For reference I differentiated between Threat and Attack Models last year.
- Threat Modeling: Identifying parties with the capabilities and intentions to exploit a vulnerability in an asset
- Attack Modeling: Identifying vectors by which any threat could exploit an asset; i.e., the identity of the threat is irrelevant -- the method matters here
- Adversary Imagination and Simulation: The former involves thinking about how an adversary would act like a threat and perform an attack. The latter is actually acting as the threat upon production assets. The article mentions doing the latter for computer concerns.
I am not a big fan of adversary imagination as the end result of any activity. It's far too likely to rest on untested assumptions and you end up with defense or management by belief instead of by fact.
I thought it was helpful to see that a big company like Intel works to integrate personnel from across its business into these exercises to stimulate security awareness and guide resistance, detection, and response.
I found this excerpt interesting too:
Finally, we make it clear when we invite people to a war game that they are not required to fix the vulnerabilities they discover. Within Intel's corporate culture, we take pride in identifying a problem and then owning the solution, but telling participants "you find it, you fix it" could discourage them from speaking up.