ISO 27005 defines risk as "potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization." ISO 31000 states that risk is the "effect of uncertainty on objectives."
A source of risk can be a person, internal or external to the organisation, acting accidentally or deliberately (e.g. an IT administrator, a user, an external attacker, a competitor), or a non-human source (e.g. water, dangerous materials, a non-targeted computer virus).
Risk sources can be of different kinds:
Internal human source
This could be:
- a malicious employee, using his or her proximity to the system, skills, privileges and potentially large amount of available time, or an employee committing an act of negligence due to a possible lack of training and awareness.
- a careless or ill-intentioned user or those around them who have access to the service.
There may be many reasons for this: clumsiness, error, negligence, revenge, a desire to alert, malice, greed, espionage, etc.
External human source
This may be:
- a malicious or ignorant third party using their physical proximity to fraudulently access the service
- an attacker targeting a user by using their knowledge of that user and some of the information concerning them
- an attacker targeting one of the companies in charge of data processing, using their knowledge of the companies to damage their image
- an authorised third party using its privileged access to illegitimately access information.
The motives can be multiple: gambling, nuisance, malice, revenge, espionage, greed, acquisition of data with a view to exploiting it, etc.
Non-human source
This could be an incident or disaster (power cut, fire, flood, etc.) affecting one of the organisations in charge of processing.