Repository for the Open Information Security Risk Universe

Sources of Risk

These are the various sources that cause a risk event to occur.

Internal vs External Sources

Internal sources are within the trust and control boundary of the organisation whereas External sources exist outside the trust and control boundary of the organisation.

Malicious vs Non-Malicious

Malicious sources are those with intent to cause harm whereas Non-Malicious sources do not have intent to cause harm.

| Source | Internal/External | Malicious/Non-Malicious |
| --- | --- | --- |
| Disgruntled | Internal | Malicious |
| Accidental | Internal | Non-Malicious |
| Ineffective | Internal | Non-Malicious |
| Criminal | Internal | Malicious |
| Coerced | Internal | Malicious |
| Criminals | External | Malicious |
| Hacktivists | External | Malicious |
| Compromised suppliers | External | Non-Malicious |
| State-Sponsored | External | Malicious |
| Competitor | External | Malicious |
| Press | External | Non-Malicious |
| Researcher | External | Non-Malicious |
| Regulator | External | Non-Malicious |


It can be useful to consider the characteristics of each source when analysing risks. The following characteristics can be useful to bear in mind: