You are viewing v6.0 of the QIF Whitepaper. This version is preserved for reference. Read the current version (v6.3.0) →
Every technique that can harm a brain can also heal one.
QIF is a proposed open framework that maps BCI techniques to their security risks, clinical applications, and potential psychiatric outcomes in a single unified model.
161 catalogued techniques. 11 architectural bands. 6 neural-specific scoring metrics. DSM-5-TR diagnostic mapping. Therapeutic applications for the majority of known attack vectors.
Author: Kevin Qi · Organization: Qinnovate · Prior versions: archived
161
techniques catalogued
32
critical severity
70
irreversible
102
with therapeutic use
76
DSM-5-TR mapped
11
hourglass bands
1. The Problem
There are chips in human brains right now with no security standard protecting them.
Neuralink has implanted its N1 chip in human patients. Synchron's Stentrode is in FDA-approved clinical trials. Blackrock Neurotech has shipped Utah arrays for over a decade. Commercial EEG headsets from Emotiv, Muse, and OpenBCI sit on consumer shelves. These devices are tested for safety and efficacy. They are not tested against adversarial threats. To our knowledge, no standardized framework exists to classify, score, or mitigate attacks on the human brain.
Existing vulnerability scoring systems were designed for software. CVSS v4.0 measures three properties: confidentiality, integrity, and availability. These are sufficient for databases and web servers. These metrics are insufficient for devices that directly interface with the human brain. CVSS cannot express biological tissue damage. It cannot quantify the loss of cognitive integrity. It lacks metrics for consent violation, irreversibility, and neuroplastic change.
The result is a scoring gap. Current CVSS scores for BCI vulnerabilities capture only a partial picture of potential impact. A signal injection attack that induces phantom sensory perception receives the same severity score as a buffer overflow — despite one being a software bug and the other a direct violation of an individual's subjective experience.
This is an immediate concern. The threat surface already exists. We have catalogued 161 techniques across 8 categories, from signal injection to cognitive integrity violations. 32 are critical severity. 39 trigger the PINS flag for Potential Impact to Neural Safety. 70 cause irreversible or partially irreversible damage.
The gap in numbers
Of the catalogued techniques, 63.4% possess neural-specific impacts that CVSS v4.0 cannot adequately express. Prior to NISS, critical dimensions such as biological impact, cognitive integrity, consent violation, reversibility, and neuroplastic change were not quantifiable within existing vulnerability scoring frameworks.
2. Our Approach
The same physics that makes a BCI technique dangerous also makes it therapeutic. Transcranial magnetic stimulation treats depression and induces seizures. Deep brain stimulation manages Parkinson's and causes involuntary movement. The mechanism is identical. The difference is intent, dosage, and governance.
This is the central insight behind QIF: security and clinical safety are not separate problems. They are two views of the same system. A framework that only catalogs threats misses half the picture. A framework that only tracks therapies misses the risks. QIF maps both, for every technique, in a single standard.
All publications are released under the Apache 2.0 license. Neural security standards are too critical to be proprietary. The people whose brains will be connected deserve to understand exactly how they are protected.
We address this with three interlocking pillars:
QIF Model
Quantified Interconnection Framework
The governance architecture. The OSI of Mind. An 11-band hourglass model mapping every surface — from neural tissue to synthetic systems — where security threats and ethical risks converge. One auditable framework for both.
8.0 · Published
TARA
Therapeutic Applications & Risk Assessment
The TARA Atlas. 161 BCI techniques mapped across four projections — modality, clinical, diagnostic (DSM-5-TR), and governance — each scored with NISS and traced through the Neural Impact Chain from attack to clinical outcome.
1.7 · Atlas Published
NSP
Neural Sensory Protocol
The wire protocol. An RFC-style post-quantum protocol ensuring patient safety and data privacy — securing BCI data links with five defense layers at 3.25% power overhead.
