FAIR Certification Exam Questions


Which of the following is classified as a malicious threat event? A An attempted theft B Entering the wrong command into a computer by mistake C High winds D Entering the correct command into a computer but the system failed to perform as intended

A - An attempted theft (where harm is intended) is classified as a malicious threat event.

Box #7 is comprised of which of the following: A Primary Loss and Secondary Loss B Secondary Loss Event Frequency and Secondary Loss Magnitude C Loss Event Frequency and Loss Magnitude D Risk and Vulnerability

A - Box #7 Loss Magnitude is comprised of Primary Loss (Box 8) and Secondary Loss (Box 9).

Which of the following best describes why it is necessary to identify the threat community? A. To break the analysis down into probable threat communities that might apply B. To establish the applicable Threat Event Frequency for the threat community C. To establish a suitable set of controls for the threat community D. To enable definition of a clear loss event

A - By identifying the threat communities that might apply, you can reduce the amount of analysis required, thus avoiding analysis paralysis.

Which of the following is a key point to the calibration process? A Challenging your assumptions B Communicating the results C Developing the business case D Estimating the resistance strength

A - Challenging your assumptions is one of the key points to the calibration process.

When making estimates, what is the purpose of decomposing high-level risk components? A To break them into smaller pieces that are easier to deal with. B To perform a subjective analysis. C To divide them amongst a team of analysts. D To test confidence using the wheel.

A - Estimation in risk analysis requires the analyst sometimes to decompose broad, high-level risk components into smaller pieces since they are easier to deal with. For example, if you were measuring the height of a building, you could decompose that problem into how many floors does it have and then how high is each floor.

Which of the following best describes the properties of "good data"? A Objective and tracked over a time period B Relative, captured from a one-time event C Acquired for an infrequent event D Data estimated based on a model

A - Good data is objective and tracked over a long period of time (shows trending).

Which of the following is a case for splitting a scenario into multiple simpler scenarios for analysis? A There are multiple distinct assets. B There are multiple threat actors in the scenario. C There is a mixture of objective and subjective data measurements. D The scenario is based solely on subjective data.

A - If there are multiple assets, and each one is distinct, then the analyst should consider performing more than a single analysis. This can often reduce the time by performing multiple simpler analyses.

Complete the sentence: In order for a loss event to occur, a _________ has to act upon a(n) ______, such that loss results. A Threat agent, asset B Primary stakeholder, control C Secondary stakeholder, threat event D Loss flow, primary stakeholder

A - In order for a loss event to occur, a threat agent has to act upon an asset, such that loss results.

Risk is represented in Box #: A. 1 B. 2 C. 7 D. 8

A - Risk is represented in Box #1.

You are scoping the analysis for the Human Resources executive scenario identified at the start of this chapter. You have decided to exclude other HR workers, job applicants, and technical support staff from the analysis. What is the minimum number of scenarios you should analyze? A. One B. Two C. Three D. Four

A - Since the cleaning crew are a case of visitors to the HR executive's office, a single scenario should suffice.

Which of the following best describes the TCap continuum? A The full range of capability of an overall threat population. B The most likely capability of a threat community under analysis. C The 90% confidence interval of a threat community. D The 25th percentile on a TCap distribution.

A - The Threat Capability Continuum represents the full range of capability of the overall threat population; for example, for hackers this would range at one end from low-skill, inexperienced hackers to the other end with the highly skilled, experienced, and determined hackers.

What is the benefit of performing analysis at a higher level within the taxonomy? A. Increased efficiency. B. It is metrics-based. C. It is simple to revisit the scope. D. The analysis can be performed multiple times.

A - The benefit of working higher in the taxonomy is increased efficiency, and when there is data it is often more objective.

What is the primary advantage of using Monte Carlo simulations? A To enable an accurate depiction of probability using uncertain inputs. B To gauge and improve an analyst's ability to make good estimates. C To remove the analyst's personal estimating bias. D To recognize data values that are clearly not possible.

A - The primary advantage to using Monte Carlo simulations is to enable a more accurate and defensible depiction of probability given the uncertainty of the inputs.

