Currently, the architecture of networks, such as storage networks, is largely designed around the fact that requirements for data storage, and thus storage systems themselves, are growing ever larger and need to accommodate incompatible systems supplied by different vendors. As systems are scaled up to accommodate rising processing needs, applications and services reliant on the network are exposed to increased risk. As more elements are deployed into a network the overall risk within that network increases. Thus, the larger the scale of the system, the greater the probability that a software failure, hardware failure or administration error can propagate itself across larger numbers of information technology (IT) system elements and thus impact a larger portion of a business.
There is at present no known design approach that systematically considers risk as a controlling factor in the design of network architectures. That is, there are no mechanisms for accurately quantifying the operational risk posed to a business by its IT infrastructure and for mitigating that risk in ways that are demonstrable. Without such a risk control mechanism, businesses are unable to consistently manage risk of failure except at the expense of over-investment and over-allocation of resources. Consequently, a high level of investment is made in business resiliency, some of which investment may be excessive or poorly-targeted.
It is known, for example from publication US2004/0054618, to Chang and Ashutosh, entitled “Software application domain and storage domain risk analysis process and method”, to use various techniques for assessing the technical risks of failure inherent in computing system elements such as software applications and data storage devices. However, the assessment techniques contemplated therein go no further than providing the user with information relating to the technical risk involved in using such computing system elements. The level of criticality to the business of the elements of risk is not considered, and the uses to which the information is put are left open.
It would thus be desirable to have technical measures for quantifying computing system risk with reference to both the business importance and the estimated probability of failure of the infrastructure elements and to have a technological apparatus, logic arrangement or method to incorporate appropriate risk-mitigation into systems at the design level.