Bsides Cymru 2025

Engineering product and process for a hostile and neurodiverse world
2025-10-17 , Tramshed Tech

We don't all think the same. Perhaps as many as one in three entrepreneurs
self-identify as neurodivergent. As engineers, managers, consultants, and
business leaders, our point of
reference is ourselves. By default, we will engineer a product or a
process to make sense to the way we experience the world. Two individuals
may process the same events in very different ways,
and both perspectives are equally valid. The nature of each
response may literally be part of their DNA and/or environmental
conditioning. This aspect of designing product and process is often overlooked,
but becomes business critical when a
behavioural response, such as choosing not to click a phishing link, is
an organisation's last and critical line of defence against cyber-attack.

We explore how expecting individuals to simulate another's
perceived preferences and responses is tiring and error prone.
Expecting conformity fails to deliver a robust security response when
product and process are exposed to real world conditions.

A.I. (Large Language Models) are trained on a data set which is
produced in large part by neurotypical authors or writing in a
neurotypical style. We conclude by identifying where AI can skew the
real world security effectiveness of product and process when biased
with neurotypical assumptions in training.


For engineers, managers, consultants, and business leaders, our point of
reference is ourselves. By default, we will engineer a product or a
process to make sense to the way we experience the world. Our
intuition is that others do, or should, think the same way we do.
When they don't, our first and natural response is that any deviation
is fixed by training, modifying incentives or replacing staff. In
reality, how two individuals process the world can be very different,
and both perspectives are equally valid. For example, some individuals
base their responses on the importance of the goal of a task. Others find
their response is dictated by interest at that moment. The nature of each
response may literally be part of their DNA and/or environmental
conditioning. This is often overlooked, even though perhaps as many as one in three entrepreneurs
self-identify as neurodivergent.

In this talk, we present a classification for product and process to
assist in determining robustness to individuals' diversity of response
in a cybersecurity context. The author unscientifically estimates from
personal interaction that as many as 40% of pen testers and
possibly a higher proportion of black hat hackers would be considered
neurodiverse. They are still users of a product. Engineering should
mean building product and process which considers the use and abuse by
the full range of potential users, whatever the context, not just the
common and expected case. This becomes business critical when a
behavioural response, such as choosing not to click a phishing link, is
a company's last line of defence against cyber-attack. We present 6
principles which developers of product and process may use as a
baseline.

We discuss the expectation for masking, trying to simulate another's
perceived preferences and responses, which is tiring and error prone,
and how this approach fails to deliver a robust security response when
product and process are exposed to real world conditions.

A.I. (Large Language Models) are trained on a data set which is
produced in large part by neurotypical authors or writing in a
neurotypical style. We conclude by identifying where AI can skew the
real world security effectiveness of product and process when biased
with neurotypical assumptions. We present a checklist to assist in
identifying these assumptions.

Clive retired from 26 years as a UNIX kernel hacker, performance subject matter expert and fly and fix engineer for Oracle, where he worked with the world's largest and most demanding customers. He is working hard to be semi-retired, splitting his time between rock climbing, being a kernel hacker for a Dutch company, a management consultant as their AI, cybersecurity and IT subject matter expert, and an honorary lecturer at Aberystwyth University Computer Science department with a focus on helping students get jobs in industry and teaching/coaching study/life skills.

He is the organiser of the fledgling BSidesAberystwyth and curated TEDxAberystwyth for 9 years before retiring.