Containment strategies vary based on the type of incident. For example, the strategy for containing an email-borne malware infection is quite different from that of a network-based DDoS attack. Organizations should create separate containment strategies for each major incident type, with criteria documented clearly to facilitate decision-making. Criteria for determining the appropriate strategy include:

• Potential damage to and theft of resources

• Need for evidence preservation

• Service availability (e.g., network connectivity, services provided to external parties)

• Time and resources needed to implement the strategy

• Effectiveness of the strategy (e.g., partial containment, full containment)

• Duration of the solution (e.g., emergency workaround to be removed in four hours, temporary workaround to be removed in two weeks, permanent solution).

There are several reasons, main ones are:

• categorization directly helps improve incident management;

• it also helps event/incident long-term analysis;

• it supports incident information exchange;

• categorization helps automate event/incident reporting and response.