The same technique that can harm a brain can also heal one.

The same physics that makes a BCI technique dangerous also makes it therapeutic. Transcranial magnetic stimulation treats depression and induces seizures. Deep brain stimulation manages Parkinson's and causes involuntary movement. The mechanism is identical. The difference is intent, dosage, and governance.

This is the central insight behind QIF: security and clinical safety are not separate problems. They are two views of the same system. A framework that only catalogs threats misses half the picture. A framework that only tracks therapies misses the risks. QIF maps both, for every technique, in a single proposed framework.

All publications are released under the Apache 2.0 license. Neural security standards are too critical to be proprietary. The people whose brains will be connected deserve to understand exactly how they are protected.

We address this with three interlocking pillars:

3.1 Where the Architecture Comes From

The 11-band model was not designed from first principles. It was derived by converging three established layered architectures:

1. The OSI model (ISO/IEC 7498) — 7 layers that decompose a network into physical, data link, network, transport, session, presentation, and application. Every security framework for digital systems uses some variant of this decomposition. But the OSI model stops at the wire. It has no concept of the biological system connected to the other end.
2. Neural systems anatomy (Kandel et al., Principles of Neural Science, 6th ed., 2021) — The brain is not a single structure. It is a hierarchy of functionally distinct regions: spinal cord, brainstem, cerebellum, diencephalon (thalamus/hypothalamus), basal ganglia, limbic system, and neocortex. Each has different cellular architecture, different oscillatory regimes, and different clinical consequences if compromised. The 7 neural bands (N7–N1) map directly to this established neuroanatomical hierarchy, with thalamic relay logic (Sherman & Guillery, 2006) providing the gating mechanism between cortical and subcortical layers. An architecture that treats “the brain” as one layer misses this entirely.
3. The bio-digital boundary (Deering, 2001; the Internet hourglass principle) — Where electrodes touch tissue, signals transition from ionic to electronic. This is not a clean handoff. It is a physical interface with its own impedance characteristics, its own failure modes, and its own threat profile. The I0 band applies Deering’s hourglass insight — that all traffic must pass through a narrow waist — to the electrode-tissue boundary, where every neural signal crosses from biology to silicon. Neither the OSI model nor neuroanatomy alone accounts for this zone.

QIF maps all three onto a single stack. The 7 neural bands (N7–N1) come from neuroanatomy, ordered by clinical severity. The 3 synthetic bands (S1–S3) come from the electronic processing chain, analogous to OSI's lower layers. The interface band (I0) is the bridge — the electrode-tissue boundary where biology becomes data. The result is an 11-band, 7-1-3 asymmetric hourglass: wide at the top (neural complexity), narrow at the center (physical bottleneck), and wider at the bottom (synthetic processing).

3.3 Architecture

The QIF Hourglass is an 11-band architectural model that maps all potential threat surfaces within a BCI — from the highest cortical structures through the electrode-tissue boundary and into the synthetic processing chain.

Seven bands are neural (N7 Neocortex through N1 Spinal Cord), representing biological tissue with distinct functional properties and vulnerability profiles. One band is the interface (I0), the electrode-tissue boundary where biological signals are converted to digital data — and where the highest concentration of techniques converges. Three bands are synthetic (S1 Near-Field through S3 Far-Field), covering the electronic processing, host compute, and communication chain.

The hourglass shape is deliberate. I0, the neural interface band, constitutes the architectural chokepoint. All signals must traverse this point. With over half of the 161 catalogued techniques targeting this band, it represents the majority of the total threat surface. Securing I0 is the single highest-leverage investment in BCI safety.

TARA (Therapeutic Applications & Risk Assessment) is a dual-use atlas of 161 BCI techniques. Every entry is three things at once: a security threat, an ethical concern, and a potential therapy. Of these, 102 have confirmed therapeutic applications with published clinical evidence. 76 are mapped to DSM-5-TR psychiatric diagnoses. This is not a threat registry with clinical notes appended. It is a single atlas built from the ground up to serve security engineers, clinicians, researchers, and regulators from the same source of truth.

TARA exposes each technique through four explicit projections:

• Modality — Attack severity, status, and physical coupling mechanism
• Clinical — Therapeutic analog, FDA status, evidence level, treated conditions
• Diagnostic — DSM-5-TR diagnostic mapping via the Neural Impact Chain
• Governance — Consent tier, regulatory requirements, data classification

Each technique can be analyzed through any of these projections. Interactive exploration of the TARA grid reveals all four perspectives for a given technique: its neural effects, potential therapeutic applications, diagnostic mappings, and applicable regulations.

