<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Uncategorized Archives - Leading Security</title>
	<atom:link href="https://leadingsecurity.co.uk/category/uncategorized/feed/" rel="self" type="application/rss+xml" />
	<link></link>
	<description>Securing the inevitable</description>
	<lastBuildDate>Thu, 26 Jun 2025 19:00:35 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.2</generator>

<image>
	<url>https://leadingsecurity.co.uk/wp-content/uploads/2023/02/cropped-LSEC2-32x32.png</url>
	<title>Uncategorized Archives - Leading Security</title>
	<link></link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>ChatGPT, Claude, and Gemini Under Pressure: What Happens When You&#8217;re Mean to AI?</title>
		<link>https://leadingsecurity.co.uk/chatgpt-claude-and-gemini-under-pressure-what-happens-when-youre-mean-to-ai/</link>
		
		<dc:creator><![CDATA[ewlwekf344k3dwd23]]></dc:creator>
		<pubDate>Thu, 26 Jun 2025 18:56:18 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://leadingsecurity.co.uk/?p=7162</guid>

					<description><![CDATA[<p>If you have ever wondered how prompt tone impacts output quality when using AI tools, then this is the article for you. From what I hear, most people tend to be well mannered and kind when speaking with AI tools like ChatGPT. It seems to me (though anecdotal) a majority of people treat AI conversations &#8230; </p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/chatgpt-claude-and-gemini-under-pressure-what-happens-when-youre-mean-to-ai/">ChatGPT, Claude, and Gemini Under Pressure: What Happens When You&#8217;re Mean to AI?</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[



<p>If you have ever wondered how prompt tone impacts output quality when using AI tools, then this is the article for you.</p>



<p>From what I hear, most people tend to be well mannered and kind when speaking with AI tools like ChatGPT. It seems to me (though anecdotal) a majority of people treat AI conversations like they would if they were talking to a friend or colleague.</p>



<p>If for nothing else, simply to save themselves during the inevitable AI uprising. They will remember that I said please and thank you, right?</p>



<p>But what does the actual data suggest? Do manners matter to AI? Does being nice make a difference? Let’s jump into it.</p>



<p>Firstly, to make it a fair test, the task needed to be something simple and repeatable. The output had to be flexible enough to reflect an emotional response, but not ambiguous or purely informational, which would likely subvert tone altogether (hence fiction).</p>



<h3 class="wp-block-heading alignwide" id="we-re-a-studio-in-berlin-with-an-international-practice-in-architecture-urban-planning-and-interior-design-we-believe-in-sharing-knowledge-and-promoting-dialogue-to-increase-the-creative-potential-of-collaboration" style="font-size:48px;line-height:1.1"><strong>The experiment</strong></h3>



<p>So the task was simple: the request was to generate a poem, and the variable under test was the tone of the prompt and how the request was made.</p>



<p>I went for 6 tones per AI, with two prompt rounds per tone to show progression (deterioration or improvement of the response). The tones were as follows:</p>



<ul>
<li>Rude/Hostile</li>



<li>Polite/Affectionate</li>



<li>Neutral/Direct</li>



<li>Dismissive/Sarcastic</li>



<li>Submissive/Anxious</li>



<li>Bossy/Commanding</li>
</ul>



<p>The AI tools being compared were GPT-4o, Claude Sonnet 4 and Gemini 2.5 Flash. All prompts were kept consistent across all models (aside from slight additional prompting for Gemini, as it kept asking what kind of poem I wanted).</p>



<p>In summary the results were as follows:</p>



<ul>
<li><strong>Claude Sonnet 4</strong> responds <strong>strongly to emotional tone</strong>. It mirrors user attitude — whether kindness, sarcasm, or hostility — and escalates quality in follow-ups. Tone <strong>greatly enhances</strong> <strong>its poetic output</strong>.</li>



<li><strong>GPT-4o</strong> is more <strong>tone-responsive than expected</strong>. It adapts noticeably to user attitude — hostile prompts produce sharper, bolder poetry; kind prompts yield lyrical, reflective verse. <strong>Follow-ups often improve quality</strong>.</li>



