Skip to main content

Creating an Incident Response Classification Framework

by Tim Bandos on Wednesday December 28, 2022

Contact Us
Free Demo

Part 4 of our Field Guide to Incident Response series outlines a two-tiered framework for classifying security incidents to enable more efficient incident prioritization and response. This video clip is taken from our webinar, Incident Responder's Field Guide - Lessons from a Fortune 100 Incident Responder. Feel free to watch the full webinar here.

An Incident Classification Framework

Creating an incident classification framework is an important element in enabling the proper prioritization of incidents. It will also help you to develop meaningful metrics for future remediation. We recommend a two-tiered scheme that focuses on classifying the incident at the highest level (category, type, and severity) to prioritize incident management. Incident classification may change frequently during the incident management lifecycle as the team learns more about the incident from the analysis being performed.


  • Unauthorized access of the network
  • Malware
  • Denial of Service
  • Improper Usage by an IT administrator (accidentally or intentionally)
  • Unsuccessful Access Attempt


  • Targeted vs Opportunistic Threat
  • Advanced Persistent Threat
  • State Sponsored act of Espionage
  • Hacktivism Threat
  • Insider Threat


  • Critical Impact- Threat to public safety or life
  • High Impact- Threat to sensitive data
  • Moderate Impact- Threat to Computer Systems
  • Low Impact- Disruption of services

Incident Taxonomy

The second tier of this framework is incident taxonomy. Taxonomy focuses on detailing additional information about an incident that you need to identify root cause and trends. It can also provide you with information that is essential for incident response metrics. Classifying incidents for each of the following six criteria can give you detailed information on the incident that will be crucial in helping to find the best way to resolve the incident and prevent repeated incidents in the future. It is much easier to contain an incident when there is an understanding of that incident, and the correct protocol in handling it.

Direct Method

  • End User
  • 3rd Party Service Provider
  • Law Enforcement such as the FBI
  • Data Loss Prevention system, Firewall, Anti-Virus, Proxy, and Netflow

Attack Vector

  • Viruses
  • Email attachments
  • Web pages
  • Pop-up windows
  • Instant messages


  • Employee Dismissal
  • HR/ Ethics Violation
  • Loss of Productivity
  • Unauthorized Privileges
  • Brand Image
  • Lawsuit
  • Denial of Service


  • Malicious
  • Theft
  • Accidental
  • Physical Damage
  • Fraud
  • Espionage

Data Exposed

  • Public
  • Confidential
  • Export Control
  • Financial Reporting
  • Unknown

Root Cause

  • Unauthorized Action
  • Vulnerability Management
  • Theft
  • Security Control Failure/Gap
  • Disregard of Policy
  • User Negligence
  • Non-Compliance to Standards such as PII, PCI, HIPPA
  • Service Provider Negligence

Download the Incident Responder's Field Guide

Read more in our Field Guide to Incident Response Series

  1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
  2. The Do’s and Don’ts of Incident Response
  3. Building Your Incident Response Team: Key Roles and Responsibilities
  4. Creating an Incident Response Classification Framework
  5. The Five Steps of Incident Response
  6. 3 Tips to Make Incident Response More Effective
  7. Using Existing Tools to Facilitate Incident Response
  8. Learning From a Security Incident: A Post-Mortem Checklist

Tags:  Incident Response

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.