Which of the following influences the choice of the abstraction level in an analysis? A. The data quality B. The number of attack vectors C. The size of the threat population D. The secondary risk

A - The quality of the data will guide the level of abstraction to use for the analysis.

Which of the following statements about the retake policy for Open FAIR Examinations is correct? A Candidates who fail cannot take an examination again within one (1) month. B Candidates who fail cannot take an examination again within five (5) days. C Candidates who fail cannot take an examination again within seven (7) days. D Candidates who fail cannot take an examination again within three (3) months.

A - The retake policy requires candidates who fail to wait at least one (1) month before another attempt.

How many certification levels are there currently in The Open Group FAIR Certification Program? A. 1 B. 2 C. 3 D. 4

A - There are two levels defined; Open FAIR Foundation and Open FAIR Certified. However, only the first is currently available for certification.

Consider a hungry bear entering a campsite looking for food. What Contact Frequency type best describes this event? A Intentional Contact B Random Contact C Regular Contact D Standard Contact

A - This is an Intentional Contact, as the bear is specifically seeking out food.

Which two factors have a direct influence on Loss Event Frequency? A Threat Event Frequency and Vulnerability B Primary Loss and Secondary Loss C Probability of Action and Random Contact D Threat Capability and Resistance Strength

A - Threat Event Frequency and Vulnerability are the two factors that directly influence Loss Event Frequency (as shown in the taxonomy diagram).

Threat Event Frequency is represented in Box #: A. 3 B. 4 C. 8 D. 9

A - Threat Event Frequency is represented in Box #3.

Why is it important to document the rationale for measurement estimates in an analysis? A. To defend the analysis if it is challenged B. To ensure that all assumptions for the analysis are supported by objective data C. To identify the scenario objectives for the analysis D. To remove all personal bias from the estimates

A - When creating a risk analysis, it should be anticipated that aspects of it will be challenged, and so it is important to document the rationale for all measurement estimates.

Which is the appropriate level of abstraction for use in an analysis for the case where the loss event we are measuring has occurred in recent times and we have historical data over the past five to ten years? A. At the highest level of abstraction - Loss Event Frequency B. At the lowest level of abstraction - Resistance Strength C. One layer down from the highest level of abstraction D. At the level which minimizes the scope of the analysis

A - Where we have historical data we likely have data showing the frequency of such events and thus the analysis can occur at the highest level of abstraction by leveraging the data and making LEF estimates directly.

What form of loss for an online retailer would occur when its retail website is unavailable due to a system outage? A Operational loss B Productivity loss C Replacement loss D Response loss

B - A retail website being unavailable would lead to a loss of revenue for the retailer. In the Open FAIR terminology, this is defined as a Productivity Loss.

Consider the following scenario: You accidentally trip over a system's power cord and the power cord becomes unplugged. The system has an uninterruptible power supply. Which of the following would best describe this? A Loss event B Non-malicious threat event C Malicious threat event D Non-malicious loss event

B - As this is an accidental incident it is non-malicious, and the act of tripping would be a threat event. As there was a UPS, no actual loss event occurred, assuming it was working.

Which of the following questions would elicit the more subjective response? A. Does XYZ Corporation follow best practice for mobile device usage? B. How many mobile devices do you think XYZ Corporation lost worldwide last year due to employee negligence? C. Do you recall if XYZ Corporation suffered reputation loss through mobile device loss last year? D. How much does it cost to replace the standard issue tablet at XYZ Corporation?

B - Asking for an estimate based on personal feelings and interpretations is a subjective risk measurement.

Box #9 is comprised of which of the following: A Vulnerability and Contact Frequency B Secondary Loss Event Frequency and Secondary Loss Magnitude C Loss Event Frequency and Probability of Action D Threat Capability and Contact Frequency

B - Box #9 Secondary Loss is comprised of Secondary Loss Event Frequency and Secondary Loss Magnitude.

Which of the following is a method used for improving an analyst's ability to make good estimates? A Business Scenarios B Calibration C Risk Identification D Scenario Parsing

B - Calibration is a method for improving an analyst's ability to make good estimates.

