The determination of when an event officially becomes a security incident that requires escalation is typically subjective and should be avoided until it is certain that a significant breach has occurred.
The determination of when an event becomes a security incident should be based on predefined criteria and thresholds, which allow an organization to respond to potential threats in a timely and organized manner. The determination is not subjective, and it should not be put off until absolute certainty is established, because waiting can lead to unnecessary delays in responding to an incident. Organizations often use an incident response plan to establish these criteria and the procedures for escalation.