ABSTRACT

After reading this chapter, students are expected to achieve an understanding of:

How FTA works
How ETA works
How IFEAR works
How to compute probabilities in FTA
How to compute probabilities in ETA
How to manage risks using FEA-integrated methodology
How to mitigate risks using simulation

8.1 Introduction

This chapter proposes a layered security assessment and enhancement methodology intended to provide continual information security for an organization. This methodology is not intended to replace the security risk management approach required by ISO 27001 as a part of the technical audit performed to develop an Information Security Management System (ISMS). This methodology integrates the fault tree analysis (FTA) and the event tree analysis (ETA) [1] approaches to link detection-failure episodes and their effects on harmful consequences caused by events generated by system failures. The integrated approach will be called, throughout this book, the fault event analysis (FEA). The FTA approach generates information about the consequences of undesired incidents caused by system failures [2,4,6]. We apply an incident response approach to plan any corrective actions to alleviate the effects of undesired events. The security assessment and enhancement methodology we are proposing is called the Integrated Fault Event Analysis and Response (IFEAR) framework. Findings from applying IFEAR are also useful in defining information security requirements produced in security planning.