Which of the following best completes the sentence: An organization's capacity for loss is __________. A. Based on its leadership's subjective tolerance for loss B. An objective measure of how much damage it can incur and remain solvent C. Based on its stock market valuation D. Defined on a scale reviewed by management

B - Capacity for loss is an objective measurement of how much damage an organization can incur and still remain solvent.

Which of the following is classified as an error threat event? A An attempted theft B Entering the wrong command into a computer by mistake C High winds D Entering the correct command into a computer but the system failed to perform as intended

B - Entering the wrong command into a computer (where that act was not intended) is classified as an error threat event.

You estimate that the length of a Boeing 747 airliner is between 10 meters and 100 meters. (Note that the actual length of a 747-400 is 70.6 meters.) Which of the following best completes the sentence: This is an example of an estimate that is ______________? A. Accurate B. Accurate but not precise C. Precise D. Precise but not accurate

B - Estimating that the length of a Boeing 747 airliner is between 10 meters and 100 meters is an example of an estimate that is accurate but not precise.

Which of the following questions would elicit the more objective response? A. Does XYZ Corporation follow best practice for mobile device usage? B. How many mobile devices did XYZ Corporation lose last year? C. How much loss do you think XYZ Corporation suffered through mobile device loss last year? D. How secure are XYZ Corporation's mobile device usage policies?

B - How many mobile devices lost is the most objective question, asking for an unbiased statement of fact.

When deriving Vulnerability, what does it indicate when TCap is not greater than RS? A. The asset is vulnerable. B. The asset is not vulnerable. C. Monte Carlo should be used to check the calculation. D. The estimate of RS should be revised.

B - If TCap is not greater than RS, then in that case the asset is not vulnerable.

Which is the appropriate level of abstraction for use in an analysis for the case where we are performing an analysis multiple times to determine the effectiveness of a single new control? A. At the highest level of abstraction - Loss Event Frequency B. At the lowest level of abstraction - Resistance Strength C. If no existing data exists, then one layer down from the highest level of abstraction D. At the level which minimizes the scope of the analysis

B - If the analysis is to be performed multiple times to assist in determining the effectiveness of a new control, then we should work at a lower level (e.g. RS) where the change can be more objectively and accurately measured.

Complete the sentence: In order to have meaningful measurements we need ____________. A A logic flowchart B Accurate modeling C Effective comparisons D Effective management

B - In order to have meaningful measurements we need accurate modeling.

Which element of the risk management stack leads directly to being able to make well-informed decisions? A Accurate Risk Model B Effective Comparisons C Effective Management D Meaningful Measurements

B - In order to make well-informed decisions we need effective comparisons.

Which of the following is an example of a deterrent control in an information-security context? A Firewall filters B Logging and monitoring C Authentication D Reducing the number of personnel who are given access rights

B - Logging and monitoring are considered as deterrent controls.

Consider two wireless networks A and B. Network A is secured using the Wired Equivalent Privacy (WEP) encryption, which is an easily broken security algorithm for IEEE 802.11 wireless networks. Network B is secured using Wi-Fi Protected Access II (WPA2) encryption that is a more advanced encryption method. According to the FAIR risk taxonomy, which of the following statements best describes this situation? A Network A has a Vulnerability. B Network B has a higher Resistance Strength than Network A. C The Loss Event Frequency for Network A is higher than that for Network B. D The Loss Magnitude for Network B is lower than that for Network A.

B - Network security is a control. A wireless network secured by WPA2 will have a higher Resistance Strength than one secured by WEP.

Which of the following best completes the sentence: According to Open FAIR, qualifiers should be applied to the results of a risk analysis because _______________________. A. An organization's tolerance for loss is often related to its leadership's tolerance for loss. B. Quantitative results do not communicate everything needed to make a well-informed decision. C. Tolerance for loss is a subjective measure. D. Many decisions about risk issues have chained dependencies.

B - Often quantitative results do not communicate everything that may be necessary in order to make a well-informed decision; for example, a fragile qualifier might highlight that losses are kept low due to a single preventative control.

