How can you determine at what point in a piece of IT hardware’s lifecycle it should be updated? Using FAIR, the international standard for quantitative cyber and technology risk management, it is as simple as a three-step process.
An example from IT asset management at a manufacturing operation would be to determine if and when outdated hardware in the production facilities should be replaced. To answer this, the company must first understand how much risk it currently faces as a result of having outdated hardware and how much of that risk (if any) the investment would reduce. By performing a cost-benefit analysis of the two, the company can then understand whether it is in its best interest to go forward with the replacement.
1. How much risk are we currently facing as a result of having outdated hardware?
To answer this question, begin by identifying the scenario(s) that are likely to result from outdated hardware in the manufacturing facility. For example, identify the different types of server failures (inadequate storage, inadequate processing, chassis failure, etc.) that may disrupt the manufacturing process, which could then delay production and impact delivery expectations or contractual requirements.
An alternate method is to begin by inventorying the critical servers in the facility that impact key manufacturing processes. Based on the inventory, run analyses on the amount of risk associated with an outage of the given process as a result of a server failure.
By comparing these analyses, the organization can then determine which process(es) require hardware updates in the short term and which may be less time sensitive. Additionally, by aggregating these analyses, the organization can understand how much risk is associated with hardware-related server failures causing manufacturing outages across a given facility.
[ Figure: Aggregate Annualized Loss Exposure Results, with Independent Scenario Results for Scenario A and Scenario B ]
[ For more information on how to calculate aggregate risk, read the following post by FAIR co-founder, Jack Jones: How to Measure Aggregate Risk. ]
2. How much will risk be reduced by replacing outdated hardware?
After you have an understanding of the current state loss exposure, you can then consider how the proposed hardware upgrades would impact the frequency and/or magnitude of the events. For example, replacing an outdated server may significantly decrease the number of times per year a server failure causes a disruption of a specific manufacturing process. You can model this by reducing the Loss Event Frequency of that event and re-running the analysis to evaluate the future state Annualized Loss Exposure.
[ Figure: Current vs. Future State Results Comparison ]
3. What is the cost of replacing outdated hardware?
Before you can decide whether or not to go forward with the hardware replacement, the final variable to understand is the amount of capital investment required. This value can then be compared to the decrease in Annualized Loss Exposure from the current to future state scenarios to determine if the hardware should be replaced.
Based on the results, you may ultimately conclude that, given the aggregate loss exposure you are facing from the scenario(s) and the total investment cost to upgrade the hardware, it would not be cost-efficient to perform the upgrade at this time. Just as you can run a future state analysis to evaluate the hardware investment, you can also run additional assessments to evaluate at what point the investment would become necessary. For example, if you anticipate the number of disruptions to double in the next five years as a result of the aging hardware, you can calculate what the aggregate loss exposure will be at that point and whether the investment in new hardware would make sense. By doing so, you can focus efforts on an upgrade and mitigation plan to be rolled out at a future date.
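The three steps above, carried through as an added example (not from the original article or the FAIR standard): a small Monte Carlo run that aggregates two scenarios, re-runs them with a reduced Loss Event Frequency, and compares the reduction with the replacement cost, both today and after disruptions double. All ranges, the cost, the 25% future-state factor, the triangular distributions and the annualizing of cost over a service life are assumptions chosen for illustration.

```python
import random

# Constructed inputs (assumptions): ranges are (min, most likely, max).
SCENARIOS = {
    "A: storage server failure": {"lef": (1, 3, 6), "loss": (5_000, 15_000, 60_000)},
    "B: chassis failure": {"lef": (0.2, 1, 2), "loss": (10_000, 40_000, 150_000)},
}
REPLACEMENT_COST = 750_000  # constructed capital investment
SERVICE_LIFE_YEARS = 5      # constructed period used to annualize the cost
NEW_HW_LEF_FACTOR = 0.25    # assumption: new hardware fails 25% as often as today


def tri(rng, low, mode, high):
    """Sample a (min, most likely, max) estimate from a triangular distribution."""
    return rng.triangular(low, high, mode)


def simulate_ale(scenarios, lef_factor=1.0, trials=20_000, seed=7):
    """Mean aggregate Annualized Loss Exposure across all scenarios."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(trials):
        for s in scenarios.values():
            freq = tri(rng, *s["lef"]) * lef_factor  # loss events per year
            # Round a fractional frequency up or down at random so the mean holds.
            events = int(freq) + (rng.random() < freq % 1)
            total += sum(tri(rng, *s["loss"]) for _ in range(events))
    return total / trials


def decide(current_lef_factor=1.0):
    """Compare the ALE reduction from replacement with its annualized cost."""
    current = simulate_ale(SCENARIOS, current_lef_factor)  # step 1
    future = simulate_ale(SCENARIOS, NEW_HW_LEF_FACTOR)    # step 2
    annual_cost = REPLACEMENT_COST / SERVICE_LIFE_YEARS    # step 3
    reduction = current - future
    return {"current_ale": current, "future_ale": future,
            "reduction": reduction, "annual_cost": annual_cost,
            "replace": reduction > annual_cost}


if __name__ == "__main__":
    for label, factor in (("today", 1.0), ("disruptions doubled", 2.0)):
        r = decide(factor)
        print(f"{label}: current ALE {r['current_ale']:,.0f}, "
              f"reduction {r['reduction']:,.0f}, "
              f"annual cost {r['annual_cost']:,.0f}, replace={r['replace']}")
```

With these constructed inputs the replacement does not pay for itself today but does once the failure frequency doubles, which is the deferral case the last paragraph describes.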