One of the reasons I got into this field is that I was appalled by how lightly security would often be taken in organizations I was with before.
2 examples from a single organization, where I was working as a system admin:
1) A director had a dedicated WiFi channel with full intranet access & unrestricted internet access, of which he'd tend to share the WPA key with whoever visited him --- it would never be changed!
2) The GM once called me to check an issue on his Mac; while I was at it, he excused himself to grab his lunch --- leaving me with full access to his laptop, with the emails & all the info there. (Worse, he didn't bother to log off.)
(Most ironic was that this organization got itself certified in ISMS.)
Anyways, back to these examples: while I see anything that may compromise IT Security as a threat --- be it malicious or not --- we might consider these as vulnerabilities that have been created, & could potentially be exploited. In the case of 1, an outsider could get access to the internal network to launch an attack or carry out reconnaissance; with 2, the GM's system could be used to send out fake emails, or there may be data leakage / theft.
So the parties that have malicious intentions and take advantage of these vulnerabilities could be seen as the threat actors, rather than the executives themselves.
What's your view on all this?