Creating an Incident Response Classification Framework

Part 4 of our Field Guide to Incident Response series outlines a two-tiered framework for classifying security incidents to enable more efficient incident prioritization and response.

An Incident Classification Framework

Creating an incident classification framework is an important element in enabling the proper prioritization of incidents, and it gives you the raw material for meaningful remediation metrics later. We recommend a two-tiered scheme. The first tier classifies the incident at the highest level (category, type, and severity) so that incident management can be prioritized; the second tier, the incident taxonomy, captures the detail needed for root cause analysis and trending. Expect the classification to change, sometimes several times, during the incident management lifecycle as analysis reveals more about what actually happened, so record each change rather than overwriting the original call.

Category

  • Unauthorized access of the network
  • Malware
  • Denial of Service
  • Improper Usage by an IT administrator (accidental or intentional)
  • Unsuccessful Access Attempt

Type

  • Targeted vs. Opportunistic Threat
  • Advanced Persistent Threat
  • State Sponsored act of Espionage
  • Hacktivism Threat
  • Insider Threat

Severity

  • Critical Impact - Threat to public safety or life
  • High Impact - Threat to sensitive data
  • Moderate Impact - Threat to computer systems
  • Low Impact - Disruption of services

Incident Taxonomy

The second tier of this framework is incident taxonomy. Taxonomy focuses on detailing the additional information about an incident that you need to identify root cause and trends, and it supplies the data that incident response metrics are built from. Classifying each incident against the following six criteria gives you the detail needed to resolve the incident in the best way and to prevent it from recurring. An incident is much easier to contain when the team understands what it is dealing with and which handling protocol applies.

Detection Method

  • End User
  • 3rd Party Service Provider
  • Law Enforcement such as the FBI
  • Security tooling such as a Data Loss Prevention system, Firewall, Anti-Virus, Proxy, or NetFlow

Attack Vector

  • Viruses
  • Email attachments
  • Web pages
  • Pop-up windows
  • Instant messages

Impact

  • Employee Dismissal
  • HR/ Ethics Violation
  • Loss of Productivity
  • Unauthorized Privileges
  • Brand Image
  • Lawsuit
  • Denial of Service

Intent

  • Malicious
  • Theft
  • Accidental
  • Physical Damage
  • Fraud
  • Espionage

Data Exposed

  • Public
  • Confidential
  • Export Control
  • Financial Reporting
  • Unknown

Root Cause

  • Unauthorized Action
  • Vulnerability Management
  • Theft
  • Security Control Failure/Gap
  • Disregard of Policy
  • User Negligence
  • Non-Compliance with standards or regulations such as PCI DSS, HIPAA, or PII protection requirements
  • Service Provider Negligence

Want to learn more about incident response? Keep an eye out for more posts to come in this series and in the meantime check out our eBook, The Incident Responder’s Field Guide – Tips from a Fortune 100 Incident Responder.

Read more in our Field Guide to Incident Response Series

  1. 5 Key Criteria for Creating an Incident Response Plan that is Practical for YOUR Organization
  2. The Do’s and Don’ts of Incident Response
  3. Building Your Incident Response Team: Key Roles and Responsibilities
  4. Creating an Incident Response Classification Framework
  5. The Five Steps of Incident Response
  6. 3 Tips to Make Incident Response More Effective
  7. Using Existing Tools to Facilitate Incident Response
  8. Learning From a Security Incident: A Post-Mortem Checklist

Tim Bandos, CISSP, CISA is senior director of cybersecurity at Digital Guardian. He has over 15 years of experience in the cybersecurity realm with a heavy focus on Internal Controls, Incident Response & Threat Intelligence.