top of page

The Psychology of Post-Quantum Risk

  • Writer: Brian Couzens
    Brian Couzens
  • Jun 20
  • 9 min read

Why the human mind is the primary vulnerability in cryptographic transformation



The standard framing of post-quantum risk is a race between two technical trajectories: the development of a cryptographically relevant quantum computer, and the deployment of quantum-resistant cryptography. The organisation that completes its migration before the former arrives has won. It is presented as an engineering problem, a procurement problem, a programme delivery problem.


This framing is wrong. Not entirely wrong - migration is necessary and the timeline is unforgiving. But it misidentifies the primary obstacle. The cryptographic mathematics is largely settled. NIST published its first post-quantum algorithm standards in 2024 after eight years of evaluation. The technical community has frameworks, tooling, and methodologies. The problem is not that solutions are absent. The problem is that organisations are not deploying them - and the reasons they are not are psychological, not technical.


The primary vulnerability in post-quantum security is not Shor's algorithm. It is the cognitive architecture of the people and institutions responsible for responding to it. Understanding that architecture - how it processes invisible threats, how it reproduces individual bias at institutional scale, how it is exploited by markets and soothed by compliance rituals - is the prerequisite for changing it.


The primary vulnerability in post-quantum security is not Shor's algorithm. It is the cognitive architecture of the people and institutions responsible for responding to it.


THE THREAT THAT COGNITION CANNOT GRASP

Human cognition evolved to respond to threats that are visible, proximate, and immediate. Quantum risk shares none of these properties. The threat is invisible: adversaries harvesting encrypted data today for decryption when a quantum computer exists do so silently, with no perceptible trace in the organisation's systems. The exposure is real, present, and accumulating, but it registers on no instrument the organisation currently monitors.


The threat is temporally displaced. The harm does not manifest this quarter, or plausibly this decade in most current assessments. Temporal discounting - the cognitive tendency to undervalue consequences that are distant in time - systematically compresses perceived urgency toward zero. The threat also has no organisational precedent. Every other technology risk that boards have absorbed had analogues in prior experience. Anchoring to familiar reference points produces systematically wrong threat assessments because the reference points do not apply.


What makes the pattern particularly dangerous is the asymmetry of inaction. In most risk categories, deferral preserves the status quo. Deferring post-quantum migration actively degrades the organisation's position, because data transmitted today under classical cryptography is already, in principle, compromised if a sufficiently capable adversary has chosen to harvest it. The exposure window does not pause while the committee meets. It widens.


Article content

THE CHAIN OF FAILURE: HOW INSTITUTIONS SYSTEMATISE COGNITIVE BIAS

The conventional assumption is that institutional processes correct for individual cognitive bias. Committees aggregate diverse perspectives. Risk frameworks impose structure. The assumption is not without merit. But cognitive bias under conditions of novelty and uncertainty does not disappear when individuals are placed in committees. It crystallises. Groupthink amplifies the dominant framing. Diffusion of responsibility creates the comfortable belief that quantum risk is someone else's problem.


The governance committee convened to address quantum risk is rarely composed of individuals with direct accountability for cryptographic outcomes. It contains technologists, compliance officers, risk managers, occasionally board representatives. Each brings their discipline's heuristics to a problem that fits cleanly within none of them. The result is not synthesis. It is paralysis: a sophisticated capability for performing the rituals of risk governance without the machinery to produce an outcome.


These failures do not operate in isolation. They form a chain. Cognitive bias in the individual produces inertia at the committee level. Committee inertia creates an accountability vacuum at the governance level. That vacuum is then filled - predictably, structurally, and at cost - by the two forces most readily available: vendor influence and compliance ritual. Vendors step into the vacuum because there is commercial advantage in doing so. Compliance frameworks step into it because they are designed to ensure activity occurs, not to ensure outcomes are achieved. The result is a self-reinforcing system in which the appearance of risk management substitutes continuously for the substance of it. Each actor within the system is operating within their defined role. The system as a whole is producing the wrong output.


