How should alarms and cyber incidents be treated in incident response planning?

Prepare for the OCFA Securing Utilities Test. Practice with flashcards and multiple-choice questions, each with hints and explanations. Get ready to excel in your exam!

Multiple Choice

How should alarms and cyber incidents be treated in incident response planning?

Explanation:
Alerts are signals that something may be happening and should be quickly validated to determine whether this is a real incident. When an alert is confirmed as a cyber incident, you activate the formal incident response process with established playbooks, roles, containment steps, eradication, recovery, and communication. This approach keeps responses proportional: you investigate alerts to decide if an incident exists, and only then invoke the full formal response. That matches the idea that alarms trigger investigation and cyber incidents trigger formal response. The other ideas miss the mark: treating every alert as a full incident wastes resources, containing only within the asset ignores broader impact, and ignoring alarms leaves you blind to potential threats.
