Part 2 of the EIOC Series
Last week, we walked through a meeting that felt wrong in a way you couldn’t quite name—a subtle, structured erosion of clarity and boundaries that mapped cleanly onto a cybersecurity kill chain.
This week, we formalize the model behind that experience.
If Part 1 showed you the pattern, Part 2 gives you the detection system.
Why We Need a Detection Framework
Emotional compromise is real, but it’s rarely recognized as such.
People walk out of destabilizing interactions thinking:
- “Why did I freeze?”
- “Why did I agree to that?”
- “Why can’t I think straight?”
But if you mapped the same signals onto a network, you’d call it what it is:
A correlated compromise event.
EIOC—Emotional Indicators of Compromise—gives you the vocabulary and structure to detect these events with the same clarity you’d apply to a technical system.
The Five Categories of EIOCs
EIOCs are grouped into five categories.
You saw all of them in the meeting from Part 1.
1. Cognitive Drift Indicators
Fog, confusion, over‑explaining, loss of narrative coherence.
2. Boundary Integrity Indicators
Pressured agreement, inability to exit, emotional numbness during violations.
3. Autonomic Stress Indicators
Tight chest, shallow breathing, sudden exhaustion.
4. Relational Distortion Indicators
Guilt spikes, hypervigilance, emotional shrinking.
5. Identity Disruption Indicators
Feeling “unlike yourself,” dissociation, emotional flattening.
One category firing is normal.
Two is concerning.
Three or more is a pattern.
That’s where Detection Logic 2.0 comes in.
Detection Logic 2.0: The Human‑Layer SIEM
In cybersecurity, SIEM systems correlate multiple weak signals into a meaningful alert.
EIOC uses the same logic.
This is the heart of the framework.
Single‑Category Activation: Noise Layer
One EIOC category firing is normal fluctuation.
Interpretation:
Monitor, but don’t escalate.
Dual‑Category Activation: Elevated Risk Layer
Two categories firing means something is clustering.
Interpretation:
Heightened vigilance.
This may be the early stage of compromise.
Triple‑Category Activation: Correlated Compromise Event
Three categories firing in proximity is a High‑Severity Emotional Compromise.
Interpretation:
Initiate containment.
A breach is underway.
Four‑to‑Five Category Activation: Critical Compromise
Four or more categories firing is a Critical Emotional Compromise.
Interpretation:
Immediate intervention required.
The Severity Matrix
| EIOC Categories | Severity | Meaning |
|---|---|---|
| 1 | Low | Noise / normal fluctuation |
| 2 | Medium | Elevated risk / monitor |
| 3 | High | Emotional compromise likely |
| 4–5 | Critical | Active boundary breach |
Correlation Rules
Detection Logic 2.0 introduces explicit correlation rules—the emotional equivalent of SIEM logic.
Rule 1—High Severity
Three or more categories → High Severity (SEV‑2).
Rule 2—Critical Severity
Four or more categories → Critical (SEV‑1).
Rule 3—Persistence
Repeated activation of the same category → Kill Chain Stage 4 (Persistence).
Rule 4—Time Windowing
Interpret clusters based on temporal proximity:
- Minutes–hours: acute compromise
- Days: relational pattern
- Weeks: systemic issue
Applying Detection Logic 2.0 to the Scenario from Part 1
During the high‑pressure meeting, you experienced:
- Cognitive Drift
- Boundary Integrity breach
- Relational Distortion
→ Three categories activated
→ High‑Severity Emotional Compromise
If you also felt:
- Autonomic Stress
→ Four categories activated
→ Critical Compromise
This is not “being sensitive.”
This is a correlated emotional breach.
Why This Framework Matters
EIOC reframes emotional overwhelm as:
- detectable
- structured
- non‑pathologizing
- operational
- actionable
It turns “I feel awful and I don’t know why” into:
“A multi‑category EIOC event occurred.
Severity: High.
Containment required.”
That shift alone restores agency.
Coming Next Week—Part 3
EIOC Guard™ Runbook: SOC‑Style Emotional Incident Response
If Part 1 showed you the pattern
and Part 2 gave you the detection system,
Part 3 gives you the playbook.
You’ll get:
- trigger conditions
- severity classification
- containment procedures
- eradication procedures
- recovery steps
- post‑incident review
- long‑term hardening
Everything you’d expect from a SOC runbook—but for the human layer.
Top comments (0)