0.4 · Secure Core Complete
Why all three are required
QIF without NSP identifies threats but cannot prevent their transmission. A threat model lacking a wire protocol is a map with no vehicle.
NSP without QIF encrypts data but cannot detect manipulation at the electrode-tissue boundary. A protocol without an underlying threat model provides protection without informed strategy.
Both without a compiler encounter a significant bandwidth challenge. Post-quantum key sizes are 18–46× larger than classical keys, presenting overhead that hinders adoption on 40 mW implants over BLE. Runemate's 65–90% compression mitigates this, making PQC practical for current applications.
3. The Hourglass
3.1 Where the Architecture Comes From
The 11-band model was not designed from first principles. It was derived by converging three established layered architectures:
- The OSI model (ISO/IEC 7498) — 7 layers that decompose a network into physical, data link, network, transport, session, presentation, and application. Every security framework for digital systems uses some variant of this decomposition. But the OSI model stops at the wire. It has no concept of the biological system connected to the other end.
- Neural systems anatomy — The brain is not a single structure. It is a hierarchy of functionally distinct regions: spinal cord, brainstem, cerebellum, diencephalon (thalamus/hypothalamus), basal ganglia, limbic system, and neocortex. Each has different cellular architecture, different oscillatory regimes, and different clinical consequences if compromised. An architecture that treats "the brain" as one layer misses this entirely.
- The bio-digital boundary — Where electrodes touch tissue, signals transition from ionic to electronic. This is not a clean handoff. It is a physical interface with its own impedance characteristics, its own failure modes, and its own threat profile. Neither the OSI model nor neuroanatomy accounts for this zone.
QIF maps all three onto a single stack. The 7 neural bands (N7–N1) come from neuroanatomy, ordered by clinical severity. The 3 synthetic bands (S1–S3) come from the electronic processing chain, analogous to OSI's lower layers. The interface band (I0) is the bridge — the electrode-tissue boundary where biology becomes data. The result is an 11-band, 7-1-3 asymmetric hourglass: wide at the top (neural complexity), narrow at the center (physical bottleneck), and wider at the bottom (synthetic processing).
3.2 Why These Bands and Not Others
Each band corresponds to a distinct scale-frequency regime. Cortical oscillations at N7 operate in the 1–100 Hz range across centimeter-scale structures. Spinal reflexes at N1 propagate at 80–120 m/s through meter-scale pathways. The analog front-end (S1) processes signals in the kHz–MHz range. Radio telemetry (S3) operates at 2.4 GHz.
The physics that governs each regime is fundamentally different, and so are the threats. An anomalous 40 Hz gamma injection at N7 is detected differently than a firmware exploit at S2. The band boundaries are not arbitrary — they follow the relationship L = v/f, where the physical scale of each structure matches its characteristic frequency. When a measured signal violates this constraint, it indicates injection from outside the expected regime.
The mathematical formalization of signal integrity scoring is future work, pending collaboration with physicists and neuroscientists. See BCI Physics Constraints for the current constraint system.
3.3 Architecture
The QIF Hourglass is an 11-band architectural model that maps all potential threat surfaces within a BCI — from the highest cortical structures through the electrode-tissue boundary and into the synthetic processing chain.
Seven bands are neural (N7 Neocortex through N1 Spinal Cord), representing biological tissue with distinct functional properties and vulnerability profiles. One band is the interface (I0), the electrode-tissue boundary where biological signals are converted to digital data — and where the highest concentration of techniques converges. Three bands are synthetic (S1 Analog through S3 Radio/Wireless), covering the electronic processing and communication chain.
The hourglass shape is deliberate. I0, the neural interface band, constitutes the architectural chokepoint. All signals must traverse this point. With over half of the 161 catalogued techniques targeting this band, it represents the majority of the total threat surface. Securing I0 is the single highest-leverage investment in BCI safety.
