CHAPTER 7. PenTest Metrics
Правда глаза колет. – Russian proverb: “Truth stings the eyes.”
Identifying vulnerabilities and exploits within a professional penetration test project is often not enough. Clients want to know the impact vulnerabilities have in their network environment, not just that they exist. However, client risk is not the only risk that should be measured in a PenTest project – there are inherent risks to the successful completion of the project itself, which project managers need to be aware of and plan for.
Unfortunately, when compared to the insurance industry, risk analysis within the Information System Security field is still in its youth. Although statistical data is available that can be ...