Identification should include differentiating between a threat and a vulnerability, as well as
email use
insider threats
employee errors
weak management
weak policy creation
unused accounts
weak password selection.