Which one of the following is the entry-level certification for an individual? A Open FAIR Certified B Open FAIR Foundation C Open FAIR Professional D Open FAIR Architect

B - Open FAIR Foundation is the entry-level qualification. Options C and D do not exist as options within the program.

Resistance Strength is represented in Box #: A. 5 B. 6 C. 10 D. 11

B - Resistance Strength is represented in Box #6.

Complete the sentence: According to the FAIR risk taxonomy, risk is defined as the ___________________. A Potential of losing something of value, weighed against the potential to gain something of value B Probable frequency and magnitude of future loss C Probability or threat of quantifiable loss caused by internal or external vulnerabilities D Probability that an actual return on an investment will be lower than the expected return

B - The FAIR risk taxonomy defines risk as the probable frequency and magnitude of future loss.

Complete the sentence: The FAIR risk taxonomy has two main branches, Loss Event Frequency and ______________. A. Contact Frequency B. Loss Magnitude C. Threat Capability D. Vulnerability

B - The FAIR risk taxonomy has two main branches: Loss Event Frequency and Loss Magnitude.

An analyst estimates that the Resistance Strength for a set of preventative controls against the web hacker community is: Minimum: 50th percentile Maximum: 75th percentile Most Likely: 60th percentile What does the maximum value indicate in this example? A. The likely success rate for web hackers in attacking this asset is 75%. B. A threat agent with capability higher than the 75th percentile will be able to breach these controls. C. Most web hackers will be able to breach these controls. D. 25% of all web hackers will be able to breach these controls.

B - The maximum indicates the maximum level of capability the controls will withstand.

An analyst estimates that the web hacker community has a Threat Capability of: Minimum: 50th percentile Maximum: 75th percentile Most Likely: 60th percentile What does the maximum value indicate in this example? A. The likely success rate for web hackers in attacking an asset is 75%. B. It is most unlikely that any web hackers are above the 75th percentile in capability. C. Most web hackers will be at the 75th percentile in terms of capability. D. 25% of all web hackers are the most highly skilled.

B - The maximum value indicates the maximum level of skills an attacker might have.

An analyst estimates that the web hacker community has a Threat Capability of: Minimum: 50th percentile Maximum: 75th percentile Most Likely: 60th percentile What does the minimum value indicate in this example? A. It is likely that 50% of all web hackers are above average in capability. B. It is unlikely that any web hackers are below the 50th percentile in capability. C. 50% of all web hackers are above the 50th percentile in capability. D. 50% of all web hackers are expected to have average capability.

B - The minimum indicates the minimum level of skills that we would expect an attacker to have. So in this estimate it is unlikely that the threat community includes those with below the 50th percentile in capability.

Which of the following best describes why threat profiling is advantageous? A It identifies the secondary stakeholders affected by events that occur to assets outside of their control. B It streamlines a risk analysis. C It describes succinctly how losses materialize. D It identifies the actors that have the potential to reduce the Loss Event Frequency.

B - The use of threat profiles helps to streamline and improve the consistency of analyses.

Which of the following best describes the purpose of using the wheel when making estimates? A To decompose a high-level risk component. B To help estimate a range of values with high confidence. C To recognize values that are clearly not possible. D To create estimates with absurd starting values.

B - The wheel is used to help strengthen confidence in an estimated range of values, to move them to the 90% confidence level that the actual value is within a min/max range.

You are scoping the analysis for access to confidential customer data including credit card information. The threat communities identified for this analysis are internal staff and cyber criminals. What is the minimum number of scenarios that should be analyzed? A. One B. Two C. Three D. Four

B - Two, as internal versus external threats are likely to have very different access methods.

Which of the following is a recommended technique when analysts disagree about the results of an analysis? A Check that only good sources of data have been used in the analyses B Combine the two analyses into a single scenario C Determine if any assumptions have been made that vary between the analyses D Start the evaluation by looking at factors related to Loss Magnitude

C - A recommended technique is to revisit the scoping or rationale within an analysis and determine whether an assumption has been made that differs from the other analysts' assumptions.

