A principal challenge many enterprises face is identifying exposures in their complex IT infrastructures. There are considerable business dependencies on this strategic resource, and weaknesses within the IT infrastructure may lead to serious business interruptions. It is not enough, however, merely to identify weaknesses; the impact of those weaknesses must also be clearly understood and quantified. This is an important point because it is difficult to know how much to invest in strengthening the infrastructure unless there is a sense of the size of the risk to the organization.
IT infrastructures can fail due to a wide range of events. These events can be as simple as a process failure or as catastrophic as a full system crash. It is unrealistic and costly to eliminate each and every harmful event; therefore, a priority ranking based on the consequence of the event is very useful. Ranking the potentially damaging events by their economic impact and likelihood of occurrence allows management to focus appropriate attention on the material weaknesses and so reduce the overall exposure to the business.
In addition to a range of bad events, there is also a wide range of protection measures that can be applied to mitigate them. These protection measures differ in their features, functions and costs. The key benefit of measuring economic impact and likelihood is that the measurements also provide a method to evaluate the various options and appraise the investment value of each option based on its ability to reduce the economic exposure for the organization.
A quantitative risk-based approach will identify the material exposures to the IT infrastructure and their relative economic impact. This approach identifies the material weaknesses in the IT infrastructure, economically quantifies the relative impact of those weaknesses, and then identifies the optimal solutions that will reduce the overall exposure to your organization.