Security Basics mailing list archives

What defines an "incident"?
From: Bob Radvanovsky <rsradvan () unixworks net>
Date: Sat, 11 Feb 2006 10:20:41 -0600

This debate, of course, is all in good fun and purely meant as a "learning experience".  I'm sure that others who read 
this will (no doubt) agree with me.

As such, what qualifies between something defined as an "event", versus an "occurrence", versus an "incident", versus a 

Defined, an "event" is:

"In probability theory, an event is a set of outcomes (a subset of the sample space) to which a probability is 
assigned.  Typically, any subset of the sample space is an event (i.e. all elements of the power set of the sample 
space are events), but when defining a probability space it is possible to exclude certain subsets of the sample space 
from being events."

URL: http://en.wikipedia.org/wiki/Event_(probability_theory)

From what I've found the definition of "occurrence" signifies a state or period in time that an event occurred.  Beyond 
that, nothing else seems to describe that definition.

Defined, an "incident" is:

"Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, 
or a reduction in, the quality of that service."

URL: http://www.dream-catchers-inc.com/White%20Papers/glossary_of_terms-AM.htm

Subsequently, "incident" is subset to "incidental" as defined as:

"((sometimes followed by `to') minor or casual or subordinate in significance or nature or occurring as a chance 
concomitant or consequence) "incidental expenses"; "the road will bring other incidental advantages"; "extra duties 
incidental to the job"; "labor problems incidental to a rapid expansion"; "confusion incidental to a quick change"."

URL: http://wordnet.princeton.edu/perl/webwn?s=incident

Consequently, people have interchangeably used the word "situation" in lieu of "incident" or "event"; thus, the 
definition of "situation" is:

"A position or condition with regard to circumstances, the combination of circumstances at any given time, a difficult 
or critical state of affairs; any significant combination of circumstances developing in the course of an event. The 
objective conditions immediately affecting an individual."

URL: http://method.vtheatre.net/dict.html

NOTE: Mind you, this refers to actors in a play, and the course of events that lead to a climax within the plot; 
however, it can imply a course or series of events which may be applied to real-life scenarios, thus implicating an 
"act" (if you will).

In legal terms, the choice of a word can depend upon the severity (and its significance) of the event.  Having recently 
been chewed out by a superior officer last year about the incorrect use of the word "incident", law enforcement would 
prefer -- at least in public -- using alternative words such as "occurrence" or "event" to describe whatever transpired. 
 An "incident", "situation" or "scenario" signifies importance towards an event that has transpired, and thus, if the 
culprit responsible for the event is watching television or listening to the radio, is being empowered by an officiant 
making claim to their "incident".  Additionally, identifying the course of circumstances which transpired as an 
"event" or "events" unempowers the state of the condition following the circumstances leading to or from the event.  
Essentially, you've taken whomever's "wind out of their sails".

And, from a liability perspective, the choice of the words "event" or "occurrence" provides little significance towards 
any acts committed as being a purposeful "attack" or act of violence.  If you were a stockholder to a larger company, 
and someone had maliciously attacked a server with a barrage of attack methods, your first role is "containment", 
attempting to "contain" the event.  This means calming down stockholders who may be upset about the attack.  Secondly, 
if the attack was successful, and you have determined it as such, if there was loss of property, financial information, 
or life, then changing to another word with greater significance will have greater bearing esp. if/when the individual or 
group of individuals is apprehended.  If nothing has been determined, the attack attempt remains just that, an attempt, 
or "event".

Be careful in your choice of words, as they have significance and pose more bearing and meaning psychologically to most 
people.  If you misuse a word inappropriately, you can sometimes cause panic or states of confusion (or dismay) when 
there are no reasons for such conditions.  Thus, choose your words *carefully*.

Until an "attack attempt" has been: (1) proven as an "attack", (2) was successful, and (3) have an idea as to who is 
responsible for the attack attempt -- the current state leading from the course of circumstances would remain as an 
"event" -- nothing more.

I've included the previous comments from a "virus attack" in reference to his definition of an "incident".  Comments 
anyone (yeah, I know...I've got to be INSANE to ask, but I am...)


----- Original Message -----
From: Craig Wright [mailto:cwright () bdosyd com au]
To: dave kleiman [mailto:dave () davekleiman com]
Cc: security-basics () securityfocus com
Subject: RE: Forensic/Cyber Crime Investigator

Definitely friendly. Please do not see anything in any other manner.
I am firstly enjoying the debate and secondly debate is the heart of
knowledge. Even if neither party comes to an agreement on terms at least a
good debate on the subject should give each party a better understanding of
their own perspective and a more logical manner of comprehension.
More on the other responses later this morning...

      -----Original Message----- 
      From: dave kleiman [mailto:dave () davekleiman com] 
      Sent: Fri 10/02/2006 3:44 AM 
      To: security-basics () securityfocus com 
      Subject: RE: Forensic/Cyber Crime Investigator
      I hope you are taking this as a friendly discussion
      Answers inline..
           -----Original Message-----
           From: Craig Wright
           Virus attacks etc as you put are incidents. The average
           (and all but maybe a rare exception) organisation will
           treat these as incidents. They do not take them to court
           nor have the intention of doing such. To take your Virus
           example. This is an incident, it requires a response. It
           does not require a forensic analysis of the system, nor
           would this be generally done..... etc
