Sources of Risk
These are the various sources that cause a risk event to occur.
Internal vs External Sources
Internal sources are within the trust and control boundary of the organisation whereas External sources exist outside the trust and control boundary of the organisation.
Malicious vs Non-Malicious
Malicious sources are those with intent to cause harm whereas Non-Malicious sources do not have intent to cause harm.
Source | Internal/External | Malicious/Non-Malicious |
---|---|---|
Disgruntled | Internal | Malicious |
Accidental | Internal | Non-Malicious |
Ineffective | Internal | Non-Malicious |
Criminal | Internal | Malicious |
Coerced | Internal | Malicious |
Criminals | External | Malicious |
Hacktivists | External | Malicious |
Compromised suppliers | External | Non-Malicious |
State-Sponsored | External | Malicious |
Competitor | External | Malicious |
Press | External | Non-Malicious |
Researcher | External | Non-Malicious |
Regulator | External | Non-Malicious |
Characteristics
It can be useful to consider the characteristics of each source when analysing risks. The following characteristics are worth bearing in mind:
- Goals (Curiosity, Personal Fame, Personal Gain, National Interests, Revenge, etc.)
- Skills (No technical skills, End user, Power user, Developer, Researcher)
- Knowledge (External to organisation, Ex-Organisation insider, Organisation partner, Customer, Employee, Other insider)
- Opportunity (Connected to Internet, Physically nearby, Access to connected partner, Access to organisation, Access to specific network / system)
- Deterrability (Unconcerned criminal, Careful criminal, Careless law-abiding, Careful law-abiding)