Most security failures are human, not technical


The instinct, when something goes wrong with security, is to look for a technical cause. A misconfigured system, an unpatched vulnerability, a device that should not have been there. These causes are real and they matter. But in our experience they are rarely the beginning of the story.

More often, a compromise begins with a person: someone who was placed under pressure, who was trusted beyond what the situation warranted, who saw a signal and did not know it was worth reporting, or who simply followed a habit that had quietly become a weakness. The technical event is the symptom. The human conditions around it are the cause.

This is not an argument against technical controls. It is an argument for treating people, process and technology as a single system rather than three separate ones. A threat and vulnerability assessment that examines only the technical layer will produce a tidy report and miss the pathway that actually matters.

Why this is hard to see

Human factors are uncomfortable to assess. They involve judgement about behaviour, culture and trust, and they resist the clean metrics that technical controls offer. It is far easier to count unpatched systems than to notice that a reporting line is so cumbersome no one uses it.

The work of behavioural intelligence is to make those factors legible: to identify how vulnerabilities are created, exploited and sustained by behaviour, and to do so without overclaiming. The goal is not to predict who will fail, but to understand the conditions under which failure becomes likely, and to change them.

What to do about it

Begin by asking where a determined person would actually start, and you will usually find they would start with people, not systems. From there, the questions become practical. Who has access, and why? What would a person under pressure do? What signals would precede a problem, and who is positioned to notice them?

These are not questions a tool can answer. They are the reason the human side of security deserves the same rigour we apply to the technical side.

A practice of Jayde Consulting

Threat Advisory is the threat and behavioural advisory practice of Jayde Consulting. Technical Surveillance Countermeasures are delivered by the parent practice.
