Measuring and Managing Cyber Risk Using FAIR

Course Syllabus  ·  24 CPEs  ·   Laptop Requirements

As the number and complexity of cybersecurity attacks continue to increase, it is more important than ever that organizations have the ability to measure risk from various scenarios and prioritize the scenarios with the largest forecasted losses for mitigation. Once a scenario is selected for mitigation, it is critical that the most cost-effective solution be chosen - that is, the solution that reduces the largest amount of risk per dollar spent in implementation. FAIR-based risk analysis enables these decisions and many more.

Empower Effective Risk Management

Effective risk management depends on your organization making well-informed decisions, which require effective comparisons. You cannot make effective comparisons if you don't have meaningful measurements. The subjective likelihood and impact matrices and heat maps of traditional risk management do not offer meaningful measurements - how do we know what "high" means? How can we trust that you understand what I mean when I say "medium risk?"

Luckily, risk can be measured and forecasted. Using ranges, calibrated estimation, and Monte Carlo simulation, it is possible to estimate how many times over a given time frame a bad thing is likely to occur and how much money it is likely to cost the organization each time it does. From those two values you can forecast a range of probable total losses your organization faces from that scenario. You can measure and forecast risk in a way that is meaningful and enables your organization to make effective comparisons and well-informed decisions that effectively manage risk.
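The forecast described above, sketched as an added example that is not part of the course material or the RiskLens platform: ranges for event frequency and per-event loss are sampled in a Monte Carlo loop to give a range of annual loss, and two mitigations are compared by risk reduced per dollar. The lognormal and Poisson distributions, the 90% ranges and both control costs are constructed assumptions.

```python
import math
import random

Z90 = 1.6448536269514722  # z-score that bounds a central 90% interval

def lognormal_from_ci(low, high):
    """(mu, sigma) of a lognormal whose 5th/95th percentiles are low/high."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def poisson(rng, lam):
    """Event count for one year via Knuth's method (suits small rates)."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k

def simulate_annual_loss(freq_ci, loss_ci, trials=20000, seed=1):
    """Sorted total loss per simulated year, in dollars."""
    rng = random.Random(seed)
    f_mu, f_sigma = lognormal_from_ci(*freq_ci)
    l_mu, l_sigma = lognormal_from_ci(*loss_ci)
    totals = []
    for _ in range(trials):
        rate = rng.lognormvariate(f_mu, f_sigma)  # uncertain events per year
        events = poisson(rng, rate)
        totals.append(sum(rng.lognormvariate(l_mu, l_sigma) for _ in range(events)))
    return sorted(totals)

def summarize(totals):
    """10th/50th/90th percentiles and mean of the simulated annual losses."""
    pick = lambda q: totals[int(q * (len(totals) - 1))]
    return {"p10": pick(0.10), "p50": pick(0.50), "p90": pick(0.90),
            "mean": sum(totals) / len(totals)}

def reduction_per_dollar(baseline, treated, cost):
    """Mean annual loss avoided per dollar spent on the mitigation."""
    return (summarize(baseline)["mean"] - summarize(treated)["mean"]) / cost

# Constructed 90% ranges: (low, high) events per year and dollars per event.
BASE_FREQ, BASE_LOSS = (0.5, 4.0), (20_000, 500_000)

if __name__ == "__main__":
    base = simulate_annual_loss(BASE_FREQ, BASE_LOSS)
    fewer = simulate_annual_loss((0.2, 1.5), BASE_LOSS)           # control A, $60k
    cheaper = simulate_annual_loss(BASE_FREQ, (10_000, 150_000))  # control B, $150k
    print(summarize(base))
    print("A:", reduction_per_dollar(base, fewer, 60_000))
    print("B:", reduction_per_dollar(base, cheaper, 150_000))
```

With these constructed inputs, the cheaper frequency-reducing control A avoids more loss per dollar than control B, which is the comparison a single "high" or "medium" label cannot express.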

Consistently Model and Measure Risk

Deriving meaningful measurements of risk in dollars requires an accurate model of risk. This course will teach you the fundamentals of the FAIR model, the international standard model for quantifying risk invented by Jack Jones and endorsed by The Open Group and many other organizations. You will master the foundational terms and definitions of quantitative risk analysis, understand the different factors of risk and how they interact, and be able to apply the FAIR model to real-life case studies to quantify risk using calibrated estimates and Monte Carlo simulation. This foundational knowledge and experience will prepare you to successfully attain The Open Group's OpenFAIR Certification.

Conduct Successful Risk Analyses

In addition to the foundational knowledge required to apply the FAIR model, the course features in-depth treatment of the Risk Management Process and the role FAIR plays in each of its five phases: Risk Identification, Risk Analysis, Risk Evaluation, Risk Treatment, and Risk Monitoring. Particular attention is paid to the risk analysis sub-process, providing learners with the concrete skills needed to successfully complete a FAIR-based analysis, including properly scoping the scenario, collecting data and estimates of the relevant factors of the FAIR model, running analysis and conducting quality assurance on the results, and presenting the results to decision-makers.

After completing this course, you will have the skills and resources necessary to measure the risk associated with scenarios of all types. This will prepare you to fundamentally change the way risk management is conducted in your organization and make huge contributions to the protection of your company's value.

Course Syllabus


We begin Day 1 with a discussion of what risk management should enable an organization to do. What are the goals of risk management? How does the risk management process work? After this, we'll explore traditional/qualitative risk management methods and identify why they are sub-optimal. From there, we will begin our exploration of FAIR by aligning on a common lexicon of risk, discussing foundational concepts of quantitative analysis, and learning about calibrated estimation. We will conclude the day by learning the components of the FAIR model itself.

CPE/CMU Credits: 6



  • Risk Management: Process and Goals
  • The Flaws of Traditional/Qualitative Risk Management
  • The Risk Lexicon
  • Effective Risk Management Using FAIR

FAIR Fundamentals Part 1

  • Foundational Concepts
  • Making Calibrated Estimates
  • The FAIR Model

Day 2 extends your knowledge of the FAIR model and how to use it to conduct quantitative risk analyses. We will discuss Monte Carlo simulation, a high-level overview of the risk analysis sub-process, and the role controls play in a FAIR-based analysis. We'll conclude the day with three case studies that will allow you to practice applying FAIR to real-life situations using the RiskLens software platform.

CPE/CMU Credits: 6


FAIR Fundamentals Part 2

  • Monte Carlo Simulation
  • The Risk Analysis Sub-Process
  • Considering Controls in FAIR Analyses

Applying FAIR

  • Case Study 1 and Discussion
  • Case Study 2 and Discussion
  • Case Study 3 and Discussion

Day 3 begins the portion of the training focused on honing your skills as a risk analyst. You are familiar with the FAIR model and can apply it to real-life situations, but how does that translate to conducting analyses in your organizations? Days 3 and 4 give you the boots-on-the-ground skills you need to properly scope an analysis effort, collect data and estimates for the variables of the FAIR model, perform quality assurance on your results, and present those results to decision makers.

CPE/CMU Credits: 6


The Risk Analysis Sub-Process

Scoping Analyses

  • Elements and Importance of Scoping
  • Scoping Multiple Scenarios
  • Prioritizing Scenarios for Analysis

Collecting Data and Estimates

  • Data Collection Spectrum
  • Context-Specific Questions
  • Identifying SMEs
  • Conducting Calibrated Estimation Sessions

On Day 4 we'll conclude our study of the skills required to competently perform a risk analysis. We will wrap up the course with a comprehensive review of the material covered on the OpenFAIR Certification Exam using an exam study guide and mock assessment questions.

CPE/CMU Credits: 6


Performing Quality Assurance on Analysis Results

  • Quality Assurance Checklist
  • Validating Results and Rationale
  • Validating Analysis' Purpose
  • Conducting Comparative Analyses

Presenting Results

  • Planning and Delivering Results Presentations
  • Preparing Written Reporting

Course Review/Exam Preparation

  • OpenFAIR Certification
  • Exam Study Guide/Practice Questions
  • Course Evaluation

Additional Information

A laptop with a modern web browser (e.g. new versions of Chrome, Edge, Firefox) is required to access web-based exercises. Internet access will be provided using a dedicated wireless network. Therefore, student laptops must be capable of accessing wireless networks and students should have the ability to configure all wireless network settings on their machine.

If you have additional questions about the laptop specifications, please contact

This course will benefit anyone who needs to understand how to measure and manage cyber risk, including:

  • Chief Risk Officers
  • Chief Information Security Officers
  • Chief Information Officers
  • Enterprise Risk Management leaders and analysts
  • Information Risk Management leaders and analysts

There are no prerequisites for this course, although familiarity with the FAIR model and quantitative risk analysis methods may be helpful.

  • 4 days of hands-on instruction delivered by an experienced FAIR practitioner from RiskLens
  • Course manual and exercises
  • Access to the RiskLens software platform so you can complete case studies
  • A study guide to prepare you for the OpenFAIR Certification Exam offered by The Open Group
  • A voucher to completely defray the cost of your certification exam

Throughout the course learners will participate in activities that will reinforce the concepts being taught and give learners the opportunity to apply new knowledge and skills. These exercises include, but are not limited to:

  • Three case studies where learners will apply the FAIR Model to real-life analysis topics such as DDoS and phishing attacks.
  • Role-playing exercises designed to give learners practice applying the skills necessary to successfully complete quantitative risk analyses.
  • Examination and critique of artifacts from quantitative risk analyses. Learners will identify flaws or failures to properly execute on the risk analysis sub-process and make recommendations for correcting issues.

Author Statement

"In order to effectively manage risk, an organization has to make well-informed decisions. Making decisions involves making comparisons. Which risk scenario should we seek to mitigate? Which remediation plan will reduce risk in the most cost-effective manner? These comparisons require meaningful measurement.

Today, risk is measured on 1-5 scales and given high, medium, or low labels. These "measurements" aren't rational or logically defensible and suffer from the subjective biases of both the analyst and the consumer. How do you know what someone means when they say "this is a medium risk?" Which high/red risk is higher/more red? Is reducing a high risk to a medium risk worth the cost of the mitigation strategy? Without meaningful measurements we can't make well-informed decisions in the risk management space.

To meaningfully measure risk you need a logical framework and repeatable process that provides more objective results in the form of a range of possible loss over a given timeframe. Only then can you compare and see which scenario presents more risk to your organization or which mitigation strategy you should go with.

I'm very excited to share that logical framework and repeatable process with you over the four days of this course. Learning about FAIR changed the trajectory of my career and allowed me to implement a successful risk management program, completely based on quantitative analysis, at one of the largest financial services firms in the country. I'm thrilled to share my knowledge and experience with you and can't wait to see the impacts you will have in your organizations after you put the knowledge and skills you gain from this course into practice."

David Musselwhite

Risk Consultant and Training Lead

RiskLens, Inc.