Actors

Threat actors are the entities (people, groups, organizations, and states) that cause or contribute to an incident. There can be more than one actor involved in the incident, and their actions do not need to be intentional. If involvement is only contributory (it did not directly cause the incident), the actor is not included. Otherwise, the list of actors involved may become so big as to mask the real threat. An example of this might be a software engineer who produces a product in good faith, only for the product to turn out to be vulnerable to an exploit that another actor then uses to breach it. The threat is the second actor, not the software engineer.

Actors are labeled relative to their relationship with the affected organization: internal, partner, or external. Linked to their relationship with the affected organization is the implied trust or privilege that each category might have. It is here that the real value of these categories is realized.

An internal threat actor (for example, a disgruntled employee) is assumed to have some privilege (for example, physical access to the computer system) that an external actor would not. A partner organization shares a business relationship with the organization, and can be assumed to have some privilege or trust level between that of the internal and external actors. For example, a partner organization might have physical access to the building for deliveries, but wouldn't be expected to have a log-in for the corporate network.

The aim of VERIS is to use common language to help identify, compare, and manage risk. For this reason, while the labels appear to categorize based on relationship, the important distinction is based on privilege and trust level. A former employee is therefore classified as external, because they should no longer have that physical access to the computer system. The opposite case is a contractor, who would be classed as internal due to their day-to-day legitimate access.

Within each sub-element, a number of properties can be used to enhance analysis and as search terms. These are shown in the following screenshot:

The Threat Actor sub-elements and their properties

Each property, barring the notes field (which is free text and is available for every VERIS element), can be enumerated (picked from a fixed set of options), which helps the searchability of the data. All the boxes in dark blue allow multiple selections to be made; the industry property only allows single selection, or free text, and is generally drawn from the NAICS list of industries (available at https://www.census.gov/cgi-bin/sssd/naics/naicsrch).
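
The enumeration rules above can be checked mechanically before a record is stored. The following is an added example, not code from the book or from the VERIS project: a minimal validator for the actor section of a VERIS-style record. The property names (variety, motive, industry, notes) and the abbreviated value lists are assumptions based on the public VERIS schema, and the sample records are constructed.

```python
MOTIVE = {"Espionage", "Financial", "Fun", "Grudge", "Ideology", "Unknown"}
# Abbreviated enumerations (assumed subset, not the full VERIS lists).
ENUMS = {
    "external": {"variety": {"Activist", "Former employee", "Nation-state",
                             "Organized crime", "Unknown"}, "motive": MOTIVE},
    "internal": {"variety": {"Developer", "End-user", "Executive",
                             "System admin", "Unknown"}, "motive": MOTIVE},
    "partner": {"motive": MOTIVE},
}

def validate_actor(actor):
    """Return a list of problems in a record's actor section (empty if none)."""
    problems = []
    for category, props in actor.items():
        # Only the three categories named in the text are modelled here.
        if category not in ENUMS:
            problems.append(f"{category}: not internal, partner or external")
            continue
        for name, value in props.items():
            path = f"{category}.{name}"
            if name == "notes" or (category == "partner" and name == "industry"):
                # Free text, or a single selection: one string, never a list.
                if not isinstance(value, str):
                    problems.append(f"{path}: expected a single string")
            elif name in ENUMS[category]:
                # Enumerated multi-select: a non-empty list of allowed values.
                if not isinstance(value, list) or not value:
                    problems.append(f"{path}: expected a non-empty list")
                    continue
                for item in value:
                    if item not in ENUMS[category][name]:
                        problems.append(f"{path}: {item!r} is not an allowed value")
            # Properties not modelled in this sketch are skipped.
    return problems

# Constructed sample records. GOOD files the former employee as external.
GOOD = {"external": {"variety": ["Former employee"], "motive": ["Grudge"],
                     "notes": "Account was disabled at termination."},
        "partner": {"industry": "541512", "motive": ["Unknown"]}}
# BAD files the former employee as internal and breaks the selection rules.
BAD = {"internal": {"variety": ["Former employee"], "motive": "Grudge"},
       "partner": {"industry": ["541512", "541511"]},
       "vendor": {"notes": "Unrecognized category."}}

if __name__ == "__main__":
    for record in (GOOD, BAD):
        print(validate_actor(record) or "valid")
```

Because "Former employee" appears only in the external list, a record that files a former employee as internal is rejected, which enforces the privilege-based classification described earlier.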
