Guessing, or dictionary, attacks arise when an intruder exploits the fact that honest agents executing a security protocol exchange certain data like passwords that may have low entropy, i.e. stem from a small set of values. One way to model such attacks is to formalize a Dolev-Yao-style intruder model with inference rules to capture the additional capabilities of the intruder concerning guessable data. In this paper, we formalize a cost-sensitive intruder deduction system where information is available at a cost: to get hold of data he does not know, the intruder invokes an oracle rule, which associates a cost to each data the intruder deduces in this way. Our deduction system manipulates data items labeled with their costs, so that we can answer the question of what is the cost of deducing a particular data that was meant to remain a secret between honest protocol participants. We also investigate the complexity of this quantitative intruder deduction insecurity problem and show that it is NP-complete in the case of a finite number of protocol sessions (i.e. for a fixed number of interleaved protocol runs).