This is a 🌶️ take probably, but I don’t like to see actor intent discussed when threat modeling.

For example, it’s much harder to justify that an actor *wants to* do something than it is to justify that an actor has privileges to do something therefore it eventually happens.

I also find the convention of calling some threat actors malicious implies others are by nature benign, which makes it harder to talk about insider threats and the types of security problems that happen by accident or without malicious intent, especially in conversation with folks who are not used to thinking about security.

@kaoudis Totally agreed on motivations of attackers.

One reason why I think talking about malicious actors makes sense is that in some scenarios you will have actors who unwittingly help the attacker. Their expected range of behaviour is part of the threat model, so they should be mentioned somehow while being distinguished from the attackers (who are unconstrained in their range of behaviour save for things they can't do).

@robryk absolutely! I really like scenarios with multiple actors such as a phisher and an internal employee for just that reason
