However, I decided not to stop there, but to search further for holistic and effective standards for cyber risk quantification. Through that, I came across Factor Analysis for Information Risk (FAIR™), which I believe is complementary to CRISC.
FAIR is the only international standard Value at Risk model for cybersecurity and operational risk. It provides a model for understanding, analyzing and quantifying information risk in financial terms. I started to get obsessed with FAIR after I realized its beauty and importance in risk quantification – it indeed makes sense to me scientifically and practically. So I decided to get certified with such a solid standard and to expand my knowledge into this interesting domain for further opportunities internationally.
Socrates said almost 2,500 years ago, “The beginning of wisdom is the definition of terms.” This quote has stuck in my mind for a long time and I can relate it here to risk taxonomy.
To gain a general understanding, I started by reading the following:
For direct exam preparation, I strongly advise you to go to the Open Group official website and start reading about Open FAIR™ Certification.
I managed my preparation as self-study in the following order:
Free Resources:
Developed my study plan using an Excel sheet to go through all the available resources with reference notes for later review and to track my progress.
Premium Resources:
Editor’s Note:
For a guided learning experience led by instructors and including realistic analysis practice, many organizations choose to educate their teams on FAIR with the RiskLens Academy’s FAIR Analysis Fundamentals course, available online or in classroom settings at the annual FAIR Conference, through the SANS Institute and other venues. Students who complete the course receive a voucher to take the FAIR certification exam for free from the Open Group. Learn more about FAIR Analysis Fundamentals training.
Study these very well and focus on understanding and comprehension rather than memorizing everything:
I went through the official Open FAIR Study Guide and practiced the sample questions at the end of each chapter, and then took the Official Exam Paper – the results were reasonable with medium confidence and I did a knowledge gap analysis. I decided to book the Open FAIR exam, then do the final review and fill the gaps that I had.
NOTE: For me, one of the difficult aspects of FAIR methodology was terms normalization for all the risk factors. I overcame this by reading each and every definition daily and relating each factor to a practical example in my daily life.
The exam itself was like any other exam: If you are well prepared, you are going to clear it by practice and self-confidence. And the journey should not stop here.
I personally was satisfied with this major milestone in my professional life and that I passed it by self-study. I learned a lot of things that transformed my ability to apply critical thinking to risk, to understand the complex nature of risk and to optimize risk decision making – and most importantly not to be deceived by the subjective nature of any qualitative assessment.
I strongly recommend that you go for the Open FAIR certification program, whether you have little or extensive experience.