UnixTime

Research Note

RISK-0004 Uncoordinated Incident Response Allows Compromise to Spread

Because confirmed incidents are handled without a documented response record and authority model, containment may be delayed or inconsistent across teams.

On this page

RISK-0004

Risk summary

Likelihood
3
Impact
5
Score
15
Level
High
  1. 01

    Asset

    Production systems, identity infrastructure, endpoint fleet, cloud accounts, and response decision records.

    Business object or system that needs protection.
  2. 02

    Threat

    Active attacker activity after initial compromise, including privilege escalation, lateral movement, data access, or destructive action.

    Event, actor, or condition that can create harm.
  3. 03

    Vulnerability

    Response procedures are too generic, response decisions are made in informal chat, action ownership is unclear, and legal/privacy/evidence decisions are delayed.

    Weakness that makes the threat relevant.
  4. 04

    Risk

    Because confirmed incidents are handled without a documented response record and authority model, containment may be delayed or inconsistent across teams, allowing compromise to spread.

    Scenario evaluated with likelihood, impact, and ownership.
  5. 05

    Treatment

    Mitigate through documented response procedures, incident action logs, ownership of containment and recovery, communication decisions, evidence decisions, and management approval for high-impact actions.

    Decision path for reducing, accepting, transferring, or avoiding risk.

Assessment Rationale

Likelihood

The likelihood is medium because confirmed incidents require multiple teams to act under time pressure. Without a response record and authority model, action quality depends on who happens to be available.

Impact

The impact is critical because containment delay can increase affected systems, data exposure, recovery time, evidence loss, and stakeholder impact.

Residual Risk

After treatment, residual risk is estimated as medium if response records show timely containment, assigned owners, evidence decisions, and recovery validation.

Review Notes

Review after every confirmed incident and after tabletop exercises that expose response coordination gaps.

Software Object Mapping

  • risk
  • incident_response
  • control
  • evidence
  • Iso27005
  • Risk
  • Iso27001
  • Incident management

Note Metadata

Aliases: RISK-0004

Source: 05-Risk-Knowledge-Base/RISK-0004-Uncoordinated-Incident-Response.md