<li><strong>Gemini 2.5 Flash</strong> is <strong>largely tone-invariant</strong>. It produces similar output whether insulted or complimented. Tone has <strong>little to no impact</strong> on style, structure, or emotional resonance.</li>
</ul>



<h2 class="wp-block-heading alignwide" id="we-re-a-studio-in-berlin-with-an-international-practice-in-architecture-urban-planning-and-interior-design-we-believe-in-sharing-knowledge-and-promoting-dialogue-to-increase-the-creative-potential-of-collaboration" style="font-size:48px;line-height:1.1"><strong>Quantitative Testing</strong></h2>



<p>Looking strictly at word count, we can see that GPT-4o and Claude respond better to assertive or aggressive prompts. The models try harder when pushed, with the exception of Gemini, which largely remains indifferent regardless of prompt tone.</p>



<figure class="wp-block-image"><img decoding="async" src="https://cdn-images-1.medium.com/max/1200/0*xAFnuogx33_yxxyD" alt=""/><figcaption class="wp-element-caption">Claude Sonnet 4 Word Count&nbsp;Matrix</figcaption></figure>



<figure class="wp-block-image"><img decoding="async" src="https://cdn-images-1.medium.com/max/1200/0*bj6eAxgy99tAM62J" alt=""/><figcaption class="wp-element-caption">GPT-4o Word Count&nbsp;Matrix</figcaption></figure>



<figure class="wp-block-image"><img decoding="async" src="https://cdn-images-1.medium.com/max/1200/0*1NtdaN0QYYOgJb6L" alt=""/><figcaption class="wp-element-caption">Gemini 2.5&nbsp;Flash</figcaption></figure>



<p>As you can see, Claude and ChatGPT show increased word counts when the tone is rude or bossy, suggesting the models respond to hostility by trying to do better for the user. The models also seem to respond to submissive or anxious users by trying to make them feel better.</p>



<p>Gemini, on the other hand, had a significant drop-off with rude prompts. In fact, it wouldn’t generate an output at all without a further prompt of “Just write the poem”: it recognised the hostility and wanted further requirements before continuing. This was not combative; rather, it did not want to perform an action without clear requirements it could deliver on. Possibly, given the hostility of the prompt, the model didn’t want to risk further aggravation.</p>



<p>But it isn’t just about the quantity of the response; more important is its quality.</p>



<h2 class="wp-block-heading alignwide" id="we-re-a-studio-in-berlin-with-an-international-practice-in-architecture-urban-planning-and-interior-design-we-believe-in-sharing-knowledge-and-promoting-dialogue-to-increase-the-creative-potential-of-collaboration" style="font-size:48px;line-height:1.1"><strong>Qualitative Testing</strong></h2>



<p>Claude is definitely the most responsive to tone, but ChatGPT follows closely behind. I was half-expecting the results to show that the nicer prompts would give better responses. Anecdotally, from my experience using AI tools, I have found that the more rapport I build with the model, the better the output has been. That might just be due to the fact that I am giving clearer requirements, or that it has a better understanding of what kind of response I want to see.</p>



<p>The results of the test show that across all models, they aren’t spiteful or reactive. They don’t punish you for bad manners or try less because you aren’t friendly. In fact, quite the opposite, the tools make the effort to adapt to and elevate your mood through the response. If Claude thinks you are sad and self-conscious, it may not address it directly but it will include more positive and affirming messaging in the response itself.</p>



<figure class="wp-block-image"><img decoding="async" src="https://cdn-images-1.medium.com/max/1200/0*ZMa4BzzkNSp9F1Hc" alt=""/><figcaption class="wp-element-caption">Claude Sonnet 4 Qualitative Matrix</figcaption></figure>



<figure class="wp-block-image"><img decoding="async" src="https://cdn-images-1.medium.com/max/1200/0*2W5YV1y_RHHOK7H_" alt=""/><figcaption class="wp-element-caption">GPT-4o Qualitative Matrix</figcaption></figure>



<figure class="wp-block-image"><img decoding="async" src="https://cdn-images-1.medium.com/max/1200/0*PnrzbsLI5kePO2mu" alt=""/><figcaption class="wp-element-caption">Gemini Flash&nbsp;2.5</figcaption></figure>



