Quiz Entry - updated: 2026.07.14
What is the standard FAIR template for stating a cyber-risk scenario, and why does the template matter?
"[Threat] impacts [asset] via [method], causing [effect(s)]." — a sentence template that forces every scenario to name all four moving parts.
Example: "Cyber Criminals impact Sensitive Personal Data via Ransomware with Data Exfiltration, causing Information Privacy Loss and Reputation Damage."
Each slot has a menu of standardised choices, so scenarios across an org are comparable:
| Slot | Sample options |
|---|---|
| Threat (intent: malicious / accidental) | Cyber Criminals, Nation-State, Privileged/Non-Privileged Insider, AI Agents, Hacktivists, Cyber Terrorists, Script Kiddies, Competitor-Driven, Sabotage Actors |
| Asset | Sensitive Personal Data, IP & Trade Secrets, Confidential Business Info, Business Process (revenue / cost), Product/Service, Cash, Physical Assets |
| Method | Ransomware (with/without exfiltration), Data Exfiltration, DDoS, Cryptomining, Account Takeover, Malware, System Outage, Data Corruption, Phishing, SIM Swapping, Deepfake attacks, LLM Prompt Injection, Credential Stuffing, Brute-force, USB Drop |
| Effect (Primary / Secondary) | Privacy Loss, Proprietary Data Loss, Business Interruption, Cyber Extortion, Network Security, Financial Fraud, Media Fraud, Hardware Bricking, Post-Breach Costs, Reputation Damage |
Why the template wins:
- No hand-waving. "We're worried about cyber" → forced to commit to a who/what/how/why.
- Comparable across the org. Same vocabulary → roll-up reporting works.
- Maps directly to FAIR factors. Threat → TEF inputs; Method → Vulnerability; Effect → Loss types.
Modern additions: AI Agents as threats, Deepfakes and LLM Prompt Injection as methods, ML Model Evasion and Training Data Poisoning — reflecting how the 2025 threat landscape has evolved.