mailing list archives
Re: Business justification for pentesting
From: rmeijer () xs4all nl
Date: Wed, 31 Aug 2005 14:46:31 +0200 (CEST)
a few classic question that i would appriciate any answers for.
1- i would like to briefly know how to quantify information assets. In
other words, i hear a pentester say: if a hacker breaks in ur network, u
will loose up to 40000$ for example. how can he come up with such figures?
This is not something for a pentester to be concerned with in most cases.
The value of assets should be evaluated only in the context of a risk
assesment done by a skilled statistician, not by a skilled infosec
In the past I've tried to bring together some of the
statistician/technisian/management infosec issues in a whitepaper on
risk assesment and incident response, but it has turend out to be
close to impossible to bring together these distinct views on infosec
in a way that not everyone thinks: 'that is the other guys specialty'.
You may wish to check out 'Security Incident Policy Enforcement' at
isecom.org to get somewhat of a grasp on this. The document focusses
on risk assesment in a IR context, but much of it can be seen in a
wider scope also.
2- are there any other means to justify pentesting for management except
Pentesting is just one of a wide range of security measures, there are
three ways to justify any security measures:
1 The projected financial footprint of the diverted risk is substantialy
higher than the projected cost of the security measure.
2 The potential financial footprint of diverted risk would be very high
and the projected cost of the measure not very substancial.
3) There is insufficient data to asses if either 1 or 2 is true, and the
measure could supply this data.
As you see, only the third does not directly involve money as argument, but
I dont think pentesting could be categorized in that section very often.
3- are there any official statistics, figures etc. for justifying
pentesting. ther more official it is the better.
In my research I have found no sign of any statistic information with
any usefull span that crosses company borders. This is very unfortunate,
as it makes risk assesments yield rather high spreads in their risk
densities, that makes building solid pollicies from them very dificult.
I personaly believe that this lack of statistics could be responsible for
a very large portion of overall infosec incident costs.
4- any other information you guys might find helpful in justifying a
pentest would be appriciated.
thnx in advance for ur help.