
100+ Free Open FAIR 2 Foundation Practice Questions

Pass your Open FAIR 2 Foundation (OGOF-101) exam on the first try — instant access, no signup required.

✓ No registration ✓ No credit card ✓ No hidden fees ✓ Start practicing immediately
~75% Pass Rate
100+ Questions
100% Free
2026 Statistics

Key Facts: Open FAIR 2 Foundation Exam

  • Exam Questions: 40 (The Open Group OGOF-101 exam plan)
  • Passing Score (24/40): 60% (The Open Group)
  • Exam Duration: 60 min (The Open Group)
  • Exam Fee: $200 (The Open Group 2026 retail schedule)
  • Validity: Lifetime (The Open Group)
  • Body of Knowledge: Open FAIR 2 (O-RT and O-RA standards)

The Open FAIR 2 Foundation exam (OGOF-101) has 40 multiple-choice questions in 60 minutes, with a 60% (24/40) passing score. The body of knowledge is the Open FAIR 2 standard set — the O-RT (Risk Taxonomy) and O-RA (Risk Analysis) documents from The Open Group — covering definitions of risk, the FAIR taxonomy (Risk = LEF x LM with LEF and LM each decomposed), threat communities and threat actions, the six forms of loss, FAIR control categories, the four stages of a FAIR analysis, calibrated estimation, PERT distributions, Monte Carlo simulation, and quantitative risk reporting. The credential replaces the legacy OG0-041 Open FAIR Foundation and aligns with the FAIR Institute's open-source FAIR 2 body of knowledge. Lifetime validity with no recertification. Exam is delivered at Pearson VUE test centers and via OnVUE remote proctoring; fee is $200 USD per The Open Group's 2026 retail schedule.

Sample Open FAIR 2 Foundation Practice Questions

Try these sample questions to test your Open FAIR 2 Foundation exam readiness. Each question includes a detailed explanation. Start the interactive quiz above for the full 100+ question experience with AI tutoring.

1. How does the FAIR methodology define risk?
A. The probable frequency and probable magnitude of future loss
B. The presence of a vulnerability that a threat could exploit
C. Any negative event impacting confidentiality, integrity, or availability
D. Uncertainty about future business outcomes
Explanation: FAIR defines risk as the probable frequency and probable magnitude of future loss. This definition is deliberately quantitative and forward-looking — risk is about HOW OFTEN loss is likely to occur and HOW BIG those losses are likely to be, not the mere presence of a threat or vulnerability.

2. In the FAIR taxonomy, Risk is decomposed into which two factors?
A. Loss Event Frequency and Loss Magnitude
B. Threat Event Frequency and Vulnerability
C. Contact Frequency and Probability of Action
D. Threat Capability and Resistance Strength
Explanation: At the top of the FAIR taxonomy, Risk = Loss Event Frequency (LEF) x Loss Magnitude (LM). LEF answers how often loss occurs; LM answers how large each loss is. The other pairs listed are LOWER-level decompositions of LEF and Vulnerability.

3. In the FAIR taxonomy, Loss Event Frequency (LEF) is the product of which two factors?
A. Threat Event Frequency and Vulnerability
B. Contact Frequency and Probability of Action
C. Threat Capability and Resistance Strength
D. Primary Loss and Secondary Loss
Explanation: LEF = Threat Event Frequency (TEF) x Vulnerability. TEF is how often a threat acts against the asset; Vulnerability is the probability that, given an action, a loss actually occurs. Multiplying them yields the rate of LOSS events.

4. In the FAIR taxonomy, Threat Event Frequency (TEF) is decomposed into which two factors?
A. Contact Frequency and Probability of Action
B. Threat Capability and Resistance Strength
C. Primary Loss and Secondary Loss
D. Loss Event Frequency and Loss Magnitude
Explanation: TEF = Contact Frequency x Probability of Action. Contact Frequency is how often a threat agent comes into contact with the asset; Probability of Action is the conditional probability that, given contact, the agent acts in a way that could cause loss.