The 11-Band Hourglass
7 neural + 1 interface + 3 synthetic bands
11 bands · 353 total attack mappings · I0 concentrates 52 techniques at the neural–silicon boundary
How to read the hourglass
Y-axis (vertical): Bands ordered by anatomical hierarchy, from neocortex (N7) at the top through the electrode-tissue interface (I0) at the waist to radio/wireless (S3) at the bottom.
X-axis (bar width): Number of catalogued techniques targeting that band. Wider bars mean a larger attack surface. I0 is the widest because every technique that crosses the bio-digital boundary converges at this single point.
The shape: The hourglass narrows at I0 not because it has fewer threats, but because it is a physical bottleneck. All neural data must pass through this point. The concentration of techniques at the waist is what makes it the highest-leverage target for both attack and defense.
Each band has a distinct threat profile. Neural bands (N7–N1) are susceptible to attacks that induce biological damage, cognitive disruption, and potentially irreversible neuroplastic change. Synthetic bands (S1–S3) confront classical cybersecurity threats such as eavesdropping, data manipulation, and denial of service. The interface band (I0) is uniquely vulnerable to both, serving as the nexus where synthetic attacks can translate into neural damage.
| Band | Name | Zone | Description |
|---|---|---|---|
| N7 | Neocortex | neural | PFC, M1, V1, Broca, Wernicke — executive function, language, movement, perception |
| N6 | Limbic System | neural | Hippocampus, amygdala, insula — emotion, memory, interoception |
| N5 | Basal Ganglia | neural | Striatum, STN, substantia nigra — motor selection, reward, habit |
| N4 | Diencephalon | neural | Thalamus, hypothalamus — sensory gating, consciousness relay |
| N3 | Cerebellum | neural | Cerebellar cortex, deep nuclei — motor coordination, timing |
| N2 | Brainstem | neural | Medulla, pons, midbrain — vital functions, arousal, reflexes |
| N1 | Spinal Cord | neural | Cervical through sacral — reflexes, peripheral relay |
| I0 | Neural Interface | interface | Electrode-tissue boundary — measurement/collapse, quasi-quantum zone |
| S1 | Near-Field / On-Device | synthetic | Amplification, ADC, near-field EM coupling (0-10 kHz, on-device) |
| S2 | Guided-Wave / Host-Local | synthetic | Firmware, drivers, host compute, USB, decoding, BLE/WiFi baseband (10 kHz - 1 GHz, device-local) |
| S3 | Far-Field / Wide-Area | synthetic | RF transmission, directed energy, application layer (1 GHz+, off-device) |
4. TARA Atlas
One standard for both sides of the brain.
TARA (Therapeutic Applications & Risk Assessment) is a dual-use atlas of 161 BCI techniques. Every entry is three things at once: a security threat, an ethical concern, and a potential therapy. Of these, 102 have confirmed therapeutic applications with published clinical evidence. 76 are mapped to DSM-5-TR psychiatric diagnoses. This is not a threat registry with clinical notes appended. It is a single atlas built from the ground up to serve security engineers, clinicians, researchers, and regulators from the same source of truth.
TARA exposes each technique through four explicit projections:
- Modality — Attack severity, status, and physical coupling mechanism
- Clinical — Therapeutic analog, FDA status, evidence level, treated conditions
- Diagnostic — DSM-5-TR diagnostic mapping via the Neural Impact Chain
- Governance — Consent tier, regulatory requirements, data classification
Each technique can be analyzed through any of these projections. Interactive exploration of the TARA grid reveals all four perspectives for a given technique: its neural effects, potential therapeutic applications, diagnostic mappings, and applicable regulations.
Attack Categories
9 taxonomic categories spanning the BCI attack surface
Severity Distribution
Classified by potential impact on neural integrity
161 techniques catalogued
Dual-Use Classification
Every technique that can harm a brain can also heal one
81.4% of catalogued techniques have confirmed, probable, or possible therapeutic applications
Of the 161 techniques, 102 have confirmed therapeutic applications — published clinical use with evidence. Another 19 are probable (under active investigation) and 10 are possible (theoretical mapping exists). Only 30 are pure silicon-only vectors with no known tissue analog.
