Problem: If failed_login_attempt for application user is set then after failing specific number of login attempt user will be lock. If failed_login_attempt is unlimited then hacker can establish connection without any user connection and execute the loop for guessing username and password.
Solution: SEC __MAX_FAILED LOGIN_ATTEMPTS is a new feature in Oracle 11g. It specifies the number of authentication attempts that can be made by a client on a connection to the server process. This parameter target against brute force attacks. An intruder could start a server process first and then try to establish connection by guessing/Program generated password. Using that parameter it is possible to limit the number of failed login attempts. After the specified number of authentication attempts fails, the database processes drop the connection. Default value of SEC_MAX_FAILED_LOGIN_ATTEMPTS is 10. This initialization parameter is designed to stop intruder from attacking application, it does not apply to valid user. It is not a dynamic parameter.
SEC_MAX_FAILED_LOGIN_ATTEMPTS only works application uses OCI Program. It does not work in sqlplus so a user can try unlimited time with guessing password from sqlplus even though the parameter is set but usually intruder attack using OCI program.