No matter how big the incident or how small, it will eventually expand. When an incident expands, the complexity of that incident also changes. You might be wondering what does not affect the complexity of an incident? Well, this is a tricky question because there are many factors that can influence this answer. One thing to consider is cost consideration which can impact when and if an incident expands.
The time frame for incidents varies from seconds (such as a denial-of-service attack) to months (such as fraud). An analysis on complex incidents found four core elements: loss magnitude; probability; potential adverse consequences; and likelihood of detection/response effectiveness.[i] These elements play an important role in deciding which factor does not affect the complexity of an incident.
The factors that do not directly influence cost consideration are usually a lesser concern for those who have to assign priorities, such as internal and external stakeholders (such as customers). These people typically weigh complexities from different angles depending on their perspectives. Those with operational responsibilities might consider only how long it will take to fix the problem while users may be more concerned about data loss or access interruption.[ii] Another thing is where your organization stands geographically because this can impact response times when you need outside assistance.[iii]
The following graph illustrates what factors do not affect the complexity of an incident: [I]. For example, in IRS system attacks we see something called the “expanding incident”. This is when an incident or event grows in severity and scale as more information becomes available.
Cost is not only related to downtime costs but also how much it will cost your organization in terms of time and resources to get back up and running after an attack or outage has occurred.[iv][v] For example a natural disaster can have financial impacts on organizations other than just lost revenue for that period when they are unable to operate their normal functions.[vi]. Consideration should be given as to whether downtime can be planned for, or if an alternative site is available. The organization may also use a service-level agreement with their Internet provider that will allow them to pay for “extra” downtime hours.
How does risk consideration impact the incident?
Risk assessment and management should not only address hazards such as natural disasters but also consider vulnerabilities created by company decisions that could result in a threat of attack.[vii] For example, companies building new facilities on greenfield sites are at greater risk from flooding than those who have chosen brownfield sites which already contain roads, buildings etc., thereby reducing some risks associated with construction activities.[ix]. In other words, there are two aspects to any decision: what we need now (the short-term view) versus what we need in the future (the long-term view).
What is a threat analysis? A Threat Analysis or Risk Assessment will identify and rank threats to an organization’s assets: typically its people, information, facilities, equipment. The process of performing this type of assessment often identifies risks that are not readily apparent but may have significant implications for organizational performance.[x]
How does cost consideration impact incident complexity?
Factors that affect incident complexity include the time required to resolve it; who caused it; how many users are affected by it; what needs to be done during resolution; whether any data loss occurs as part of resolving the incident; and if so what can’t be recovered due to encryption keys etc. A company should also consider costs such as lost productivity, data recovery, and legal considerations. The complexity of the incident will determine which factors need to be considered as part of this assessment process.[x]
A company should also consider costs such as lost productivity, data recovery, and legal considerations. The complexity of the incident will determine which factors need to be considered as part of this assessment process. What does not affect the complexity of an incident? A factor that does not typically affect the complexity is how often a particular activity occurs because it’s likely no one in your organization has experience with these situations or they would have already been disclosed by others who know about them anyway.[x]