- Threat identification is the review of technical and technical events that may damage a system
- System characterization is the review of system and data criticality and sensitivity
- Control analysis is the review of current and planned countermeasures against security requirements checklists.
- Vulnerability identification is the review of system security procedures, design, implementation, or internal controls that may fail during attacks.