Thanks for putting it so eloquently. To me when I hear the word threat, it indicates an immediate response is required where a risk or vulnerability we have time to remediate or lessen the impact. If I have an active insider threat, I need to be monitoring, auditing, intervening, and actively trying to shut it down. If it is just an uninformed executive who might click on a phishing email, then I have time to ensure my user education is improved, to install an anti-phishing product, to have a one-on-one security briefing, etc. Where I live, a hurricane is a threat, but not in November through April, and only when there is a named storm. Which then we usually have days to weeks to prepare. Any user is a threat to do something bad, whether malicious or not, to me an insider threat is something requiring an immediate response. Perhaps insider risk would be a better title.....
One of the reasons I got into this field is that I was appalled by how lightly security would often be taken in organizations I was with before.
2 examples from a single organization, where I was working as a system admin: -
1) A director had a dedicated WiFi channel with full intranet access & unrestricted internet access, of which he'd tend to share the WPA key with whoever visited him --- it would never be changed!
2) The GM once called me to check an issue on his Mac; while I was at it, he excused himself to grab his lunch --- leaving me with full access to his laptop, with the emails & all the info there. (Worse, he didn't bother to log off)
(Most ironic was that this organization got itself certified in ISMS)
Anyways, back to these examples, while I see anything that may compromise IT Security as a threat --- be it malicious or not --- we might consider these as vulnerabilities that have been created, & could potentially be exploited. In the case of 1, an outsider could get access to the internal network to launch an attack or carry out reconnaissance; with 2, the GM's system could be used to send out fake emails, or there may be data leakage / theft.
So the parties that have malicious intentions and take advantage of these vulnerabilities could be seen as the threat actors, rather than the executives themselves.