Incident documentation in Cybersecurity - Time & Space Complexity

When documenting security incidents, it's important to understand how the effort grows as the number of incidents increases.

We want to know how the time to document changes when more incidents happen.

Analyze the time complexity of the following incident documentation process.

for incident in incidents:
    record_basic_info(incident)
    for event in incident.events:
        log_event_details(event)
    summarize_incident(incident)

This code records basic info for each incident, logs details for each event within the incident, then summarizes the incident.

Look at the loops that repeat work:

• Primary operation: Looping through each incident and then each event inside it.
• How many times: The outer loop runs once per incident, the inner loop runs once per event in that incident.

As the number of incidents and events grows, the work grows too.

Input Size (n incidents)	Approx. Operations
10 incidents (each 5 events)	About 60 operations (10 basic + 50 event logs)
100 incidents (each 5 events)	About 600 operations (100 basic + 500 event logs)
1000 incidents (each 5 events)	About 6000 operations (1000 basic + 5000 event logs)

Pattern observation: The total work increases roughly in proportion to the number of incidents and their events combined.

Time Complexity: O(n * m)

This means the time to document grows with both the number of incidents (n) and the number of events per incident (m).

[X] Wrong: "Documenting incidents takes the same time no matter how many events each has."

[OK] Correct: Each event inside an incident adds extra work, so more events mean more time needed.

Understanding how documentation effort grows helps you plan and communicate clearly in security roles.

"What if we only logged summary information for each incident instead of every event? How would the time complexity change?"