What is the difference between "Incident", "Attack" and "event"?

Assuming that you have looked up the official terms and wanted further help:

An event is something that has triggered notice. An event need not be an indication of wrongdoing. Someone successfully logging in is an event.

An incident is something that indicates a problem, however you define "problem". It carries from an event but has a layer of interpretation on top. Someone successfully logging in when they are on long-term sick leave and should be unable to use a computer is an incident.

An attack is an incident with malicious intent. Someone brute-forcing the credentials of someone on long-term sick leave is an attack. A manager asking the person on long-term sick leave for their password so that they can gain access to the person's work product for the benefit of the business is not an attack. It might be an incident, depending on your policies.

A threat is anything that has the potential to cause an incident. People, weather, machines, etc.
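The three labels from the answer above applied to authentication records, as an added example that is not part of the original answer. The record format, the leave list, the sample log and the failure threshold (a rule-based stand-in for malicious intent, which logs cannot show directly) are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthRecord:
    """One authentication log record (constructed format)."""
    user: str
    source: str
    success: bool


# Constructed context: who is on long-term leave, and an assumed policy value.
ON_LEAVE = {"bob"}
BRUTE_FORCE_THRESHOLD = 5

# Constructed sample log (addresses are from private/documentation ranges).
LOG = [
    AuthRecord("alice", "10.0.0.5", True),
    *[AuthRecord("bob", "203.0.113.9", False) for _ in range(6)],
    AuthRecord("bob", "10.0.0.7", True),
    AuthRecord("carol", "10.0.0.8", False),
]


def triage(log, on_leave=ON_LEAVE, threshold=BRUTE_FORCE_THRESHOLD):
    """Return one label per record: 'event', 'incident' or 'attack'."""
    # Count failed logins per (user, source) pair across the whole log.
    failures = Counter((r.user, r.source) for r in log if not r.success)
    labels = []
    for r in log:
        if not r.success and failures[(r.user, r.source)] >= threshold:
            # Repeated guessing against one account: treated as malicious intent.
            labels.append("attack")
        elif r.success and r.user in on_leave:
            # A plain event plus interpretation: this login should not happen.
            labels.append("incident")
        else:
            # Noticed and recorded, but no indication of a problem.
            labels.append("event")
    return labels
```

The successful login for the account on leave stays an incident rather than an attack, because the log alone cannot tell a password shared with a manager from a stolen one.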


While schroeder's answer is certainly correct, it might not be formal enough. In the terms and definitions of ISO/IEC 27000 you will find the following:

threat

potential cause of an unwanted incident[1], which can result in harm to a system or organization

information security event

identified occurrence of a system, service or network state indicating a possible breach of information security, policy or failure of controls, or a previously unknown situation that can be security relevant

information security incident

single or a series of unwanted or unexpected information security events that have a significant probability of compromising business operations and threatening information security

attack

attempt to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an asset

An information security incident will always also be an information security event, but not all information security events will be information security incidents.


1: Not all incidents have to be information security incidents.

All quotes taken from: ISO/IEC 27000:2018: Information technology - Security techniques - Information security management systems


There are a lot of discussions up here, and I also talked with a professor of mine later on. However, in the taxonomy context, the following may help to understand the question:

Incident = (attacker) + ATTACK + (objective)

Attack = (tools) + (vulnerability) + EVENT + (unauthorized result)

Event = (action) + (target)

From the book "A Common Language for Computer Security Incidents" by John D. Howard and Thomas A. Longstaff, the following illustration would make the concept clear:

[Figure: Computer and network security incident taxonomy]