Our industry experts share their top 10 tips for incident analysis – from establishing the basics to leveraging results to assess, manage and mitigate risk.
Before you can do any sort of analysis, you need to accurately record the relevant information. Document what happened, when it happened, where it happened, why it happened, who was involved, and how much was lost. Then, be consistent with your documentation across the board. With proper policies and procedures in place at the front end, you can go a long way in ensuring accurate and meaningful analysis on the back end.
The more data you have, the more you’ll be able to cross-reference and compare, and the more meaningful your conclusions will be. There’s tremendous value in going beyond one location, or one department, to get an enterprise-wide understanding of your incident and investigation activity.
Incident records are sensitive, so the most effective incident management systems let you segregate data by location and role: some users are restricted to reviewing (or analyzing) incident activity at their own sites, while others are granted access across the enterprise. That way the wider view described above does not come at the cost of exposing every record to every user.
When it comes to analysis, numbers talk, especially when they involve dollar signs. For example, one of the first steps in the risk assessment process is the creation of a Loss Event Profile.
It records the type of incident that has occurred (the threat), how often it happens (frequency), and how much each occurrence costs your organization (impact in dollars). Without a proper tracking system, generating a Loss Event Profile can be difficult or impossible. Conversely, with an effective incident management system, you can roll accurate incident data right into your security risk assessment program.
As you track incidents, you generate data. Then, to effectively analyze this data, you need to correlate it. This can be tricky and time-consuming, especially if you want to perform analyses across multiple parameters… say, for example, location, date, and classification. Doing it manually is almost impossible, and automated systems do it to varying degrees. Ensure that your system meets your analytical needs to minimize, or eliminate, any manual manipulation of the data.
Data mining, investigative queries… you need the power to determine who was involved and when, how something happened and why. Spend some time analyzing for investigative facts.
Scan your results for recurring patterns, names, or other investigative details that may help solve an open case.
Are we doing better, or worse, than last year? How do November’s numbers compare with December’s? To compare this year with last year, or November 2015 with December 2015, you need a reliable record of what happened in the past: you need to be able to pull up that data easily, work with any time frame, and clearly illustrate upswings or downturns. For this type of analysis, numbers are useful, but graphs and charts speak volumes.
You need to allocate resources based on known issues, and you need to place the appropriate countermeasures against recurring problems. But, first, you need to justify the funds. Take the time to produce reports, graphs, and statistics that demonstrate the effectiveness of your security department and your contribution to the bottom line. Then, present how you can become even more effective with additional investments in capital, operational, or human assets.
Spotting trends, tracking losses and threats, sharing information, performing analytical queries, and generating graphical reports… all of these activities help you make knowledge-based decisions, decisions that are backed by evidence, justified by real numbers and more readily accepted by management. Statements based on “I think” and “I believe” only get you so far… give them something they can’t argue with… give them hardcore statistics.
So, what types of information should you routinely “analyze”? Two things to frequently watch for are patterns and trends. What do your incidents have in common? Is it the time… the location… an employee? After all, when you can identify a common element, you can do something about it. Commit some time to reviewing your incident records and to running routine analyses that look for common threads… sometimes you’ll be surprised at what you see. Even an obvious pattern can be easily missed if no one takes the time to look for it.
The threat assessment process requires a historical record of past incidents, that is, empirical data rather than impressions. To mitigate risk, you need to know what threats are occurring, how often they occur, where they occur, and how much they cost you each time they happen. With effective incident documentation, you lay the foundation for knowledge-based decision-making and are equipped with the tools necessary to spot trends and measure performance, all of which assist you in the risk mitigation process.
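As an added example that is not part of the original article, the Python below works through the analyses described above on a small constructed incident log: a Loss Event Profile per incident type (the threat, its frequency and its cost per occurrence), a cross-tabulation over location, month and classification, a November-versus-December comparison, and a search for a common element (place, hour, person) behind a recurring incident type. Every record, name, location and dollar figure is invented for illustration; the field names and functions are this example's own, not those of any particular incident management product.

```python
"""Added example: analysing a constructed incident log.

Each record holds the what / when / where / who / how-much fields the
article says must be documented before any analysis is possible.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample data for illustration only; not real incidents.
FIELDS = ("when", "where", "what", "who", "loss")
RAW = [
    ("2015-11-03 02:10", "Warehouse A", "Theft",     "Contractor 17", 1200.0),
    ("2015-11-10 02:45", "Warehouse A", "Theft",     "Contractor 17",  800.0),
    ("2015-11-18 14:00", "Office B",    "Vandalism", "Unknown",        300.0),
    ("2015-11-27 02:30", "Warehouse A", "Theft",     "Contractor 17", 1000.0),
    ("2015-12-02 09:15", "Office B",    "Theft",     "Unknown",        150.0),
    ("2015-12-09 02:05", "Warehouse A", "Theft",     "Contractor 17", 1400.0),
    ("2015-12-15 16:40", "Office B",    "Vandalism", "Unknown",        450.0),
    ("2015-12-21 11:00", "Lab C",       "Trespass",  "Visitor 4",        0.0),
]
INCIDENTS = [dict(zip(FIELDS, row)) for row in RAW]


def enrich(record):
    """Return a copy of the record with derived 'month' and 'hour' keys."""
    when = datetime.strptime(record["when"], "%Y-%m-%d %H:%M")
    out = dict(record)
    out["month"] = when.strftime("%Y-%m")
    out["hour"] = when.strftime("%H")
    return out


def loss_event_profile(incidents):
    """Per incident type: how often it happened and what it cost (total and per event)."""
    profile = defaultdict(lambda: {"count": 0, "total_loss": 0.0})
    for r in incidents:
        profile[r["what"]]["count"] += 1
        profile[r["what"]]["total_loss"] += r["loss"]
    for entry in profile.values():
        entry["avg_loss"] = entry["total_loss"] / entry["count"]
    return dict(profile)


def cross_tab(incidents, *keys):
    """Count incidents for every combination of the given fields (e.g. where, month, what)."""
    return Counter(tuple(enrich(r)[k] for k in keys) for r in incidents)


def compare_months(incidents, earlier, later):
    """Counts and losses for two months ('YYYY-MM') and the change from earlier to later."""
    totals = {earlier: {"count": 0, "loss": 0.0}, later: {"count": 0, "loss": 0.0}}
    for r in map(enrich, incidents):
        if r["month"] in totals:
            totals[r["month"]]["count"] += 1
            totals[r["month"]]["loss"] += r["loss"]
    return {
        "earlier": totals[earlier],
        "later": totals[later],
        "count_change": totals[later]["count"] - totals[earlier]["count"],
        "loss_change": totals[later]["loss"] - totals[earlier]["loss"],
    }


def common_elements(incidents, what, threshold=0.6, fields=("where", "hour", "who")):
    """For one incident type, report each field whose most frequent value covers
    at least `threshold` of the records: a candidate common thread to act on."""
    subset = [enrich(r) for r in incidents if r["what"] == what]
    if not subset:  # nothing recorded for this classification
        return {}
    findings = {}
    for field in fields:
        value, n = Counter(r[field] for r in subset).most_common(1)[0]
        share = n / len(subset)
        if share >= threshold:
            findings[field] = (value, round(share, 2))
    return findings


if __name__ == "__main__":
    for what, entry in loss_event_profile(INCIDENTS).items():
        print(f"{what:10s} count={entry['count']} avg_loss=${entry['avg_loss']:.2f}")
    for combo, n in cross_tab(INCIDENTS, "where", "month", "what").most_common():
        print(combo, n)
    print(compare_months(INCIDENTS, "2015-11", "2015-12"))
    print("Theft common elements:", common_elements(INCIDENTS, "Theft"))
```

On the sample data the Theft profile shows five events averaging $910 each, and `common_elements` flags the same location, the same early-morning hour and the same person in four of the five thefts, the kind of obvious pattern that is easily missed when nobody runs the query. The threshold is a starting point, not a rule: lower it when you have many records per classification, and treat any finding as a lead for investigation rather than a conclusion.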