by Keith McCammon

I’ve long viewed incidents as one of an organization’s very best tools for measuring everything from cybersecurity effectiveness, to overall operational maturity. Unsurprisingly, I’d also recommend using incidents to define and understand security outcomes (i.e., whether your costly security-related investments are getting the job done).

Here are three relatively simply incident-centric cybersecurity outcomes to consider:

  • The one security outcome to rule them all is the material cybersecurity incident. Although this term was popularized by the U.S. Securities and Exchange Commission, every organization—regulated or not—defines “materiality” for itself. This creates a neat, tidy, binary condition: either you have had a material cybersecurity incident or you have not.

  • Beyond material incidents, incidents at-large can be categorized using organization-specific definitions or common severity (SEV) levels (e.g., SEV-1 being most severe, and SEV-2+ being increasingly less so). If using a standard SEV model, some or all SEV-1 incidents will be material, and all material incidents should be classified as SEV-1.

  • A third outcome is cost per incident, which encompasses the expenses of technical controls, personnel, and external partners. Typically, lower-severity incidents incur lower costs, while costs rise exponentially with severity.

Categories:

Updated:

You May Also Enjoy

Known exploited vulnerabilities by market cap

It’s easy to criticize vendors for the number of known exploited vulnerabilities in their software, but raw counts lack context. A company with 100 software products will naturally have more vulnerabilities than one with a smaller portfolio. However, product count alone doesn’t account for a company’s size or resources.