Latest · v1.6
FDORA §3305 Regulatory Compliance Mapping: 0 new techniques, all with confirmed clinical applications.
- + Regulatory gap analysis enables targeted FDORA compliance for BCI manufacturers
- + Coverage scoring identifies techniques where existing standards are insufficient
- + 74 techniques have coverage below 0.5 (major gaps)
- + Per-technique gap lists provide actionable compliance checklists
How to Read the TARA Atlas
TARA is structured as an interactive grid. Each row is a technique (identified by a QIF-T ID). Each column depends on which projection you are viewing:
Modality Projection
Shows the technique's severity rating (critical/high/medium/low), current status (theoretical, demonstrated, or deployed), coupling mechanism (how it reaches tissue), and which hourglass bands it targets.
Clinical Projection
Reveals the therapeutic analog — the established medical procedure that shares the same physics. Includes FDA approval status, evidence level (confirmed, probable, possible, silicon-only), and treated conditions.
Diagnostic Projection
Maps each technique through the Neural Impact Chain to its corresponding DSM-5-TR diagnostic category, risk class (acute, chronic, progressive), and the specific cognitive or motor function disrupted.
Governance Projection
Displays the consent tier (open, informed, IRB, prohibited), applicable regulatory frameworks, and data classification level. Use this to determine what oversight a technique requires before deployment.
Reading a cell: Click any technique to expand its full detail. The NISS vector (e.g., BI:H/CR:H/CD:C/CV:H/RV:P/NP:T) encodes all six scoring dimensions. The DSM-5-TR mapping shows which diagnostic clusters the technique's impacts correspond to. The dual-use flag indicates whether the same mechanism has an established therapeutic application.
Severity colors: Red = critical (NISS ≥ 9.0), Orange = high (7.0–8.9), Yellow = medium (4.0–6.9), Green = low (< 4.0). The PINS flag (persistent involuntary neural stimulation) is shown separately — 39 techniques carry this flag, indicating potential for ongoing harm after the initial exposure.
Browse the full grid. Click any cell. Switch between all four projections.
5. NISS Scoring
The Neural Impact Scoring System (NISS) is a purpose-built vulnerability scoring system for neural devices. In contrast to CVSS, which measures confidentiality, integrity, and availability, NISS quantifies six dimensions specifically relevant to brain-computer interfaces:
Biological Impact (BI)
Quantifies physical damage to neural tissue. Scores range from None (N) through Low, High, to Critical (C), denoting permanent tissue destruction. A buffer overflow scores BI:N, whereas a seizure-inducing technique scores BI:H or BI:C.
Cognitive Reconnaissance (CR)
Captures read-side attacks: neural data inference, thought decoding, and intent extraction. Neural eavesdropping with partial intent decoding scores CR:L, while full thought stream extraction scores CR:C.
Cognitive Disruption (CD)
Captures write-side attacks: perception manipulation, identity modification, and cognitive coercion. A phantom sensory injection scores CD:H, while a technique that alters the subject's sense of agency scores CD:C.
Consent Violation (CV)
Measures the degree to which a subject's autonomy is compromised. Ranges from None (N) for standard operation, to Partial (P) for degraded consent, Extensive (E) for bypassed consent, and Involuntary (I) when the subject lacks awareness of the intervention.
Reversibility (RV)
Indicates the potential for damage to be undone. Fully Reversible (F) implies complete expected recovery, Treatable (T) indicates recovery requiring intervention, Partially Reversible (P) denotes some permanent change, and Irreversible (I) signifies permanent damage.
Neuroplasticity (NP)
Reflects whether the technique induces physical reorganization of the brain. None (N) indicates no neural change, Temporary (T) signifies transient plasticity, and Structural (S) denotes permanent neural pathway alteration — effectively rewriting brain architecture.
