This is an excerpt from The Corporate Safety & Security Playbook, Book One of the Shadow Playbook series. It is reproduced here because the question it answers is the first question every protection program has to answer: what, exactly, are we protecting against?
Every threat the modern enterprise faces falls into one of five operational categories. The categories overlap, and most real-world events involve more than one. But for the purpose of building a protection program, these are the buckets that matter.
The five categories.
Cyber. Anything that targets the digital surface: networks, applications, identities, data, and the people who have access to them. Phishing, ransomware, credential theft, insider data exfiltration, account takeovers, and supply-chain compromise all live here.
Physical. Anything that targets the physical surface: people, facilities, vehicles, and the spaces the organization occupies or moves through. Workplace violence, unauthorized access, theft, assault, kidnapping, and hostile surveillance all live here.
Reputational. Anything that targets the perception of the organization or its leadership. Disinformation campaigns, coordinated harassment, deepfake content, executive impersonation, and orchestrated regulatory leaks all live here.
Insider. Anything that originates from within the organization itself: employees, contractors, vendors with privileged access, board members, and household staff. Insider threats can be malicious, or they can be the ordinary consequence of access without discipline.
Environmental and geopolitical. Anything in the operating environment that creates exposure regardless of intent. Civil unrest, natural disaster, pandemic, infrastructure failure, sanctions regimes, and war all live here, along with their second-order effects.
"Most security incidents involve more than one of these categories. The most damaging incidents involve all five."
Why they have to be read as one picture.
The most dangerous feature of the modern threat landscape is not the threats themselves. It is the way they compound across categories. A cyber breach exposes home addresses. The exposed addresses become a physical threat to an executive's family. The family's distress leaks into the press, which becomes a reputational event. A regulator sees the coverage and opens an inquiry. One event, four categories, and a program that handled each in isolation is already behind.
Compounding has three properties worth understanding. It is non-linear: two threats at once do not produce twice the exposure; they produce many times more, because each one consumes the attention the other requires. It is cross-domain by nature: a cyber event metastasizes into a physical one, a physical one into a reputational one. And it is exploitable: an adversary who understands compounding will deliberately stack events to overwhelm the response.
The program that treats these five categories as separate problems will be overrun by the second compound event. The program that treats them as a single picture — where cyber telemetry, physical observation, reputational signals, insider indicators, and environmental conditions are read together — can see the compound forming and act before it does. That single picture is the whole point. The methodology that maintains it — sense, advance, decide, learn — is built to operate on whatever threat picture is current. The picture changes. The discipline does not.