<a href="https://colab.research.google.com/github/guilhermelaviola/CybersecurityProblemSolvingWithDataScience/blob/main/Class15.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# **Security Incident Management**
Security incident management is a structured cybersecurity process focused on preparing for, detecting, responding to, and recovering from security incidents such as data breaches, cyberattacks, and malware infections. It relies on a well-defined incident response plan that includes preparation, detection and analysis, containment, recovery, and lessons learned. Key elements include incident classification and prioritization based on severity, urgency, business impact, and data sensitivity; coordinated communication among internal and external stakeholders; forensic analysis and post-incident assessment; and continuous improvement through testing, training, and plan updates. Together, these practices help organizations minimize impact, restore operations quickly, and strengthen resilience against future threats.

In [1]:
# Importing all the necessary libraries and resources:
from enum import Enum
from datetime import datetime

## **Incident Classification and Prioritization**
The following example demonstrates how an organization might programmatically classify and prioritize incidents to ensure critical issues are addressed first.

In [5]:
# Classifying incident priority based on severity and urgency:
def classify_incident(severity, urgency):
    if severity == 'High' and urgency == 'High':
        return 'Critical'
    elif severity == 'High' or urgency == 'High':
        return 'High'
    elif severity == 'Medium':
        return 'Medium'
    else:
        return 'Low'

# Example incident details:
incident = {
    'type': 'Data Breach',
    'severity': 'High',
    'urgency': 'High',
    'data_sensitivity': 'Confidential'
}

priority = classify_incident(
    incident['severity'],
    incident['urgency']
)

# Outer double quotes: reusing the f-string's own quote inside the braces
# is a SyntaxError on Python versions before 3.12.
print(f"Incident Type: {incident['type']}")
print(f'Assigned Priority: {priority}')

Incident Type: Data Breach
Assigned Priority: Critical
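As an added example (not code from the notebook), the scorer below extends the severity/urgency rule in the cell above to the two other factors the introduction names, business impact and data sensitivity, and keeps that rule as a floor so a High-severity incident can never be ranked below High. The weights, tier thresholds and the sample backlog are constructed assumptions for the illustration.

```python
from dataclasses import dataclass

# Ordinal scale shared by the four factors the text lists; the weights and
# tier thresholds are constructed for this example, not taken from the page.
SCALE = {'Low': 1, 'Medium': 2, 'High': 3}
WEIGHTS = {'severity': 3, 'urgency': 2, 'business_impact': 2, 'data_sensitivity': 1}
TIERS = ['Low', 'Medium', 'High', 'Critical']

@dataclass
class Incident:
    incident_id: str
    severity: str
    urgency: str
    business_impact: str
    data_sensitivity: str

def priority_score(inc):
    """Weighted sum of the four factors (8 = all Low, 24 = all High)."""
    score = 0
    for factor, weight in WEIGHTS.items():
        level = getattr(inc, factor)
        if level not in SCALE:  # reject unknown levels instead of mis-ranking
            raise ValueError(f'{factor}={level!r} not in {sorted(SCALE)}')
        score += weight * SCALE[level]
    return score

def priority_tier(inc):
    """Tier from the score, floored by the severity/urgency rule used above."""
    s = priority_score(inc)
    tier = 'Critical' if s >= 21 else 'High' if s >= 17 else 'Medium' if s >= 13 else 'Low'
    if inc.severity == 'High' and inc.urgency == 'High':
        return 'Critical'
    if inc.severity == 'High' or inc.urgency == 'High':
        return max(tier, 'High', key=TIERS.index)  # at least High
    return tier

def triage_queue(incidents):
    """Tier first, then score, then id, so the order is stable and auditable."""
    return sorted(incidents, key=lambda i: (-TIERS.index(priority_tier(i)),
                                            -priority_score(i), i.incident_id))

# Constructed sample backlog:
BACKLOG = [
    Incident('INC-001', 'High', 'High', 'Low', 'Low'),
    Incident('INC-002', 'Medium', 'Medium', 'High', 'High'),
    Incident('INC-003', 'Low', 'Low', 'Low', 'Low'),
    Incident('INC-004', 'Medium', 'Medium', 'Medium', 'Medium'),
    Incident('INC-005', 'Low', 'High', 'Low', 'Medium'),
]
```

Calling `triage_queue(BACKLOG)` orders INC-001 (Critical by the floor) ahead of INC-002, whose raw score is higher only because of business impact and data sensitivity.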


## **Security Incident Management**
The example below demonstrates incident classification, prioritization, response workflow, communication, and lessons learned.

In [6]:
# Incident Classification Enums:
class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    CRITICAL = 4

class IncidentStatus(Enum):
    DETECTED = 'Detected'
    ANALYZING = 'Analyzing'
    CONTAINED = 'Contained'
    RECOVERED = 'Recovered'
    CLOSED = 'Closed'

# Incident Data Model:
class SecurityIncident:
    def __init__(self, incident_id, description, severity, data_sensitivity):
        self.incident_id = incident_id
        self.description = description
        self.severity = severity
        self.data_sensitivity = data_sensitivity
        self.status = IncidentStatus.DETECTED
        self.detected_at = datetime.utcnow()
        self.timeline = []

        self._log_event('Incident detected')

    def _log_event(self, message):
        self.timeline.append({
            'timestamp': datetime.utcnow(),
            'message': message
        })

    def analyze(self):
        self.status = IncidentStatus.ANALYZING
        self._log_event('Incident analysis started')

    def contain(self):
        self.status = IncidentStatus.CONTAINED
        self._log_event('Incident contained')

    def recover(self):
        self.status = IncidentStatus.RECOVERED
        self._log_event('Systems recovered')

    def close(self):
        self.status = IncidentStatus.CLOSED
        self._log_event('Incident closed and lessons learned documented')

# Incident Response Manager:
class IncidentResponseManager:
    def __init__(self):
        self.incidents = []

    def register_incident(self, incident):
        self.incidents.append(incident)
        self.notify_stakeholders(incident)

    def notify_stakeholders(self, incident):
        print(f'[NOTIFY] Incident {incident.incident_id} reported '
              f'(Severity: {incident.severity.name}, '
              f'Data Sensitivity: {incident.data_sensitivity})')

    # Higher severity incidents handled first:
    def prioritize_incidents(self):
        return sorted(self.incidents, key=lambda i: i.severity.value, reverse=True)

    def handle_incident(self, incident):
        incident.analyze()
        incident.contain()
        incident.recover()
        incident.close()

# Example Usage:
if __name__ == '__main__':
    manager = IncidentResponseManager()

    # Detecting a security incident (for example malware infection):
    incident = SecurityIncident(
        incident_id='INC-2025-001',
        description='Malware detected on finance server',
        severity=Severity.CRITICAL,
        data_sensitivity='High'
    )

    manager.register_incident(incident)

    # Prioritizing and responding:
    prioritized = manager.prioritize_incidents()
    for inc in prioritized:
        manager.handle_incident(inc)

    # Post-incident review:
    print('\n--- Incident Timeline ---')
    for event in incident.timeline:
        # Outer double quotes: same-quote nesting is a SyntaxError before Python 3.12.
        print(f"{event['timestamp']} - {event['message']}")

[NOTIFY] Incident INC-2025-001 reported (Severity: CRITICAL, Data Sensitivity: High)

--- Incident Timeline ---
2025-12-17 00:44:30.870911 - Incident detected
2025-12-17 00:44:30.870965 - Incident analysis started
2025-12-17 00:44:30.870970 - Incident contained
2025-12-17 00:44:30.870974 - Systems recovered
2025-12-17 00:44:30.870977 - Incident closed and lessons learned documented
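The SecurityIncident class above accepts its phase methods in any order, so nothing stops close() from being called on an incident that was never contained, and the timeline cannot tell a skipped phase from a completed one. The added example below (not part of the notebook) enforces the phase order with an explicit transition table, allows a contained incident to be reopened for analysis, and derives time-to-contain and time-to-recover from the timeline; the transition table, the TrackedIncident name and the fixed timestamps in demo() are constructed for the illustration, and the enum is redefined so the block runs on its own.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

class IncidentStatus(Enum):
    DETECTED = 'Detected'
    ANALYZING = 'Analyzing'
    CONTAINED = 'Contained'
    RECOVERED = 'Recovered'
    CLOSED = 'Closed'

# Allowed transitions (constructed): phases run in order; a contained incident
# may return to analysis if containment proves incomplete; closed is terminal.
TRANSITIONS = {
    IncidentStatus.DETECTED: {IncidentStatus.ANALYZING},
    IncidentStatus.ANALYZING: {IncidentStatus.CONTAINED},
    IncidentStatus.CONTAINED: {IncidentStatus.RECOVERED, IncidentStatus.ANALYZING},
    IncidentStatus.RECOVERED: {IncidentStatus.CLOSED},
    IncidentStatus.CLOSED: set(),
}

class InvalidTransition(Exception):
    """Raised when a phase is skipped or a closed incident is changed."""

class TrackedIncident:
    def __init__(self, incident_id, detected_at):
        self.incident_id = incident_id
        self.status = IncidentStatus.DETECTED
        # Each timeline entry: (timezone-aware timestamp, status reached, note)
        self.timeline = [(detected_at, IncidentStatus.DETECTED, 'Incident detected')]

    def transition(self, new_status, note, at=None):
        """Move to new_status; a move not in TRANSITIONS is rejected and not logged."""
        if new_status not in TRANSITIONS[self.status]:
            raise InvalidTransition(f'{self.incident_id}: {self.status.value} -> {new_status.value}')
        self.status = new_status
        self.timeline.append((at or datetime.now(timezone.utc), new_status, note))

    def seconds_to(self, status):
        """Seconds from detection to the first time `status` was reached, or None."""
        start = self.timeline[0][0]
        for when, reached, _ in self.timeline:
            if reached is status:
                return (when - start).total_seconds()
        return None

# Constructed walk-through with fixed timestamps so the metrics are reproducible.
T0 = datetime(2025, 12, 17, 0, 44, tzinfo=timezone.utc)

def demo():
    inc = TrackedIncident('INC-2025-001', T0)
    inc.transition(IncidentStatus.ANALYZING, 'Triage started', T0 + timedelta(minutes=10))
    inc.transition(IncidentStatus.CONTAINED, 'Host isolated from network', T0 + timedelta(minutes=45))
    inc.transition(IncidentStatus.ANALYZING, 'Second host suspected, re-scoping', T0 + timedelta(hours=2))
    inc.transition(IncidentStatus.CONTAINED, 'Second host isolated', T0 + timedelta(hours=3))
    inc.transition(IncidentStatus.RECOVERED, 'Rebuilt from clean image', T0 + timedelta(hours=9))
    return inc
```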


