Which scenario describes reputational risk when a public-facing website is defaced?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple-choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

Which scenario describes reputational risk when a public-facing website is defaced?

Explanation:
Reputational risk centers on how stakeholders view the organization after an incident. When a public-facing website is defaced, it sends a visible message that the site—and by extension the organization’s security—may be vulnerable. This can erode trust, invite negative press, and cause customers and partners to question the reliability and safety of engaging with the organization. The defacement directly affects public perception, which is the essence of reputational risk. The other scenarios describe different types of risk: a DoS affects availability and user access (an operational impact), an insider threat involves a trusted actor inside the organization, and data exfiltration concerns confidentiality and data loss. Those do not capture the visible, trust-damaging impact of a defaced public website.

