Internal Vulnerabilities, External Threats: A Grounded Framework for Enterprise Open Source Risk Governance

Abstract: Enterprise engagement with open source has evolved from tactical adoption to strategic deep integration, exposing them to a complex risk landscape far beyond mere code. However, traditional risk management, narrowly focused on technical tools, is structurally inadequate for systemic threats like upstream "silent fixes", community conflicts, or sudden license changes, creating a dangerous governance blind spot. To address this governance vacuum and enable the necessary shift from tactical risk management to holistic risk governance, we conducted a grounded theory study with 15 practitioners to develop a holistic risk governance framework. Our study formalizes an analytical framework built on a foundational risk principle: an uncontrollable External Threat (e.g., a sudden license change in a key dependency) only becomes a critical risk when it exploits a controllable Internal Vulnerability (e.g., an undefined risk appetite for single-vendor projects), which then amplifies the impact.The framework operationalizes this principle through a clear logical chain: "Objectives -> Threats -> Vulnerabilities -> Mitigation" (OTVM). This provides a holistic decision model that transcends mere technical checklists. Based on this logic, our contributions are: (1) a "Strategic Objectives Matrix" to clarify goals; (2) a systematic dual taxonomy of External Threats (Ex-Tech, Ex-Comm, Ex-Eco) and Internal Vulnerabilities (In-Strat, In-Ops, In-Tech); and (3) an actionable mitigation framework mapping capability-building to these vulnerabilities. The framework's analytical utility was validated by three industry experts through retrospective case studies on real-world incidents. This work provides a novel diagnostic lens and a systematic path for enterprises to shift from reactive "firefighting" to proactively building an organizational "immune system".