PINS Flag
Potential Impact to Neural Safety. Triggered when Biological Impact (BI) is assessed as High/Critical or Reversibility (RV) is Irreversible. 39 of 161 techniques carry this flag, indicating their potential to induce persistent, non-consensual alterations to neural function.
NISS scores are computed as an equal-weighted average of all assessed metrics, normalized to a 0–10 scale. Severity bands align with CVSS thresholds: 0.0 (None), 0.1–3.9 (Low), 4.0–6.9 (Medium), 7.0–8.9 (High), and 9.0–10.0 (Critical). Optional context profiles (clinical, research, consumer, military) allow for differentiated weighting of each metric.
CVSS vs NISS: The Scoring Gap
94.4% of techniques have neural impacts invisible to CVSS
6 metrics vs 3 — NISS captures biological damage, cognitive reconnaissance, cognitive disruption, consent violations, reversibility, and neuroplastic changes that CVSS cannot express. Traditional scoring treats a brain implant breach the same as a stolen cookie.
NISS is purpose-built for neural security — every metric addresses a dimension of harm unique to brain–computer interfaces
Mathematical formalization — signal integrity equations, spectral decomposition, and coupling mechanisms — is future work pending collaboration with domain experts. This section presents the scoring system; the underlying physics constraints are documented at BCI Physics Constraints.
6. The Neural Impact Chain
Why this matters
When a BCI attack disrupts your amygdala, what happens to your mental health? Not in the abstract. In DSM-5-TR diagnostic terms. The Neural Impact Chain answers this question for every technique in the atlas.
The Neural Impact Chain (NIC) is a six-stage mapping that traces every technique from its physical mechanism to its psychiatric outcome. For each entry in TARA, the chain identifies the targeted hourglass band, the affected neural structure, the disrupted cognitive or motor function, the resulting NISS severity score, and the corresponding DSM-5-TR diagnostic category.
To our knowledge, this represents a systematic mapping from cybersecurity severity to clinical outcome references. It makes a verifiable claim: specific techniques, applied to specific neural bands, produce predictable functional impacts that correspond to recognized clinical conditions. A security engineer can now see that a technique targeting the limbic system (N6) with high cognitive integrity impact maps to mood and trauma-related disorders. A clinician can see that the same attack vector shares its mechanism with an FDA-approved therapy.
This is the bridge between cybersecurity and clinical neuroscience that did not previously exist.
The Neural Impact Chain
Research mapping from security severity to psychiatric diagnostic categories
Transcranial Magnetic Stimulation (QIF-T0042) → N7 Neocortex → Prefrontal cortex → Executive function disruption → NISS 7.4 (high) → F06.7 Mild neurocognitive disorder
Each of the 161 techniques traces a research path from exploit mechanism to diagnostic category reference
The chain produces a diagnostic profile for each technique. 76 of 161 techniques have DSM-5-TR mappings, organized into five diagnostic clusters:
DSM-5-TR Diagnostic Clusters
Neural Impact Chain mapping: attack technique → psychiatric outcome
Clinical outcome references for threat modeling — mapping BCI attack vectors to potential DSM-5-TR diagnostic patterns. Not diagnostic claims; neuroscience understanding remains incomplete.
Cognitive/Psychotic (22 techniques) — Attacks that disrupt perception, cognition, or reality testing. Primarily driven by high Cognitive Reconnaissance (CR) and Cognitive Disruption (CD) scores, mapping to disorders such as brief psychotic disorder, delirium, and dissociative conditions.
Mood/Trauma (27 techniques) — Attacks that alter emotional state or violate autonomy. Driven by Consent Violation (CV) metrics, mapping to PTSD, acute stress disorder, and adjustment disorders.
