mailing list archives
Re: Business justification for pentesting
From: Jan van Rensburg <jan.van.rensburg () epiuse com>
Date: Wed, 31 Aug 2005 14:26:20 +0200
On 31 Aug 2005, at 1:54 AM, Michael Scheidell wrote:
> A few classic questions that I would appreciate any answers for.
> 1. I would like to briefly know how to quantify information
> assets. In other words, I hear a pentester say: if a hacker
> breaks into your network, you will lose up to $40,000, for example.
> How can he come up with such figures?
I prefer to evaluate risk with disaster scenarios this way (obviously
1. Construct a couple of scenarios of what might happen
2. Look at what the bottom line effect of each scenario is vs the
3. The difference is what you are looking for
If someone hacks, say, your billing server, the company will not
necessarily go under, and neither will all the employees come to a
standstill. They will use other, perhaps less efficient, ways to
still do some part of their jobs. They might revert to using Excel
instead of Accpac, or use faxes instead of electronic invoicing. Some
customers might get wrongly invoiced, get upset and go to another
vendor, but most likely not all of them, etc., etc. This approach
takes some time and assumes you understand the business, which
should be the starting point for any pentester in any case.
There's a very good paper by Kevin J. Soo Hoo that touches on many of
the cost-quantification issues in infosec:
No doubt much more research is needed, and it will probably be driven by
the insurance industry.
Hope this helps,
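The scenario method described in the reply above, worked through as an added example (this is not code from the original thread or from either poster). It models the three steps directly: a baseline bottom line for the affected process, the bottom line under a disaster scenario in which the billing server is down and staff fall back to fax and spreadsheets, and the difference between the two as the loss figure. All numbers (daily revenue, customer counts, churn rates, probabilities) are constructed for illustration, and the modelling choices (throughput shortfall counted as lost revenue, churn valued at one year of revenue) are assumptions a real exercise would replace with the business's own data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Business:
    """Baseline figures for the process the scenario disrupts (constructed)."""
    daily_revenue: float             # revenue the process normally books per day
    daily_op_cost: float             # normal daily cost of running the process
    customers: int                   # customers served by the process
    annual_revenue_per_customer: float


@dataclass(frozen=True)
class Scenario:
    """One 'what might happen' story, parameterised so it can be costed."""
    name: str
    degraded_days: int               # days spent on the fallback (fax, Excel ...)
    fallback_efficiency: float       # share of normal throughput the fallback achieves
    fallback_extra_daily_cost: float # overtime, couriers, extra fax lines ...
    recovery_cost: float             # rebuild, forensics, consultants
    misinvoiced_fraction: float      # share of customers who get a wrong invoice
    churn_given_misinvoice: float    # share of those who leave for another vendor
    annual_probability: float        # rough likelihood per year, for an annualised figure


def normal_bottom_line(b: Business, days: int) -> float:
    """Step 2, baseline: what the process contributes over `days` when nothing happens."""
    return (b.daily_revenue - b.daily_op_cost) * days


def scenario_bottom_line(b: Business, s: Scenario) -> float:
    """Step 2, scenario: the same window with the fallback, extra costs and churn.

    Assumption: throughput the fallback cannot deliver is counted as lost
    revenue.  If invoices are merely delayed rather than lost, a real model
    would charge only the cost of the delay.
    """
    revenue = b.daily_revenue * s.fallback_efficiency * s.degraded_days
    cost = (b.daily_op_cost + s.fallback_extra_daily_cost) * s.degraded_days
    cost += s.recovery_cost
    # Not every mis-invoiced customer leaves; value those who do at a year of revenue.
    lost_customers = int(round(b.customers * s.misinvoiced_fraction * s.churn_given_misinvoice))
    churn_loss = lost_customers * b.annual_revenue_per_customer
    return revenue - cost - churn_loss


def scenario_loss(b: Business, s: Scenario) -> float:
    """Step 3: the difference between baseline and scenario is the figure you quote."""
    return normal_bottom_line(b, s.degraded_days) - scenario_bottom_line(b, s)


def annualised_loss_expectancy(b: Business, s: Scenario) -> float:
    """Single-loss figure weighted by how often you expect the scenario per year."""
    return scenario_loss(b, s) * s.annual_probability


def compare(b: Business, scenarios: list[Scenario]) -> dict[str, float]:
    """Step 1 in practice: cost a couple of scenarios side by side."""
    return {s.name: scenario_loss(b, s) for s in scenarios}


# Constructed sample business and two variants of the billing-server scenario.
BUSINESS = Business(daily_revenue=20_000, daily_op_cost=15_000,
                    customers=400, annual_revenue_per_customer=5_000)

BILLING_HACK = Scenario(
    name="billing server compromised, rebuilt from scratch",
    degraded_days=10, fallback_efficiency=0.75, fallback_extra_daily_cost=1_000,
    recovery_cost=25_000, misinvoiced_fraction=0.05, churn_given_misinvoice=0.25,
    annual_probability=0.25)

QUICK_RESTORE = Scenario(
    name="billing server compromised, restored from backup in two days",
    degraded_days=2, fallback_efficiency=0.75, fallback_extra_daily_cost=1_000,
    recovery_cost=10_000, misinvoiced_fraction=0.0, churn_given_misinvoice=0.25,
    annual_probability=0.25)

if __name__ == "__main__":
    for name, loss in compare(BUSINESS, [BILLING_HACK, QUICK_RESTORE]).items():
        print(f"{name}: loss {loss:,.0f}")
    print(f"annualised (slow rebuild): {annualised_loss_expectancy(BUSINESS, BILLING_HACK):,.0f}")
```

The point a practitioner should take from running it is the sensitivity: the same compromise costs five times as much when recovery takes ten days and some customers are mis-invoiced as when a tested backup brings e-invoicing back in two days, which is the kind of argument that justifies both the test and the controls it recommends.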