
Vulnerability Index Revisited:
Good News, Bad News
By Mike Tobin

The 1995 Vulnerability Index study identifies both positive and negative trends in LAN protection and business continuity planning.
The nation's largest users of technology still have work to do in rendering mission critical desktop systems recoverable.
The Vulnerability Index is a proprietary research study first published in 1993 by Comdisco Disaster Recovery Services, a disaster
recovery provider.
In late 1994, Comdisco, together with the Palindrome Corporation, a leader in data backup technology, commissioned a reprise of
the independent vulnerability study. The objective was to gauge progress in this critical area and establish a new measure against the
benchmark data. The new study provides the first empirical measurement of trends in LAN and data center recovery preparedness.
While the results indicate some encouraging trends, the conclusion is there are likely more vulnerable LANs today than two years
ago.
It is the intent of this study to make responsible managers aware of these exposures within their organizations. By providing
managers necessary information, along with a means for estimating their companies' relative vulnerabilities, we can assist them in
understanding and making a case for corrective action.
Study Design
The design and methodology of this year's study were identical to the 1993 baseline study, and were once again executed by ICR Survey
Research, a nationally recognized independent survey research firm. The survey measured 300 organizations drawn randomly from a
universe of the country's 5,000 largest users of technology, as reported by the Computer Intelligence Corporation. Individual
respondents (one per organization) held vice president, MIS or equivalent titles with responsibility for business continuity planning and
decision making.
Overall Findings
As shown in Figure 1, there is a significant decrease in LAN vulnerability over the past two years, indicating more companies are
extending the fundamentals of business continuity planning to their PC/LAN environments. The decline in LAN vulnerability is
consistent with a general increased awareness of LAN vulnerability as highlighted in analyst reports and the media coverage of the
issue.
The bad news in this study is the absolute number of vulnerable LANs. The processing capacity of LANs doubled over the same
two-year time frame (Figure 2). In addition, the portion of LANs designated by their owners as housing mission critical applications
increased an estimated fourfold, to an average 43 percent. For one in five companies, fully 75 percent of LANs house data essential
to the organization.
As a result of this explosive growth, the overall amount of critical data that remains vulnerable is greater than ever, in a way that may
be going unnoticed in many organizations.
Detailed Findings
PC/LAN recovery budgets increasing. Not surprisingly, given the increasing number of mission critical LANs, the portion of
business continuity budgets directed to LAN recovery was up substantially. Between 1993 and 1995, budgets rose from 10.3
percent to 29.6 percent of total dollars. Though budgets are not factored in the calculation of the Vulnerability Index, this increase is
consistent with the decline in the Index (Figure 3).

Primary motivation: Management sanctions. Senior management mandates were a significant factor in more than 80 percent of
business recovery initiatives (Figure 4). This is logical, since management has the most at stake in keeping the business operational.
Marketplace experience further underscores this point; the only way to ensure the success of a business continuity project is by
enlisting management support.
Financial Services Industry the best prepared. As was the case two years ago, the financial services industry registered the best
performance for minimizing vulnerability (Figure 5). It's important to note, however, that each of the five industries measured
achieved reduced vulnerability scores. This finding corroborates Comdisco's Workarea business development experience, which
has been historically most utilized by the financial services industry, but has recently diversified substantially across industries.
Critical elements still ignored. Despite improvement, the overall LAN Vulnerability Index is still dangerously high. This results partly
from the tendency of too many organizations to ignore elements of recovery that, experience shows, are essential. Figure 6
summarizes the four most heavily weighted of the fourteen index measures. Only one in three LAN organizations practice two of
these measures (testing and evaluation and designation of an alternative site). Without these two practices, organizations cannot be
sure of their recovery capabilities.
Companies very likely to experience disruption. Two of three organizations in the survey experienced significant disruptions to their
technical infrastructure in the past year. More than half of these interruptions lasted more than eight hours, and one in five lasted
twenty-four hours or more. The data also indicates business disruptions tend to be of lesser duration in companies with formal
disaster recovery plans in place. This difference can dramatically translate into reduced business losses, both in terms of immediate
revenue loss and customer retention.
Data on network most vulnerable. Respondents indicated their backup procedures include nearly all (94 percent) of the data on
servers. But this only reflects a portion of all the data actually stored on LANs. When all the data stored on networks (both clients
and servers) are taken into consideration, only half of the data is protected by standard backup procedures (Figure 7).
This significantly increases the actual levels of LAN vulnerability: Even if standard backup procedures are followed, only half the
data can be recovered in the event of a disaster.
This study points out a number of trends that give rise to a growing concern for the stability of America's LAN-based business
functions.
The proliferation of data on LANs, the growing criticality of their use and an increasing likelihood of a prolonged disruption to an
organization's productivity-enabling computer technology, all contribute to increased vulnerability.
While more and more organizations are taking appropriate steps to protect themselves, others have yet to recognize the risk: Nearly
one in four of the companies surveyed had LAN Vulnerability Indices of 100, that is, totally vulnerable in the event of a disaster.
Companies that fail to take any of the numerous steps necessary to manage these risks leave themselves open to serious business
loss.




Mike Tobin is vice president, market development for Comdisco Disaster Recovery Services.
Disaster Recovery World © 1999, and Disaster Recovery Journal ©
1999, are copyrighted by Systems Support, Inc. All rights reserved. Reproduction
in whole or part is prohibited without the express written permission from
Systems Support, Inc.