Motor/Neurocognitive (26 techniques) — Attacks that cause physical neural damage. Driven by Biological Impact (BI) scores, mapping to neurocognitive disorders and movement conditions.
Persistent/Personality (9 techniques) — Attacks that induce lasting neural reorganization. Driven by Neuroplasticity (NP) and Reversibility (RV) scores, mapping to personality change due to medical condition and persistent functional alterations.
Non-Diagnostic (51 techniques) — Silicon-only attacks that lack a direct neural impact pathway.
Risk classes
6.5 Neurorights Mapping
From diagnosis to rights
The Neural Impact Chain tells us what psychiatric harm a technique can cause. The neurorights mapping asks the next question: which fundamental rights does it violate?
Ienca & Andorno (2017) proposed four neurorights: Mental Privacy, Cognitive Liberty, Mental Integrity, and Psychological Continuity. Chile enshrined them in law. The OECD published neurotechnology governance guidelines (2019). But nobody had tested them against an actual threat taxonomy.
Every technique in the TARA atlas is now mapped to the affected neurorights through a systematic, multi-layer process: UI category provides the primary signal, DSM-5-TR cluster adds overlays, and NISS vector components refine the result. This mapping is deterministic and reproducible — the same technique always maps to the same rights.
Running 161 techniques through this process confirmed four established rights from Ienca & Andorno (2017). QIF extends Mental Integrity with engineering-level signal dynamics protections and maps the read/write distinction to the CIA triad: MP = Confidentiality (don't read neural data), MI = Integrity (don't write into neural signals). MP is extended with data-lifecycle protections. Cross-validated against six established frameworks (Ienca & Andorno 2017, Yuste/NeuroRights Foundation 2017, Chile Law 21.383, UNESCO 2025 Recommendation, Farahany 2023, Bublitz 2022):
106 of 161 techniques
85 of 161 techniques
101 of 161 techniques
79 of 161 techniques
CIA Triad Mapping: QIF maps Ienca & Andorno's neurorights to the CIA triad: Mental Privacy = Confidentiality (don't read neural data), Mental Integrity = Integrity (don't write into neural signals). A disclosed vulnerability in a BCI-adjacent streaming library demonstrates both in a single exploit chain: Phase 2 (exfiltrate) = MP violation, Phase 3 (inject) = MI violation.
Mental Integrity (MI) — QIF Extended: Now includes signal dynamics protections. Some attacks don't break neural function; they retune it. Gradual drift, neurofeedback falsification, and baseline adaptation poisoning reshape the brain's homeostatic equilibrium. QIF extends MI with engineering-level specifications for detecting these dynamical retuning attacks. 101 techniques map to MI.
Mental Privacy (MP) — QIF Extended: Now includes data-lifecycle protections. Multi-modal biometric fusion attacks correlate neural data with gait, voice, and typing rhythm. QIF extends MP to cover cross-modal re-identification and the right to consent to each data modality independently.
Consent Complexity Index (CCI)
CCI = (consent_weight × rights_count × severity_factor) / 10. It quantifies whether a technique's consent process is adequate for the rights it violates. Mean CCI across 161 techniques: 0.89. 6 techniques exceed 2.0 (high complexity).
A low CCI with a high NISS score signals a consent blind spot — the consent infrastructure under-protects the neural impact. Four silicon-only attacks have CCI below 0.6 but NISS above 6.4.
Policy-Layer Rights
Three additional neurorights proposed by Yuste and the NeuroRights Foundation (2017) and reinforced by UNESCO's 2025 Recommendation — equitable access to mental augmentation, protection from algorithmic bias, and free will — are not mapped in the threat taxonomy. These are distributive justice and governance concerns: no attack technique directly violates “fair access,” and algorithmic bias arises from systems processing neural data, not from attacks on the interface itself. Free will substantially overlaps with Cognitive Liberty in the context of threat-to-harm mappings. These rights are addressed at QIF's governance layer rather than the security layer. See Governance → Neuroethics Alignment for the full mapping.