Most organisations also carry arguments for deferral that provide intellectual cover for inaction. The most common is the Symmetric Fallacy: the claim that AES-256 is quantum-resistant and therefore the organisation is already protected. This contains a technical truth - AES-256 is assessed to retain meaningful security against Grover's algorithm. What it omits is that AES-256 does not operate in isolation. The symmetric session key must first be established through an asymmetric key exchange. RSA and ECDH are precisely the schemes Shor's algorithm renders insecure. Shor's algorithm does not pick the lock. It removes the hinge the lock is mounted on.


THE MARKET AS AMPLIFIER

Into the space created by institutional inaction, a market has grown. And markets optimise for their own interests rather than those of their customers.


The post-quantum market is not a single category. It is a capability stack comprising discovery platforms, cryptographic inventory tools, migration consultancies, hardware security module providers, cloud platform features, certificate lifecycle management systems, and key distribution specialists, among others. These capabilities address different problems, operate at different layers of infrastructure, and serve different phases of a migration programme. Procuring from any one of them does not constitute a post-quantum programme any more than purchasing a single tool constitutes a construction project.


The structural misalignment is compounded by the reviewer-builder conflict that pervades the market. The consultancy assessing an organisation's quantum readiness is frequently the same consultancy that hopes to deliver the remediation. The advisory firm identifying the gaps profits from filling them. In other domains of fiduciary decision-making this conflict is subject to disclosure requirements and, in some jurisdictions, prohibition. In cryptographic transformation it has become standard practice, largely unchallenged.


Compounding this is quantum washing: the misrepresentation of products as quantum-safe, quantum-secure, or quantum-ready without meeting the technical, standards-based, and evidentiary requirements those terms demand. The post-quantum market operates without a universally enforced definition of quantum-safe, without a mandatory certification scheme, and without regulatory enforcement against misleading claims. The consequence is an organisation that has spent budget, filed reports, and briefed its board - and has not changed its cryptographic posture by a single system.


Article content

COMPLIANCE AS ANAESTHESIA

Regulatory frameworks for quantum risk management share a common structural vulnerability: they measure activity rather than outcome. A framework requiring organisations to assess quantum risk, report findings, and establish a remediation plan can be fully satisfied by an organisation that has assessed, reported, and planned without migrating a single system. The compliance obligation is discharged by the performance of the required activities. The activities do not themselves require the underlying cryptographic estate to change.


The result is compliance theatre: the production of documentation, governance artefacts, assessment reports, and committee minutes that satisfy formal regulatory requirements while leaving cryptographic posture unchanged. The compliance team that produces a comprehensive quantum risk assessment has fulfilled its function. The fact that no primitive has been replaced and no cryptographic bill of materials has been operationalised is not within that team's mandate. The accountability gap at the centre of the governance structure remains unaddressed.


The perversity of the compliance trap is this: the more impressive the compliance record, the more effectively it disguises the absence of actual migration. An organisation with a 200-page quantum risk assessment, a board-briefed risk register, and a multi-year remediation roadmap may be more dangerous than one with none of these things, because its documentation gives the board confidence that risk is managed - when what has been managed is the appearance of management.


A fully compliant organisation can be fully exposed. Compliance measures whether the required activities were performed. Risk reduction measures whether the cryptographic estate has changed. These are different things.


THE SOLUTIONISM TRAP

For the minority of organisations that break through inertia and resolve to act, a different failure mode awaits. Quantum solutionism is the belief that post-quantum risk is a technology problem with a technology solution, and that purchasing the right product constitutes addressing the risk. The dashboard shows green. Products have been procured. A vendor is engaged. The board receives progress reports. The organisation feels safe.


Safety that depends on feeling rather than evidence is the most dangerous condition of all, because it prevents the organisation from recognising what it has not done. An organisation may deploy a PQC-capable TLS library, record the purchase as progress, and never ask whether the library is configured to negotiate quantum-resistant key exchange in production - or whether it silently falls back to classical cipher suites when a peer does not support it. It may not ask whether the entropy source feeding key generation meets the quality requirements that post-quantum key sizes demand, or whether the certificate authority infrastructure can issue and rotate the larger certificates that post-quantum schemes require within the operational latency the environment will tolerate. None of these questions appear on the procurement checklist. All of them determine whether the deployed algorithm provides any protection at all. The dashboard turns green. The estate remains exposed.