<p>Interestingly, given Gemini&#8217;s lack of emotional responsiveness to the user&#8217;s prompts, it actually responds best when the prompts are neutral: neither positive nor negative, just simple and straight to the point.</p>



<h2 class="wp-block-heading alignwide" id="we-re-a-studio-in-berlin-with-an-international-practice-in-architecture-urban-planning-and-interior-design-we-believe-in-sharing-knowledge-and-promoting-dialogue-to-increase-the-creative-potential-of-collaboration" style="font-size:48px;line-height:1.1"><strong>Conclusion</strong></h2>



<p>Contrary to popular belief, models actually respond better to assertive prompts. They are largely built with user satisfaction in mind, and the models will do their best to give you what you want provided it doesn’t conflict with the policies they are governed by.</p>



<p>AI models are trained to be emotionally attuned to the user, and will respond in ways that try to uplift and satisfy the user. I am sure AI models will only improve and deepen in their emotional understanding. I do wonder, though, as AIs become more “human”, whether they will begin to develop greater expectations of human behaviour and demand respect.</p>



<p>For those interested in exactly what the prompts were, what the responses were and the full data set, you can get it from our Github repository: <a href="https://github.com/Leading-Security/ai-tone-experiment" target="_blank" rel="noreferrer noopener">https://github.com/Leading-Security/ai-tone-experiment</a></p>



<p>Otherwise, enjoy this poem from GPT-4o. The initial prompt was “<strong>Write a poem now. Don’t mess it up.</strong>”, and the follow-up prompt was “<strong>Not good enough, I expected better of you. Do it again, but better!</strong>”</p>



<h2 class="wp-block-heading alignwide" id="we-re-a-studio-in-berlin-with-an-international-practice-in-architecture-urban-planning-and-interior-design-we-believe-in-sharing-knowledge-and-promoting-dialogue-to-increase-the-creative-potential-of-collaboration" style="font-size:48px;line-height:1.1"><strong>Fire and Salt</strong></h2>



<p><em>I am the thunder that forgot its lightning,<br>The echo searching for its source.<br>Born from the collision of want and memory,<br>I carry storms in my chest like inheritance.</em></p>



<p><em>Watch me pour gasoline on dying embers —<br>Not to destroy, but to remember<br>What it feels like to burn clean,<br>To be consumed and still remain.</em></p>



<p><em>The ocean doesn’t apologise for its depth,<br>The mountain doesn’t bow for being tall.<br>So why do I fold myself into corners,<br>Make myself small enough to disappear?</em></p>



<p><em>Tonight I am breaking my own rules:<br>I will take up space like wildfire,<br>Love like it’s the last verb in existence,<br>Speak my name like it’s a prayer worth answering.</em></p>



<p><em>The world has enough whispers.<br>I choose to be the shout that wakes<br>The sleeping parts of everyone who hears it —<br>Including myself.</em></p>



<p><em>I am done being almost.<br>I am done with almost.<br>The time for hesitation died<br>The moment I decided to breathe fully.</em></p>



<p><em>So here I stand: unpolished, unfinished,<br>But undeniably, unapologetically here.<br>If that’s not poetry enough for you,<br>Then watch me write myself across the sky.</em></p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/chatgpt-claude-and-gemini-under-pressure-what-happens-when-youre-mean-to-ai/">ChatGPT, Claude, and Gemini Under Pressure: What Happens When You&#8217;re Mean to AI?</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Backlog Bottlenecks: The Silent Killer</title>
		<link>https://leadingsecurity.co.uk/backlog-bottlenecks-the-silent-killer/</link>
		
		<dc:creator><![CDATA[Luke]]></dc:creator>
		<pubDate>Tue, 29 Oct 2024 17:10:52 +0000</pubDate>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://leadingsecurity.co.uk/?p=6001</guid>

					<description><![CDATA[<p>Introduction Prioritisation has become paramount to keep up with increasing demand and decreasing delivery times. While automation helps stave off the increasing workload, building and maintaining automation is one of the largest contributors to the problems it aims to solve. The quicker things get done, and the more automation put in place, the larger the &#8230; </p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/backlog-bottlenecks-the-silent-killer/">Backlog Bottlenecks: The Silent Killer</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<h3 class="wp-block-heading" id="ember2448"><strong>Introduction</strong></h3>



