Day 01
Introduction to Incident Handling & Security Concepts
Welcome to Week 1. This module translates the core principles of incident management as practised in industry into actionable classroom knowledge.
The 3 a.m. Sunday Problem
Real incidents rarely arrive at a convenient hour. Panic is not a process. We use the hospital ER model: triage, not improvisation.
Key Takeaway: A boring incident is a well-handled incident. Process is the product. Every minute of delay costs money, trust, and regulatory standing.
🎯 What you will learn today
- ▸ Definition and business drivers of IR
- ▸ CIA triad, threats, and risk management
- ▸ Incident types and severity classification
- ▸ SOC, CSIRT, and stakeholder structures
- ▸ GDPR, HIPAA, and regulatory clocks
Ready to begin?
Explore the interactive lessons using the navigation menu. Each lesson builds on the previous one. Skip none.
Lesson 1
Define Incident Handling
Understand the strategic role of incident handling, differentiate fundamental terminology, and explore the standard response lifecycle.
Event vs. Alert vs. Incident
Only an incident starts the legal stopwatch.
| Term | Definition | Example |
|---|---|---|
| Event | Any observable occurrence on a system or network | A login, a file write |
| Alert | An event, or a correlation of events, flagged for a human's attention | "Impossible travel" login |
| Incident | A confirmed violation (or imminent threat of violation) of security policy | Confirmed credential theft |
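The table above is a pipeline: events are cheap and plentiful, alerts are the few events a rule deems worth a look, and an incident exists only once a human confirms the policy violation. The following is an added example, not code from the course: it runs an "impossible travel" rule over a handful of constructed login events, raises alerts, and promotes an alert to an incident only when an analyst confirms it. The user names, coordinates, timestamps and the 900 km/h plausibility threshold are all assumptions chosen for illustration.

```python
"""Event -> alert -> incident over constructed login events (added example)."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample EVENTS: (user, ISO-8601 timestamp, latitude, longitude, city).
# Every login is an event and nothing more until a rule says otherwise.
SAMPLE_EVENTS = [
    ("alice", "2024-03-10T02:55:00Z", 51.5074,  -0.1278, "London"),
    ("alice", "2024-03-10T03:10:00Z", 40.7128, -74.0060, "New York"),
    ("bob",   "2024-03-10T01:00:00Z", 48.8566,   2.3522, "Paris"),
    ("bob",   "2024-03-10T06:30:00Z", 52.5200,  13.4050, "Berlin"),
]

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly airliner cruising speed


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime
    lat: float
    lon: float
    city: str


def parse_event(raw):
    """Turn one constructed tuple into a timezone-aware LoginEvent."""
    user, ts, lat, lon, city = raw
    return LoginEvent(user, datetime.fromisoformat(ts.replace("Z", "+00:00")), lat, lon, city)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    earth_radius_km = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def impossible_travel_alerts(events):
    """Promote consecutive EVENT pairs to ALERTS when the implied speed is implausible."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e.user, e.ts)):
        by_user.setdefault(e.user, []).append(e)
    alerts = []
    for user, logins in by_user.items():
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if hours <= 0:
                # Simultaneous logins: any distance at all is impossible travel.
                speed = float("inf") if km > 0 else 0.0
            else:
                speed = km / hours
            if speed > MAX_PLAUSIBLE_KMH:
                alerts.append({"user": user, "from": prev.city, "to": cur.city,
                               "km": round(km), "hours": round(hours, 2), "kmh": speed})
    return alerts


def triage(alerts, confirmed_users):
    """An ALERT becomes an INCIDENT only once a human confirms the policy violation."""
    return [dict(a, status="incident") for a in alerts if a["user"] in confirmed_users]


if __name__ == "__main__":
    events = [parse_event(r) for r in SAMPLE_EVENTS]
    alerts = impossible_travel_alerts(events)
    for a in alerts:
        print(f"ALERT {a['user']}: {a['from']} -> {a['to']} ({a['km']} km in {a['hours']} h)")
    # Only the analyst's confirmation starts the clock; an empty set means no incident yet.
    print("incidents:", triage(alerts, confirmed_users={"alice"}))
```

Bob's Paris-to-Berlin hop (roughly 880 km in 5.5 hours) stays an event; Alice's London-to-New York hop (roughly 5,570 km in 15 minutes) becomes an alert, and an incident only when `triage` is told an analyst confirmed it.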
Why Employers Pay for This
- 💰 Money Industry breach-cost studies put the saving from a tested IR capability at roughly $1–2M per incident.
- ⚖️ Regulation Missed notification deadlines mean fines on top of the breach costs themselves.
- 🤝 Trust Transparent handling protects the brand; cover-ups destroy it.
The NIST SP 800-61 Lifecycle
Incident handling is a loop, not a sprint. NIST SP 800-61 Rev. 2 describes four phases, with the last one feeding back into the first:
Preparation
Policies, tooling, and training. Getting ready before the 3 a.m. call happens.
Detection & Analysis
Noticing the event, deciding whether it is an alert, confirming whether it is an incident, and scoping it.
Containment, Eradication & Recovery
Stopping the spread, removing the attacker's foothold, and restoring normal operations.
Post-Incident Activity
Lessons learned, evidence retention, and the changes that go back into Preparation.
Lesson 2
Core Security Concepts & Risk
Explore the foundational properties of security (CIA), understand the terminology executives use, and actively calculate risk.
Confidentiality
"Only authorised parties can read this." Preventing disclosure.
Integrity
"Nobody has altered this without authorisation." Invisible until consequences arrive.
Availability
"Authorised users can get in when they need to." Operations continuity.
The Executive Vocabulary
Threat
Anything that can cause harm (adversary, storm, insider). Threats are potential.
Vulnerability
A weakness the threat can use (unpatched server). Vulnerabilities are present.
Exploit
The specific method or tool used (Metasploit, phishing).
Risk
The likelihood that a threat uses a vulnerability, weighted by the business consequence. Risk is measured.
Interactive Risk Calculator
Risk = Likelihood × Impact. A score on a slide beats a feeling in a meeting.
Lesson 3
Types of Security Incidents
Learn how to classify an incident using a multi-dimensional approach to determine immediate escalation paths.
The Seven Incident Families
High Volume
- 1. Malicious code (viruses, ransomware)
- 2. Social engineering (phishing, BEC)
- 3. Denial of Service (DoS/DDoS)
- 4. Unauthorised access (stolen creds)
High Impact (Career makers/breakers)
- 5. Data exposure (exfiltration)
- 6. Insider threats (malicious/accidental)
- 7. Supply-chain (vendor backdoor)
The Decision Map (Severity × Scope)
Severity (how bad) on one axis, scope (how many users, hosts, or systems) on the other; each cell of the grid maps to an escalation path. The same pattern showing up across many users is almost always an attacker, not coincidence, and is escalated on scope alone.
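The risk calculator from Lesson 2 and the decision map above are two halves of one procedure: score the risk, band it into a severity, band the affected population into a scope, then read the escalation path off the grid. The following is an added example, not the course's own tool, that carries both through in code. The 1–5 scales, the band cut-offs, the scope thresholds, the high-impact-family floor and the escalation targets are assumptions chosen for illustration; a real organisation writes its own values into policy.

```python
"""Severity x scope decision map with Likelihood x Impact scoring (added example)."""
from dataclasses import dataclass

# The seven incident families from Lesson 3.
FAMILIES = {
    "malicious_code", "social_engineering", "dos", "unauthorised_access",
    "data_exposure", "insider", "supply_chain",
}
# Lesson 3's "high impact" group: assumption that these never sit below "high".
HIGH_IMPACT_FAMILIES = {"data_exposure", "insider", "supply_chain"}

# Assumed escalation path for each severity band.
ESCALATION = {
    "low": "SOC Tier 1",
    "medium": "SOC Tier 2",
    "high": "CSIRT",
    "critical": "CSIRT + executive stakeholders",
}


def risk_score(likelihood, impact):
    """Risk = Likelihood x Impact, each on an assumed 1-5 ordinal scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be integers in 1..5")
    return likelihood * impact


def severity_band(score):
    """Map a 1-25 risk score to a band (assumed cut-offs)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def scope_band(affected_count):
    """Scope from the number of affected users/hosts (assumed thresholds)."""
    if affected_count >= 50:
        return "enterprise"
    if affected_count >= 5:
        return "multi"
    return "single"


@dataclass(frozen=True)
class Classification:
    family: str
    severity: str
    scope: str
    escalate_to: str
    rationale: str


def classify(family, likelihood, impact, affected_count):
    """Read the escalation path off the severity x scope grid."""
    if family not in FAMILIES:
        raise ValueError(f"unknown incident family: {family}")
    severity = severity_band(risk_score(likelihood, impact))
    scope = scope_band(affected_count)
    notes = []
    # Floor: the career-breaker families are never handled as routine.
    if family in HIGH_IMPACT_FAMILIES and severity in ("low", "medium"):
        severity, _ = "high", notes.append("high-impact family floor")
    # A pattern across many users is almost always an attacker: scope lifts severity.
    if scope == "enterprise" and severity != "critical":
        severity, _ = "critical", notes.append("pattern across many users")
    elif scope == "multi" and severity in ("low", "medium"):
        severity, _ = "high", notes.append("multi-user scope")
    return Classification(family, severity, scope, ESCALATION[severity],
                          "; ".join(notes) or "score only")


if __name__ == "__main__":
    # One phished user is Tier 2 work; the same phish landing on 60 users is a CSIRT-plus-execs incident.
    print(classify("social_engineering", likelihood=2, impact=2, affected_count=1))
    print(classify("social_engineering", likelihood=2, impact=2, affected_count=60))
    print(classify("data_exposure", likelihood=1, impact=2, affected_count=1))
```

The point of the floor and the scope rules is that the grid is not a pure product of two numbers: family and breadth override a low score, which is exactly the judgement the decision map is meant to make repeatable.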
Lesson 4
Response Team Structures
Identify the key players in an incident, from the front-line SOC to the executive stakeholders, and how to test coordination.
🎧 The SOC (Front Line)
The emergency call centre of cybersecurity. Operates 24×7. Main tool: the SIEM.
- Tier 1 First-pass alert triage.
- Tier 2 Deeper analysis, threat hunting.
- Tier 3 Forensics, malware reverse-engineering.
🥼 The CSIRT (Surgery Dept)
Takes over when an alert becomes a confirmed incident. May sit inside or outside the SOC.
- ▸ Uses memory forensics & disk imaging
- ▸ Analyzes malware and packet captures
- ▸ Coordinates with law enforcement and other external parties
The Tabletop Exercise
The cheapest, highest-impact investment in IR. A 2-hour meeting, no keyboards. A facilitator reads a scenario, and everyone answers: "what do you do next?"
If you remember one thing from Lesson 4: run tabletops.
Lesson 5
Legal & Regulatory Clocks
The clock starts before you fully understand what happened. Missing deadlines means fines on top of breach costs.
🇪🇺 GDPR 72 HOURS
General Data Protection Regulation. Applies to any organisation, wherever it is located, that processes the personal data of people in the EU.
- ▸ Clock starts: At awareness, which means a reasonable degree of certainty that a breach has occurred, not a complete investigation.
- ▸ Penalties: Up to €20M or 4% of global annual turnover, whichever is higher.
- ▸ Action: Notify the lead supervisory authority within 72 hours (Art. 33); where the breach is likely to result in high risk to individuals, notify them without undue delay (Art. 34).
🇺🇸 HIPAA 60 DAYS
Health Insurance Portability & Accountability Act. Governs Protected Health Information (PHI).
- ▸ Clock starts: At discovery; 60 calendar days is the outer limit, the rule requires notice "without unreasonable delay".
- ▸ Penalties: Tiered civil penalties with an annual cap per violation category (historically $1.5M; the caps are adjusted for inflation).
- ▸ Action: Notify affected individuals and HHS. Breaches affecting 500 or more individuals are reported to HHS at once, and to prominent media for the affected state; smaller breaches go in the annual log to HHS.
Visualizing the Regulatory Urgency
Internal clocks must always be tighter than external clocks. Calendar the deadlines the moment the incident is confirmed.
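Calendaring the deadlines is mechanical once the awareness timestamp is fixed, and making it mechanical is the point: nobody should be doing 72-hour arithmetic across time zones at 3 a.m. The following is an added example, not the course's own tool, that builds the calendar from the two clocks on this page (72 hours for GDPR, 60 days for HIPAA), pairs each external deadline with a tighter internal one, and refuses naive timestamps. The half-window internal ratio and the sample awareness time are assumptions.

```python
"""Regulatory deadline calendar from the moment of awareness (added example)."""
from datetime import datetime, timedelta, timezone

# External clocks as stated on this page. Both run from awareness/discovery.
EXTERNAL_CLOCKS = {
    "GDPR Art. 33 supervisory authority": timedelta(hours=72),
    "HIPAA Breach Notification Rule": timedelta(days=60),
}
INTERNAL_RATIO = 0.5  # assumption: internal deadline falls at half the external window

# Constructed sample awareness time (UTC). Real entries come from the incident ticket.
SAMPLE_AWARENESS = datetime(2024, 3, 10, 3, 0, tzinfo=timezone.utc)


def build_deadline_calendar(awareness, clocks=EXTERNAL_CLOCKS, internal_ratio=INTERNAL_RATIO):
    """Return (due_time, label) entries sorted soonest-first.

    Every external clock gets a paired internal clock that is strictly tighter,
    which is the invariant this lesson insists on.
    """
    if awareness.tzinfo is None:
        raise ValueError("awareness time must be timezone-aware; a naive time is ambiguous")
    if not 0 < internal_ratio < 1:
        raise ValueError("internal clock must be strictly tighter than the external one")
    entries = []
    for name, window in clocks.items():
        entries.append((awareness + window * internal_ratio, f"INTERNAL: {name} notification drafted"))
        entries.append((awareness + window, f"EXTERNAL: {name} notification due"))
    entries.sort()
    return entries


def hours_from_awareness(awareness, when):
    """Elapsed hours between awareness and a calendar entry."""
    return (when - awareness).total_seconds() / 3600.0


def next_due(calendar, now):
    """The first entry not yet past; None when every deadline has gone by."""
    for due, label in calendar:
        if due > now:
            return due, label
    return None


if __name__ == "__main__":
    calendar = build_deadline_calendar(SAMPLE_AWARENESS)
    for due, label in calendar:
        print(f"{due.isoformat()}  (+{hours_from_awareness(SAMPLE_AWARENESS, due):>7.1f} h)  {label}")
    print("next:", next_due(calendar, SAMPLE_AWARENESS + timedelta(hours=40)))
```

With the sample values the first line printed is the internal GDPR deadline at +36 hours, then the external one at +72 hours, so the draft exists a day and a half before the regulator's clock runs out.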