TARA organizes 161 techniques across 7 operational domains and 17 tactics using a QIF-[Domain].[Action] format:

Of the 161 techniques, 102 have confirmed therapeutic applications — published clinical use with evidence. Another 19 are probable (under active investigation) and 10 are possible (theoretical mapping exists). Only 30 are pure silicon-only vectors with no known tissue analog.

The Neural Impact Scoring System (NISS) is a proposed vulnerability scoring system purpose-built for neural devices. In contrast to CVSS, which measures confidentiality, integrity, and availability, NISS quantifies six dimensions specifically relevant to brain-computer interfaces:

NISS scores are computed as an equal-weighted average of all assessed metrics, normalized to a 0–10 scale. Severity bands align with CVSS thresholds: 0.0 (None), 0.1–3.9 (Low), 4.0–6.9 (Medium), 7.0–8.9 (High), and 9.0–10.0 (Critical). Optional context profiles (clinical, research, consumer, military) allow for differentiated weighting of each metric.

The Neural Impact Chain (NIC) is a six-stage mapping that traces every technique from its physical mechanism to its potential clinical outcome for threat modeling purposes. For each entry in TARA, the chain identifies the targeted hourglass band, the affected neural structure, the disrupted cognitive or motor function, the resulting NISS severity score, and the corresponding DSM-5-TR diagnostic reference. These references illustrate the potential severity of sustained attack patterns; they are not diagnostic predictions.

To our knowledge, this represents a systematic mapping from cybersecurity severity to clinical outcome references. It traces a structured pathway: specific techniques, applied to specific neural bands, produce functional impacts that correspond to recognized clinical conditions. A security engineer can see that a technique targeting the limbic system (N6) with high cognitive integrity impact references mood and trauma-related disorders. A clinician can see that the same attack vector shares its mechanism with an FDA-approved therapy. These references must be interpreted with caution — neural correlates do not prove causation, and the brain's complexity means that identical stimulation can produce different outcomes across individuals.

This is the bridge between cybersecurity and clinical neuroscience that we found missing from existing frameworks.

Ienca & Andorno (2017) proposed four neurorights: Mental Privacy, Cognitive Liberty, Mental Integrity, and Psychological Continuity. Chile enshrined them in law. The OECD published neurotechnology governance guidelines (2019). But nobody had tested them against an actual threat taxonomy.

Every technique in the TARA atlas is now mapped to the affected neurorights through a systematic, multi-layer process: UI category provides the primary signal, DSM-5-TR cluster adds overlays, and NISS vector components refine the result. This mapping is deterministic and reproducible — the same technique always maps to the same rights.

Running 161 techniques through this process confirmed all four established rights from Ienca & Andorno (2017). QIF operationalizes Mental Integrity with engineering-level signal dynamics specifications and Mental Privacy with data-lifecycle specifications. QIF also maps these neurorights onto the CIA triad (MP = Confidentiality, MI = Integrity) and demonstrates both violations via a disclosed vulnerability in a BCI-adjacent streaming library. Cross-validated against six established frameworks (Ienca & Andorno 2017, Yuste/NeuroRights Foundation 2017, Chile Law 21.383, UNESCO 2025 Recommendation, Farahany 2023, Bublitz 2022):

CIA Triad Mapping: QIF maps Ienca & Andorno's neurorights onto the CIA triad: Mental Privacy = Confidentiality (don't read my neural data), Mental Integrity = Integrity (don't write into my neural signals). A disclosed vulnerability in a BCI-adjacent streaming library demonstrates both violations in a single exploit chain: Phase 2 (exfiltrate neural data) = MP violation, Phase 3 (inject false signals) = MI violation.

Mental Integrity (MI) — QIF Operationalized: QIF provides engineering-level specifications for Mental Integrity (Ienca & Andorno, 2017), including signal dynamics protections. Some attacks don't break neural function; they retune it. Gradual drift, neurofeedback falsification, and baseline adaptation poisoning reshape the brain's homeostatic equilibrium. QIF operationalizes MI with measurable specifications for detecting these dynamical retuning attacks. 101 techniques map to MI.

Mental Privacy (MP) — QIF Operationalized: QIF provides engineering-level specifications for Mental Privacy (Ienca & Andorno, 2017), including data-lifecycle protections. Multi-modal biometric fusion attacks correlate neural data with gait, voice, and typing rhythm. QIF operationalizes MP to cover cross-modal re-identification and the right to consent to each data modality independently.

Policy-Layer Rights

Three additional neurorights proposed by Yuste and the NeuroRights Foundation (2017) and reinforced by UNESCO's 2025 Recommendation — equitable access to mental augmentation, protection from algorithmic bias, and free will — are not mapped in the threat taxonomy. These are distributive justice and governance concerns: no attack technique directly violates “fair access,” and algorithmic bias arises from systems processing neural data, not from attacks on the interface itself. Free will substantially overlaps with Cognitive Liberty in the context of threat-to-harm mappings. These rights are addressed at QIF's governance layer rather than the security layer. See Governance → Neuroethics Alignment for the full mapping.

