Final answer:
Lykke would argue against using internal employees for penetration testing due to potential biases, lack of expertise, and reluctance to disclose vulnerabilities. The point that 'They would have to stay overnight to perform the test.' is irrelevant to these concerns and would not be included in her memo.
Step-by-step explanation:
The subject of this question relates to the evaluation of using in-house resources for a penetration test within a company. Lykke is considering several factors that might impact the decision on whether internal security employees are suitable for this task. In her memo, she would likely highlight the following points:
- The internal employees could have inside knowledge of the network, possibly skewing the penetration test results because they might not explore unconventional attack vectors that an external party could uncover.
- There may be a lack of expertise in the specific skills required for a thorough penetration test, as internal staff may not be as up to date or specialized in current penetration testing methodologies as external specialists.
- Employees may exhibit reluctance to reveal vulnerabilities due to conflicts of interest or fear of repercussions, which could compromise the integrity of the penetration test.
One point that would NOT be part of Lykke's memo is the idea that 'They would have to stay overnight to perform the test.' This statement has no direct relevance to the quality or effectiveness of the internal penetration test and would be unrelated to the potential issues Lykke has with using internal staff for penetration testing. This reflects the notion of the insider-outsider model, wherein 'insiders' are the employees who already understand the company procedures, as opposed to 'outsiders' who would have a fresh perspective but would not have the company-specific knowledge.