
| Subject: | RE: Business justification for pentesting |
|---|---|
| Date: | Tue, 30 Aug 2005 12:22:50 -0700 |

Gartner is the major provider of information regarding this type of stuff. If you aren't able to get access it's a crap shoot on the web.

It is true that recovering from an incident costs more than preventing it. To get pen-testing approved I generally use the fire sprinkler system analogy. We've invested this money in our security; now we use pen testing to validate we have achieved what we invested our money for. Or just because you install a sprinkler system doesn't mean you don't test it once a year. Simply because the cost of not having it exceeds the cost of testing and the same is true for pen testing.

--Will

-----Original Message-----

From: sectraq@gmail.com [mailto:sectraq@gmail.com]

Sent: Tuesday, August 30, 2005 9:30 AM

To: pen-test@securityfocus.com

Subject: Business justification for pentesting

hi all,

a few classic questions that i would appreciate any answers for.

1- i would like to briefly know how to quantify information assets. In other words, i hear a pentester say: if a hacker breaks in ur network, u will lose up to 40000$ for example. how can he come up with such figures?

2- are there any other means to justify pentesting for management except for $$$?

3- are there any official statistics, figures etc. for justifying pentesting. the more official it is the better.

4- any other information you guys might find helpful in justifying a pentest would be appreciated.

thnx in advance for ur help.

T.N