Good Practice Guide Reporting Security Incidents
Resilient e-Communications Networks
3.3.3 Reporting Thresholds
The previous sections helped to clarify the array of reporting parties and to set the legal status of
reporting (obligatory or not). But behind every scheme, there should be a clear idea of which incidents
should be reported and what threshold should trigger the reporting mechanism. Whether the scheme's
organizers wish to make these thresholds formal and binding, or not, we strongly recommend that
there be a detailed idea of the criteria that make an incident eligible for reporting.
Defining thresholds is a very difficult task. Below, we just present a number of important insights that
might influence the decision on the appropriate thresholds.
Questions for the Organizers
In order to define the thresholds after which incidents should be reported, three types of factors need
to be taken into consideration:
What is the purpose and area of reporting?
What is the organizers' capacity to handle the reports?
What burden does the threshold impose on reporting parties?
These will be discussed in more detail as follows:
1. Purpose and area of reporting as defined above directly influence the reporting thresholds. If
the plan is to rectify major incidents, there is no use for reports of small-scale incidents. If the
scheme aims at preventing failures through statistical analysis of trends, incidents of all sizes
may need to be reported. In order to meet different priorities, some interviewed
organizations use real-time reports for larger incidents, and aggregate statistical reports on
smaller incidents.
FICORA [Finland]: The Finnish Regulatory Authority currently considers setting
differentiated thresholds. The topmost category would require almost immediate
reporting (within one hour) while the lowest category would only be included in
periodical reports.
Theodore Puskas Foundation [Hungary] operates two duty services: CERT-Hungary for
cybersecurity incidents, and the National High-Level Service for Communications and
Informatics for communication incidents (on behalf of the national Regulatory
Authority, NHH). Both duty services operate 24/7, receiving instant reports on
communication service failures and periodical reports on cybersecurity-related
incidents. Instant reporting would concern a much lower number of incidents, but would
result in immediate follow-up action such as issuing alerts, escalation to the NHH,
contacting emergency response authorities, etc. Periodical reports are used for
statistical analysis, evaluation of trends, etc.
2. The organizing authority's capacity to handle the reports is important, too. Many reporting
schemes use only a small number of staff, who might be unable to prioritize incidents if
inundated with low-threshold reports. It is not advisable to invite a large volume of reports