Open FAIR for The Open Group FAIR certification exam
2023 with complete solution
Action
An act taken against an asset by a threat agent. This requires first that contact occurs
between the asset and threat agent.
Asset
Anything that may be affected in a manner whereby its value is diminished or the act
introduces liability to the owner. Examples include systems, data, people, facilities,
cash, etc.
Broad Spectrum Risk Analysis
Any analysis that accounts for the risk from multiple threat communities against a single
asset.
Contact
Occurs when a threat agent establishes a physical or virtual (e.g., network) connection
to an asset.
Contact Frequency (CF)
The probable frequency, within a given timeframe, that a threat agent will come into
contact with an asset.
Control
Any person, policy, process, or technology that has the potential to reduce the Loss
Event Frequency (LEF) and/or Loss Magnitude (LM).
Control Strength (CS)
The strength of a control as compared to a standard measure of force.
FAIR
Factor Analysis of Information Risk
Loss Event
Occurs when a threat agent's action (threat event) is successful in negatively affecting
an asset.
Loss Event Frequency (LEF)
The probable frequency, within a given timeframe, that a threat agent will inflict harm
upon an asset.
Loss Magnitude (LM)
The probable magnitude of loss resulting from a loss event.
Multi-level Risk Analysis
Any analysis that accounts for the risk from a single threat community against a layered
set of assets (e.g., defense in depth).
Primary Stakeholder
The person or organization that owns the asset at risk. For example, The Open Group
would be the primary stakeholder in risk scenarios related to its assets.
Probability of Action (PoA)
The probability that a threat agent will act against an asset once contact occurs.
Probable Loss Magnitude (PLM)
The probable magnitude of loss resulting from a loss event.
Resistance Strength (RS)
, The strength of a control as compared to a baseline measure of force.
Risk
The probable frequency and probable magnitude of future loss.
Secondary Stakeholder
Individuals or organizations that may be affected by events that occur to assets outside
of their control. For example, consumers are secondary stakeholders in a scenario
where their personal private information may be inappropriately disclosed or stolen.
Threat
Anything that is capable of acting in a manner resulting in harm to an asset and/or
organization; for example, acts of God (weather, geological events, etc.), malicious
actors, errors, failures.
Threat Agent
Any agent (e.g., object, substance, human, etc.) that is capable of acting against an
asset in a manner that can result in harm.
Threat Capability (TCap)
The probable level of force that a threat agent is capable of applying against an asset.
Threat Community
A subset of the overall threat agent population that shares key characteristics.
Threat Event
Occurs when a threat agent acts against an asset.
Threat Event Frequency (TEF)
The probable frequency, within a given timeframe, that a threat agent will act against an
asset.
Vulnerability (Vuln)
The probability that a threat event will become a loss event.
What is the risk management stack?
Effective Management
is enabled by
Well-informed Decisions
are enabled by
Effective Comparisons
are enabled by
Meaningful Measurements
are possible due to an
Accurate Risk Model
All risk assessment approaches should include the following 5 attributes:
1. An effort to clearly identify and characterize the assets, threats, controls, and
impact/loss elements at play within the risk scenario being assessed.
2. An understanding of the organizational context for the analysis; i.e., what is at stake
from an organizational perspective, particularly with regard to the organization's
leadership perspective.
3. Measurement and/or estimation of the various risk factors.
4. Calculation of risk.
2023 with complete solution
Action
An act taken against an asset by a threat agent. This requires first that contact occurs
between the asset and threat agent.
Asset
Anything that may be affected in a manner whereby its value is diminished or the act
introduces liability to the owner. Examples include systems, data, people, facilities,
cash, etc.
Broad Spectrum Risk Analysis
Any analysis that accounts for the risk from multiple threat communities against a single
asset.
Contact
Occurs when a threat agent establishes a physical or virtual (e.g., network) connection
to an asset.
Contact Frequency (CF)
The probable frequency, within a given timeframe, that a threat agent will come into
contact with an asset.
Control
Any person, policy, process, or technology that has the potential to reduce the Loss
Event Frequency (LEF) and/or Loss Magnitude (LM).
Control Strength (CS)
The strength of a control as compared to a standard measure of force.
FAIR
Factor Analysis of Information Risk
Loss Event
Occurs when a threat agent's action (threat event) is successful in negatively affecting
an asset.
Loss Event Frequency (LEF)
The probable frequency, within a given timeframe, that a threat agent will inflict harm
upon an asset.
Loss Magnitude (LM)
The probable magnitude of loss resulting from a loss event.
Multi-level Risk Analysis
Any analysis that accounts for the risk from a single threat community against a layered
set of assets (e.g., defense in depth).
Primary Stakeholder
The person or organization that owns the asset at risk. For example, The Open Group
would be the primary stakeholder in risk scenarios related to its assets.
Probability of Action (PoA)
The probability that a threat agent will act against an asset once contact occurs.
Probable Loss Magnitude (PLM)
The probable magnitude of loss resulting from a loss event.
Resistance Strength (RS)
, The strength of a control as compared to a baseline measure of force.
Risk
The probable frequency and probable magnitude of future loss.
Secondary Stakeholder
Individuals or organizations that may be affected by events that occur to assets outside
of their control. For example, consumers are secondary stakeholders in a scenario
where their personal private information may be inappropriately disclosed or stolen.
Threat
Anything that is capable of acting in a manner resulting in harm to an asset and/or
organization; for example, acts of God (weather, geological events, etc.), malicious
actors, errors, failures.
Threat Agent
Any agent (e.g., object, substance, human, etc.) that is capable of acting against an
asset in a manner that can result in harm.
Threat Capability (TCap)
The probable level of force that a threat agent is capable of applying against an asset.
Threat Community
A subset of the overall threat agent population that shares key characteristics.
Threat Event
Occurs when a threat agent acts against an asset.
Threat Event Frequency (TEF)
The probable frequency, within a given timeframe, that a threat agent will act against an
asset.
Vulnerability (Vuln)
The probability that a threat event will become a loss event.
What is the risk management stack?
Effective Management
is enabled by
Well-informed Decisions
are enabled by
Effective Comparisons
are enabled by
Meaningful Measurements
are possible due to an
Accurate Risk Model
All risk assessment approaches should include the following 5 attributes:
1. An effort to clearly identify and characterize the assets, threats, controls, and
impact/loss elements at play within the risk scenario being assessed.
2. An understanding of the organizational context for the analysis; i.e., what is at stake
from an organizational perspective, particularly with regard to the organization's
leadership perspective.
3. Measurement and/or estimation of the various risk factors.
4. Calculation of risk.
