A “FAIR” Ending To A Tumultuous Year

3 min read

Following is a summary of a personal goal accomplished in a year that wasn’t.


In a few days, this year will be coming to an end that we all wish had never happened. As we wait for the new year to bring a sense of relief and hope, 2020 left us a lot (pandemic, social unrest, US elections, breaches) to reflect, learn, adapt at a pace we were not previously accustomed to. 

When this year began, I had set few personal goals and one of them was to get certified in Factor Analysis of Information Risk (FAIR). I had this on my radar for a couple of years but did not prioritize it. All this was instigated years ago, when I started performing Cybersecurity assessment(s) using heat maps – my immediate reaction was mixed with feelings of discomfort, unfulfillment and a sense of putting in a CRAPpy effort. I believed that there’s probably a better way to do this, and then I stumbled upon the FAIR framework in 2012. This was back when FAIR Institute was “Risk Management Insight”.

It wasn’t until 2016 when I embarked on a journey to learn and apply quantification of Cybersecurity risk. Thanks to Douglas Hubbard and Richard Seiersen for their work on risk and Jack Jones and Jack Freund for FAIR. Ever since, I have been learning, contributing, and evangelizing the FAIR model. There was no better time to get certified and close this year in “FAIR” terms, especially when the FAIR Institute had reached a 10,000 member milestone. I had completed this goal last week – check!

Why It Is Fair To Adopt FAIR?

Before I rationalize why we need to adopt a model like FAIR, since this has been the year of the pandemic – I would like to provide some context around the occurrence of COVID-19 that was very commonly and erroneously categorized as a Black Swan event. Michele Wucker, in her book – The Gray Rhino: How to Recognize and Act on the Obvious Dangers We Ignore, mentions that Black Swan events should in fact be categorized as Gray Rhino events. FAIR Institute President Nick Sanna points that the difference between the two – Black Swan versus Gray Rhino: a rare, unpredictable event with serious and unavoidable effects versus a highly probable, high impact yet neglected event. COVID-19 is a Gray Rhino and not a Black Swan. The FAIR model provides risk professionals extra tools – risk conditions, to treat such events. 

If your organization is looking to leverage the FAIR model, the first step is to get your entire security team, including managers and directors FAIR certified as the Highmark Health CISO Omar Khawaja suggests.

David Musselwhite provides three reasons you should get FAIR certified. I concur with all of those but would like to add three more.

  1. FAIR framework offers a baseline knowledge that is essential to speak a common risk language and inculcate that critical thinking approach wherever you are in the organizational food chain
  2. If you are a Cybersecurity professional, irrespective of experience, learning and getting FAIR certified only improves how you approach, manage, and communicate risk – both at your workplace and your daily life
  3. The knowledge gained by preparing and attempting this certification is eternal, even if you decide not to leverage FAIR or adopt a different risk analysis framework

Preparation And Certification

Over the years, there have been various posts on how to prepare and pass the Open FAIR certification. I have provided that list below:

  1. Recipe for passing the OpenFAIR exam 
  2. 4 tips to prepare for the Open FAIR certification exam
  3. Tips to prepare for the Open FAIR certification exam
  4. How to prepare for the Open FAIR certification exam
  5. Key terms in Cyber Risk analysis – Test your knowledge 
  6. 6-step guide to becoming FAIR trained

I took the Open FAIR certification from the comfort of my home, late in the night when its quite. If I had to do it again, I would probably go to the test center. Mainly because of the overall time it took to complete the exam. The amount of waiting time for the online proctor to perform all verifications, checks, and finally releasing the test was awfully long (or it probably seemed like it as you cannot move away from the camera once the live monitoring begins!) when compared to the time it would take if you were at a test center.

Looking forward to a FAIRer 2021!

A “FAIR” Ending To A Tumultuous Year

by Indrajit (Indy) Atluri time to read: 3 min