The reviewed record of science sign in
Pith

arxiv: 2605.22119 · v2 · pith:76BJUH2Z · submitted 2026-05-21 · cs.CR

Human Vulnerability Assessment in Cybersecurity: A Systematic Literature Review of Methods, Models, and Instruments

Reviewed by Pith T0 review T1 audit T2 compute T3 formal T4 kernel 2026-06-30 16:47 UTCgrok-4.3pith:76BJUH2Zrecord.jsonopen to challenge →

classification cs.CR
keywords human vulnerability assessmentcybersecuritysystematic literature reviewhuman factorsinsider threatssecurity behaviordynamic assessment
0
0 comments X

The pith

No methods, models or instruments dynamically assess the full spectrum of human vulnerabilities in cybersecurity.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This systematic literature review examines methods, models, and instruments for human vulnerability assessment in cybersecurity, drawing on studies from 2017 to 2025. It establishes that existing approaches remain fragmented, typically limited to static evaluations of security behavior, user awareness, or insider threats, without addressing the combined psychological, cognitive, behavioral, social, and contextual factors in a dynamic manner. A sympathetic reader would care because adversaries increasingly target the human element, and incomplete assessments leave organizations exposed to evolving risks that propagate across people and systems.

Core claim

The review finds gaps and limitations in current proposed solutions and identifies no methods, models, or instruments that address the entire spectrum of human vulnerabilities dynamically, including both unintentional and intentional dimensions.

What carries the argument

A PRISMA-guided systematic literature review that searches and analyzes published work on conceptual and practical assessment tools for human vulnerabilities.

If this is right

  • Research must shift toward holistic tools that evaluate vulnerabilities across multiple dimensions at once rather than in isolation.
  • Assessment frameworks need to incorporate dynamic monitoring instead of relying on one-time or static snapshots.
  • Future work should examine how human vulnerabilities spread between individuals and across technical systems.
  • Development efforts should address both unintentional factors like cognitive biases and intentional ones like insider actions within the same instrument.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Combining human vulnerability metrics with traditional technical vulnerability scans could produce integrated security dashboards that update in real time.
  • Organizations adopting dynamic human assessments might reduce reliance on periodic training by identifying context-specific risks as they emerge.
  • Extending the review's scope to include pre-2017 foundational studies could test whether the identified gaps are recent or longstanding.

Load-bearing premise

The PRISMA-guided search of literature from 2017 to 2025 captures a representative sample of all relevant work on human vulnerability assessment without major omissions or bias in study selection.

What would settle it

Publication or identification of even one method, model, or instrument from 2017 to 2025 that simultaneously and dynamically evaluates the full range of unintentional and intentional human vulnerabilities would falsify the central finding.

Figures

Figures reproduced from arXiv: 2605.22119 by Dimitra Papatsaroucha, Eleftheria Vassilaki, Evangelos K. Markakis, Ilias Politis, Konstantina Pityanou, Michail Alexandros Kourtis, Stavroula Psaroudaki.

