LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the standard FAIR template for stating a cyber-risk scenario, and why does the template matter?

"[Threat] impacts [asset] via [method], causing [effect(s)]." — a sentence template that forces every scenario to name all four moving parts.

Example: "Cyber Criminals impact Sensitive Personal Data via Ransomware with Data Exfiltration, causing Information Privacy Loss and Reputation Damage."

Each slot has a menu of standardised choices, so scenarios across an org are comparable:

Slot Sample options
Threat (intent: malicious / accidental) Cyber Criminals, Nation-State, Privileged/Non-Privileged Insider, AI Agents, Hacktivists, Cyber Terrorists, Script Kiddies, Competitor-Driven, Sabotage Actors
Asset Sensitive Personal Data, IP & Trade Secrets, Confidential Business Info, Business Process (revenue / cost), Product/Service, Cash, Physical Assets
Method Ransomware (with/without exfiltration), Data Exfiltration, DDoS, Cryptomining, Account Takeover, Malware, System Outage, Data Corruption, Phishing, SIM Swapping, Deepfake attacks, LLM Prompt Injection, Credential Stuffing, Brute-force, USB Drop
Effect (Primary / Secondary) Privacy Loss, Proprietary Data Loss, Business Interruption, Cyber Extortion, Network Security, Financial Fraud, Media Fraud, Hardware Bricking, Post-Breach Costs, Reputation Damage

Why the template wins:

  • No hand-waving. "We're worried about cyber" → forced to commit to a who/what/how/why.
  • Comparable across the org. Same vocabulary → roll-up reporting works.
  • Maps directly to FAIR factors. Threat → TEF inputs; Method → Vulnerability; Effect → Loss types.

Modern additions: AI Agents as threats, Deepfakes and LLM Prompt Injection as methods, ML Model Evasion and Training Data Poisoning — reflecting how the 2025 threat landscape has evolved.

From Quiz: ISF / Risk Management | Updated: Jul 14, 2026