Designing for Real People: Neurodivergence Cognitive Load and Rethinking Cyber Security Training

by | Apr 22, 2026 | Uncategorized | 0 comments

by Stuart Sumner-Smith

Much cyber security training doesn’t change how people actually behave when it matters, not because people lack ability, but because it isn’t designed for how people process information under pressure.

In my work supporting individuals into digital and cyber careers, I’ve seen this first-hand. I recently worked with a young person. They are bright, capable, and highly motivated to build a career as a cyber security analyst. They struggle in structured learning environments. Not because they couldn’t understand the content, but because the way it was delivered created too much pressure.

Deadlines caused anxiety. Communication expectations felt overwhelming. Tasks were left unfinished. This was not through lack of effort, but because the environment itself made it difficult to engage.

This experience highlights a wider issue that applies just as much to workplaces as it does to education.

When training overwhelms, people switch off

Many organisations still rely on familiar approaches to security awareness

  • Long e-learning modules
  • Information-heavy slides
  • Time-bound completion targets
  • Assumptions about prior knowledge

From a compliance point of view, this works. It is structured, measurable, and easy to roll out.

But from a human point of view, it often doesn’t work

When too much information is delivered too quickly,combined with time pressure and expectations to “get it right”, people can become overwhelmed. When that happens, they don’t try harder. They switch off.

In real terms, that looks like:

  • Avoiding systems or tasks
  • Hesitating when unsure
  • Not reporting something that feels “off”
  • Relying on others to make decisions

In a cyber security context, these behaviours matter. They are often where risk begins.

What neurodivergence helps us see

The individual I supported is neurodivergent, with communication differences and anxiety linked to deadlines and performance pressure.

Working together made something very clear.

This wasn’t just about one person’s needs and it highlighted a wider issue in how learning environments are designed.

For some neurodivergent individuals, that feeling of being overwhelmed can happen more quickly. But under pressure, most people experience similar patterns: reduced confidence, hesitation, and a tendency to avoid getting things wrong.

Neurodivergence doesn’t create the problem, it helps us see it more clearly.

What changed when the environment changed

Instead of pushing through these challenges, I took a different approach.

We co-designed a series of sessions that reduced pressure and allowed confidence to build over time. This included:

  • A quiet, low-stimulation environment
  • Removing strict deadlines
  • Using visual and practical tasks instead of abstract instruction
  • Allowing communication to develop at the learner’s pace
  • Focusing on exploration rather than performance

One key shift was moving away from rigid, outcome-driven tasks and towards open-ended activities. This gave the learner space to engage without the fear of getting things wrong.

They were able to choose what they worked on and how they approached it, which increased both confidence and motivation.

Engagement leads to change

Over time, the difference was clear.

What started as minimal interaction developed into open communication. Confidence grew, not just in digital skills, but in engaging with other people.

The learner moved from low-pressure tasks to completing a real-world project, and then on to a more structured pathway with external support.

The ability was always there.

What changed was the environment around it.

Moving beyond “learning styles

It’s often suggested that training should be adapted to different learning styles. In reality, there’s limited evidence that fixed learning styles improve outcomes.

A more effective approach is to design training that offers multiple ways to engage and reduces overload.

In practice, that means combining:

  • Clear, simple written guidance
  • Visual examples
  • Hands-on tasks
  • Opportunities to explore without pressure

When people can engage with information in different ways and at their own pace,they are more likely to understand it and use it.

What this means for cyber security training

Security decisions don’t happen in ideal conditions. They happen:

  • Quickly
  • Under pressure
  • Sometimes with incomplete information

If training doesn’t reflect that reality, it’s unlikely to change behaviour when it matters.

There is often a view that people are the “weakest link” in cyber security. In my experience, it’s more accurate to say that systems and training are not always designed with real human behaviour in mind.

When people feel unsure, overwhelmed, or under pressure, they don’t always follow the process. They do what feels safest in the moment,which isn’t always the secure option.

Practical changes that make a difference

Small changes in how training is designed can have a big impact:

Break information down
 Keep content short and manageable rather than overwhelming.

Reduce unnecessary pressure
 Give people space to understand, not just complete.

Use real examples
 Help people recognise situations they might actually face.

Create a safe learning environment
 Make it clear that it’s okay to get things wrong while learning.

Focus on engagement, not just completion
 Finishing a course doesn’t mean someone feels confident using the knowledge.

A shift in thinking

The key lesson from this experience is simple:

The issue isn’t that some people struggle.

The issue is that many systems are not designed for how people actually think and behave,especially under pressure.

When we reduce overload and create space for people to engage in ways that work for them, we don’t just improve inclusion.

We improve outcomes.

In cyber security, that means reducing risk, not by adding more content, but by designing training that people can actually use in real situations.

If organisations want training to make a difference, the starting point isn’t more information.

It’s better design,for real people.

About The Author – Stuart Sumner-Smith

Stuart Sumner-Smith is a Wales-based community practitioner and social enterprise leader who is a member of the AI and Cyber Security Association’s Advisory Group. He has extensive experience in grassroots development, digital inclusion, and employability and has held senior roles within organisations such as Swansea MAD and currently serves as a director of community interest companies including Divergent Emergent CIC and People Can Do It CIC. With a strong track record in securing funding and delivering impactful programmes, his work focuses on creating accessible pathways into digital and creative industries, supporting individuals and communities across Wales to build skills, confidence, and opportunity.

Submit a Comment