From an academic perspective, events and incidents are closely related and precisely defined. An event is anything that can be measured within your environment, and an incident is an unscheduled or out-of-the-ordinary event. However, this definition might not give a sufficiently practical description of an incident; the following additional explanation may be used to clarify the point.
A security incident is an event that did one of the following:
- Had a negative impact on an IT system: This is the type of security incident that gets the most attention. The obvious implication is that the affected system supports one or more business processes or missions, and those are the things that are truly affected by the incident. For example, a worm infecting a dozen machines may delay payroll processing, or a distributed denial-of-service (DDoS) attack may keep customers from performing web transactions.
- Potentially had a negative impact on an IT system: If your organization’s tools and processes have detected events and indicators that suggest there is an incident but it hasn’t yet manifested itself as, say, an outage or degradation of service, it is obviously still worth investigating and resolving. There could be impacts that are either not visible without digging or could still be prevented.
- Violated or presented an imminent threat of violating a security policy or procedure: Imagine, for example, that an insider is using unauthorized software, mishandling private data, or doing any number of things that could have negative impacts, but purely through luck, that negative impact hasn’t manifested yet. These are violations of policies and procedures and are worth declaring as an incident even if nothing happened, because the subsequent investigation and lessons learned will uncover gaps where controls, training, and policies could be refined and improved.