Open FAIR Foundation Practice Test

Open FAIR Foundation focuses on clear, quantitative risk-analysis language: risk scenarios, loss event frequency, loss magnitude, assumptions, uncertainty, and defensible communication.

These 12 original questions are a public preview, not official Open Group questions.

What these questions test

• separating risk, threat, vulnerability, asset, loss event frequency, and loss magnitude
• framing risk scenarios clearly enough to analyze
• avoiding vague high/medium/low risk language when quantitative reasoning is needed

Official-source check

Verify current exam names, exam policies, and certification requirements with The Open Group Open FAIR certification page .

Sample Exam Questions

Question 1

Topic: risk scenario

What makes a risk scenario useful for analysis?

• A. It clearly describes asset, threat, effect, and loss context
• B. It says only “cyber risk is high”
• C. It avoids naming the event
• D. It guarantees a loss will occur

Best answer: A

Explanation: Quantitative analysis needs a clear scenario. Vague labels make frequency, magnitude, and assumptions hard to evaluate.

Question 2

Topic: loss event frequency

What does loss event frequency estimate?

• A. The exact number of employees
• B. The final legal settlement only
• C. The color of a risk heat map
• D. How often loss events are expected to occur in a defined scenario

Best answer: D

Explanation: Loss event frequency concerns how often loss events may occur. It is separate from the size of loss when they occur.

Question 3

Topic: loss magnitude

Which question is most directly about loss magnitude?

• A. How many diagrams exist?
• B. If the event occurs, how large could the financial or operational impact be?
• C. Which team owns the website color?
• D. Is the password long?

Best answer: B

Explanation: Loss magnitude estimates the size of loss given an event. It may include productivity, response, replacement, liability, reputation, or other loss forms.

Question 4

Topic: risk terminology

Why is “risk equals vulnerability” a weak statement?

• A. Vulnerability always means guaranteed loss
• B. Risk never involves threats
• C. Risk depends on a scenario involving threat, asset, frequency, and magnitude, not vulnerability alone
• D. Magnitude is irrelevant

Best answer: C

Explanation: A vulnerability can contribute to risk, but risk analysis must consider the broader loss scenario and event likelihood.

Question 5

Topic: assumptions

Why should assumptions be documented in a FAIR-style analysis?

• A. They prove the estimate is perfect
• B. They explain uncertainty and make the analysis reviewable
• C. They replace all data
• D. They hide weak evidence

Best answer: B

Explanation: Risk estimates rely on assumptions. Documenting them makes the analysis transparent and easier to challenge or improve.

Question 6

Topic: uncertainty

Why use ranges instead of one false-precision number?

• A. Ranges prevent analysis
• B. Ranges are always illegal
• C. Ranges better reflect uncertainty in frequency and magnitude estimates
• D. Ranges remove the need for data

Best answer: C

Explanation: Quantitative risk analysis often works with uncertainty. Ranges can communicate plausible values better than a single arbitrary number.

Question 7

Topic: control effect

If a new control reduces the chance that a threat succeeds, which factor is most directly affected?

• A. Loss event frequency
• B. Office rent
• C. Brand color
• D. Employee title

Best answer: A

Explanation: Controls may reduce frequency, magnitude, or both. A control that reduces successful threat action primarily affects event likelihood.

Question 8

Topic: magnitude categories

Which item could be part of loss magnitude?

• A. The number of slide headings
• B. The preferred programming font
• C. The name of the risk analyst
• D. Response cost after an incident

Best answer: D

Explanation: Loss magnitude can include response, productivity, replacement, fines, liability, competitive impact, or reputation-related effects depending on the scenario.

Question 9

Topic: communication

Why is “high risk” alone usually insufficient for decision makers?

• A. It is always mathematically exact
• B. It includes every calculation
• C. It removes uncertainty
• D. It does not explain frequency, magnitude, assumptions, or decision tradeoffs

Best answer: D

Explanation: Decision makers need context. Quantitative risk language should clarify likelihood, impact range, confidence, and assumptions.

Question 10

Topic: data quality

What is a strong response when loss data is sparse?

• A. Invent exact numbers with no rationale
• B. Stop documenting the scenario
• C. Use transparent assumptions, expert judgment, ranges, and sensitivity review instead of pretending certainty
• D. Remove all risk analysis

Best answer: C

Explanation: Sparse data does not eliminate analysis. It increases the need for transparent assumptions and uncertainty ranges.

Question 11

Topic: decision use

What is a good use of Open FAIR-style analysis?

• A. Choosing controls only by popularity
• B. Comparing risk reduction options against cost, uncertainty, and expected loss
• C. Removing all business judgment
• D. Guaranteeing no future loss

Best answer: B

Explanation: Quantitative analysis helps compare tradeoffs. It informs decisions but does not guarantee outcomes.

Question 12

Topic: common trap

Which is the weakest risk statement?

• A. “Risk is bad.”
• B. “Our customer portal faces credential-stuffing risk that could lead to account takeover and fraud losses.”
• C. “A supplier outage could interrupt order fulfillment and reduce revenue.”
• D. “A ransomware event could disrupt claims processing and create response costs.”

Best answer: A

Explanation: “Risk is bad” is not a risk scenario. The other options name an event and potential effect, making analysis possible.