Adversaries are broken down in various ways, most of our experience has shown there are three types, as shown in the diagram to the left.
The majority of them are less likely to cause an organization major harm. The top 30% present a more formidable problem. Incident response becomes far more difficult with attackers who do not leave an obvious trail, as does detecting their activities. A wider range of response options may be required. Training becomes imperative if an organization is to effectively handle an attack of this nature. In all instances the ability to learn from incidents at all levels can provide an advantage.