A risk source describes the origin or high-level category from which threats emerge. Examples include state-sponsored actors, organised crime, insiders, natural events, and technical failure. Categorising by risk source helps you capture threats systematically and ensures that no relevant category is overlooked. In the Cenedril ISMS wizard, you first select the relevant risk sources; the specific threats are then derived from them. ISO 27005 recommends considering both intentional and unintentional sources.