In an age when most companies invest to become data-driven, the value of data is increasingly a key criterion for making IT decisions, and the protection of the data becomes paramount to those decisions.
When making backup-related decisions, price justification involves the potential capital loss to the organization when a data loss or unavailability occurs. Understanding the value of data and access to that data is key when prioritizing backup technology or even for deciding which infrastructure to protect during a cyber-attack. However, estimating this price is not trivial.
I recently worked on a research project with a team of academic partners at Ben-Gurion University for prioritizing data replication to minimize the monetary loss in the case of a disaster. The method we derived can limit the costs of data loss, and could provide a high return on investment (ROI) of up to one million dollars per incident.
The rapid growth of organizational data volumes raises major concerns with respect to data completeness. The generation and processing of those huge volumes of data, combined with the vulnerability of many organizations to different sorts of disasters (e.g. power outages, communication failures, virus attacks) increases the chance of losing business-critical data. Many potential damages are associated with data loss – operational failures, employee time and productivity, reputation damages, liabilities, and so on.
Ultimately, such damages may lead to major revenue losses. A cost study commissioned by EMC that surveyed 67 data centers in the U.S. found that the cost per disaster in 2013 ranged from $74,223 to $1,734,433, with an overall average of $627,418 per incident.
Most organizations invest in Disaster Recovery (DR) solutions that replicate data to remote locations (e.g., EMC’s RecoverPoint). But while such solutions may reduce the risk of data loss, they cannot always eliminate it altogether. Some loss may still occur if data is deleted or corrupted before replication, particularly with asynchronous replication that permits a certain time-lag. This risk mandates configuration and prioritization of DR processes, toward minimizing the loss of data items of greater business importance.
Today, DR configuration efforts are driven primarily by technical characteristics (e.g., data volumes, transfer frequencies, and capacities), and less by assessment of business needs. Business-related factors are often regarded only at a high level, based on managers' preferences, and are rarely based upon data-driven quantifications.
Value-driven Assessment of Data Loss Costs
To better understand how to shape a data-driven assessment framework for data loss costs, we conducted a case study with one of our customers, a mid-sized insurance firm. Case study interviews revealed that loss costs are rarely monolithic and usually can be separated into two criteria:
- Significant tangible ingredients. If a payment transaction was lost, the assured tangible cost will be the financial value of the specific transaction. We quantified these from the organizational database.
- Restorable data. For instance, Data Warehouse systems provide high monetary benefits for the organization since they affect organizational reports, predictions, marketing strategy and more. However, Data Warehouse content can be easily reproduced by running the relevant batch operation, which is run periodically anyway. In cases where a lost data item is restorable, restoration costs are the ones that should be considered, rather than the tangible and intangible costs of permanent loss.
Using these two criteria, we derived a model of the tangible costs of data loss based on the cost of each case in the affected system and the domino effect on other systems. Figure 1 schematically illustrates the ingredients of data loss costs.
Two complementary evaluation approaches can be applied toward obtaining the parameters in the formulation above: fact-driven and heuristics-driven assessments. Fact-driven assessment is based on analyzing data that already exists in organizational databases and can be relevant to a specific business context. The heuristics-driven approach complements the evaluation process for parameters that cannot be fully estimated from existing data and allows Subject Matter Experts to tune the model with business rules.
Let’s look at an example of parameter estimation: what is the cost assessment of a lost insurance policy?
We broke down this question using the graph: how many of the policies issued can be restored manually? What is the average revenue per policy (this is the tangible cost)? What is the cost of restoring a policy (calculated from the agent’s time)? What is the cost of an unrestored policy (in the form of lost legal action)?
We simulated these answers with datasets with business scenarios such as online sales, offline sales, attendances, etc. The results showed the proposed methodology is feasible for application and parameter estimation, as well as the potential benefits, considering the high variability in the value of data between systems when configuring a replication process. For example, we found that online sales are peer-to-peer (p2p) while offline sales are mostly business-to-business (b2b) and, therefore, produce greater revenues. As a result we would probably prefer offline sales data to be stored before online sales data so loss would be minimized.
Figure 2 illustrates an example of the value difference between online sales and offline sales.
As pointed out by case study participants, fact-based quantification is highly important for justifying IT investments. A reliable assessment of savings will help IT managers justify investment in DR solutions. This methodology can help determine the implications of data loss for different Information systems, analyze data loss damages per business process, and highlight inter-dependencies among IS and business processes. This data-driven approach to protecting our data-driven organization will increase its reliance on facts and quantitative methods rather than proxies or heuristics-driven methods so that in the future an assessment of data loss damages is a fully structured process.
Our Analytical Approach
Considering the factors described in figure 1, the cost Vi associated with data loss of an item from business process [i] can be formulated as:
These parameters can be estimated using the company’s historical data when combined with an understanding of the business process. According to the case study’s interviewees, an insurance policy can be restored only if produced by an internal agent. From this we can calculate RPi, the restoration probability for last year’s transactions (the proportion of previous insurance policies that were produced by an internal agent). Similarly, TCi, the tangible costs, would be computed as an average of revenues per insurance policy, given a dataset of past insurance policies.
In case of losing a restorable policy, restoration costs (RCi) can be derived from the relevant internal agent’s wage multiplied by the restoration duration, since the internal agent is the one who is responsible for policy restoration. An example for a propagated damage ( in case of losing an insurance policy is the loss of future lawsuits related to this policy, loss of important financial data and probably other overlooked business effects.
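The estimation steps above, worked through in Python as an added example that is not code from the research paper. The policy records, agent wage, restoration durations and propagated-damage figures are constructed, and the way the parameters are combined into a per-item expected loss is an assumed expected-value form, not the paper's formula for Vi.

```python
from statistics import mean

# Constructed sample of last year's policies (not data from the case study).
POLICIES = [
    {"process": "offline_sales", "revenue": 4000.0, "internal_agent": True},
    {"process": "offline_sales", "revenue": 6000.0, "internal_agent": True},
    {"process": "offline_sales", "revenue": 5000.0, "internal_agent": True},
    {"process": "offline_sales", "revenue": 5000.0, "internal_agent": False},
    {"process": "online_sales", "revenue": 200.0, "internal_agent": True},
    {"process": "online_sales", "revenue": 300.0, "internal_agent": False},
    {"process": "online_sales", "revenue": 250.0, "internal_agent": False},
    {"process": "online_sales", "revenue": 250.0, "internal_agent": False},
]

# Heuristics-driven inputs a Subject Matter Expert would supply (assumed values).
AGENT_HOURLY_WAGE = 40.0
RESTORE_HOURS = {"offline_sales": 2.0, "online_sales": 0.5}
PROPAGATED_DAMAGE = {"offline_sales": 1000.0, "online_sales": 100.0}


def estimate_parameters(records, process):
    """Fact-driven estimates of (RP_i, TC_i, RC_i) for one business process."""
    rows = [r for r in records if r["process"] == process]
    if not rows:
        raise ValueError(f"no historical records for process {process!r}")
    # RP_i: proportion of past policies produced by an internal agent.
    rp = sum(r["internal_agent"] for r in rows) / len(rows)
    # TC_i: average revenue per policy.
    tc = mean(r["revenue"] for r in rows)
    # RC_i: agent wage multiplied by restoration duration.
    rc = AGENT_HOURLY_WAGE * RESTORE_HOURS[process]
    return rp, tc, rc


def expected_loss_per_item(records, process):
    """ASSUMED combination: restorable items cost RC_i; unrestorable items
    cost TC_i plus propagated damage. This is not the paper's V_i formula."""
    rp, tc, rc = estimate_parameters(records, process)
    return rp * rc + (1 - rp) * (tc + PROPAGATED_DAMAGE[process])


def replication_priority(records):
    """Processes ordered so the costliest-to-lose data is replicated first."""
    processes = sorted({r["process"] for r in records})
    return sorted(processes,
                  key=lambda p: expected_loss_per_item(records, p),
                  reverse=True)


if __name__ == "__main__":
    for p in replication_priority(POLICIES):
        print(p, expected_loss_per_item(POLICIES, p))
```

With this constructed data the ordering matches the article's observation that offline sales data should be protected ahead of online sales data.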
For more information, read the full research paper: Sagi, O., Yiftachel, P., Even, A. et al. “Value attribution in complex information-system settings toward minimizing the damage of data loss”. MCIS 2014.