| Metric | Description |
| --- | --- |
| Internal (I) | Internal attacks originate from within the organization’s internal network or systems. These attacks may leverage trusted access privileges, insider knowledge, or compromised internal assets to carry out malicious activities. |
| External (E) | External attacks originate from outside the organization’s network or systems (e.g., DDoS). These attacks are typically launched by external threat actors targeting the organization’s external-facing assets (e.g., websites, servers, or network infrastructure). |
| Mixed (M) | Mixed attacks involve elements from both internal and external sources. These attacks can be complex and challenging to detect, as they may involve insider threats collaborating with external actors or compromised internal systems being used to launch attacks against external targets. |
| Unknown (U) | Attacks of unknown origin cannot be definitively attributed to either internal or external sources. The origin of the attack may be obscured by factors such as sophisticated evasion techniques, insufficient logging and monitoring capabilities, or incomplete forensic analysis. |