The maturity gap between knowing which algorithms to deploy and being able to prove the infrastructure those algorithms run on is trustworthy, monitored, and governed is precisely where solutionism thrives. Procuring a product is visible, recordable, and reportable to a board. Confirming that PQC key exchange is actually occurring in production - and not just theoretically available - is invisible, technically demanding, and nobody's current job description. Building the telemetry to monitor it, the governance machinery to evidence it, and the key management infrastructure to sustain it are unglamorous work that produce no impressive line item on a progress report. The gap between the two is not a technical failure. It is a governance one.


AWARENESS WITHOUT OWNERSHIP

The most consequential failure mode in post-quantum governance is the confusion of awareness with ownership. An organisation that has placed quantum risk on its risk register, briefed its board, and constituted a working group has achieved awareness. It has not achieved ownership. Awareness is passive: it acknowledges that a risk exists and assigns it a colour on a dashboard. Ownership is active, singular, and accountable: it commits a named individual to a specific outcome, with a mandate, a budget, and a consequence for non-delivery.


Committees cannot own outcomes because ownership requires the possibility of individual failure. A committee that does not migrate the cryptographic estate has not failed as a committee; each member has simply continued performing their committee function. The quantum risk register entry turns from red to amber not because the estate has been migrated, but because the committee has met and the assessment has been filed. These are not equivalent events. They have been allowed to function as though they are, and the confusion between them is costing organisations years of exposure they will not be able to recover.



Genuine readiness requires three structural commitments that committees cannot provide. First: named accountability - a single executive with the authority to mandate cross-functional programme delivery, the budget to fund it, and personal accountability to the board for the outcome. Second: outcome measurement - not briefings delivered or assessments completed, but cryptographic systems migrated, key management infrastructure upgraded, and a maintained cryptographic bill of materials mapping current state against target with evidenced progress. Third: independent scrutiny - the organisation that allows the vendor assessing its posture to also deliver the remediation will be told, repeatedly, that its posture is improving and that further investment in the same vendor's products will improve it further.


THE LOOP AND THE REAL RACE

Before addressing what must change, it is worth being precise about what the current system is actually doing, because it is doing it very effectively.


Boards receive briefings that produce acknowledgement without mandate. Acknowledgement without mandate produces committees. Committees produce assessments. Assessments produce compliance records. Compliance records satisfy regulators whose frameworks do not require migration. Vendors fill the remaining space with products that report as progress and dashboards that display as green. Each actor in this system is doing precisely what their role and incentive structure demands. No individual component is malfunctioning. The system as a whole is producing the appearance of risk reduction at industrial scale, while the cryptographic estate of regulated organisations accumulates exposure with each passing quarter. The loop is self-sustaining because it satisfies everyone within it except the organisation's future self - which will inherit the consequences of an exposure window that has been widening for years while the committee minutes were being filed.


Breaking the loop is not primarily a technical challenge. It is an institutional one. It requires boards to treat cryptographic migration as an enterprise outcome rather than a technology project. It requires governance frameworks to measure migration, not activity. It requires procurement disciplines that can distinguish a capability stack from a vendor category. It requires the separation of advisory and delivery functions, and periodic assessment against verifiable criteria that neither the assessing firm nor the delivering vendor has defined.


The quantum computer is a future uncertainty. The human mind - and the institutions it has built - are present ones. That is where the work must begin.



The mathematics of post-quantum cryptography is substantially settled. The standards exist. The algorithms exist. The tooling exists. What is not settled is the human system that must deploy them: the cognitive biases that prevent recognition of invisible and temporally displaced threats; the governance structures that systematise those biases rather than correcting them; the markets that exploit the resulting inaction; the compliance frameworks that reward documentation over migration; and the solutionist impulse that substitutes visible procurement for structural change.


The quantum computer is a future uncertainty. The human mind is a present one. That is where the work must begin.


Kantima Meewaew & Brian Couzens | SITG-Consulting | 2026

 
 
 

Recent Posts

See All

Comments


bottom of page