No matter how well a system is protected, there is always some way to compormise it, so rapid detection & appropriate and rapid notification are the most important (?) parts of any security strategy.

Worse than having an incident is having an incident and not knowing it.

IDS intrusion detection system: monitor activity & notify
configuration changes
attack signatures
need to distinguish normal from mailicious activities

Intruder motives: needs: financial, social/political, personal: fun or revenge

insiders (know systems, value of info, already have access & authorization) vs. outsiders

Intrusion methods: technical, social, physical
path of least resistance / maximum payoff taken

Detection methods: profiles of normal activity vs attacks
offline: configuration errors & vulnerabilities
online: detect intruder during attack by effects of intrusion, or after the incident: lock out intruder or keep him busy while being tracked down

Difference between an incident and a disaster is detection.