Which of the following would be considered a fragile qualifier? A. Risk associated with a rogue system administrator B. The situation where no preventative controls exist to manage loss events C. A single control preventing malware-related losses D. When an organization's capacity for loss exceeds their tolerance for loss

C - A single control preventing malware-related losses is said to be a fragile condition.

Complete the sentence: A tornado can be considered a(n) _______________. A. Asset B. Risk C. Threat D. Vulnerability

C - A tornado is a threat, as it applies the force (water and wind) against an asset that can cause a loss event to occur.

An organization has drawn up the following scales for translating quantitative values into qualitative ranges: Severe = Greater than $5,000,000 High = Between $1,000,000 and $4,999,999 Medium = Between $200,000 and $999,999 Low = Between $20,000 and $199,999 Very Low = Less than $20,000 If a risk analysis resulted in an average annualized loss exposure of $4.75 million, how would that be interpreted on this scale? A. Low risk B. Medium risk C. High risk D. Severe risk

C - An annualized loss exposure of $4.75 million would fall into the high risk classification according to the scale given.

Consider a hacker who unsuccessfully attacks a web server. What type of event would best describe this? A. A loss event B. A contact event C. A threat event D. A risk event

C - An unsuccessful attack on a web server would be considered a threat event, but not a loss event (as it was unsuccessful).

Where in the taxonomy do avoidance controls play a role in reducing Loss Event Frequency? A Loss Magnitude B Vulnerability C Contact Frequency D Probability of Action

C - Avoidance controls affect the frequency and/or likelihood of encountering threats and play a role in Contact Frequency.

Where in the taxonomy do avoidance controls play a role in impacting Threat Event Frequency? A. Loss Magnitude B. Vulnerability C. Contact Frequency D. Probability of Action

C - Avoidance controls impact the Contact Frequency.

Box #2 is comprised of which of the following: A Loss Event Frequency and Threat Event Frequency B Risk and Vulnerability C Threat Event Frequency and Vulnerability D Threat Capability and Resistance Strength

C - Box #2 Loss Event Frequency is comprised of Threat Event Frequency (Box 3) and Vulnerability (Box 4).

Boxes #2 and #7 combine to determine the: A. Threat B. Vulnerability C. Risk D. Loss

C - Boxes #2 (Loss Event Frequency) and #7 (Loss Magnitude) combine to determine risk.

Which of the following best describes why scenario scoping is important? A It determines whether value or liability exists. B It answers the question: "Risk is associated with what threat?". C It results in an overall saving in time. D It enables derivation of the Loss Event Frequency

C - Careful scenario scoping will result in an overall saving in time on the analysis due to better clarification of the requirements and less time troubleshooting and revising the analysis.

Why is it important to clearly document the key assumptions in an analysis? A. To adhere to the principle of diminishing returns B. To clearly identify the scenario objectives for the analysis C. To be able to defend the analysis if it is challenged D. To ensure that all assumptions for the analysis are supported by objective data

C - Challenging assumptions is key when estimating, so it is important to clearly document all assumptions so you can defend an analysis when challenged.

Consider the following loss types: 1 Competitive Advantage 2 Fines & Judgments 3 Productivity 4 Replacement Which of them are most commonly associated with Secondary Loss? A 1 and 3 B 2 and 4 C 1 and 2 D 3 and 4

C - Competitive Advantage and Fines & Judgments losses are commonly associated with Secondary Loss.

Which of the following is an example of an asset? A. A computer virus B. Cyber criminal C. Data D. Earthquake

C - Data is an example of an asset. A geological event such as an earthquake is a threat; similarly malicious agents such as a cyber criminal and a computer virus are also threats.

When choosing the abstraction level for an analysis, what should you do if you do not have available data on past loss events? A Estimate loss event frequency directly B Identify and interview the threat community C Step down a level and work at the Threat Event Frequency and Vulnerability levels D Work at the lowest level; for example, Resistance Strength

C - If we do not have data on past loss events, we should step down one level and attempt to work at Threat Event Frequency and Vulnerability.

