Digital systems are often designed with two powerful priorities in mind: protecting information and ensuring access. Yet in practice, cybersecurity and accessibility are frequently addressed in separate conversations. One focuses on safeguarding data and limiting exposure; the other ensures that technology works for people with diverse needs. When treated independently, these priorities can unintentionally create friction.
Accessible IT (AIT) and the Information Security Office (ISO) brought these perspectives together in the “Is Your Security Accessible? Is Your Accessibility Secure?” session on Feb. 26. In the session, they explored how cyber protection and usability intersect—and how overlooking either can introduce unintended risk.
The event was structured as an interactive session, inviting participants to reflect on real-world scenarios and engage in a myth-versus-truth activity around cybersecurity and accessibility practices. The featured speakers in the interactive activity were:
- Sean Keegan, director, Stanford Office of Digital Accessibility
- Shawn Kim, director of cybersecurity governance, risk, and compliance, Information Security Office (ISO)
- Annie Stevens, senior information security officer, Information Security Office (ISO)
The speakers challenged a common assumption: that stronger security always means tighter restrictions. In reality, security controls that are difficult to use can lead people to bypass them altogether. When systems are inaccessible or overly complex, users may resort to shortcuts that weaken safeguards. Building systems that are both secure and usable is not a compromise, but rather a strategy for lowering risk while expanding equitable access.
Password complexity vs. real-world security
One discussion focused on password practices, challenging the idea that complexity alone improves security. Participants explored how password length is more important than complexity, with longer, more unpredictable passphrases often being both more secure and more usable than shorter, complex passwords. The conversation also highlighted the value of using password management tools to support strong, unique credentials across systems. The takeaway: usability and security can work together, not against each other.
Risk, workarounds, and human behavior
That lesson extends beyond password practices. Throughout the session, speakers emphasized that when security measures are difficult to navigate, people often find ways around them—sometimes introducing greater risk than the original vulnerability.
For this reason, cybersecurity and accessibility should not be treated as one-time compliance efforts, but as ongoing practices that require thoughtful implementation and informed users. While technology can support security, it cannot replace human judgment. Stanford’s approach reflects this balance by pairing automated tools with education and training.
Security and accessibility: not at odds
Participants also explored the misconception that security and accessibility are fundamentally incompatible. In reality, modern tools and thoughtful configurations can support both. In many cases, challenges arise not from the principles themselves, but from how systems are implemented.
Avoiding a false sense of security
Speakers also addressed the “false sense of security” that can come from relying solely on tools. Advanced technologies, such as AI-driven monitoring, do not eliminate risk on their own. Many security issues stem from misconfiguration or human behavior, reinforcing that tools are most effective when paired with education and awareness.
Accessibility follows a similar pattern: while standards and scanning tools help identify issues, training ensures they are applied effectively. In both areas, technology provides structure, but people ultimately shape the outcome.
Continuing the conversation
The session concluded with resources for continued learning, including:
- Do: Verify your password meets Stanford's password standards.
- Read: Familiarize yourself with the Minimum Security Standards and the security site.
- Watch: A SANS Institute talk on inclusive cybersecurity.
- Listen: To an IAAP podcast on digital accessibility best practices.
As the discussion made clear, the most resilient digital environments are not just secure—or just accessible. They are intentionally designed to be both.