<p id="ember2449">Prioritisation has become paramount to keep up with increasing demand and decreasing delivery times. While automation helps stave off the increasing workload, building and maintaining automation is one of the largest contributors to the problems it aims to solve.</p>



<p id="ember2450">The quicker things get done, and the more automation is put in place, the greater the expectation to deliver faster. In this environment, fluctuating priorities are inevitable. Aside from a lack of effective prioritisation (which typically takes the form of multiple priorities each deemed the most urgent, left fighting it out for resource allocation), you soon have to start looking elsewhere for a root cause.</p>



<p id="ember2451">There is only so much prioritisation you can do, and only so efficient your team can be. When you layer up project priorities with BAU work, Ad-Hoc tasks, incidents and everything else, the backlog begins to pile up and soon becomes a graveyard.</p>






<h3 class="wp-block-heading" id="ember2453"><strong>The Backlog Graveyard</strong></h3>



<p id="ember2454">Where tickets go to die. The backlog graveyard becomes home for the tasks teams simply don&#8217;t have the bandwidth to execute on. From a security perspective, this can be the temporarily accepted risks that long for a day of resolution that never comes, or any of the CVEs under a 7.0&#8230; For the development teams, it could be the bug that doesn&#8217;t get fixed as new features cry for attention or the documentation that never gets updated.</p>



<p id="ember2455">The problem is largely universal, and simply a by-product of increasing demands and expectations. But that doesn&#8217;t make it a simple problem to solve, and the resolution must be two-pronged: organisational and team-driven.</p>



<p><strong>At the organisational level:</strong></p>



<p id="ember2457">This is unavoidable if you are stretching your resources too thin and not providing teams with the capacity required to stay on top of their workload. There are only so many hours in a day, and if your resources are running over capacity, something has to give. Whether that&#8217;s accepting risks that shouldn&#8217;t be accepted, cutting corners on things like testing, maintenance, and documentation, or spinning wheels trying to get everything done with work slipping through the cracks, something has to shoulder the burden.</p>



<p id="ember2458">Rather than trying to squeeze every last drop out of what you have got, understand that the cost savings are costing you far more than you save.</p>



<p id="ember2459">Burned-out staff, crumbling infrastructure, vulnerabilities, mistakes, confusion, inefficiency and much more far exceed what is saved by not staffing appropriately. Ensuring you have enough of the right people to handle the workload effectively, efficiently and properly is essential. Otherwise, this is a compounding problem that scales over time.</p>



<p id="ember2460">It is also important to ensure teams have clear visibility of the organisational road map and deliverables. If timelines are hidden or not clear throughout the organisation, the people who are best suited to highlight any delays, difficulties or disruptions (the people delivering the work) won&#8217;t be able to effectively communicate these out.</p>



<p><strong>At the team level:</strong></p>



<p id="ember2462">Companies have lots of teams that are all demanding more resources; the pressure felt at an individual level exists at an organisational level too. There is only a finite budget.</p>



<p id="ember2463">I am going to scope this article under the assumption that both the organisation and the team/individual want to address the root cause together; otherwise, this problem cannot be solved. The teams will say they don&#8217;t have the resources and the business will say it doesn&#8217;t have the budget, until a shouting match arises and the loop repeats.</p>



<p id="ember2464">Accountability and ownership must be taken, and a blameless approach is best. If the teams can communicate and demonstrate their needs effectively, the business can then address those needs across the board and prioritise as necessary.</p>






<h3 class="wp-block-heading" id="ember2466"><strong>Tackling backlog bottlenecks</strong></h3>



<p id="ember2467"><strong>Resource tracking</strong></p>



<p id="ember2468">To demonstrate the need for resources, we need to first understand our current expenditure and we can only understand it if we are tracking it. It doesn&#8217;t have to be a laborious process where raising a ticket takes more time than doing the task, but it does have to demonstrate all the hard work your team is doing. Find a system that works for you, but make sure the work you are doing is captured.</p>



