Most Incidents Start With a Behavior, Not a Vulnerability
The Story of Two Companies Under Attack
Friday 3:47 PM: Both companies get hit by the same ransomware campaign.
Company A: React, Recover, Repeat
3:47 PM: Employee clicks a link in a fake invoice email. 3:52 PM: Ransomware begins encrypting shared drives. 4:15 PM: IT scrambles to isolate systems. Monday: Systems restored from backups. Post-mortem identifies the phishing email. Next quarter: The same employee clicks another phishing link. Different campaign, same behavior.
Result: $250,000 in cumulative losses. The technical response was solid. The root cause was never addressed.
Company B: Respond and Correct the Behavior
3:47 PM: Employee clicks a link in a fake invoice email. 3:50 PM: Automated detection isolates the infected machine. 4:00 PM: Incident response team follows their playbook. Monday: Systems restored. But here’s the difference: they also analyzed why the employee clicked.
What they found: The employee had never received guidance specific to invoice-based phishing. Their SaaS audit showed a pattern of risky email behavior across the finance team.
What they did: Deployed targeted nudges about invoice verification to the finance team in Slack, anchored to their security policy. Spaced repetition quizzes reinforced the lesson over the next 6 weeks.
Six months later: Zero phishing incidents from the finance team.
The difference? Company B treated the incident as a behavior signal, not just a technical event.
The Behavioral Root Cause Problem
Why Most Post-Mortems Miss the Point
Traditional incident response follows a clear playbook: detect, contain, eradicate, recover, and learn. It’s well-understood and necessary.
But the “learn” phase almost always focuses on technical gaps:
- “We need better email filtering”
- “Our detection was too slow”
- “The backup restore took too long”
These are valid. But they miss the upstream question: why did the human behave in a way that allowed the attack to succeed?
The data is clear:
- 82% of breaches involve a human element (Verizon DBIR)
- 78% of employees can pass a security quiz but still engage in risky behaviors
- The same behavioral patterns that cause one incident tend to cause the next one
If you don’t address the behavior, you’re just waiting for the next incident with better technical controls.
The Incident Lifecycle, Reframed
| Traditional View | Behavioral View |
|---|---|
| Attack happens | Risky behavior pattern exists |
| Detect and contain | Attack exploits the pattern |
| Eradicate and recover | Detect, contain, eradicate, recover |
| Document | Identify and correct the behavior |
| Done | Reinforce over time |
The behavioral view doesn’t replace the technical response. It extends it to address why incidents keep happening.
The Emergency Scale (When Behavior Data Changes the Response)
Not all incidents are equal. But behavioral context changes how you respond to each one.
Code Red: Active Attack in Progress (15-minute response)
Technical response: Isolate, contain, call your security team.
Behavioral context that matters right now:
- Which employee’s account was compromised?
- Was this a known risky behavior pattern flagged in previous audits?
- Are other employees in the same team showing similar patterns?
This isn’t about blame. It’s about understanding scope. If the compromised employee’s entire team shares the same risky habits, your containment perimeter needs to be wider.
Code Orange: Confirmed Breach, Attack Contained (1-hour response)
Technical response: Investigate, change credentials, assess damage.
Behavioral analysis to start immediately:
- Review the last 90 days of SaaS audit data for the affected user
- Identify what policy the behavior violated
- Check whether other employees have the same pattern
- Determine whether existing nudges or guidance covered this scenario
Code Yellow: Attempted Attack, No Damage (4-hour response)
This is where behavior correction has the highest ROI. The attack failed, but the behavior that would have enabled it still exists.
- What did the employee do (or almost do)?
- Does your PSSI cover this specific scenario?
- Can you deploy a targeted nudge to the affected team this week?
- Can you turn this into a micro-quiz for the broader organization?
Code Green: Policy Violation, No Attack (24-hour response)
Behavioral signals without an incident are prevention opportunities:
- Employee sharing credentials in a chat channel
- Sensitive data uploaded to an unapproved tool
- MFA prompt approved from an unusual location
These aren’t emergencies. But they’re the precursors to emergencies. A contextual nudge delivered in Slack within hours of the behavior is worth more than a training module delivered months later.
Building a Response Plan That Fixes Root Causes
Step 1: Prepare (Before Anything Happens)
Technical preparation (standard practice):
- Assign incident response roles
- Document response procedures
- Set up detection and alerting systems
Behavioral preparation (what most organizations skip):
- Deploy SaaS audit tools that observe real employee behavior
- Ingest your PSSI to generate tailored nudges and quizzes
- Establish behavioral baselines so you can spot anomalies
- Map your most common risky behaviors to policy sections
Step 2: Detect and Analyze
Technical detection:
- Alerts from SIEM, EDR, or email security tools
- Unusual network traffic or access patterns
Behavioral detection:
- SaaS audit flags a pattern of risky behavior before an attack lands
- Correlation between behavioral trends and incident frequency
- Early warning signals: credential sharing uptick, shadow IT adoption spike
The behavioral layer can catch problems before they become incidents.