Figure 1
Figure 1. Figure 1: Identification of Studies following the PRISMA framework [PITH_FULL_IMAGE:figures/full_fig_p007_1.png] view at source ↗
Figure 4
Figure 4. Figure 4: Studies Published per Year V. HOW HUMAN VULNERABILITY IS ASSESSED IN CYBERSECURITY A. Methods 1) Conceptual and Theoretical Methods: Conceptual and theoretical methods have mostly focused on defining how human vulnerability may be understood before proposing prac￾tical assessment mechanisms, providing important explanatory foundations and identifying important vulnerability variables. For unintentional thr… view at source ↗
Figure 3
Figure 3. Figure 3: Classification of Studies according to Publication Venues [PITH_FULL_IMAGE:figures/full_fig_p008_3.png] view at source ↗
Figure 5
Figure 5. Figure 5: Moderator Availability in Studies In addition to taxonomy mapping, further analytical dimen￾sions were introduced in order to further characterize how the studies included in the SLR conceptualize and operational￾ize human cyber vulnerability, namely: i) threat relevance, ii) assessment or measurement approach, iii) vulnerability propagation, iv) vulnerability modelling approach. The threat relevance dimen… view at source ↗
Figure 7
Figure 7. Figure 7: Classification of Studies based on the combinations of Vulnerability [PITH_FULL_IMAGE:figures/full_fig_p018_7.png] view at source ↗
Figure 6
Figure 6. Figure 6: Summary of assessed or considered Human Factors across studies [PITH_FULL_IMAGE:figures/full_fig_p018_6.png] view at source ↗
Figure 8
Figure 8. Figure 8: Most Appeared Combinations of Most Assessed or Considered Human [PITH_FULL_IMAGE:figures/full_fig_p019_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: Summary of assessed or considered Indicators across studies [PITH_FULL_IMAGE:figures/full_fig_p019_9.png] view at source ↗
Figure 11
Figure 11. Figure 11: Most appeared Combinations of Most Assessed or Considered [PITH_FULL_IMAGE:figures/full_fig_p020_11.png] view at source ↗
Figure 10
Figure 10. Figure 10: Classification of Studies based on the combinations of Moderator [PITH_FULL_IMAGE:figures/full_fig_p020_10.png] view at source ↗
Figure 12
Figure 12. Figure 12: Comparative Analysis of Considered Human Factors & Indicators across Studies [PITH_FULL_IMAGE:figures/full_fig_p021_12.png] view at source ↗
Figure 14
Figure 14. Figure 14: Most considered Human Factors + Indicators for Studies addressing [PITH_FULL_IMAGE:figures/full_fig_p021_14.png] view at source ↗
Figure 13
Figure 13. Figure 13: Threat Type Classification of Studies Furthermore, Figures 14, 15, and 16 provide additional information regarding the human factors and indicators that dominate the assessment with regard to the threat type ad￾dressed. Because the number of studies differs across the three threat categories, the interpretation of these figures considers both absolute occurrences and relative prevalence within each catego… view at source ↗
Figure 14
Figure 14. Figure 14: Most considered Human Factors + Indicators for Studies addressing [PITH_FULL_IMAGE:figures/full_fig_p022_14.png] view at source ↗
Figure 16
Figure 16. Figure 16: Most considered Human Factors + Indicators for Studies addressing [PITH_FULL_IMAGE:figures/full_fig_p022_16.png] view at source ↗
Figure 15
Figure 15. Figure 15: Most considered Human Factors + Indicators for Studies addressing [PITH_FULL_IMAGE:figures/full_fig_p022_15.png] view at source ↗
Figure 16
Figure 16. Figure 16: Most considered Human Factors + Indicators for Studies addressing [PITH_FULL_IMAGE:figures/full_fig_p023_16.png] view at source ↗
Figure 18
Figure 18. Figure 18: Most Appeared Combinations of Hybrid Assessment or Measurement [PITH_FULL_IMAGE:figures/full_fig_p023_18.png] view at source ↗
Figure 17
Figure 17. Figure 17: Assessment or Measurement Approaches Proposed or Utilized [PITH_FULL_IMAGE:figures/full_fig_p023_17.png] view at source ↗
Figure 19
Figure 19. Figure 19: Assessment or Measurement Approach Distribution Per Year [PITH_FULL_IMAGE:figures/full_fig_p024_19.png] view at source ↗
Figure 20
Figure 20. Figure 20: Distribution of HVA Studies by Vulnerability Propagation and [PITH_FULL_IMAGE:figures/full_fig_p024_20.png] view at source ↗
read the original abstract

In cybersecurity, vulnerability assessment has typically focused on identifying and measuring vulnerabilities within digital assets and technical infrastructures. However, there is growing recognition that this approach alone is inadequate without a structured examination of the human factor, which is becoming more frequently targeted and manipulated by cyber adversaries. Human vulnerabilities extend beyond individual susceptibility to cyber threats, encompassing a wide array of psychological, cognitive, behavioral, social, and contextual factors that can, whether unintentionally or intentionally, jeopardize the security and integrity of systems and data. Despite this recognition, human vulnerability assessment remains fragmented, often addressed from a static rather than a dynamic perspective, and with limited focus on the ways it propagates across individuals and systems; a growing body of literature has explored specific facets of the issue, including one-time assessments of security behavior, user awareness, and, to a degree, intentional insider threats and their detection. This research offers a systematic literature review (SLR) of Human Vulnerability Assessment (HVA) in cybersecurity, including methods, models, and instruments proposed for the conceptual or practical assessment of human vulnerabilities across various dimensions. Following the PRISMA framework, this review gathers relevant studies published from 2017 to 2025, aiming to investigate whether any assessment methods, models, or instruments exist that address the entire spectrum of human vulnerabilities dynamically. The findings highlight gaps and limitations in current proposed solutions and identify areas for further investigation regarding holistic assessment that simultaneously and dynamically considers the entire spectrum of both the unintentional and intentional dimensions of human vulnerability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper presents a PRISMA-guided systematic literature review of methods, models, and instruments for Human Vulnerability Assessment (HVA) in cybersecurity, covering publications from 2017 to 2025. It concludes that existing approaches remain fragmented and predominantly static, with no identified solutions that dynamically address the full spectrum of human vulnerabilities (psychological, cognitive, behavioral, social, and contextual factors, encompassing both unintentional and intentional dimensions), and highlights resulting gaps for future research.