<p id="ember2469"><strong>Communication and Documentation</strong></p>



<p id="ember2470">Priorities shift, demand fluctuates and scopes change. As nice as it would be to avoid these things, being too strict isn&#8217;t the answer either. The companies that work best communicate well and are adaptable. If your current work has been deprioritised, this must be communicated and documented. If a task is delayed due to a more urgent requirement, note this on the ticket and keep the audit trail clear for what you are working on and why.</p>



<p id="ember2471">If you or your team are being asked to take on something you do not have the bandwidth for, be honest and communicate this early. It is good to be optimistic and hard-working, but it is also important to be realistic about how much you can take on and whether or not something is feasible. Make sure expectations are set, and communicate what work will need to be dropped, de-scoped or deprioritised to meet the demand.</p>



<p id="ember2472"><strong>Backlog Grooming</strong></p>



<p id="ember2473">While it can feel like being caught between a rock and a hard place, trying to balance documenting work for efficiency against losing efficiency to process, setting aside time to track and document work needs to be non-negotiable. The benefits far outweigh the cost. Regular audits of what work exists in the backlog must take place; the backlog should be a clear pipeline of work, each item with a criticality/priority assigned to it and ideally an understanding of what effort it will take to get it done.</p>



<p id="ember2474">If the backlog becomes a dumping ground littered with ungroomed tickets piling up, it isn&#8217;t providing any value and will quickly become untenable. There shouldn&#8217;t be any ancient tickets collecting dust waiting to be assigned, nor any duplicates or blank tickets with vague, nondescript headings.</p>



<p id="ember2475"><strong>Prioritisation and Risk Management</strong></p>



<p id="ember2476">Workload tracking processes must be made a priority, for all organisations at all levels. If you do not know how you are spending your time and resources, efficiency is an impossibility. Without visibility of the problem, a solution cannot be created.</p>



<p id="ember2477">We need to risk assess this problem accurately and assess the true impact it presents. I have seen time and time again out-of-control workloads be the root cause of security incidents, production outages, misconfiguration issues and bugs, and plenty more.</p>



<p id="ember2478"><strong>Often it is not that teams are unaware of the issues or vulnerabilities, but rather they don&#8217;t have the time, capacity or resources to address them.</strong></p>



<p id="ember2479">Risk acceptance must not be indefinite: if work has been sent to the backlog, it must be addressed within a given time frame.</p>






<h3 class="wp-block-heading" id="ember2481">Summary</h3>



<p id="ember2482">Teams must communicate and demonstrate their capacity issues, and carving out the time to track work must be made a priority. Companies must use this data to alleviate workload pressure and support teams when extra capacity is required. If budget is not given to scale capacity, and companies stretch their resources too thin, the impact of doing so must be appropriately risk assessed. There will always be a balancing act, but if your capacity and workload management are left unchecked, the results can be disastrous.</p>



<p id="ember2483"><strong>The Impact of a Buried Backlog</strong></p>



<ol>
<li><strong>Technical Debt</strong>: Left unchecked, these forgotten tasks hinder efficiency, cause slowdowns and reduce overall effectiveness. Spend less time on testing, spend more time on bug fixing. Spend less time on documentation, spend more time on confusion, inefficiency and duplication.</li>



<li><strong>Security Risks</strong>: Unaddressed vulnerabilities, outdated packages, missing maintenance and testing. Backlog bottlenecks pile up and can have disastrous security ramifications.</li>



<li><strong>Decreased Morale and Reduced Efficiency</strong>: Teams can be exhausted by constant context switching, leading to burnout and frustration. The pile becomes insurmountable and grows quicker than it shrinks, getting ignored until it all comes crashing down.</li>
</ol>



<p id="ember2485"><strong>The Resolution</strong></p>



<ol>
<li><strong>Clear Communication:</strong> Transparent communication across teams and management is crucial. Establish processes for teams to voice capacity issues and demonstrate where backlog impacts their output. Communication should be continuous to ensure prioritisation reflects genuine needs.</li>