Each technique within the TARA atlas is assigned a consent tier reflecting the minimum regulatory oversight necessary for its deployment. These tiers are derived directly from NISS scores: higher biological impact, lower reversibility, and greater consent violation necessitate stricter governance.

Section 3305 of the Food and Drug Omnibus Reform Act (FDORA, 2022) defines a "cyber device" as one that (1) contains software, (2) can connect to the internet, and (3) could be vulnerable to cybersecurity threats. Every technique in TARA is classified against this three-prong test.

Section 524B requires five categories of cybersecurity documentation. Each technique is mapped to the requirements it is relevant to:

The regulatory coverage score (0.0–1.0) measures how well existing standards cover each technique. A score of 0.8 means current FDA pathways, IEC standards, and privacy regulations adequately address the risk. A score below 0.5 indicates a major regulatory gap — the technique represents a neural-specific threat that pre-FDORA frameworks were not designed to handle. 74 of 161 techniques fall below this threshold.

The top gaps are structural, not incidental: CVSS cannot express neural-specific impacts for the majority of techniques, and no FDA pathway exists for consumer sensor exploitation in the S-domain. These are precisely the gaps that TARA and NISS were built to fill — providing the neural threat catalog and impact scoring that Section 524B mandates but existing standards do not supply.

The Neural Sensory Protocol (NSP) is a proposed post-quantum security protocol specifically designed for BCI data links. It protects every neural data frame using ML-KEM key exchange (NIST’s quantum-resistant replacement for classical key exchange, standardized as FIPS 203), ML-DSA digital signatures (the quantum-resistant replacement for RSA and ECDSA signing, FIPS 204), and AES-256-GCM authenticated encryption (which both encrypts data and cryptographically verifies it has not been tampered with in transit). Power modeling against the Neuralink N1 reference platform estimates an overhead of approximately 3.25% of a 40 mW implant budget (hardware validation pending).

NSP defines five independent defense layers. Each layer operates independently — failure of one does not compromise the others:

The protocol is specified across three device tiers: implanted (most constrained, ≤40 mW), wearable (moderate power budget), and external (unconstrained). Not all tiers require all layers — consumer wearables implement Layers 1–3, while implanted devices implement all five. Each tier uses the same cryptographic primitives but with different parameter sets and duty cycles.

Post-quantum key sizes represent the primary implementation challenge. ML-KEM-768 public keys are 1,184 bytes — 18 times larger than classical X25519 keys (the standard used in most encrypted connections today). Runemate — a purpose-built compression layer for BCI payloads — mitigates this by encoding neural interface content (visual, auditory, haptic) through a closed-vocabulary DSL, achieving 65–90% compression and net bandwidth savings over classical transport for typical BCI content exceeding 23 KB.

Scope: NSP secures the I0 data link — the wireless boundary between implant and external device. It does not address physical-layer failures such as electrode migration, chronic immune response, or biocompatibility degradation. These are clinical monitoring concerns outside the protocol’s threat model.

QIF is open research, not a finished product. It was built by one independent researcher with AI collaboration — no lab, no faculty advisor, no institutional review board. The framework, the threat taxonomy, the scoring system, and the neurorights mappings all need stress testing by domain experts. Nothing here has been peer-reviewed yet. Here's where your expertise fits.

QIF is designed as a living framework. As neural device technology matures, the evolving threat landscape necessitates a corresponding evolution of the framework. Our immediate priorities:

QIF was developed by a single independent researcher. The framework, threat taxonomy, scoring system, clinical mappings, and architectural decisions reflect one perspective. Multi-disciplinary peer review is essential before any component informs clinical or regulatory practice.

Every architectural choice in QIF is documented in a 57-entry derivation log written like a lab notebook. Below are the pivotal decisions that shaped the framework — each one traceable to a specific entry with full reasoning chains.

Given the multi-disciplinary scale of this project — spanning 161 attack techniques across clinical, neural, and digital domains — Large Language Models (Claude, Gemini, ChatGPT) were used as computational research assistants to help synthesize regulatory datasets, cross-reference neuroscience literature, and generate code for data pipelines and visualizations.

The author takes full responsibility for all content in this research proposal, irrespective of how it was generated. AI tools cannot be listed as authors per arXiv, ACM, and IEEE policy. No AI system originated any architectural or methodological contribution.

Every decision, derivation, and AI interaction is logged in a cryptographically verifiable audit trail. Monthly checksums of collaboration logs are GPG-signed by the maintainer. The full chain of evidence: