Penetration Testing: Re: Business justification for pentesting

[Jan van Rensburg <jan.van.rensburg () epiuse com>]

Hi,

On 31 Aug 2005, at 1:54 AM, Michael Scheidell wrote:
> hi all,
>
> a few classic question that i would appriciate any answers for.
> 1- i would like to briefly know how to quantify information
> assets. In other words, i hear a pentester say: if a hacker
> breaks in ur network, u will loose up to 40000$ for example.
> how can he come up with such figures?
I prefer to evaluate risk with disaster scenarios this way (obviously  
simplified):
1. Construct a couple of scenarios of what might happen
2. Look at what the bottom line effect of each scenario is vs the  
status quo
3. The difference is what you are looking for

If some hacks say you billing server, the company will not  
necessarily go under, and neither will all the employees come to a  
standstill. They will use other, perhaps less efficient, ways to  
still do some part of their jobs. They might revert to using Excel  
instead of Accpac, or use faxes instead of electronic invoicing. Some  
customers might get wrongly invoiced, get upset and go to another  
vendor, but most likely not all of them, etc, etc. This approach  
takes some time and assumes you understand the business - which  
should be the starting point for any pentester in any case.
There's a very good paper by Kevin J Soo Hoo that touches on many of  
the cost quantification in infosec issues:
http://iis-db.stanford.edu/pubs/11900/soohoo.pdf

No doubt much more research is needed and will probably be driven by  
the insurance industry
Hope this helps,
Jan