Autism and Cybersecurity: A Natural Fit?

By Paul Watters

There is a lot of very welcome discussion in the media and workplaces at the moment around the value of diversity – the idea that there is inherent business value in the characteristics and traits that make each of us unique. This is such a great shift away from the “scientific management” view of talent selection, where employers developed “cookie cutter” profiles of employees to fit a very mechanistic view of the enterprise. Unsurprisingly, this very dim view of the potential of human capital has been sent to the dustbin, along with the preferred stereotypes that dominated modernist life in the 20th century.

One of the huge changes in engaging a broader spectrum of people to undertake work has been a changing awareness of the value of employees on the autism spectrum. People on the autism spectrum tend to have restricted or narrow interests, strong sensory preferences, some differences in communication, and different ways of social interaction. Like the name suggests, the “spectrum” of autism means that no two autistic people are the same! However, while the “deficit” model of autism prevails, some employers and advocates have recognised the value that autistic employees can bring to the enterprise – especially in the field of cybersecurity.

Cybersecurity involves designing and managing systems, networks and data to prevent and/or repel cyber attacks. Governments, organised crime groups and individuals engage in cyber attacks for profit, to enhance their geopolitical power, obtain some advantage, or simply for fun. Identifying attacks and stopping them in their tracks requires eternal vigilance. In many high profile cases where hackers have been caught in recent years, it is unsurprising that many have turned to the “autism defence” – the notion that hackers are more likely to have autistic traits that diminish their responsibility for offending.

There are certainly many traits with autism that are inherently suitable for working in cybersecurity – an often obsessive level of attention to detail, a fixation on numbers and complex data, a restricted set of interests and an almost single-minded capacity to focus on one thing for a long period of time. Long after others may become tired or bored, an autistic person will chug on through work which may be tedious or repetitive to others. Creating a safe, supportive and productive environment for autistic people to thrive can have enormous payoffs in terms of productivity and capacity.

As a cybersecurity expert, professor and academic, and as a parent of two autistic daughters, I have had ample opportunity to investigate and reflect on this in my own lived experience. Let me share an example – a lot of “cracking” activities involve devising clever algorithms to search in high dimensional space for the answer to some problem – a password that has to be guessed, a cryptographic key that needs to be broken. Sheer brute force is not enough – heuristics are often employed to speed up the process; in some (if not all) cases, it is computationally infeasible to compute and test all combinations. This is what keeps our communications safe, after all! I’ve noticed that my youngest daughter is exceptionally good at devising heuristics for highly motivating searches, eg, if I have hidden a toy, a chocolate, or some other item of value. She will then use a range of data and approaches to determine the most likely hiding place, and often execute a highly non-linear, non-sequential search process. In fact, I usually don’t bother to hide things, as her persistence usually overcomes my creativity in finding new hiding places!

Given the right supports at work, it is easy to see how an autistic person’s positive traits and characteristics can be fruitfully applied to solving problems in cybersecurity.