makers were “very confident” that former employees were no longer able to access corporate applications. Additionally, 20% said they had experienced data breaches by former employees.  

Using motivation to prevent cybersecurity breaches

Looking at the motivations of hackers and cybercriminals is just one possible way to decide our cybersecurity priorities. By looking at the most likely perpetrators, we can ask who would be motivated to come after us, what their tactics, techniques, procedures and priorities are, and what defenses we need.

Tristin Zeman

Tristin Zeman is the Digital Marketing Manager at Foresite. For the past 10 years, she has helped organizations of all sizes create and scale marketing programs through digital and traditional marketing channels and efficient marketing operations.
