Computer Security Incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Examples of security incidents that may require action are: 

• An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
• Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
• An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
• A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
• A system alarm or similar indication from an intrusion detection tool;
• Suspicious entries in system or network accounting (e.g., a UNIX user obtains privileged access without using authorized methods);
• A compromised account or system covered by one or more compliance areas;
• Accounting discrepancies(e.g.,someone notices an 18-minute gap in the accounting log in which there is no correlation);
• New user accounts of unknown origin;
• New files of unknown origin and function;
• Unexplained changes or attempt to change file sizes, check sums, date/time stamps, especially those related to system binaries or configuration files;
• Unexplained addition, deletion, or modification of data;
• Denial of service activity or inability of one or more users to login to an account (including admin/root logins to the console);
• Unauthorized operation of a program or the addition of a sniffer application to capture network traffic or usernames/passwords; and,
• Unusual usage patterns (e.g. programs are being compiled in the account of a user who does not know how to program).