Despite the toxicity that certain meetings carry, I’ve decided to try and make the most out of them. In a meeting that I attended the other day the question arose:
– What is an Incident?
So how does one define a security incident? The easy way out is “an incident is when I say it is”. Would you easily define as an incident every policy violation? Do automated ssh scans count as incidents? Or do we care for the interesting ones only?
How do you define an incident as such?
I’d consider as a security incident anything that results in extra attention and/or interaction from the staff.
I prefer the more abstract definition:
“Incident is anything which adds interesting information into the system.”
Two reasons:
1. The definition of “interesting” is not shared across all types and levels of Security; an automated ssh scan is easily (and aggressively) dealt with in a SOHO through a temporary network black-list, whereas that same ssh scan receives (or should receive, in theory) greater attention in a nation-wide NSP, as it would require a little bit more analysis of the source and type of the offending node. i.e. think of a worm-infested PC that belongs to a bank or a state organization; for the NSP a black-list is a “no-no” and further technical/non-technical action may be required (get clearance from management, inform the network administrator of the offending network).
2. Bayesian Logic. The definition of “interesting” gets more specific as time passes and a tendency is created to examine those issues that pose only a serious threat to the infrastructure. All else can be delegated to lower-rank staff.
My $0.2
Incident = Anything that is not handled automatically and therefore takes up time.
Major Incident = Anything that threatens the system as a whole.