The organization protects the information system from harm by considering mean time to failure rates for an organization-defined list of information system components in specific environments of operation.