The aim of this study is to propose initiating threats and their bounding groups in order to identify initiating cyber threats, and to further apply the initiating threats to cyber risk assessment in nuclear power plants (NPPs). NPP are generally thought to be secure from cyber-attacks, as the control/monitoring network and business network in a NPP are separate from the external network. However, consecutive incidents at nuclear facilities have revealed the necessity of cyber risk assessment for NPPs. To determine initiating threats and their bounding groups for NPP, Operational experience report (OER) and repository of industrial security incidents (RISI) database were utilized. Each of the chosen incidents was documented with descriptions based on the following five characteristics: 1) type of attacker, 2) intentionality, 3) access method, 4) access type, and 5) purpose of the attack. The proposed organization of initiating threats and their bounding groups for NPPs represent a valid first attempt to determine such threats based on actual industrial incidents. This advance can also be further applied to describe scenarios and models of NPP cyber-risk assessments.