Have you ever tried to break a bad habit—only to find that, just before it disappears, it gets even worse? That’s an extinction burst in action. It’s a concept from behavioral psychology that describes the temporary increase in frequency, intensity, or variability of a behavior when reinforcement is suddenly removed.
Think about someone quitting caffeine. At first, they feel fine, but soon, the withdrawal kicks in—headaches, irritability, and an intense craving for coffee. They may even drink more soda or eat chocolate in a desperate attempt to get their fix. But eventually, their body adjusts, and the cravings fade. The same pattern shows up in organizations and even cybercriminals.
In risk management, extinction bursts are particularly important because they signal a critical transition point. Whether it’s phasing out a security vulnerability, implementing a new compliance measure, or countering an evolving threat, understanding this phenomenon can help organizations anticipate resistance and manage risk more effectively.
Extinction Bursts in Risk
1. Cybersecurity
When organizations harden their security posture—whether through multi-factor authentication, stricter access controls, or AI-driven anomaly detection—attackers don’t just give up. Instead, they may increase phishing attempts, test alternative entry points, or escalate their attacks before they finally move on to easier targets.
Risk Management Lesson: Anticipate an uptick in attack attempts when rolling out new security measures. Monitor closely for deviations and ensure your teams don’t misinterpret an increase in threats as failure but rather as a predictable reaction.
2. Compliance Changes
Whenever new regulations are enforced—such as data privacy laws or financial compliance measures—there’s often a sharp increase in non-compliance attempts. Organizations resistant to change may scramble to find loopholes or delay implementation, leading to more violations before new norms take hold.
Risk Management Lesson: Build compliance initiatives with the expectation that things may look worse before they improve. Use phased rollouts, real-time monitoring, and education to mitigate the resistance that drives extinction bursts.
3. Crisis Communications
During a crisis, misinformation often spikes right before credible information gains traction. This is because bad actors, bots, or even well-intentioned individuals try harder to push false narratives when they sense they are losing influence.
Risk Management Lesson: Crisis communication teams must recognize that the spread of misinformation may intensify before public trust shifts toward factual information. Stay the course, reinforce key messages, and avoid reactionary changes based on short-term surges in disinformation.
How to Navigate Extinction Bursts in Risk Management
Understanding extinction bursts can help risk leaders take a proactive approach rather than being caught off guard. Here’s how:
✔ Recognize the Pattern – Expect increased resistance or escalation before a threat subsides. Train teams to spot these bursts, so they don’t mistake them for failure and abandon critical security measures.
✔ Monitor for False Signals – A spike in incidents might be a sign that security measures are working, not failing. Use data to differentiate between a real crisis and a temporary burst.
✔ Communicate the Expectation – Leaders should explain that temporary escalation is normal and expected, helping teams stay the course. Equip employees with real-world training scenarios that simulate these bursts, so they are prepared to respond effectively.
✔ Strengthen Controls at the Right Time – Rather than relaxing measures in response to an extinction burst, double down on reinforcing compliance, security, and training. Use Microsimulations and hands-on exercises to ensure teams practice responding under pressure, preventing knee-jerk reactions that could weaken security.
By integrating continuous training into your risk strategy, you help teams build muscle memory, so they recognize and respond to extinction bursts with confidence rather than panic.
The Turning Point Matters
When implementing change, it’s easy to mistake an extinction burst for failure. But in reality, it signals that change is happening. Organizations that recognize and plan for this moment can respond with confidence instead of retreating under pressure.
In risk management, resilience means sometimes the storm rages hardest just before it clears.
How has your organization handled extinction bursts when managing change?
