Actionable information is any information an analyst receives that can be examined, expanded and compared, leading to solid observations and conclusions. It can be used in any part of an organisation (for example, to make a sound business decision), but in the field of incident management it usually refers to events that can be acted upon.

Examples of this are anomalies in network traffic, lists of IP addresses identified as C&C servers, or known or identified malware circulating on the internet.

There are certain properties that make information actionable; here are some of them:

  • The information must be relevant. Example: do the targets of the malware overlap with anything we handle?
  • It must be timely, and what counts as timely will vary. In some cases a few hours may already be too late, and the information can then be considered irrelevant.
  • The information must be accurate to be considered actionable; how accurate it is depends on the source, how it was collected, and so on.
  • The information should be able to stand on its own and independently provide the recipient with appropriate context. However, bear in mind that it may not be complete, for legal or privacy reasons.
  • It must be ingestible, meaning it should be provided to the recipient in a format that allows straightforward import and immediate extraction of the important indicators.
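The following is an added example, not part of the original text, showing how a SOC might triage an incoming indicator feed against the five properties above (relevance, timeliness, accuracy, self-contained context, ingestibility). The CSV feed format, the sample indicators (documentation-range addresses, not real IoCs), the platform list and the confidence labels are all assumptions made for the example.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample feed (assumed format). Addresses are from documentation
# ranges and are not real indicators of compromise.
SAMPLE_FEED = """indicator,type,first_seen,source,confidence,context
198.51.100.23,ipv4,2024-05-01T10:00:00Z,partner-cert,high,C&C server for banking trojan targeting Windows endpoints
203.0.113.9,ipv4,2024-04-01T08:30:00Z,open-feed,medium,Scanner observed probing SSH
300.1.2.3,ipv4,2024-05-01T11:00:00Z,open-feed,low,Malformed entry
2001:db8::1,ipv6,2024-05-01T09:00:00Z,partner-cert,high,Exfiltration endpoint for macOS spyware
"""

# Fixed "now" so the example is reproducible (assumption).
ASSESSMENT_TIME = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)                    # timeliness threshold (assumption)
KNOWN_PLATFORMS = {"windows", "linux", "macos"}
OUR_PLATFORMS = {"windows", "linux"}           # what this organisation runs (assumption)
ACCEPTED_CONFIDENCE = {"high", "medium"}       # proxy for source accuracy (assumption)


def parse_feed(text):
    """Ingest the feed: a plain CSV with a header row is straightforward to import."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_time(value):
    """Parse an ISO 8601 timestamp; 'Z' is normalised for older Python versions."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess(record, now=ASSESSMENT_TIME):
    """Return (actionable, reasons) for one feed record.

    Every failed property is recorded, so the analyst sees all the reasons an
    indicator was dropped rather than only the first one.
    """
    reasons = []

    # Ingestible: the indicator must parse as the type it claims to be.
    try:
        addr = ipaddress.ip_address(record["indicator"])
        if f"ipv{addr.version}" != record["type"]:
            reasons.append("type mismatch")
    except ValueError:
        reasons.append("not ingestible")

    # Timely: older than the threshold and it is no longer worth acting on.
    if now - parse_time(record["first_seen"]) > MAX_AGE:
        reasons.append("stale")

    # Accurate: only sources we trust enough are accepted.
    if record["confidence"] not in ACCEPTED_CONFIDENCE:
        reasons.append("low confidence")

    # Stands on its own: an indicator without context cannot be prioritised.
    context = record["context"].strip()
    if not context:
        reasons.append("no context")

    # Relevant: if the context names platforms, at least one must be ours.
    mentioned = {p for p in KNOWN_PLATFORMS if p in context.lower()}
    if mentioned and not (mentioned & OUR_PLATFORMS):
        reasons.append("irrelevant")

    return (not reasons, reasons)


def triage(text, now=ASSESSMENT_TIME):
    """Map each indicator in the feed to its (actionable, reasons) verdict."""
    return {r["indicator"]: assess(r, now) for r in parse_feed(text)}


if __name__ == "__main__":
    for indicator, (ok, why) in triage(SAMPLE_FEED).items():
        verdict = "ACTIONABLE" if ok else "dropped: " + ", ".join(why)
        print(f"{indicator:16} {verdict}")
```

Running the block on the sample feed keeps only the first indicator; the second is too old, the third is not a valid address and comes from a low-confidence source, and the fourth concerns a platform the organisation does not run. The thresholds and keyword lists are deliberately simple so the mapping to the five properties stays visible; a production pipeline would replace them with the organisation's asset inventory and source-reliability ratings.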