Which of the following best describes the online retailer whose retail website is unavailable due to a system outage? A Asset holder B Loss agent C Primary stakeholder D Secondary stakeholder

C - In this risk scenario related to a retail website being unavailable, the owner of the asset at risk is known as the primary stakeholder.

Loss Magnitude is represented in Box #: A. 2 B. 4 C. 7 D. 8

C - Loss Magnitude is represented in Box #7.

Primary Loss is represented in Box #: A. 2 B. 7 C. 8 D. 9

C - Primary Loss is represented in Box #8.

An analyst estimates that the Resistance Strength for a set of preventative controls against the web hacker community is: Minimum: 55th percentile Maximum: 75th percentile Most Likely: 60th percentile What does the minimum value indicate in this example? A. 45% of all web hackers will be able to breach these controls. B. 55% is the likely success rate for web hackers to breach these controls. C. A threat agent with capability lower than the 55th percentile will not be able to breach these controls. D. Most web hackers will be able to breach these controls.

C - The minimum value indicates the minimum capability value below which all attempts to breach the controls should fail.

An analyst estimates that the web hacker community has a Threat Capability of: Minimum: 50th percentile Maximum: 75th percentile Most Likely: 60th percentile What does the most likely value indicate in this example? A. The likely success rate for web hackers in attacking an asset is 60%. B. It is most likely that 60% of all web hackers are above average in capability. C. Most web hackers will be at the 60th percentile in terms of capability. D. 60% of all web hackers are the most highly skilled.

C - The most likely value indicates the most likely skill level; in this case it indicates that the most likely attackers will be at the 60th percentile in terms of capability.

Which of the following best describes the principle of "diminishing returns"? A. A trade-off between definition of metrics and provision of a model for applying data B. A trade-off between good data tracked over a long period of time, and poor data that is one-time captured C. A trade-off between precision in results and the level of analysis effort D. A trade-off between revisiting the scope and reviewing the assumptions

C - The principle of diminishing returns often applies when choosing the abstraction level; often the deeper you go in the level of analysis, the results are not significantly better than a rougher measurement. So it is a trade-off between precision in results and level of the analysis effort.

What is the recommended technique for defining a threat community? A Threat agent parsing B Threat analysis C Threat profiling D Threat vector analysis

C - The recommended technique for defining a threat community is threat profiling.

Which of the following best describes the phase in which losses would occur as a result of customers and shareholders reacting negatively to the news that a retailer has suffered a major loss event? A Operational Loss B Primary Loss C Secondary Loss D Tertiary Loss

C - The second phase from a loss flow perspective is known as the Secondary Loss and occurs as a result of secondary stakeholders (customers, shareholders, regulators, etc.) reacting negatively to the Primary Loss event.

Which of the following best describes an unstable qualifier? A. The level of risk is based on a single point of failure. B. A qualitative scale is being used to represent risk tolerance. C. No preventative controls exist to control the frequency of loss events. D. The qualifier is based on a subjective assessment.

C - The unstable qualifier represents conditions where there are no preventative controls to manage the frequency of loss events and LEF is low solely since TEF is low.

What is the value that appears most often in a set of data known as? A The average value B The median C The mode D The standard deviation

C - The value that appears most often in a distribution is known as the mode.

Which one of the following describes three principles of The Open Group FAIR Certification Program? A Integrity, Scalability, Flexibility B Objectivity, Robustness, Simplicity C Openness, Fairness, Quality D Knowledge-based, Valuable, Simplicity E All of these

C - These match the principles stated in the Certification Policy document.

Consider the following statement: The odds of rolling "snake eyes" when rolling a pair of dice are 1 in 36. What is this statement an example of? A. Possibility B. Prediction C. Probability D. Prophecy

C - This is an example of a statement of probability.

Threat Capability is represented in Box #: A. 3 B. 4 C. 5 D. 8

C - Threat Capability is represented in Box #5.

The following is a partial list of threat communities: A. Cyber-criminals B. Contractors C. Employees D. Partners E. Malware Which of these would typically be classified as internal threat communities? A. a, b, and c B. b, c, and e C. b, c, and d D. a, c, and e

C - Typically contractors, employees, and partners would be seen as internal threat communities, whereas cyber criminals and malware are viewed as external threat communities.

