Behavioural Security Metrics and Illegitimate User Detection

Why behavioural security metrics like typing velocity matter when geofencing and zero trust assumptions fail.

This is a really interesting read and a genuinely innovative way of detecting illegitimate users on corporate devices.

Geofencing and heavily locked-down endpoints have limits — particularly when facing nation-state actors using proxy infrastructure, or supply-chain delivery of corporate laptops.

Without wishing to be dramatic, I think security professionals need to recognise that this is the environment we’re now operating in.

At that point, behavioural metrics like typing velocity begin to matter.

What should “normal” network behaviour look like?
What does the bulk of user activity look like?

  • Log on at 08:30, log off at 17:30.
  • Who stays online after that — and for how long?
  • Is that consistent with how they’ve worked historically?

Data transfer rates matter too. Kilobytes. Megabytes. Gigabytes. And occasionally… terabytes.

When the spike appears, does it fit the baseline at all?
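As an added example (not part of the original post, and not any particular product's detection logic), the baseline-and-spike check sketched above, run over constructed session records. The CSV format (user,logon,logoff,bytes_out), the sample lines, the 3.5 threshold and the per-feature floors are all assumptions. Each session is scored only against that user's earlier sessions, using the median and median absolute deviation so a single outlier does not drag the baseline along with it.

```python
"""Baseline a user's session pattern and flag sessions that do not fit it.

Added example, not from the original post. The log format is an assumption:
one constructed CSV line per session, user,logon,logoff,bytes_out.
"""
from collections import defaultdict
from datetime import datetime
from math import log10
from statistics import median

# Constructed sample sessions. alice works 08:30-17:30 and moves ~200 KB a day
# until 11 March, when she "stays online" until 02:15 and moves ~50 GB.
# bob is steady except for one logon at 03:04 with otherwise normal activity.
SAMPLE_LOG = """\
alice,2024-03-04T08:31:00,2024-03-04T17:28:00,184320
alice,2024-03-05T08:29:00,2024-03-05T17:35:00,210944
alice,2024-03-06T08:33:00,2024-03-06T17:31:00,172032
alice,2024-03-07T08:30:00,2024-03-07T17:40:00,196608
alice,2024-03-08T08:28:00,2024-03-08T17:25:00,201728
alice,2024-03-11T08:30:00,2024-03-12T02:15:00,53687091200
bob,2024-03-04T09:02:00,2024-03-04T18:10:00,524288
bob,2024-03-05T08:58:00,2024-03-05T18:05:00,498073
bob,2024-03-06T09:05:00,2024-03-06T18:20:00,540672
bob,2024-03-07T09:00:00,2024-03-07T17:55:00,512000
bob,2024-03-08T03:04:00,2024-03-08T12:01:00,503808
"""

MIN_HISTORY = 3   # sessions a user needs before any scoring happens (assumption)
THRESHOLD = 3.5   # modified z-score cut-off (Iglewicz & Hoaglin's usual value)
# Floors stop a very tight baseline (MAD near zero) from flagging ordinary
# jitter. Assumed values: one hour for times, 0.3 (about 2x) for log10 bytes.
FLOORS = {"logon_hour": 1.0, "duration_h": 1.0, "log10_bytes": 0.3}


def robust_z(value, history, floor):
    """Modified z-score: distance from the median in units of 1.4826 * MAD."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, floor)
    return (value - med) / scale


def parse_sessions(log_text):
    """Parse the constructed CSV lines into per-user lists ordered by logon."""
    by_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, logon_s, logoff_s, bytes_s = line.split(",")
        logon = datetime.fromisoformat(logon_s)
        logoff = datetime.fromisoformat(logoff_s)
        features = {
            "logon_hour": logon.hour + logon.minute / 60,
            "duration_h": (logoff - logon).total_seconds() / 3600,
            "log10_bytes": log10(max(int(bytes_s), 1)),
        }
        by_user[user].append((logon_s, features))
    for sessions in by_user.values():
        sessions.sort(key=lambda s: s[0])   # ISO timestamps sort chronologically
    return by_user


def detect_anomalies(log_text):
    """Score every session against the same user's earlier sessions only.

    Returns {(user, logon_iso): {feature: z}} containing only features whose
    modified z-score exceeds THRESHOLD in either direction.
    """
    alerts = {}
    for user, sessions in parse_sessions(log_text).items():
        for i, (logon_s, feats) in enumerate(sessions):
            history = sessions[:i]
            if len(history) < MIN_HISTORY:
                continue   # no baseline yet; a new joiner is not an anomaly
            flagged = {}
            for name, value in feats.items():
                z = robust_z(value, [h[name] for _, h in history], FLOORS[name])
                if abs(z) > THRESHOLD:
                    flagged[name] = round(z, 2)
            if flagged:
                alerts[(user, logon_s)] = flagged
    return alerts


if __name__ == "__main__":
    for (user, logon_s), flagged in detect_anomalies(SAMPLE_LOG).items():
        print(user, logon_s, flagged)
```

Run as-is it flags alice's 11 March session on both duration and volume, and bob's 03:04 logon on logon time only. The floors are the part to tune: without them a user with a very regular week gets a near-zero MAD and a ten-minute change in logoff time looks like a 20-sigma event.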

Zero Trust still rests on assumptions: that the identity, device posture and session it verifies belong to the real user. Once those assumptions are undermined, whether by a proxied actor on a legitimately enrolled device or by a laptop tampered with before it reached the user, behavioural signals start to matter far more than the controls themselves.

Scope Creep


I’ve always liked the phrase scope creep: not the reality of it, just the wording.

Maybe it’s my fondness for zombie films. Whether it’s the slow, inevitable Romero-style shuffle or the newer, faster variants, they don’t announce themselves. You only realise what’s happening when they’re already too close.

That’s exactly how scope creep behaves in technical projects — and why it’s so damaging.

It rarely arrives as a formal decision. Instead, it slips in through side conversations, “small” assumptions, and unclear ownership — until a straightforward migration quietly turns into a transformation.

In security and infrastructure work, migration versus transformation isn’t semantics. It changes architecture, risk, timelines, and commercial commitments. When that distinction isn’t made explicit, the technical team is left trying to reconcile incompatible expectations.

The solution isn’t heroic engineering.
It’s governance.

Pause. Clarify. Write it down.

Clear scope, clear ownership, and phased delivery aren’t bureaucracy — they’re how you stop projects being overrun and protect both delivery quality and customer trust.


I like the phrase.
I just don’t like what happens when no one deals with it early enough.

Curious to hear others’ worst examples of scope creep or, failing that, their favourite zombie films.

Defending Against Cyber Kinetic Attacks: Strategies for Teams

Cyber Kinetic

I came across a new term while reading This Is How They Tell Me the World Ends by Nicole Perlroth, a brilliant deep dive into the cyber arms race.

It describes a cyberattack with kinetic (real-world) effects: attacks that move beyond the digital realm to cause physical harm. Think dam gates opening, power grids failing, or emergency numbers going dark.

These are the nightmare scenarios, and they’re becoming more common and increasingly difficult to defend against.

So how do we, as smaller IT and security teams, defend against a motivated adversary with nation-state resources and patience?

Do we accept that everything, networks, endpoints, even our assumptions, is already compromised, and build around that reality?
A “not if, but when” mindset where resilience matters more than prevention?

Air-gapping, while useful, has its own gaps (pun intended), especially in operational technology, where updates and maintenance often become the very vector for compromise.

Is end-to-end encryption, covering data at rest and data in motion, a way to solve this?

Perhaps it’s time we shift the conversation: from stopping attacks, to surviving them and acknowledging what security professionals are truly up against.