After an attack, should the damaged asset be replaced or recovered?

Companies deal with information loss or damage, almost on a regular basis. The main question rises what to do next after the damage has been done. Companies try to find ways to minimise their damages and costs by appropriately taking measures to do so, they can choose to completely replace their damaged/lost information assets, leave the damaged asset as is or they can choose to repair the damage done to the asset. In order to make the most suitable decision the company has to estimate the value of the asset and cost for handling the damage. Various assessments methods for evaluating the worth of the asset are:

-Replacement cost

-Income lost while repairing

-Income lost while Replacing the asset

The replacement cost is considered when the asset is not worth too much to the company and it would cost less to replace the asset rather than repair the asset. We can explain this point better with an example. Big companies generally have big servers to manage their traffic, suppose the servers get damaged, in order to minimise the time that the servers are down the company can simply replace the servers. Although replacing servers costs a lot and maybe a smaller company would not choose this route, as it lacks the resources to do so. When the company takes this decision it usually takes into account two aspects when replacing the asset; first the cost of replacing the asset and the income lost wile replacing the asset. The company tried to minimise its server’s down time as the company would lose profitability if the servers are not continuously running. Replacement cost is simply the cost of replacing the asset but while the asset is non-functioning the company can lose its value as the asset has now become a liability and has stopped the operations of the company. Another reason (other than hinderance of operations of the company) could also be that the asset has been severely compromised and is a huge liability for the company. These factors may not affect the smaller companies as much as it would the bigger companies hence the smaller companies can choose alternative methods to deal with the situation.

Repairing the asset is generally considered when the asset’s information is worth a considerable amount to the company. Big companies usually have a plethora of important data and in most cases the data is invaluable to the company. The company may prioritise its data recovery and spend time and money recovering/repairing the information. This repairing process may cause the company to slow down its operations which can lower the profitability of the company hence companies choose this option if the information is worth more than the cost of damages and repairs ,or the company does not have money to replace the asset as is the case of smaller companies.

In summary we can see that a company may prioritise different things when coming up with a decision to replace or repair the asset. The companies look at: [1]

-Cost to replace the asset

-Cost to repair the asset

-liability issues if the asset is severely compromised

-value of the asset

-operational and productivity costs incurred if the asset is unavailable.

The companies take into account the points mentioned above when deciding the value of the asset and taking appropriate decisions. Also every company is different in their own regards and will choose a course of action that is most profitable to the company and most effective in dealing with the problem.

References:

[1] - retrieved from http://searchsecurity.techtarget.com/answer/How-to-determine-the-net-value-of-an-asset-for-risk-impact-analysis