Step 3: Contain and Correct
Technical containment:
- Isolate affected systems
- Revoke compromised credentials
- Block malicious activity
Behavioral correction (start during containment, not after):
- Identify the specific behavior that enabled the attack
- Deploy a targeted nudge to the affected individual and their team
- Reference the specific section of your PSSI that was violated
- Schedule spaced-repetition follow-ups to reinforce the correction
Step 4: Learn and Reinforce
Technical lessons:
- Update detection rules
- Patch vulnerabilities
- Improve response times
Behavioral lessons:
- Add the scenario to your nudge library
- Create a micro-quiz based on the real incident (anonymized)
- Update spaced-repetition schedules to cover the gap
- Track whether the specific behavior decreases over the next 90 days
Your Incident Response Team: Adding Behavioral Roles
The standard IR team includes a commander, a technical investigator, a system administrator, a communications lead, and a legal advisor. All of these remain essential.
But consider adding one more perspective:
The Behavior Analyst
Their job during and after an incident:
- Reviews SaaS audit data to understand the behavioral pattern
- Maps the incident to specific PSSI sections
- Designs targeted nudges and quizzes for the affected team
- Tracks whether the corrective intervention actually changes behavior
- Reports on behavioral trends that predict future incidents
This doesn’t need to be a dedicated hire. It can be your security champion, your CISO, or your compliance lead armed with the right tools. What matters is that someone owns the behavioral root-cause analysis.
Communication During Incidents: Honest, Not Punitive
What to Tell Your Team
The worst thing you can do after a behavior-related incident is shame the person involved. That creates a culture where people hide mistakes instead of reporting them.
Good communication:
“We experienced a security incident that started with a phishing email. Our response team contained it quickly. We’re now deploying additional guidance to help everyone recognize this type of attack. You’ll see new nudges and quizzes in Slack this week focused on invoice verification. Please engage with them - they’re short and directly relevant to what happened.”
Bad communication:
“Someone clicked a phishing link and caused a major incident. Everyone must complete a 2-hour training module by Friday.”
The first approach treats the incident as a learning opportunity and delivers targeted guidance. The second approach punishes everyone and changes nothing.
The Reporting Culture You Need
Employees who report suspicious behavior quickly are your most valuable defense. To get this culture:
- Never punish someone for reporting, even if they caused the problem
- Respond quickly when people flag concerns
- Close the loop by telling reporters what happened as a result
- Recognize people who catch things early
Practicing Response: Simulations With Behavioral Context
Monthly Tabletop Exercises
Walk through scenarios as a team, but add the behavioral dimension:
“An employee in sales clicked a phishing link. Our SaaS audit shows that 4 other people in sales have similar email-handling behaviors. How do we scope our response? What nudges do we deploy afterward?”
Quarterly Simulations
Run realistic simulations, but measure behavioral response alongside technical response:
- Did employees report the simulation quickly?
- Did people follow the verification procedures from recent nudges?
- Which teams responded best, and does that correlate with higher nudge engagement?
Annual Full-Scale Tests
Test everything, including your behavioral correction workflow:
- Can you deploy a targeted nudge within 24 hours of an incident?
- Does your team know how to trace the behavioral root cause?
- Are your spaced-repetition follow-ups actually happening?
The Post-Incident Behavioral Playbook
After every incident (or near-miss), follow this behavioral checklist:
Within 24 Hours:
- Identify the specific behavior that enabled or nearly enabled the attack
- Map the behavior to the relevant section of your PSSI
- Deploy an immediate nudge to the affected individual and team
- Check SaaS audit data for similar patterns across the organization
Within 1 Week:
- Create a micro-quiz based on the incident scenario (anonymized)
- Deploy the quiz to all employees in Slack/Teams
- Schedule spaced-repetition follow-ups at 1 week, 2 weeks, and 6 weeks
- Update your behavioral baseline metrics
Within 1 Month:
- Analyze whether the targeted nudges produced measurable behavior change
- Identify any remaining gaps between policy and practice
- Update your nudge library with the new scenario
- Share behavioral trend data with leadership
The Bottom Line
The companies that survive cyber attacks aren’t just the ones with the best firewalls and fastest response times. They’re the ones that fix the human behaviors that cause incidents in the first place.
Your incident response plan is essential. But if it stops at “restore systems and write a post-mortem,” you’re treating symptoms while the disease persists.
Don’t just respond to incidents. Prevent the next one by fixing the behavior that caused this one.
The behavioral layer means:
- Observing the real behaviors that create risk through SaaS audits
- Connecting each incident to specific policy gaps
- Correcting behaviors with targeted nudges delivered where people work
- Reinforcing corrections using spaced repetition and the forgetting curve
Sources
- Verizon 2024 DBIR - https://www.verizon.com/business/resources/reports/dbir/
- RAND - Beyond Technicality - https://www.rand.org/content/dam/rand/pubs/research_reports/RRA3800/RRA3841-1/RAND_RRA3841-1.pdf
- UChicago - Gaps in cybersecurity training - https://cs.uchicago.edu/news/new-study-reveals-gaps-in-common-types-of-cybersecurity-training/
Ready to add a behavioral layer to your incident response? Contact EnGarde and let us help you turn every incident into lasting behavior change.