The point of listing the driving forces is to look past the everyday crises that typically occupy our minds and explore long-term forces that ordinarily work well outside our concerns. It is these powerful forces that will usually catch us unaware.
Organisations have traditionally been the target, but sophisticated threats increasingly arrive via soft targets: individuals who are employees or volunteers of the organisation, people associated with the organisation, or its clients. Examples of individuals as the target include smartphone vulnerability exploitation and spear phishing for executive credentials.
Historically, governments have used regulation to influence corporate behaviour (see GDPR, for example), but increasingly, collectives of like-minded entities banding together drive organisational and individual behaviour. Examples of such collectives are (nation-state-sponsored) hacking groups.
Every organisation in the world, whether in the public or private sector, depends on third-party software, which can include a wide range of applications. Many of these programs were developed by small vendors that didn't have security in mind. That includes the software used for developing and distributing software.
The lines between state-sponsored actors and privately driven actors in hacking groups and in re-identification practices are becoming increasingly blurred. The impact of exploit proliferation, as threat actors use commodity tools such as (open source) penetration-testing software and poisoned update packages to breach networks, is likely to be immense.
To list more driving forces for a particular organisation and context, we can explore systematic hacking, hacking forensics, adversary-centric threat modelling, and research into current digital events.