Complete the sentence: The probability that an intentional act will take place is driven by three primary factors: Level of Effort (LoE), risk of detection, and __________. A. Activity B. Availability C. Value D. Vulnerability

C - Value (return on effort) is the other factor driving Probability of Action.

Which qualifier would be used to describe a lightning strike risk scenario? A. Fragile B. High Risk C. Random D. Unstable

D - A lightning strike is an example of an unstable qualifier as the LEF is low solely because the TEF is low and there are no preventative controls.

Which of the following is defined as a subset of a threat population sharing key characteristics? A Primary stakeholder B Secondary stakeholder C Threat agent D Threat community

D - A threat community is defined as a subset of the overall threat population that shares key characteristics.

Box #1 is comprised of which of the following: A Risk and Vulnerability B Risk and Loss C Threat Capability and Loss Frequency D Loss Event Frequency and Loss Magnitude

D - Box #1 Risk is comprised of Loss Event Frequency (Box 2) and Loss Magnitude (Box 7).

Box #4 is comprised of which of the following: A Secondary Loss Event Frequency and Secondary Loss Magnitude B Loss Event Frequency and Loss Magnitude C Risk and Vulnerability D Threat Capability and Resistance Strength

D - Box #4 Vulnerability is comprised of Threat Capability (Box 5) and Resistance Strength (Box 6).

Which of the following best describes the purpose of starting with absurd estimates? A To calculate the maximum likely values. B To determine best- and worst-case scenarios. C To obtain precise estimates of loss exposure. D To recognize values that are clearly not possible.

D - Calibration starts with making absurd estimates to enable the risk analysts to recognize starting values that are clearly not possible. It is also an attempt to break any bias an analyst might have.

Which of the following is most likely to be data that is more subjective in nature? A Data that is based on facts. B Data that helps to inform the estimate of risk. C Data gathered by multiple interviews. D Data that is based on one person's opinion.

D - Data based solely on one person's opinion is most likely to be more subjective in nature.

Where in the taxonomy do deterrent controls play a role in reducing Loss Event Frequency? A Loss Magnitude B Vulnerability C Contact Frequency D Probability of Action

D - Deterrent controls affect the likelihood of a threat acting in a manner that can result in harm, and play a role in Probability of Action.

Which of the following best completes the sentence: Distributions for which analysts have a high degree of confidence in the most likely value will be _________________. A Accurate but not precise B Based on objective data C Flat D Peaked and narrow

D - Distributions for which analysts have high confidence in the most likely value will be very peaked and narrow, whereas where there is a low confidence in the most likely value the distribution will be flat.

You estimate that the wingspan of a Boeing 747 airliner is exactly 33.2 meters. (Note that the actual wingspan of a 747-400 is 64.4 meters.) Which of the following best completes the sentence: This is an example of an estimate that is ______________? A. Accurate B. Accurate but not precise C. Precise D. Precise but not accurate

D - Estimating that the wingspan of a Boeing 747 airliner is exactly 33.2 meters is an example of an estimate that is precise but inaccurate.

Which is the appropriate level of abstraction for use in an analysis for the case where you are evaluating several different control options and need to identify the most effective? A. At the highest level of abstraction - Loss Event Frequency B. At the lowest level of abstraction - Contact Frequency C. One layer down from the highest level of abstraction - TEF, by deriving CF and PoA D. At the lowest level - analyzing RS and TCap to derive Vuln

D - If we are evaluating several different control options and are looking to identify which is most effective from a risk reduction perspective, then deriving Vuln by analyzing RS and TCap is often most appropriate.

Which of the following best describes Loss Event Frequency? A The probable frequency that a threat agent will act against an asset once contact occurs. B The probable frequency that a threat event will become a loss event. C The probable frequency that a threat agent will act against an asset within a given timeframe. D The probable frequency that a threat agent will inflict harm upon an asset within a given timeframe.