7. Governance
Each technique within the TARA atlas is assigned a consent tier reflecting the minimum regulatory oversight necessary for its deployment. These tiers are derived directly from NISS scores: higher biological impact, lower reversibility, and greater consent violation necessitate stricter governance.
Consent Tier Distribution
Ethical oversight requirements across all 161 catalogued techniques
Normal informed consent
Additional safeguards required
Institutional review board oversight
Not permissible under any protocol
161 techniques across 4 consent tiers
The consent tier system aligns with existing regulatory frameworks:
- FDA 21 CFR Part 820 / 524B — Quality system requirements and cybersecurity expectations for medical devices
- EU Medical Device Regulation (MDR) 2017/745 — Post-market surveillance and clinical evaluation requirements
- HIPAA — Neural signals constitute Protected Health Information (PHI) when linked to an individual. Raw EEG, decoded intentions, and cognitive state inferences all fall under the Security Rule and Breach Notification Rule. See the full Regulatory Compliance Guide for neural data classification
- GDPR Article 9 — Neural data is special category data (health data) under EU regulation, requiring explicit consent for processing. The right to erasure poses unique challenges for neural recordings
- ISO 14971 — Risk management for medical devices, mapped to NISS severity levels
- IEC 62304 — Software lifecycle for medical devices, with Runemate targeting Class C certification
These alignments are not merely aspirational. Each consent tier directly corresponds to specific regulatory obligations. An IRB-tier technique, for instance, mandates review processes equivalent to those governing invasive research protocols. A prohibited-tier technique is not merely categorized as "high risk" — it is explicitly ineligible for any clinical or research protocol under existing frameworks.
7.2 FDORA §3305 Compliance Mapping
Why this matters for manufacturers
Since October 2023, the FDA enforces a Refuse-to-Accept policy under FDORA Section 524B: premarket submissions for "cyber devices" lacking cybersecurity documentation are rejected before review begins. Every BCI is a cyber device. TARA provides the threat catalog these submissions require.
Section 3305 of the Food and Drug Omnibus Reform Act (FDORA, 2022) defines a "cyber device" as one that (1) contains software, (2) can connect to the internet, and (3) could be vulnerable to cybersecurity threats. Every technique in TARA is classified against this three-prong test.
68
Target cyber devices
0.39
Mean regulatory coverage (0–1)
74
Techniques with major gaps (<0.5)
Section 524B requires five categories of cybersecurity documentation. Each technique is mapped to the requirements it is relevant to:
| Requirement | Section 524B Mandate | Techniques |
|---|---|---|
| TM | Threat modeling — identification of cybersecurity risks | 135 |
| VA | Vulnerability assessment — severity ratings for known vulnerabilities | 134 |
| SBOM | Software Bill of Materials — component transparency | 61 |
| SA | Security architecture — design controls for cybersecurity | 97 |
| PM | Post-market monitoring — ongoing vulnerability surveillance | 130 |
The regulatory coverage score (0.0–1.0) measures how well existing standards cover each technique. A score of 0.8 means current FDA pathways, IEC standards, and privacy regulations adequately address the risk. A score below 0.5 indicates a major regulatory gap — the technique represents a neural-specific threat that pre-FDORA frameworks were not designed to handle. 74 of 161 techniques fall below this threshold.
The top gaps are structural, not incidental: CVSS cannot express neural-specific impacts for the majority of techniques, and no FDA pathway exists for consumer sensor exploitation in the S-domain. These are precisely the gaps that TARA and NISS were built to fill — providing the neural threat catalog and impact scoring that Section 524B mandates but existing standards do not supply.
8. NSP Protocol
The Neural Sensory Protocol (NSP) is a five-layer, post-quantum communication protocol specifically designed for BCI data links. It encapsulates every neural data frame using ML-KEM key exchange, ML-DSA digital signatures, and AES-256-GCM authenticated encryption, achieving this with a modeled 3.25% power overhead on constrained implanted devices (hardware validation pending).
