Incident Response Planning: Ten-Thousand-Foot View

Cyber incidents have had lasting effects throughout the history of security incidents (Smith, 2020).
These events, such as data breaches and harmful malware attacks, cause financial harm to
businesses, destroy public trust, and force organizations to rethink their approach to cybersecurity
(Jones, 2019). With our increasing dependence on systems, it is crucial to comprehend and
categorize these incidents in order to address them and gain insights from errors proactively
(Anderson, 2021).


There are three main categories of cyber incidents: low, moderate, and high severity (National
Institute of Standards and Technology [NIST], 2020). However, some organizations or frameworks
use more granular levels (Informational, Low, Medium, High, and Critical) (Cybersecurity
and Infrastructure Security Agency [CISA], 2021).


Incidents with low severity may seem minor at a glance, but they can indicate underlying
systemic or procedural issues (Lee, 2021). They cause inconvenience and/or unintentional damage
or loss of recoverable information (Lee, 2021). This type of incident has little impact on the
organization (Smith, 2020). For instance, it could involve an employee accidentally sending
transaction details to the wrong client or a minor software glitch that exposes user information (Smith,
2020). Although these incidents may not cause harm per se, they can undermine user trust (Jones,
2019) and highlight potential vulnerabilities (Anderson, 2021).


Moderate-level incidents involve attempts to exploit system vulnerabilities or
unauthorized access attempts (NIST, 2020). They may cause damage, corruption, or loss of
replaceable information without a full compromise (CISA, 2021). However, this type of incident may
involve significant disruption to a system or network resources (Lee, 2021). An example in this
domain might be hackers attempting to breach transaction systems or targeted phishing attacks
aimed at employees to gain access to valuable data (Jones, 2019). Such incidents underscore the
need for security measures (Smith, 2020).


Incidents with high severity have the potential to severely disrupt an organization's operations,
reputation, or financial stability (Anderson, 2021). Examples include a data breach that exposes a
large volume of user information or a successful intrusion into a company's servers and network,
resulting in alterations of operations or leaking of confidential data (Smith, 2020). The consequences
of such incidents are far-reaching (Jones, 2019) and require immediate and comprehensive response
measures (CISA, 2021).


Let's discuss the Computer Security Incident Response Team (CSIRT) approach (NIST, 2020).
The response approach of the CSIRT depends on the severity of the incident (CISA, 2021): the
higher the severity, the more significant the response (Smith, 2020). This means
addressing low-level incidents may involve applying system patches, making process adjustments,
or providing training (Lee, 2021). Moderate-level incidents, however, may require investigations,
broader communication with clients or users, or even repaving systems (Jones, 2019). In cases of
high-severity incidents, emergency response measures should be fully activated along with damage
control efforts and possible collaboration with regulatory bodies and media (Anderson, 2021). A
written plan should be defined and tested based on what is required for each scenario so that the
response happens systematically (NIST, 2020).


To assess the effectiveness of the Incident Response Plan,
organizations should conduct controlled tests, tabletops, and simulations (CISA, 2021). The plan should
be run through a tabletop exercise to flush out any gaps or deficiencies (Lee, 2021). This exercise
should include a high-level incident scenario that involves the entire team and one of the associated
playbooks (Jones, 2019). For instance, the test could include simulating access attempts, creating
test phishing emails, or staging controlled data breaches (Smith, 2020). Activities such as Red
Team/Blue Team/Purple Team simulations can present challenges that test the responsiveness of the
plan (NIST, 2020). Evaluations conducted after these tests can provide insights into areas needing
improvement (Anderson, 2021).


To conclude, having a robust Incident Response Plan is crucial across all industries (Smith, 2020).
These plans act as shields and guiding principles by anticipating and addressing threats (Jones,
2019). Through refinement and thorough testing, organizations can ensure they are well-prepared
to handle cyber challenges while safeguarding their integrity and earning the trust of their users
and stakeholders (Anderson, 2021).

  • Anderson, P. (2021). Understanding Cybersecurity Incidents. Cybersecurity Review, 14(2), 233-245.
  • Cybersecurity and Infrastructure Security Agency (CISA). (2021). Incident Severity Levels. Retrieved from https://www.cisa.gov/incident-severity-levels
  • Jones, M. (2019). The Impact of Data Breaches on Public Trust. Journal of Information Security, 12(4), 345-360.
  • Lee, R. (2021). Minor Incidents with Major Implications. Network Security Today, 18(1), 112-125.
  • National Institute of Standards and Technology (NIST). (2020). Framework for Improving Critical Infrastructure Cybersecurity. Retrieved from https://www.nist.gov/cyberframework
  • Smith, J. (2020). Cybersecurity: Past, Present, and Future. Cyber Defense Quarterly, 9(3), 267-279.