Some hold that the word “threat” should be reserved for the agency responsible for an attack.
There is precedent to the contrary. The main NIST publication on risk assessment, SP 800-30 defines:
“A threat is any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.”
Agency, on the other hand, is more closely related to threat sources:
“A threat source is characterized as: (i) the intent and method targeted at the exploitation of a vulnerability; or (ii) a situation and method that may accidentally exploit a vulnerability. In general, types of threat sources include: (i) hostile cyber or physical attacks; (ii) human errors of omission or commission; (iii) structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and (iv) natural and man-made disasters, accidents, and failures beyond the control of the organization.”
To be perfectly fair, despite the above definition of “threat”, SP800-30 frequently refers to the same concept as “threat event”.
I’m not arguing to use one word or another. Ideally everyone would agree on one-to-one mappings between words and meanings. We just don’t live in that reality… and maybe it’s more of a Borg nightmare anyway.