Gartner Blog Network


Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?

by Anton Chuvakin  |  July 8, 2013  |  3 Comments

Here are some real-world examples of what some organizations consider to be a security incident (most of these are taken off Universities’ publicly posted security incident plans – these are great bedtime reading, if you are into that sort of thing):

  • “An IT Security Incident (“Incident”) is any activity that harms or represents a serious threat to the whole or part of […] computer, telephone and network-based resources such that there is an absence of service, inhibition of functioning systems, including unauthorized changes to hardware, firmware, software or data, unauthorized exposure, change or deletion of PHI, or a crime or natural disaster that destroys access to or control of these resources.” (source)
  • “A security incident can have the following definitions: Violation of an explicit or implied security policy, Attempts to gain unauthorized access, Unwanted denial of resources, Unauthorized use of electronic resources, Modification without the owner’s knowledge, instruction, or consent, Theft or displaced University IT property” (source)
  • “An information systems security incident is any event, suspected event, or discovery of a vulnerability that could pose a threat to the confidentiality, integrity, or availability of supporting systems, applications, or information.” (source)
  • “An incident is the act of violating an explicit or implied security policy.” (source)
  • “An information security situation that potentially poses a significant risk or could cause significant impact to University systems, assets or personnel would be classified as an incident” (source)
  • “The term “incident” refers to an adverse event in an information system and/or network or the threat of the occurrence of such an event.” (source)

BTW, I really like a clear definition reportedly used by the Verizon team in VERIS: “violation of one or more of the Parkerian hexad attributes.” On the other hand, “for many enterprises, the perception is that “[we] know an incident when [we] see it” (source: “Acting on Security Monitoring: Incident Response and Forensics”).

What do we learn here? RELATIVITY RULES!

What else do we learn? Based on one definition, you may have an incident every day! Based on another one, you have an incident once a year!

P.S. A bonus question: if 2-3% of your systems (that’d be 200-600 systems out of a pool of 10,000 machines) are always compromised and running malware (viruses, RATs, PUPs, etc), is that really an incident today? Can your daily norm ALSO be an incident at the same time? Or maybe it is an incident with an action plan of “nothing”…

Posts related to the same research project:

Category: incident-response  policy  security  

Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry

Anton Chuvakin is a Research VP and Distinguished Analyst at Gartner's GTP Security and Risk Management group. Before Mr. Chuvakin joined Gartner, his job responsibilities included security product management, evangelist… Read Full Bio


Thoughts on Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?


  1. Mark Kedgley says:

    We try and explain this all the time to our clients when installing FIM and SIEM technology – in our book, if it happens all the time then either fix it at source to stop it happening, or change your definitions/alerts. We advocate a philosophy that the aim of security monitoring is to learn what normal/regular looks like. That way you can then spot the unusual/irregular – security incursions are not meant to be detected so you need to be tuned in to spot subtle irregularities.

  2. @mark Thanks for the comment! Indeed, “irregular/abnormal + actionable = incident” at many places where a formal definition is lacking

  3. […] Prevention FAILS: just look at anti-virus tools and contrast their 99%+ deployment rates with known ongoing malware infection rates. […]



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.