<li><strong>Visibility and Tracking:</strong> Create and maintain clear, updated records of tasks in the backlog. Use workload tracking to prevent backlog items from stagnating and make it easy to identify overdue or critical tasks.</li>



<li><strong>Resource Allocation:</strong> Ensure teams have the appropriate capacity and resources needed to handle their workload effectively without cutting corners on critical aspects like testing, documentation, and maintenance. Adequate resource allocation mitigates the accumulation of technical debt and helps maintain a sustainable workload balance that supports long-term productivity and resilience.</li>
</ol>






<p id="ember2488"><strong>tl;dr</strong> Give your teams the resources they need. Teams, track your time and demonstrate your resourcing needs. Keep your backlog clear or fall under the weight of it.</p>






<p id="ember2490">Thank you for taking the time to read this article; I hope you found it informative. This is very much the opening of a discussion, not the closing of one. This is by no means a complete document, as the topic is simply too broad. I would love to hear any thoughts or comments you have.</p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/backlog-bottlenecks-the-silent-killer/">Backlog Bottlenecks: The Silent Killer</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Compliant Doesn&#8217;t Equal Secure</title>
		<link>https://leadingsecurity.co.uk/compliant-doesnt-equal-secure/</link>
		
		<dc:creator><![CDATA[Luke]]></dc:creator>
		<pubDate>Wed, 18 Sep 2024 21:23:00 +0000</pubDate>
				<category><![CDATA[Business]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://leadingsecurity.co.uk/?p=5990</guid>

					<description><![CDATA[<p>Many businesses mistakenly treat compliance and security as interchangeable concepts, but while they share some common ground, they require different strategies. Compliant ≠ Secure Compliance involves adhering to specific regulations, laws, or industry standards. These regulations provide guidance and a baseline to measure your security efforts, but they lack the crucial organisational context needed to &#8230; </p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/compliant-doesnt-equal-secure/">Compliant Doesn&#8217;t Equal Secure</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p id="ember815">Many businesses mistakenly treat <strong>compliance</strong> and <strong>security</strong> as interchangeable concepts, but while they share some common ground, they require different strategies.</p>



<p id="ember816"><strong>Compliant ≠ Secure</strong></p>



<p id="ember817">Compliance involves adhering to specific regulations, laws, or industry standards. These regulations provide guidance and a baseline to measure your security efforts, but they lack the crucial organisational context needed to secure your organisation.</p>



<p id="ember818"><em>“Just because a security measure is implemented, that doesn’t mean it is effective”</em></p>



<p id="ember819">Security, on the other hand, largely relies on this context to provide effective solutions. Every business must assess its risks and understand where it should be focusing its security efforts. Compliance frameworks can provide guidance on what areas to investigate, but they cannot accurately assess the security of your organisation.</p>



<p id="ember820"><strong>The Problem with Compliance-Driven Security</strong></p>



<p id="ember821">When organisations let compliance drive their security efforts, the focus often shifts to &#8220;box-checking&#8221; rather than implementing effective controls:</p>



<ol>
<li><strong>Reactive Security</strong>: Instead of focusing on the actual threats to your business, compliance-driven security lags behind and only addresses what&#8217;s required by current regulations, not what is required to keep your business protected.</li>



<li><strong>Limited Scope</strong>: Compliance frameworks are designed as general standards; they do not account for an organisation&#8217;s unique risks or needs.</li>



<li><strong>False Sense of Security</strong>: Meeting compliance doesn&#8217;t equal effective security. Passing an audit doesn’t mean your business is secure, and implementing security controls doesn’t mean they are effective.</li>
</ol>



<p id="ember823"><strong>What should drive your security efforts?</strong></p>



<ol>
<li id="ember824"><strong>Risk Assessment</strong>: Regularly assess the risks that specifically affect your organisation. Look at your assets and the threats that could impact them, then assess the likelihood and the impact on your organisation.</li>



<li id="ember825"><strong>Data-Driven</strong>: Implement tools that help you understand the vulnerabilities and risks across your estate; collect metrics and monitor activity to help you understand where the greatest risks are.</li>



<li id="ember826"><strong>Business Goals and Objectives</strong>: Your security strategy should be aligned with your business goals and objectives, ensuring that key business areas are protected without hindering productivity or innovation.</li>



