Very good post from Alex Hutton, one of the best security posts of the past months, for sure.It really seems that ABA has its place in the infosec field. I'm just curious about why Alex is talking about systems and network traffic as behaviour, when ABA theory has a better place for that, the "environment". Even when we start thinking about actions to change behaviour (from the attackers? "users"?), that's usually done through manipulating the environment. And if we end up finding that those subjects usually have similar behaviours, we'll probably find out that the differences are mostly in the diverse environments they interact with, the organizations.The interesting thing about ABA is that it drives us to experimental control for attempts to change behaviour. The implications would certainly force us into finding ways to verify if our controls can really induce behaviour change. That's one of the key issues we have in our field. If the attackers are behaving "accordingly" (i.e. not performing successful attacks), is that due to our attempts to change their behaviour or because of other external stimuli? One of Richard Bejtlich favorite ideas, the continuous testing by a "red team", seems to be a good away to assess if the stimuli we are generating are really successful in causing behaviour change.Certainly a lot of food for thought. What kind of behaviour change we want to produce and how can we test if the stimuli we generate are appropriate for that?