Accessibility & Security

Security that excludes people is security that fails. We help organisations embed accessibility into their security and compliance programmes — using the frameworks from Access Denied, written by our founder.

The problem

Accessibility is a security imperative

Most security controls were never designed with diverse users in mind. The result? People bypass them — and your organisation pays the price.

01

Inaccessible Controls Create Risk

Complex MFA, CAPTCHAs, and rigid timeouts weren't built with diverse users in mind. When people are forced to bypass controls, your organisation becomes more vulnerable.

02

Compliance Doesn't Mean Inclusive

Meeting WCAG or ISO standards on paper doesn't mean your security works for everyone. Real compliance requires understanding how people actually interact with your systems.

03

Shadow Systems Emerge From Exclusion

Shared credentials, personal cloud storage, password spreadsheets — these shadow systems exist because official tools don't work for everyone. Each one is an unmanaged risk.

04

Vendor Claims Don't Hold Up

Most security vendors self-certify accessibility. Independent testing routinely reveals gaps between marketing claims and real-world usability with assistive technology.

The book

Access Denied

The Security Risk of Ignoring Accessibility: Embedding Accessibility into Security and Compliance

Written by Culture Gem founder Jemma Davis, Access Denied exposes the hidden risks of inaccessible security systems and provides 12 practical frameworks for fixing them. The book bridges the gap between security, accessibility, and compliance — offering tools that organisations can apply immediately.

Our consultancy service brings these frameworks to life inside your organisation, with hands-on assessment, strategy, and implementation support.

"A book that bridges the technical and the human with clarity and purpose."

— Cyber Security Unity

The frameworks

12 Frameworks From Access Denied

Each framework comes straight from the book and is designed to help organisations cut through performative accessibility and build systems that work for everyone. We apply these as part of our consultancy engagements.

01

Security-Accessibility Maturity Model

Assess how far your organisation has come in embedding accessibility into culture, design, and risk management. Score across seven domains — authentication, incident response, monitoring, physical security, training, shadow systems, and alternative control pathways.

02

Accessibility–Security Maturity Model

Evaluate how well accessibility and security are integrated across governance, controls, teams, metrics, and outcomes. Five defined levels from Initial to Optimised, with implementation guidance for each.

03

The Integrated Security-Accessibility Framework

A five-step governance framework that positions accessibility as a security fundamental. Embed accessibility criteria in risk assessments, integrate into security testing, and elevate to board-level reporting.

04

The Integrated Policy Framework

Move from prescriptive policies that fail to outcome-based policies that flex. Design equivalent security pathways — multiple methods that achieve the same security goal through different mechanisms.

05

Shadow System Risk Assessment Framework

Identify, categorise, and prioritise the hidden systems people create when official tools exclude them. Assess organisational need, security impact, and the accessibility barrier that caused each one.

06

Vendor Accessibility Verification Questionnaire

Ask the right questions before you buy. Expose hidden accessibility risks, weak answers, and vendor lip service — with clear red flag, acceptable, and best practice benchmarks for every response.

07

Vendor Security Product Accessibility Assessment

Test whether accessibility claims hold up under real use. Systematic assessment across screen reader compatibility, keyboard navigation, visual design, error handling, time constraints, and independent verification.

08

Security-Accessibility Metrics Framework

Enhance traditional security metrics with accessibility considerations. Identify where exclusion creates risk — from authentication failures by assistive technology to shadow systems with accessibility causes.

09

The Measure–Improve–Benchmark Framework

A repeatable four-phase cycle for quantifying security accessibility ROI. Baseline measurement, ROI calculation, improvement implementation, and results benchmarking — with clear timelines and ownership.

10

The Outcome-Based Security Framework

Shift from compliance theatre to measured security outcomes. Replace documentation with verified control effectiveness, policy adherence with actual security outcomes, and certification cycles with continuous monitoring — across a structured four-phase transformation.

11

The Inclusive Awareness Framework

Security training that actually works. Five pillars: respect-based foundations, universal design, personalised learning pathways, psychologically safe environments, and outcome-based measurement. Designed for diverse minds, not compliance tick-boxes.

12

Training Trauma Risk Scorecard

Score your programme across 12 risk dimensions — from shaming and psychological pressure to sensory considerations and cultural appropriateness. Any high-risk rating requires immediate remediation. Built to protect neurodivergent and trauma-affected learners.

Who this is for

Built for security leaders who want to do better

CISOs and security leaders
Security architects and IAM specialists
Security awareness and culture teams
UX, compliance, and accessibility professionals
Procurement and vendor management teams
Any team that wants security to work for everyone

Accessibility is security

Security that doesn't work for everyone ultimately fails everyone. Let's fix that together.