Why inaccessible security is a hidden risk to organisational resilience

Cyber-resilience is often described as a shared responsibility, yet many security programmes still assume that everyone processes risk, instructions and digital interfaces in broadly the same way.

That assumption creates a quiet but persistent weakness. When security controls are confusing, overwhelming or time-pressured, people behave predictably. They delay, work around them, or disengage altogether.


The UK’s National Cyber Security Centre has been clear that accessibility is not separate from security effectiveness: if controls are hard to use, the likelihood of error and unsafe workarounds increases, and those are precisely the conditions attackers rely on. Inaccessible security is therefore not a behavioural issue but a design and risk management failure.

Neurodiversity, a term that covers ADHD, autism, dyslexia and other cognitive differences, does not describe a single user group with a single set of needs. Cyber-security systems, however, routinely require the same cognitively demanding actions of everyone.

Users are expected to interpret ambiguous warnings, switch context quickly, remember multi-step processes and make decisions under urgency. When security design relies heavily on memory, speed and dense language, it risks excluding neurodivergent colleagues. That exclusion directly weakens organisational resilience.


When security friction turns into risk


A functioning security culture depends on reporting. Suspicious emails, accidental clicks and near misses only reduce risk if people feel able to report them quickly and without fear. Reporting breaks down when routes are unclear, responses feel unpredictable or mistakes are implicitly penalised. Neurodivergent colleagues can be disproportionately affected by environments that rely on unwritten norms, vague instructions or high-pressure simulations that prioritise urgency over understanding.


Accessibility standards increasingly reflect this reality. WCAG 2.2, published as a W3C Recommendation in October 2023, explicitly includes cognitive, learning and neurological disabilities within its scope. The W3C’s cognitive accessibility guidance (Making Content Usable for People with Cognitive and Learning Disabilities) translates these principles into practical design approaches, including reducing distraction, supporting comprehension and designing error recovery that helps users correct mistakes without stress.

In 2025, WCAG 2.2 also progressed through an ISO and IEC adoption pathway, reinforcing its relevance to governance and assurance rather than user experience alone.

In security environments, the most damaging failures are rarely complex. They appear in everyday controls. MFA enrolment assumes uninterrupted focus. Password resets punish mistakes with unclear messages. Phishing simulations reward speed rather than comprehension. Policy guidance is written for legal defensibility rather than human understanding. These frictions lead to predictable outcomes such as delayed enrolment, password reuse, warning fatigue and under-reporting, and attackers actively exploit every one of them.


Designing protection that works for real people


Protecting neurodiverse users from active cyber-threats starts with reducing ambiguity and time pressure. Many modern attacks, including phishing, credential theft and MFA fatigue, succeed by forcing rushed decisions in uncertain contexts. The most effective and inclusive defences are often those that remove the need for perfect human judgement altogether.


This shift is visible in modern identity strategy. NIST’s Digital Identity Guidelines (SP 800-63B) state clearly that passwords are inherently vulnerable and encourage the use of stronger authenticators that do not depend on users correctly interpreting a prompt under pressure.

Vendors are increasingly operationalising this approach. In May 2025, Microsoft announced that new consumer accounts are now passwordless by default, using passkeys and other phishing-resistant methods as the standard experience. The FIDO Alliance has similarly positioned passkeys as a scalable way to eliminate entire classes of phishing attacks rather than relying on user vigilance.


When implemented well, phishing-resistant authentication can be both more secure and less cognitively demanding. When implemented poorly, without clear recovery options or alternatives to biometrics, it simply shifts exclusion elsewhere.


Inclusive security is therefore not about weakening controls. It is about implementing them in ways that reduce cognitive load rather than increasing it.


The same principle applies to security awareness. Evidence consistently shows that sustainable security behaviour depends on culture and clarity, not compliance theatre. Training that overwhelms, shames or relies on surprise may create short-term vigilance, but it often suppresses reporting and erodes trust. Recent professional and academic work has begun to explicitly link neurodiversity with the effectiveness of security awareness design, warning that one-size-fits-all approaches can unintentionally increase risk.


There is also a governance dimension. Updated 2025 ACAS guidance reiterates that employers are expected to consider reasonable adjustments for neurodiversity, with or without formal diagnosis. Cyber-security teams may not own employment law, but they do own many of the systems that determine whether secure behaviour is realistically achievable across an organisation.


For CISOs, the conclusion is practical rather than ideological. If security controls rely on perfect attention, rapid processing and confident interpretation of ambiguous prompts, they will fail some users, and when controls fail users, they fail the organisation. Neuroinclusive security is not a niche DEI concern. It is a way to reduce human error pathways, increase reporting and ensure modern controls deliver their intended risk reduction benefits.


The question is no longer whether neurodiversity belongs in cyber-security strategy. It is whether organisations are prepared to continue treating predictable design failures as a human problem, while attackers continue to benefit from them.


This topic will be explored in depth at teiss London 2026 – join the discussion here: www.teiss.co.uk/teisslondon2026-agenda/is-your-cyber-security-approach-leaving-neurodiverse-colleagues-behind


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543