Which of the following is not a type of internal attacker?

The correct identification of the external hacker as not being a type of internal attacker is based on the fundamental definitions of internal versus external threats in cybersecurity. Internal attackers are individuals who have legitimate access to an organization's systems and data, which includes employees, contractors, and other stakeholders within the organization.

A malicious attacker refers specifically to someone within the organization who deliberately seeks to harm the organization, such as stealing data or sabotaging systems. A careless worker, while possibly unintentionally causing issues, still falls under the category of internal threats due to their association with the organization. A system administrator typically has broad access and could potentially be an internal threat as well, either through negligent behavior or intentional malfeasance.

In contrast, an external hacker operates from outside the organization and relies on exploiting vulnerabilities without having authorized access. External hackers may use various techniques to compromise systems, but they do not belong to the group classified as internal attackers, as they lack the insider position required to qualify for that classification.

Therefore, understanding the distinctions between these roles helps clarify why the external hacker does not fit within the framework of internal attackers.