Tony Martin-Vegue

  • Home
  • Blog
  • About/Contact
  • Cyber Risk Quantification Resources
  • Newsletter
exam.jpg

Recipe for passing the OpenFAIR exam

July 24, 2020 by Tony MartinVegue in Quantitative Risk

Passing and obtaining the OpenGroup’s OpenFAIR certification is a big career booster for information risk analysts. Not only does it look good on your CV, it demonstrates your mastery of FAIR to current and potential employers. It also makes a better analyst because it deepens one’s understanding of risk concepts that may not be often used. I passed the exam myself a while back, and I’ve also helped people prepare and study for it. This is my recipe for studying for and passing the OpenFAIR exam.

What to study

The first thing you need to understand in order to pass the exam is that the certification is based on the published OpenFAIR standard, last updated in 2013. Many people and organizations - bloggers, risk folks on Twitter, the FAIR Institute, me, Jack Jones himself - have put their own spin and interpretation on FAIR in the years since the standard was published. Reading this material is important to becoming a good risk analyst but it won’t help you pass the exam. You need to study and commit to memory the OpenFAIR standard. If you find contradictions in later texts, favor the OpenFAIR documentation.

Now, get your materials

The two most important texts are: 

  • Open Risk Taxonomy Technical Standard (O-RT) - free, registration required

  • Open Risk Analysis Technical Standard (O-RA) - free, registration required

Two more optional texts, but highly recommended:

  • OpenFAIR Foundation Study Guide  - $29.95

  • Measuring and Managing Information Risk: A FAIR Approach by Jack Freund and Jack Jones - book, $49.95 on Amazon

How to Study

This is how I recommend you study for the exam:

Thoroughly read the Taxonomy (O-RT) and Analysis (O-RA) standards, cover to cover. Use the FAIR book, blogs, and other papers you find to help answer questions or supplement your understanding, but use the PDF’s as your main study aid.

Start memorizing - there are only three primary items that require rote memorization; everything else is common sense if you have a mastery of the materials. Those items are:

The Risk Management Stack

You need to know what they are, but more importantly, you need to know them in order.

risk stack.jpg

Accurate models lead to meaningful measurements, which lead to effective comparisons - you get the idea. The test will have several questions like, “What enables well-informed decisions?” Answer: effective comparisons. I never did find a useful mnemonic that stuck like Please Don’t Throw Sausage Pizzas Away, but try to come up with something that works for you.

The FAIR Model

You are probably already familiar with the FAIR model and how it works by now, but you need to memorize it exactly as it appears on the ontology.

The FAIR model (source: FAIR Institute)

The FAIR model (source: FAIR Institute)

It’s not enough to know that Loss Event Frequency is derived from Threat Event Frequency and Vulnerability - you need to know that Threat Event Frequency is in the left box and Vulnerability is on the right. Once a day, draw out 13 blank boxes and fill them in. The test will ask you to match various FAIR elements of risk on an empty ontology. You also need to know if each element is a percentage or a number. This should be easier to memorize if you have a true understanding of the definitions.

Forms of Loss

Last, you need to know the six forms of loss. You don’t need to memorize the order, but you definitely need to recognize these as the six forms of loss and have a firm understanding of the definitions.

Productivity Loss

Response Loss

Replacement Loss

Fines and Judgements

Competitive Advantage

Reputation Damage

Quiz Yourself

I really recommend paying the $29.95 for the OpenFAIR Foundation Study Guide PDF. It has material review, questions/answers at the end of each chapter, and several full practice tests. The practice tests are so similar (even the same, for many questions) to the real test, that if you ace the practice tests, you’re ready. Also, check out FAIR certification flashcards for help in understanding the core concepts.

When you think you’re ready, register for your exam for a couple of weeks out. This gives you time to keep taking practice tests and memorizing terms.

In Closing…

It’s not a terribly difficult test, but you truly need a mastery of the FAIR risk concepts to pass. I think if you have a solid foundation in risk analysis in general, it takes a few weeks to study, as opposed to months for the CRISC or CISSP. 

Good luck with your FAIR journey! As always, feel free to reach out to me or ask questions in the comments below.

Related Posts
How a 14th-century English monk can improve your decision making
Jan 19, 2022
How a 14th-century English monk can improve your decision making
Jan 19, 2022
Jan 19, 2022
Black Swans and risk blindness
Feb 27, 2021
Black Swans and risk blindness
Feb 27, 2021
Feb 27, 2021
Probability & the words we use: why it matters
Aug 10, 2020
Probability & the words we use: why it matters
Aug 10, 2020
Aug 10, 2020
No, COVID-19 is not a Black Swan event*
Mar 21, 2020
No, COVID-19 is not a Black Swan event*
Mar 21, 2020
Mar 21, 2020
Improve Your Estimations with the Equivalent Bet Test
Oct 4, 2019
Improve Your Estimations with the Equivalent Bet Test
Oct 4, 2019
Oct 4, 2019
The Semi-Attached Figure: How to spot manipulative security advertising claims
Aug 7, 2018
The Semi-Attached Figure: How to spot manipulative security advertising claims
Aug 7, 2018
Aug 7, 2018
The Mad Men of Cyber Security Advertising
Jul 22, 2018
The Mad Men of Cyber Security Advertising
Jul 22, 2018
Jul 22, 2018
Will the Real “Year of the Data Breach” Please Stand Up?
Jan 4, 2018
Will the Real “Year of the Data Breach” Please Stand Up?
Jan 4, 2018
Jan 4, 2018
The Birth of a Ransomware Urban Myth
Apr 17, 2017
The Birth of a Ransomware Urban Myth
Apr 17, 2017
Apr 17, 2017
Selection Bias and Information Security Surveys
Mar 10, 2017
Selection Bias and Information Security Surveys
Mar 10, 2017
Mar 10, 2017





July 24, 2020 /Tony MartinVegue
Quantitative Risk
  • Newer
  • Older