Understanding your business’s cyber vulnerabilities and assessing its data risks are major factors in determining your organization’s security response plan. For organizations in regulated industries, many of the risks to address and the required responses (for example, breach-notification duties) are already set out by the regulator. Organizations that are not subject to such requirements must draft their own security policies based on their particular situation: how much personal client data is stored and for how long, the nature of client relationships, and the level of security those clients expect. These factors, and more, are weighed when drafting a security policy, and the policy in turn determines what counts as an incident and how severely it is rated.

What Constitutes a Security Policy Violation?

The National Institute of Standards and Technology’s Special Publication 800-61 (Computer Security Incident Handling Guide) describes a security incident as a violation of “explicit or implied security policy”; the current revision extends this to include an imminent threat of such a violation, not only one that has already occurred. Whether a violation is deemed minor, major or critical depends on a number of factors, and those factors, together with the thresholds between the three levels, should be spelled out in the security policy so that responders do not have to improvise the rating during an incident.

Boston University, an institution that relies on digital resources for research, communication, record-keeping, archives and financial information, gives these severity levels a concrete meaning. Boston University’s IT Department lists security issues such as compromised computing resources, email abuse, resource misconfigurations and network abuses as violations of various internal policies. The line between a major and a critical incident is drawn by the magnitude of the damage the breach has caused or could potentially cause, not by the type of violation alone.

Critical Incidents and Minor Incidents

If any one of the security issues outlined above affects the immediate physical safety of people or buildings, it is defined as a critical incident. For example, the WannaCry ransomware worm that hit Britain’s National Health Service in May 2017 was a critical incident: by encrypting workstations and taking clinical systems offline across dozens of NHS trusts, it forced cancelled appointments and diverted ambulances, putting patients in harm’s way.

At the other end of the spectrum is the routine IT incident. This could be something as ordinary as one person gaining access to another person’s email account. Because it is a single, contained event that does not involve systemic loss of data, IT typically rates it as a minor incident, though the parties involved might view it differently. The rating should still be revisited if investigation shows that the mailbox held sensitive or regulated data or that the access was part of a wider compromise.

Range of Major Incidents

In the spectrum’s fuzzy middle lies the major incident. A major incident that grows in scale can become critical if left unchecked. One example of a major incident is a violation of a law or contract. In regulated industries, such an incident can escalate to critical depending on the severity of the breach, the number of people or records affected, and the penalties and notification obligations the applicable law imposes.

Another example of a major incident is one that interrupts service to a community; it becomes critical as the size of the affected community grows. In the case of a university, a security breach that causes a library’s printers to churn out reams of garbage pages while failing to print the items library patrons requested is a major incident. If the same thing happens campus-wide, it could become a critical incident.

Financial loss is a useful benchmark for rating an incident’s severity. Losses can include direct costs such as response, recovery and regulatory fines, as well as lost revenue from customers and harder-to-quantify reputational damage. Defining loss thresholds for each severity level in advance helps establish your organization’s security policy and the response each level triggers.