Incident Impact Analysis
Categorizing Incidents
Damage incurred during an incident can include:
- Damage to data integrity and information system resources
- Unauthorized changes and configuration of data or information systems
- Theft of data or resources
- Disclosure of confidential or sensitive data
- Interruption of services and system downtime
After detecting an incident, a triage process should classify the incident based on an established classification framework.
- can categorize by:
  - impact
    - defines incident categories by severity
    - e.g., emergency, significant, moderate, low
  - taxonomy
    - defines incident categories by types
    - e.g., worm outbreak, phishing attempt, DDoS, account compromise, internal privilege abuse
    - includes subcategories
      - e.g., attack vectors, threat actor type, etc.
Impact Analysis
Impact analysis is the process of assessing what costs are associated with an incident.
- considers the scale of an incident
  - by number of systems affected
  - or percentage of users affected by unavailability
- benefits from previous risk assessments and business impact assessments
- can approach impact analysis by comparing various categories of impact
Organization Impact vs. Local Impact
- can assess impact by the scope of an incident
  - localized impact means that the scope is limited to a single department, small user group, or one or two systems
  - organization impact is one that affects mission essential functions
    - meaning that the organization cannot operate as intended
- duration of the impact will have a substantial effect on costs
- scope and duration of an event might not be obvious
  - reevaluate the impact as new facts emerge
  - escalate response procedures if the scope or duration seems likely to expand
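An added example (not part of the original notes) of triage that re-evaluates severity as scope and duration facts change, and signals escalation when severity rises. The field names, the 4-hour mark, and the 2-system / 5% cut-offs for "localized" are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Severity labels from the notes, lowest to highest.
RANK = {"low": 0, "moderate": 1, "significant": 2, "emergency": 3}

@dataclass
class Facts:
    systems_affected: int
    pct_users_unavailable: float
    mission_essential: bool   # a mission essential function is affected
    hours_expected: float     # current best estimate of duration

def classify(f: Facts) -> str:
    """Map the facts known so far to a severity (all thresholds assumed)."""
    prolonged = f.hours_expected >= 4
    if f.mission_essential:                 # organization impact
        return "emergency" if prolonged else "significant"
    localized = f.systems_affected <= 2 and f.pct_users_unavailable < 5
    if localized:                           # one or two systems, small user group
        return "moderate" if prolonged else "low"
    return "significant" if prolonged else "moderate"

class Incident:
    def __init__(self, incident_type: str, facts: Facts):
        self.incident_type = incident_type  # taxonomy category
        self.severity = classify(facts)
        self.history = [self.severity]

    def reevaluate(self, facts: Facts) -> bool:
        """Re-run triage on new facts; True means escalate the response."""
        new = classify(facts)
        escalate = RANK[new] > RANK[self.severity]
        self.severity = new
        self.history.append(new)
        return escalate

if __name__ == "__main__":
    # Constructed sample: an account compromise whose scope keeps growing.
    inc = Incident("account compromise", Facts(1, 0.5, False, 1))
    for facts in (Facts(12, 8.0, False, 2), Facts(40, 30.0, True, 6)):
        print(inc.reevaluate(facts), inc.severity)
```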
Immediate versus Total Impact
Immediate impact refers to direct costs incurred because of an incident.
- e.g., downtime, asset damage, fees, penalties, etc.
Total impact relates to costs that arise following the incident.
- e.g., damage to the company’s reputation and brand value