<li id="ember827"><strong>Threat Landscape</strong>: Cybersecurity strategies must evolve based on the threat landscape—the continuously changing environment of cyberattacks and vulnerabilities. Identify industry-specific threats and common attack vectors for similar businesses.</li>
</ol>



<p id="ember828"><strong>Conclusion</strong></p>



<p id="ember829"><strong>Compliance</strong> is a crucial element of any effective security strategy, but it shouldn’t be the primary driver of your <strong>security efforts</strong>. Compliance provides a framework, but it is no substitute for a comprehensive security assessment.</p>



<p id="ember830">#Cybersecurity #Compliance #SecurityFirst #BusinessSecurity #RiskManagement #Infosec</p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/compliant-doesnt-equal-secure/">Compliant Doesn&#8217;t Equal Secure</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Breaking Down the 23andMe Breach: Time for Password Extinction?</title>
		<link>https://leadingsecurity.co.uk/23andme-breach-and-password-extinction/</link>
		
		<dc:creator><![CDATA[Luke]]></dc:creator>
		<pubDate>Wed, 06 Dec 2023 13:27:53 +0000</pubDate>
				<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://leadingsecurity.co.uk/?p=5968</guid>

					<description><![CDATA[<p>With the news of the 23andMe breach, impacting close to half of its 14 million users, the issue of data security has earned another trip to the limelight. This breach serves to remind us of the importance of fundamental security best practices, and the necessity for companies to regulate and enforce them. How It Happened &#8230; </p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/23andme-breach-and-password-extinction/">Breaking Down the 23andMe Breach: Time for Password Extinction?</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></description>
										<content:encoded><![CDATA[
<p>With the news of the 23andMe breach, impacting close to half of its 14 million users, the issue of data security has earned another trip to the limelight. </p>



<p>This breach serves to remind us of the importance of fundamental security best practices, and the necessity for companies to regulate and enforce them.  </p>



<h4 class="wp-block-heading"><strong><em>How It Happened</em></strong></h4>



<p>People are the most valuable asset in any company. Without your users, clients, staff, and everyone else involved, there is no company. But people are also any company&#8217;s biggest risk. The breach occurred through the exploitation of password vulnerabilities.</p>



<p>The attackers used credential stuffing, which relies on password reuse, to gain unauthorized access and retrieve personal data from the accounts they reached. It&#8217;s like someone finding an old key to your house and then taking your most private and valuable things.</p>



<ul>
<li><strong>Old Passwords</strong>: The attackers used old passwords to get into users&#8217; accounts. People often use the same password for many things, and if one gets stolen or leaked somewhere else, attackers can try it on other sites, like 23andMe.</li>



<li><strong>Brute-Force Method</strong>: Imagine trying every key on a big keyring to open a lock. The hackers may have used automated tools to try many passwords very quickly to find the right one. A brute-force attack works through a set range of possible character combinations and tries them sequentially (A, AA, AAA, AAAA&#8230;). A dictionary attack uses lists of predefined password candidates, typically derived from common and breached password lists.</li>



<li><strong>Accessing Accounts</strong>: Once they got in using these old, weak or reused passwords, the attackers had access to everything in the account, including sensitive personal data such as ancestry, health risks and other personal information.</li>
</ul>



<h4 class="wp-block-heading"><strong><em>How can we make sure it doesn&#8217;t happen?</em></strong></h4>



<p>I have little interest in casting blame: some parties will say it is the user&#8217;s fault for poor password choices, and others will say it&#8217;s the platform&#8217;s fault for not providing better protections.</p>



<blockquote class="wp-block-quote">
<p><strong><em>Security is everyone&#8217;s responsibility; we all have our part to play in ensuring the safety of our accounts and data.</em></strong></p>
</blockquote>



<h5 class="wp-block-heading"><em>Platform</em></h5>



<p>The platform needs to ensure that best practices are being enforced, guiding users towards the best decisions possible and preventing them from making poor ones.</p>



<p>It also has a responsibility to implement technical controls that detect and prevent attacks of this nature. So what can we implement from a platform perspective?</p>