5. In the FAIR taxonomy, Vulnerability is determined by the comparison of which two factors?
A. Threat Capability and Resistance Strength
B. Contact Frequency and Probability of Action
C. Primary Loss and Secondary Loss
D. Threat Event Frequency and Loss Event Frequency
Explanation: Vulnerability is the probability that a threat event becomes a loss event, derived from comparing Threat Capability (TCap — what the threat agent can bring to bear) with Resistance Strength (RS — what the asset and its controls can withstand). When TCap exceeds RS, a loss occurs.

6. In the FAIR taxonomy, Loss Magnitude (LM) is decomposed into which two factors?
A. Primary Loss Magnitude and Secondary Loss Magnitude
B. Threat Event Frequency and Vulnerability
C. Contact Frequency and Probability of Action
D. Threat Capability and Resistance Strength
Explanation: LM = Primary Loss Magnitude + Secondary Loss Magnitude. Primary Loss is the direct impact on the organization in every loss event. Secondary Loss is the reactionary impact from other stakeholders (regulators, customers, etc.) and is only sometimes triggered.

7. How many forms of loss does the FAIR methodology recognize?
A. Six
B. Four
C. Eight
D. Five
Explanation: FAIR recognizes six forms of loss: Productivity, Response, Replacement, Fines and Judgments, Competitive Advantage, and Reputation. Every loss in a FAIR analysis should map to one or more of these six forms.

8. Which of the following is NOT one of the six FAIR forms of loss?
A. Compliance
B. Productivity
C. Response
D. Replacement
Explanation: The six FAIR forms of loss are Productivity, Response, Replacement, Fines and Judgments, Competitive Advantage, and Reputation. Compliance is not a separate FAIR form — regulatory fines fall under Fines and Judgments, and remediation costs fall under Response.

9. In FAIR, which form of loss covers regulatory penalties and legal damages?
A. Fines and Judgments
B. Response
C. Replacement
D. Reputation
Explanation: Fines and Judgments is the FAIR form of loss that includes regulatory fines (HIPAA, GDPR, etc.) and damages awarded in civil judgments. Response covers the cost of REACTING to a loss event (forensics, outside counsel), and Replacement covers replacing or repairing damaged assets.

10. In FAIR, which form of loss includes the costs of incident response activities such as forensic investigation and outside counsel?
A. Response
B. Replacement
C. Productivity
D. Fines and Judgments
Explanation: Response loss covers the costs an organization incurs while reacting to a loss event — forensics, legal counsel, public relations, internal investigation hours, notification costs. Replacement is for replacing damaged or stolen assets, and Productivity is the inability to deliver value during downtime.

About the Open FAIR 2 Foundation Exam

The Open FAIR 2 Foundation certification (OGOF-101) validates understanding of the Factor Analysis of Information Risk methodology and the FAIR risk taxonomy as formalized by The Open Group in the O-RT (Risk Taxonomy) and O-RA (Risk Analysis) standards. The exam covers core risk concepts, the full FAIR taxonomy tree, threat communities and actions, the six forms of loss, FAIR control categories, the stages of a FAIR analysis, calibrated estimation with PERT and Monte Carlo simulation, and how to articulate quantitative risk results in business terms.

Assessment

40 multiple-choice questions distributed across the Open FAIR 2 Body of Knowledge: risk concepts and terminology, the FAIR Risk Taxonomy (LEF, TEF, Vulnerability, LM), threat communities and actions, six forms of loss, control categories, the four stages of FAIR analysis, calibrated estimation and PERT, and risk reporting.

Time Limit

60 minutes

Passing Score

60% (24/40)

Exam Fee

$200 USD (The Open Group / Pearson VUE)

Open FAIR 2 Foundation Exam Content Outline

Risk Concepts and Terminology (15%)

FAIR definition of risk as the probable frequency and probable magnitude of future loss; precise definitions of threat, vulnerability, asset, and control; distinguishing risk from commonly conflated terms (threat, vulnerability, hazard, uncertainty).

FAIR Risk Taxonomy (25%)

The core formula chain: Risk = Loss Event Frequency x Loss Magnitude; LEF = Threat Event Frequency x Vulnerability; TEF = Contact Frequency x Probability of Action; Vulnerability = Threat Capability vs Resistance Strength; LM = Primary Loss + Secondary Loss; Secondary Loss = Secondary Loss Event Frequency x Secondary Loss Magnitude.

Threat Communities and Threat Actions (10%)

Threat community profiling (internal staff, contractors, partners, customers, cyber criminals, nation-states, activists, competitors, natural events); five threat action categories (Access, Misuse, Disclose, Modify, Deny Access) and how each maps to loss events.

Loss Forms and Loss Magnitude (15%)

The six forms of loss: Productivity, Response, Replacement, Fines and Judgments, Competitive Advantage, Reputation. Distinguishing Primary Loss (direct, occurs in every loss event) from Secondary Loss (stakeholder reactions, only sometimes triggered).

Controls (10%)

FAIR control categories: Avoidance (reduces Contact Frequency), Deterrent (reduces Probability of Action), Preventive/Resistive (reduces Vulnerability), Detective (reduces LM), Responsive (reduces LM). Introduction to FAIR-CAM as the Controls Analytics Model.

Stages of FAIR Analysis (15%)

Four stages: (1) identify scenario components — Asset at Risk, Threat Community, Threat Action; (2) evaluate Loss Event Frequency; (3) evaluate Loss Magnitude; (4) derive and articulate risk. Calibrated estimation, 90% confidence intervals, PERT distributions, Monte Carlo simulation.

Risk Reporting and Use (10%)

Quantitative reporting outputs: Annualized Loss Expectancy (ALE), loss exceedance curves, Return on Security Investment (ROSI); inherent vs residual vs future-state risk; risk register; mapping FAIR to ISO 27005, NIST 800-30, ISO 31000, and the NIST Cybersecurity Framework.

How to Pass the Open FAIR 2 Foundation Exam

What You Need to Know

  • Passing score: 60% (24/40)
  • Assessment: 40 multiple-choice questions distributed across the Open FAIR 2 Body of Knowledge: risk concepts and terminology, the FAIR Risk Taxonomy (LEF, TEF, Vulnerability, LM), threat communities and actions, six forms of loss, control categories, the four stages of FAIR analysis, calibrated estimation and PERT, and risk reporting.
  • Time limit: 60 minutes
  • Exam fee: $200 USD

Keys to Passing

  • Complete 500+ practice questions
  • Score 80%+ consistently before scheduling
  • Focus on highest-weighted sections
  • Use our AI tutor for tough concepts

Open FAIR 2 Foundation Study Tips from Top Performers

1. Draw the FAIR taxonomy tree from memory on a single sheet every morning during prep: Risk at the top, branching to LEF and LM, then LEF to TEF and Vulnerability, TEF to Contact Frequency and Probability of Action, Vulnerability to Threat Capability and Resistance Strength, and LM to Primary and Secondary Loss with Secondary further decomposing into SLEF and SLM.
2. Master the LEF vs TEF distinction. Threat Event Frequency is how often a threat ACTS against an asset; Loss Event Frequency is how often that action actually produces loss. The difference is Vulnerability — only when Threat Capability exceeds Resistance Strength does a threat event become a loss event.
3. Memorize the six forms of loss in order: Productivity, Response, Replacement, Fines and Judgments, Competitive Advantage, Reputation. Be ready to classify a specific cost (e.g., outside counsel fees = Response; HIPAA penalty = Fines and Judgments).
4. Distinguish Primary Loss from Secondary Loss precisely. Primary Loss occurs in every loss event (the immediate impact on the organization). Secondary Loss is the reactionary impact from other stakeholders (customers, regulators, partners) and is gated by Secondary Loss Event Frequency — not every primary loss triggers secondary loss.
5. Learn the four stages of a FAIR analysis in order: (1) scenario components — Asset, Threat Community, Threat Action; (2) evaluate LEF; (3) evaluate LM; (4) derive and articulate risk. Foundation questions often test stage ordering.
6. Calibrated estimation is built on 90% confidence intervals — a calibrated estimator is one whose 90% intervals contain the true value 90% of the time. PERT distributions take a min, most-likely, and max estimate and produce a smooth probability curve that Monte Carlo simulation samples.
7. Know the FAIR control categories and where each one acts in the taxonomy: Avoidance reduces Contact Frequency; Deterrent reduces Probability of Action; Preventive (Resistive) reduces Vulnerability by raising Resistance Strength; Detective and Responsive reduce Loss Magnitude.
8. Practice expressing FAIR outputs as loss exceedance curves and Annualized Loss Expectancy, not as red/yellow/green heat-map cells. FAIR proponents view heat maps as a distortion of underlying probability information.

Frequently Asked Questions

What is the Open FAIR 2 Foundation certification?

OGOF-101 is The Open Group's foundation-level certification for the Factor Analysis of Information Risk (FAIR) methodology. It validates understanding of the FAIR risk taxonomy as defined by the O-RT and O-RA standards, plus the practical steps of running a FAIR analysis from scenario definition through quantitative results. It is the entry credential for FAIR practitioners and a recognized signal for risk-quantification competence in cyber and operational risk teams.

How is OGOF-101 different from the legacy OG0-041 Open FAIR?

OGOF-101 is built on the Open FAIR 2 body of knowledge, the updated taxonomy maintained jointly by The Open Group and the FAIR Institute. The legacy OG0-041 Open FAIR Foundation exam is retired. Holders of OG0-041 may continue to use the credential, but new candidates should sit OGOF-101 to certify against the current standard.

How is the OGOF-101 exam structured?

40 multiple-choice questions in 60 minutes; passing score is 60% (24 correct). Closed-book. Questions cover risk concepts and terminology, the full FAIR risk taxonomy (LEF, TEF, Vulnerability, LM with sub-decompositions), threat communities and threat actions, the six forms of loss, FAIR control categories, the four stages of a FAIR analysis, calibrated estimation, and risk reporting. Delivered at Pearson VUE test centers or remotely via OnVUE.

How much does OGOF-101 cost?

Per The Open Group's exam fee schedule for 2026, OGOF-101 costs USD $200 (retail voucher). Accredited training providers may bundle exam vouchers with their courses at a discount. There is no application fee — just the exam fee.

How hard is the OGOF-101 exam?

Foundation-level — well-prepared candidates pass on the first attempt at a high rate. The challenge is in mastering precise FAIR terminology and distinguishing easily conflated factors: Threat Event Frequency vs Loss Event Frequency, Threat Capability vs Resistance Strength, Primary vs Secondary Loss, Vulnerability vs Risk. Plan for 25-40 hours of study with the Open FAIR 2 BoK and 100+ practice questions.

What study materials are recommended?

The Open Group's O-RT (Risk Taxonomy) and O-RA (Risk Analysis) standards, both available as free PDFs. The FAIR Institute provides a public Open FAIR 2 Body of Knowledge and community study resources. Supplement with calibration training materials in the Hubbard tradition for the estimation portion, and practice 100+ scenario and taxonomy questions before sitting the exam.

Is OGOF-101 valid for life?

Yes — lifetime validity with no recertification or continuing-education requirement. If a future FAIR taxonomy version is released, The Open Group typically offers a bridging exam so existing credential holders can update without retaking the full exam.

Who should take Open FAIR Foundation?

Cyber risk analysts, GRC and ERM practitioners, internal auditors, CISO-office staff, security architects, and business architects who need to defend risk decisions in dollar terms. FAIR is also relevant for executive risk reporting because it produces ranges and distributions rather than heat-map colors.