NSP comprises five layers: (1) Physical (electrode interface and signal conditioning); (2) Integrity (QI-based signal validation via STFT spectral analysis); (3) Encryption (post-quantum key exchange and authenticated encryption); (4) Transport (framing, sequencing, and flow control); and (5) Application (BCI command interpretation and consent enforcement).
The protocol is specified across three device tiers: implanted (most constrained, ≤40 mW), wearable (moderate power budget), and external (unconstrained). Each tier uses the same cryptographic primitives but with different parameter sets and duty cycles.
Post-quantum key sizes represent the primary implementation challenge. ML-KEM-768 public keys are 1,184 bytes — 18 times larger than X25519 keys. Project Runemate's Staves bytecode compression mitigates this overhead, achieving net bandwidth savings over classical transport for typical BCI interface content exceeding 23 KB.
9. How to Help
QIF is open research, not a finished product. It was built by one independent researcher with AI collaboration — no lab, no faculty advisor, no institutional review board. The framework, the threat taxonomy, the scoring system, and the neurorights mappings all need stress testing by domain experts. Nothing here has been peer-reviewed yet. Here's where your expertise fits.
Clinicians
- Use the Neural Impact Chain to understand security risks in terms of clinical outcomes
- Review TARA Clinical projections for therapeutic analogs and risk profiles
- Apply consent tiers to BCI technique selection in treatment planning
- The DSM-5-TR mapping bridges security language and clinical language
Psychologists
- Use the DSM-5-TR diagnostic mapping to assess cognitive and psychiatric risks of BCI techniques
- Evaluate NISS Cognitive Reconnaissance and Disruption scores for impact on perception, agency, and decision-making
- Inform neuropsychological assessment protocols with the band-to-function mapping
- Contribute clinical expertise to the dual-use classification of emerging neurotechnologies
Researchers
- Use the TARA atlas to identify risk profiles for BCI techniques in your studies
- Apply NISS scoring to quantify neural impact in vulnerability reports
- Reference the Neural Impact Chain for technique-to-diagnosis mapping
- Cite:
Qi, K. (2026). QIF v6.0. Qinnovate. Available at qinnovate.com
Engineers & Implementers
- Post-quantum native. NSP and Runemate are designed PQC-first — no legacy cipher inheritance. NIST mandates all legacy encryption deprecated by 2030 and disallowed by 2035 — and adversaries are already harvesting encrypted data today to crack later. Neural data has a lifetime shelf life; we’re not shipping it with an expiration date.
- Employ the hourglass model to structure threat assessments by architectural band
- Map your device's threat surface to TARA categories
- All specifications are Apache 2.0 — fork, implement, contribute
Standards Bodies
- Evaluate NISS as a neural-specific complement to CVSS for BCI vulnerability scoring
- Review the consent tier framework for alignment with your regulatory structure
- The hourglass model provides a neutral, device-agnostic architectural taxonomy
- Collaboration welcome: github.com/qinnovates
10. What's Next
QIF is designed as a living framework. As neural device technology matures, the evolving threat landscape necessitates a corresponding evolution of the framework. Our immediate priorities:
NISS v1.1
Refine scoring weights based on clinical validation. Explore temporal metrics for techniques that escalate over time.
NSP Reference Implementation
Open-source reference implementation of the full 5-layer protocol stack on a constrained ARM Cortex-M4 target.
Runemate Forge
The Staves bytecode compiler. Currently in Rust implementation targeting IEC 62304 Class C certification path. 200 KB on-chip footprint.
Community & Governance
Establish a technical advisory board. Formalize the contribution process. Build partnerships with academic neuroscience labs and BCI manufacturers.
QIF, its underlying standards, and the TARA atlas are all maintained as open resources. For developers of devices that interface with the brain, we offer support in securing these critical systems.