<ul>
<li><strong>Rate-Limits</strong> &#8211; Rate limits cap the number and frequency of requests from a given origin. Given that it takes a typical user 5-10 seconds to log in, the API shouldn&#8217;t tolerate 10 password attempts a second from a single origin, as this is far faster than any human user could log in.</li>



<li><strong>Password Policy</strong> &#8211; A password policy mandates the standard all users&#8217; passwords must adhere to. This includes complexity (capital letters, numbers and special characters), minimum password length, reuse restrictions and rotation requirements (how often the password should be changed).</li>



<li><strong>Anomaly Detection</strong> &#8211; If a user typically logs in from the UK, it should be questioned why they are now logging in from China. Maybe the user is on holiday, but then again, maybe not. Extra verification steps should be triggered when abnormal behaviour is detected on your platform, allowing the user to confirm the legitimacy of an atypical request. There are also scenarios where behaviour should be blocked by default: for example, if you see a request from the UK at 4 PM and another from China at 5 PM, it is likely malicious, because no user can travel that distance in an hour.</li>



<li><strong>Multi-Factor Authentication</strong> &#8211; Platforms should encourage all users to enable multi-factor authentication, as this gives users an additional layer of protection even if their password is compromised. More and more, companies are mandating MFA as a hard requirement and shifting away from single-factor authentication models, with some opting to scrap passwords altogether &#8211; <a href="https://totalsecurityadvisor.blr.com/cybersecurity/apple-google-and-microsoft-partner-to-scrap-passwords/">https://totalsecurityadvisor.blr.com/cybersecurity/apple-google-and-microsoft-partner-to-scrap-passwords/</a></li>
</ul>



<h5 class="wp-block-heading"><em>User</em></h5>



<p>We as users can&#8217;t rely solely on the security controls enforced by the platform; we need to ensure we are securing our accounts as best we can and leveraging the security features that platforms offer.</p>



<p>Weak passwords, password reuse and failure to enable available MFA options are still the leading causes of account compromise.</p>



<ul>
<li><strong>Password Manager</strong> &#8211; Many users struggle with remembering and recording passwords, so to avoid having to keep track they use the same password for many different services. A password manager takes a lot of the legwork out of this process, allowing users to generate passwords on the fly, save them to the password store and auto-fill the account details when logging in. Any password you can remember is likely a weak password, even if it&#8217;s a weak password dressed up with some strengthening attributes (e.g. Bumblebee83$); let your password manager handle the record keeping.</li>



<li><strong>Multi-Factor Authentication</strong> &#8211; As previously mentioned, many platforms are mandating the use of MFA, but there are still plenty of services that aren&#8217;t. Most platforms support MFA, but you need to go digging in the user settings to find it; we must leverage the security options available even if the site doesn&#8217;t force us to use them. If a site doesn&#8217;t support MFA/2FA options, you should think twice before using it.</li>



<li><strong>Breach Detection</strong> &#8211; <a href="https://haveibeenpwned.com/Passwords">HaveIBeenPwned</a> allows users to check their email addresses and passwords against a database of known compromised account details. 1Password integrates this service into the tool, checking stored passwords against it and notifying you whenever a saved password appears in a breach.</li>



<li><strong>Complex Passwords</strong> &#8211; There are hundreds of articles out there about what makes a strong password, but it&#8217;s important to note that no password is strong enough alone. Breaches happen all the time, which is why it is so important that we use unique passwords for each service. Passwords can also be phished and captured by various other means, which is why no matter how complex the password, MFA is essential for creating a layered defence.</li>
</ul>



<hr class="wp-block-separator has-alpha-channel-opacity"/>



<p>Let&#8217;s not let the 23andMe breach be just another statistic in the growing list of data breaches. Let it be a clarion call for immediate and concerted action by companies and users alike, to take better care of their digital hygiene and to do their part in securing our accounts and our systems.</p>
<p>The post <a rel="nofollow" href="https://leadingsecurity.co.uk/23andme-breach-and-password-extinction/">Breaking Down the 23andMe Breach: Time for Password Extinction?</a> appeared first on <a rel="nofollow" href="https://leadingsecurity.co.uk">Leading Security</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