D - Loss Event Frequency is the probable frequency that a threat agent will inflict harm upon an asset within a given timeframe.

Consider the following loss types: 1 Competitive Advantage 2 Fines & Judgments 3 Productivity 4 Replacement Which of them are most commonly associated with Primary Loss? A 1 and 3 B 2 and 4 C 1 and 2 D 3 and 4

D - Productivity and Replacement Losses are commonly associated with Primary Loss.

Complete the sentence: Resistive controls affect the ___________________. A Frequency and likelihood of encountering threats B Likelihood of a threat acting in a manner that can result in harm C Amount of loss that results from a threat's action D Probability that a threat's action will result in loss

D - Resistive controls affect the probability that a threat's action will result in loss.

What should you do when developing a business case based on risk analysis? A. Make decisions on prioritization, risk acceptance, and budgeting B. Compare the issues, as well as the options and available solutions C. Take measurements in order to make comparisons D. All of the above

D - Risk management is about making decisions - decisions about which risk issues are most critical (prioritization), which issues can be accepted (risk acceptance), and how much to spend on managing risk issues (budgeting). To make effective decisions, you need to be able to compare the issues, options, and solutions, and in order to compare you need to take measurements.

Secondary Loss Magnitude is represented in Box #: A. 2 B. 5 C. 7 D. 11

D - Secondary Loss Magnitude is represented in Box #11.

Which of the following best completes the sentence: Since risk is invariably a matter of future events there is always some amount of _______________. A. Impossibility B. Prediction C. Probability D. Uncertainty

D - Since risk is invariably a matter of future events there is always some amount of uncertainty.

Which of the following best describes why Open FAIR makes extensive use of distributions for measurements and estimates? A. A distribution can be analyzed using Monte Carlo. B. A distribution is the best way to test confidence. C. A distribution is the best way to define a loss event. D. A distribution is more defensible than a single discrete value.

D - The advantage of using distributions versus attempting to derive discrete values is that it is easier to defend the range rather than a single value. For example, when estimating the Threat Capability of hackers, we typically see a range of capability, so using a range is more accurate.

Complete the sentence: When creating a distribution the analyst is required to provide four parameters: the confidence level, the minimum likely value, the maximum likely value, and the ______________. A Absurd starting value B Actual value C Estimated range of values D Most likely value

D - The four parameters for creating distributions in Open FAIR are: minimum likely value, most likely value, maximum likely value, and confidence level.

Which of the following is often the cause when analysts produce different results for an analysis? A. A different interpretation of the taxonomy B. A difference in experience C. Higher quality data D. Different assumptions

D - The most common cause of differences in results of an analysis is differences in the assumptions made by each analyst.

The results of a quantitative FAIR risk analysis have been computed using Monte Carlo and are presented as follows: Primary Loss Events per Year - Minimum: 0.1; Average: 0.25; Mode: 0.2; Maximum: 0.5. Given these results, what is the most likely value? A. The Primary Losses would occur once in 10 years. B. The Primary Losses would occur 50 times in 100 years. C. The Primary Losses would occur 25 times in 100 years. D. The Primary Losses would occur 10 times in 50 years.

D - The most likely value is the mode, which in the example provided is 10 times in 50 years (0.2).

Which of the following are the two factors that a threat agent can bring to bear against an asset? A Action and Contact B Capability and Strength C Effort and Threat D Time and Material

D - The two factors that make up the resources that a threat agent can bring to bear against an asset are time and material.

What are the two factors that determine Vulnerability? A Threat Event Frequency and Vulnerability B Primary Loss and Risk C Probability of Action and Random Contact D Threat Capability and Resistance Strength

D - The two primary factors that determine Vulnerability are Threat Capability and Resistance Strength.

Vulnerability is represented in Box #: A. 2 B. 7 C. 3 D. 4

D - Vulnerability is represented in Box #4.

Which of the following topic areas is not included in the Open FAIR Foundation certification syllabus? A Measurement B Terminology C Analysis Process D Results E Architecting Risk

E - Architecting risk is not part of the Open FAIR Foundation certification syllabus.

