Incident scope is the extent of a computer security incident: which hosts and accounts were affected, what data could have been accessed or taken, over what period the attacker was active, and what the attacker appears to have been trying to achieve.
When a security incident is detected, one of the first tasks is to determine which parts of the system or network have been affected. This is called "incident scoping", and it requires an accurate picture of the environment: what assets exist, how they are connected, which accounts can reach which systems, and which logs are available to trace the attacker's activity. Scoping is iterative rather than a one-time step: each new indicator (an attacker address, a compromised account, a host the attacker moved to) is pivoted across the available evidence, and the scope is widened until no further affected systems turn up.
The scope of the incident is the measure of how large the attack is, and therefore of how severe the damage may be. It is also what containment and eradication are planned against: a host or account left outside the scope is one the attacker keeps, so under-scoping is the more dangerous error and responders usually over-include and then confirm.
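The pivot-and-expand procedure described above, as an added Python example (this is not code from the original article). It starts from a single confirmed indicator, an attacker source IP, and expands the scope transitively over a set of constructed login and file-access events until nothing new appears, then reports the affected hosts, accounts, data paths and time window. The event format, the two expansion rules and the sample data are all assumptions made for illustration; real scoping would read these from authentication and file-audit logs.

```python
"""Incident scoping by pivoting on indicators across constructed log events.

Start from one confirmed indicator (an attacker source IP), then expand the
scope transitively until it stops growing:
  rule 1: a login from an attacker-controlled source (IP or already-scoped
          host) puts the target host and the account used into scope;
  rule 2: any login by an in-scope account at or after the first attacker
          event puts its target host into scope (the credential is assumed
          stolen, so this deliberately over-includes for later confirmation).
The result is the set of hosts, accounts and data paths, plus the time window.
"""

# Constructed sample events (not real logs). Timestamps are ISO 8601 so they
# sort correctly as strings. The first dba login predates the attack and must
# not be pulled into scope by rule 2.
EVENTS = [
    {"ts": "2024-02-28T17:00:00", "type": "login", "src": "10.0.0.51",   "user": "dba",        "host": "db02"},
    {"ts": "2024-03-01T02:10:00", "type": "login", "src": "203.0.113.7", "user": "svc_backup", "host": "web01"},
    {"ts": "2024-03-01T02:12:30", "type": "file",  "src": "web01",       "user": "svc_backup", "host": "web01", "path": "/etc/shadow"},
    {"ts": "2024-03-01T02:20:00", "type": "login", "src": "web01",       "user": "svc_backup", "host": "db01"},
    {"ts": "2024-03-01T02:25:00", "type": "file",  "src": "db01",        "user": "svc_backup", "host": "db01", "path": "/var/lib/db/customers.sql"},
    {"ts": "2024-03-01T02:40:00", "type": "login", "src": "db01",        "user": "dba",        "host": "db02"},
    {"ts": "2024-03-01T08:00:00", "type": "login", "src": "10.0.0.50",   "user": "alice",      "host": "web02"},
    {"ts": "2024-03-01T08:05:00", "type": "file",  "src": "web02",       "user": "alice",      "host": "web02", "path": "/srv/www/index.html"},
    {"ts": "2024-03-01T09:00:00", "type": "login", "src": "10.0.0.51",   "user": "dba",        "host": "db01"},
]


def scope_incident(events, seed_sources):
    """Return the incident scope reachable from the seed indicators."""
    events = sorted(events, key=lambda e: e["ts"])
    seed_hits = [e["ts"] for e in events
                 if e["type"] == "login" and e["src"] in seed_sources]
    if not seed_hits:
        raise ValueError("no login events match the seed indicators; nothing to scope")
    t0 = seed_hits[0]  # earliest confirmed attacker activity

    sources = set(seed_sources)  # attacker-controlled origins: IPs and scoped hosts
    users, hosts = set(), set()

    def in_scope_login(e):
        return (e["type"] == "login" and e["ts"] >= t0
                and (e["src"] in sources or e["user"] in users))

    # Fixed-point expansion: repeat full passes until one adds nothing.
    while True:
        before = (len(sources), len(users), len(hosts))
        for e in events:
            if in_scope_login(e):
                hosts.add(e["host"])
                sources.add(e["host"])   # the attacker can now pivot from here
                users.add(e["user"])
        if (len(sources), len(users), len(hosts)) == before:
            break

    def in_scope_file(e):
        # Data touched on a scoped host by a scoped account, after t0.
        return (e["type"] == "file" and e["ts"] >= t0
                and e["host"] in hosts and e["user"] in users)

    attributed = [e for e in events if in_scope_login(e) or in_scope_file(e)]
    return {
        "hosts": sorted(hosts),
        "users": sorted(users),
        "data": sorted(e["path"] for e in attributed if e["type"] == "file"),
        "first": attributed[0]["ts"],
        "last": attributed[-1]["ts"],
        "event_count": len(attributed),
    }


if __name__ == "__main__":
    for key, value in scope_incident(EVENTS, ["203.0.113.7"]).items():
        print(f"{key}: {value}")
```

On the sample data the scope grows from one host (web01) to three (web01, db01, db02) and two accounts (svc_backup, dba), with two sensitive files attributed and a window from 02:10 to 09:00; alice on web02 stays out of scope. Rule 2 is the conservative choice: it would also pull in a legitimate dba session from a new address after the attack began, which is exactly the kind of candidate a responder then confirms or clears by hand rather than silently leaving out.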
In addition to the extent of the attack, incident scope may also refer to the size of the response. The same scoping work that establishes the magnitude of the attack determines the scale of the security response: how many people and systems are involved in the incident response process, and which internal authorities, external parties and legal or regulatory jurisdictions will be involved in the investigation and response.
Knowing the scope of both the attack and the response allows an organization to make an informed decision about how to proceed and which steps are needed to contain and remediate the attack. The same information feeds the post-incident review, showing which elements of the security posture, such as policy, procedure and logging coverage, should be changed to better protect the organization in the future.