Containment focuses on preventing the spread and effects of malware.
Containment is "the process of limiting the effects of a hostile action once it occurs."
Containment is important to prevent an incident from continuing to inflict damage or overwhelming a firm's resources. The strategy to contain a malware infection will be different from the strategy to contain a network intrusion. An essential part of containment is decision-making, e.g., whether to shut down a system, disconnect it from a network, or disable certain functions. Such decisions can be made quickly and effectively if there are predetermined strategies and procedures for containing the incident.