USING FAULT TREE ANALYSIS WITH COBIT 5 RISK SCENARIOS

Information System Audit and Control Association (ISACA) proposed a preliminary idea on applying fault tree analysis to look at the root reasons for the IT risks outlined in COBIT 5 Risk Scenarios. So far, there was no prescriptive procedure/ methodology, which could be used to build the fault tree. This research looked into various methodologies for building the fault tree and proposed a new methodology, which could be used for analysis of risks outlined in COBIT 5 Risk Scenarios document. The methodology has been developed specific to COBIT 5 processes to build the fault tree, which, in turn, can help to outline the common factors that lead to failure of the processes subsequently leading to a risk. Fault tree analysis, could help to improve processes and suggest potential mitigation strategy to improve management/governance of IT. The paper also includes a sample of using the proposed methodology on one of the risk scenarios in order to calculate minimal cut set of IT management practices that organization needs to focus on to address specific risks.