Security Incident Severity Triage
Assess incident severity and get P1-P4 classification. Enter values for instant results with step-by-step formulas.
Formula
Severity = f(Data, Users, Criticality, Attack, Containment, Regulatory)

The worked examples below apply this as a weighted sum. Each of the five rated factors is scored 0-10 and multiplied by its weight; containment is a fixed penalty:

Data exposure × 15
Users affected × 10
System criticality × 12
Attack sophistication × 8
Regulatory risk × 10
Containment: none = 30, partial = 15, contained = 0

Raw total = weighted sum + containment penalty (maximum possible 580). The priority bands used in the examples are on a 0-100 scale: P1 Critical ≥ 80, P2 High ≥ 60, P3 Medium ≥ 40, P4 Low below 40. The examples show the raw products but do not spell out the scaling; dividing the raw total by 580 (the maximum) reproduces the P1 and P2 classifications below, and the worked totals use that reading. The score is a triage aid, not a verdict: an analyst may raise the band when a specific fact (such as a valid credential handed to the attacker) demands it, and should re-score as new facts arrive.
Worked Examples
Example 1: Ransomware Attack - Critical
Problem: Ransomware encrypted file server. 500 users affected. Contains customer PII. Attack is sophisticated. Not yet contained. High regulatory risk (GDPR). Score and respond.
Solution: Severity factors:
Data exposure: 9/10 (customer PII)
→ Score: 9 × 15 = 135
Users affected: 8/10 (500 users is significant)
→ Score: 8 × 10 = 80
System criticality: 7/10 (file server is important but not the core production system)
→ Score: 7 × 12 = 84
Attack sophistication: 8/10 (ransomware with lateral movement)
→ Score: 8 × 8 = 64
Containment: none
→ Score: 30
Regulatory risk: 9/10 (GDPR + PII)
→ Score: 9 × 10 = 90

Raw total: 135 + 80 + 84 + 64 + 30 + 90 = 483
Scaled: 483 ÷ 580 × 100 ≈ 83 → above 80 → P1 CRITICAL

Immediate actions:
1. Isolate infected systems (pull them off the network; do not power them off, since a reboot loses volatile memory and running processes)
2. Activate the incident response team
3. Notify CISO, CEO, Legal
4. Preserve evidence (image disks and memory before any rebuild; do not wipe systems)
5. Assess backup integrity (confirm backups are offline or immutable and were not encrypted too)
6. Prepare for GDPR notification (72 hours from becoming aware of the breach)
7. Engage the forensics team

DO NOT pay the ransom without an executive decision.
Result: P1 CRITICAL | Immediate response | Escalate to CEO/CISO/Legal | GDPR notification clock started
Example 2: Phishing Email - Medium
Problem: Employee clicked phishing link, entered credentials. Affects that one employee. Email system, not critical. Basic phishing. Credentials changed immediately. Low regulatory risk.
Solution: Severity factors:
Data exposure: 3/10 (one set of credentials, no PII)
→ Score: 3 × 15 = 45
Users affected: 2/10 (single user)
→ Score: 2 × 10 = 20
System criticality: 4/10 (email is not critical infrastructure here)
→ Score: 4 × 12 = 48
Attack sophistication: 3/10 (basic phishing)
→ Score: 3 × 8 = 24
Containment: contained (password changed)
→ Score: 0
Regulatory risk: 2/10 (low)
→ Score: 2 × 10 = 20

Raw total: 45 + 20 + 48 + 24 + 0 + 20 = 157
Scaled: 157 ÷ 580 × 100 ≈ 27. On the numbers alone this falls in the P4 range; it is handled as P3 MEDIUM because the employee submitted a valid credential to the attacker, so the account must be checked for follow-on abuse before the incident is closed.

Response:
1. Password already changed ✓ (also revoke the account's existing sessions and tokens; a password change does not end sessions that are already open)
2. Review the employee's mailbox for forwarding rules and other persistence
3. Check for other compromised accounts (same email campaign, same password reused elsewhere)
4. Security awareness training for the employee
5. Monitor the account for unusual activity
6. Document the incident

Response time: within 4 hours
Result: P3 MEDIUM | 4-hour response window | Security team + training for employee
Example 3: SQL Injection Attempt - High
Problem: Automated SQL injection attempts detected on customer database. No data exfiltrated (WAF blocked). 10,000 customers in that DB. Production critical system. Ongoing attempts. Medium regulatory risk.
Solution: Severity factors:
Data exposure: 5/10 (no exfiltration yet, but possible)
→ Score: 5 × 15 = 75
Users affected: 7/10 (10K customers at risk)
→ Score: 7 × 10 = 70
System criticality: 9/10 (production customer DB)
→ Score: 9 × 12 = 108
Attack sophistication: 5/10 (automated, not targeted)
→ Score: 5 × 8 = 40
Containment: partial (WAF blocking, but attempts continue)
→ Score: 15
Regulatory risk: 6/10 (customer data, moderate)
→ Score: 6 × 10 = 60

Raw total: 75 + 70 + 108 + 40 + 15 + 60 = 368
Scaled: 368 ÷ 580 × 100 ≈ 63 → above 60 → P2 HIGH

Immediate actions:
1. Verify the WAF is blocking every variant of the attempts, not just the first signature seen (WAF rules are bypassable; they buy time, they do not fix the bug)
2. Fix the injectable query in the application (parameterised queries) as soon as possible
3. Review database and application logs for any successful attempts before the WAF rule took effect
4. Rate-limit or block the attacker's IP ranges
5. Monitor for data access anomalies on the affected tables
6. Prepare the incident report

Response time: < 1 hour
Escalation: CISO
Result: P2 HIGH | 1-hour response | Escalate to CISO | Patch vulnerability immediately
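The scoring as the worked examples apply it, as an added Python example that is not part of the calculator's own code: the factor weights, the containment penalty and the 80/60/40 bands are read off the examples above; the 0-100 scaling by the maximum raw score (580), the analyst-override `floor` argument and the function names are assumptions of this example. The three incidents are the page's examples, entered here as constructed inputs.

```python
"""Incident severity scorer reproducing the weighting used on this page.

Weights, containment penalty and band thresholds come from the worked
examples. ASSUMPTION: the raw total is scaled to 0-100 by dividing by the
maximum possible raw score (580); this reproduces the P1 and P2 examples.
"""
from dataclasses import dataclass
from typing import Optional

# Weight per 0-10 factor (from the worked examples).
WEIGHTS = {"data": 15, "users": 10, "criticality": 12, "attack": 8, "regulatory": 10}
# Fixed penalty for containment state (from the worked examples).
CONTAINMENT_PENALTY = {"contained": 0, "partial": 15, "none": 30}
# Maximum possible raw score: every factor at 10 and nothing contained.
MAX_RAW = 10 * sum(WEIGHTS.values()) + max(CONTAINMENT_PENALTY.values())  # 580

# Band boundaries on the 0-100 scale, as stated in the examples.
BANDS = [(80, "P1"), (60, "P2"), (40, "P3"), (0, "P4")]
PRIORITY_ORDER = ["P4", "P3", "P2", "P1"]  # low to high

# Response window and escalation per band (Result lines and escalation FAQ).
RESPONSE = {
    "P1": ("immediate", "CISO, CEO, Legal, PR"),
    "P2": ("1 hour", "CISO, affected business unit"),
    "P3": ("4 hours", "security team lead"),
    "P4": ("not specified on this page", "on-call engineer"),
}


@dataclass
class Incident:
    name: str
    data: int          # 0-10 data exposure
    users: int         # 0-10 users affected
    criticality: int   # 0-10 system criticality
    attack: int        # 0-10 attack sophistication
    regulatory: int    # 0-10 regulatory risk
    containment: str   # "none" | "partial" | "contained"
    floor: Optional[str] = None  # ASSUMED analyst override: minimum band, e.g. "P3"


def raw_score(inc: Incident) -> int:
    """Weighted sum of the five 0-10 factors plus the containment penalty."""
    for factor in WEIGHTS:
        value = getattr(inc, factor)
        if not 0 <= value <= 10:
            raise ValueError(f"{factor} must be 0-10, got {value}")
    if inc.containment not in CONTAINMENT_PENALTY:
        raise ValueError(f"unknown containment state {inc.containment!r}")
    weighted = sum(getattr(inc, f) * w for f, w in WEIGHTS.items())
    return weighted + CONTAINMENT_PENALTY[inc.containment]


def scaled_score(inc: Incident) -> float:
    """Raw score scaled to 0-100 (assumption: divide by MAX_RAW)."""
    return round(100 * raw_score(inc) / MAX_RAW, 1)


def band_for(score: float) -> str:
    """Map a 0-100 score to P1..P4 using the page's thresholds."""
    for threshold, band in BANDS:
        if score >= threshold:
            return band
    return "P4"


def triage(inc: Incident) -> dict:
    """Score an incident; apply the analyst floor only if it raises the band."""
    scaled = scaled_score(inc)
    computed = band_for(scaled)
    band = computed
    if inc.floor and PRIORITY_ORDER.index(inc.floor) > PRIORITY_ORDER.index(band):
        band = inc.floor
    window, escalate = RESPONSE[band]
    return {"name": inc.name, "raw": raw_score(inc), "scaled": scaled,
            "computed_band": computed, "band": band,
            "window": window, "escalate": escalate}


# Constructed inputs: the three worked examples on this page.
EXAMPLES = [
    Incident("Ransomware on file server", 9, 8, 7, 8, 9, "none"),
    Incident("Phishing, credentials entered", 3, 2, 4, 3, 2, "contained", floor="P3"),
    Incident("SQLi attempts blocked by WAF", 5, 7, 9, 5, 6, "partial"),
]


def run_examples() -> list:
    return [triage(inc) for inc in EXAMPLES]


if __name__ == "__main__":
    for result in run_examples():
        print(f"{result['name']}: raw {result['raw']}, scaled {result['scaled']}, "
              f"{result['band']} (score alone: {result['computed_band']}), "
              f"respond {result['window']}, escalate to {result['escalate']}")
```

The phishing case is the one to watch: on the score alone it lands in P4, and only the explicit `floor` lifts it to the P3 the page assigns. Keeping the computed band and the final band in the output makes that override visible in the ticket rather than buried in the number.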
Frequently Asked Questions
What is incident severity scoring?
Severity scoring classifies security incidents (P1/Critical to P4/Low) from six inputs: data exposure, users affected, system criticality, attack sophistication, containment status and regulatory risk. The band drives response urgency, the escalation path and resource allocation. Clear severity criteria prevent both under-reaction (ignoring serious threats) and over-reaction (declaring emergencies for minor issues); the score should be revisited as the investigation changes the inputs.
What is incident containment?
Containment = stopping attack progression. Methods: disconnect affected systems from the network, kill attacker sessions, patch the exploited vulnerability, block attacker IPs, disable compromised accounts. Goal: prevent further damage while preserving evidence. Containment must be fast but must not destroy the forensic artifacts needed for investigation: prefer network isolation over powering a host off (a reboot loses memory-resident evidence), and capture disk and memory images before rebuilding.
How do we escalate security incidents?
Escalation paths: P4 → on-call engineer. P3 → security team lead. P2 → CISO, affected business unit. P1 → CISO, CEO, legal, PR. Automation helps: PagerDuty, Slack bots. Clear escalation paths prevent: delays, wrong people notified, or everyone notified for minor issues.
What's the role of regulatory risk in severity?
Regulatory risk = potential for fines (GDPR up to €20M or 4% of global annual turnover, whichever is higher; HIPAA civil penalties up to $50K per violation, with annual caps), mandatory disclosure, and consent decrees. High regulatory exposure (healthcare, finance, EU operations) raises severity even if the technical impact is contained. Involve legal early for high regulatory risk, since notification clocks (such as GDPR's 72 hours) start when the breach becomes known, not when the investigation finishes.
What inputs do I need to use Security Incident Severity Triage accurately?
Six inputs, each rated from the incident facts: data exposure, users affected, system criticality, attack sophistication and regulatory risk on a 0-10 scale, plus the containment status (none, partial, contained). No physical units are involved. Rate from what is known at the time and re-score as facts change; the formula section above lists the weight each factor carries and the priority bands.