Over the last couple of days, I have been having some discussions with colleagues about questions such as "What is an incident?" and "When is an incident a security incident?"

We came up with the following set of rules-of-thumb:

1. If you know or suspect that the incident was caused intentionally, it is a security incident.

2. If you know or suspect that the incident affects your countermeasures or security control systems, it is a security incident.

3. If you know or suspect that the incident constitutes a breach of compliance (e.g., a criminal act or a breach of corporate security policy, standards, guidelines or procedures), it is a security incident.

4. And finally, since the customer is always right, when a customer or other relevant party requests that the incident be handled as a security incident, it is to be treated as such.

While these guidelines can be useful in narrowing the focus of an incident to a security incident, they still have not answered the question of what an incident really is.