Significance. If the literature search proves exhaustive, the review would usefully map gaps in holistic, dynamic HVA approaches and could steer development of integrated assessment frameworks in cybersecurity human factors. Explicit adherence to the PRISMA framework is a methodological strength that supports reproducibility of the synthesis process.

major comments (2)
  1. [Methods] Methods section: The manuscript states that it follows the PRISMA framework but provides no explicit search strings, database list, screening counts, PRISMA flow diagram numbers, or inter-rater reliability statistics. These details are required to evaluate whether the 2017–2025 sample is representative and to substantiate the central negative claim that no dynamic holistic HVA methods were found.
  2. [Abstract and Discussion] Abstract and Discussion: The claim that 'no methods, models, or instruments exist that address the entire spectrum of human vulnerabilities dynamically' is load-bearing on search completeness. The rationale for the 2017 cutoff, any supplementary searches (e.g., reference list checking), and handling of potential omissions are not described, leaving open the possibility that relevant dynamic models were excluded by keyword choice or date restriction.
minor comments (1)
  1. [Abstract] The abstract would benefit from a brief quantitative statement (e.g., number of studies included after screening) to give readers an immediate sense of review scope.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on methodological transparency. We address each major comment below and will revise the manuscript to incorporate the requested details.

read point-by-point responses
  1. Referee: [Methods] Methods section: The manuscript states that it follows the PRISMA framework but provides no explicit search strings, database list, screening counts, PRISMA flow diagram numbers, or inter-rater reliability statistics. These details are required to evaluate whether the 2017–2025 sample is representative and to substantiate the central negative claim that no dynamic holistic HVA methods were found.

    Authors: We agree that these elements are necessary for reproducibility and to substantiate our findings. The original Methods section was summarized at a high level. In the revised manuscript we will add the complete search strings for each database, the full list of databases, exact screening counts, the PRISMA flow diagram with stage-by-stage numbers, and inter-rater reliability statistics. revision: yes

  2. Referee: [Abstract and Discussion] Abstract and Discussion: The claim that 'no methods, models, or instruments exist that address the entire spectrum of human vulnerabilities dynamically' is load-bearing on search completeness. The rationale for the 2017 cutoff, any supplementary searches (e.g., reference list checking), and handling of potential omissions are not described, leaving open the possibility that relevant dynamic models were excluded by keyword choice or date restriction.

    Authors: We will explicitly state the rationale for the 2017 cutoff (to capture literature after major shifts in human-factors cybersecurity research) in the Methods section. We will also describe supplementary searches including reference-list checking. A new limitations subsection will address potential omissions due to keyword choice or date bounds. We stand by the conclusion that no dynamic holistic methods were identified within the searched corpus, but the added details will enable independent verification. revision: yes

Circularity Check

0 steps flagged

No circularity: descriptive SLR with no derivations or self-referential predictions

full rationale

The paper is a PRISMA-guided systematic literature review that summarizes existing methods, models, and instruments for human vulnerability assessment. It contains no equations, fitted parameters, predictions derived from inputs, or derivation chains. The central claim (gaps in holistic dynamic HVA) rests on the completeness of the literature search rather than any self-referential construction. No steps match the enumerated circularity patterns.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The review depends on the standard PRISMA methodology for systematic reviews and on the completeness of the indexed literature in the chosen time range; no free parameters, new entities, or ad-hoc axioms are introduced.

axioms (1)
  • domain assumption The PRISMA framework provides an appropriate and unbiased structure for identifying and synthesizing literature on human vulnerability assessment.
    The paper explicitly follows PRISMA to gather and analyze studies.

pith-pipeline@v0.9.1-grok · 5840 in / 1132 out tokens · 30844 ms · 2026-06-30T16:47:51.984038+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

151 extracted references · 151 canonical work pages

  1. [1]

    Leveraging human factors in cybersecurity: an inte- grated methodological approach,

    A. Pollini, T. C. Callari, A. Tedeschi, D. Ruscio, L. Save, F. Chiarugi, and D. Guerri, “Leveraging human factors in cybersecurity: an inte- grated methodological approach,”Cognition, Technology and Work, vol. 24, pp. 371–390, 5 2022

  2. [2]

    Human factors in cybersecurity: A scoping review,

    T. Rahman, R. Rohan, D. Pal, and P. Kanthamanon, “Human factors in cybersecurity: A scoping review,” inACM International Conference Proceeding Series. Association for Computing Machinery, 6 2021

  3. [3]

    Human error - a critical contributing factor to the rise in data breaches: A case study of higher education,

    K. Amoresano and B. Yankson, “Human error - a critical contributing factor to the rise in data breaches: A case study of higher education,” HOLISTICA – Journal of Business and Public Administration, vol. 14, pp. 110–132, 6 2023

  4. [4]

    Understanding insider threat: A framework for characterising attacks,

    J. R. Nurse, O. Buckley, P. A. Legg, M. Goldsmith, S. Creese, G. R. Wright, and M. Whitty, “Understanding insider threat: A framework for characterising attacks,” inProceedings - IEEE Symposium on Security and Privacy, vol. 2014-January. Institute of Electrical and Electronics Engineers Inc., 11 2014, pp. 214–228

  5. [5]

    Characterizing and measuring maliciousness for cybersecurity risk assessment,

    Z. M. King, D. S. Henshel, L. Flora, M. G. Cains, B. Hoffman, and C. Sample, “Characterizing and measuring maliciousness for cybersecurity risk assessment,” 2 2018

  6. [6]

    Visualizing insider threats: An effective interface for security analytics,

    B. Haim, E. Menahem, Y . Wolfsthal, and C. Meenan, “Visualizing insider threats: An effective interface for security analytics,” inInter- national Conference on Intelligent User Interfaces, Proceedings IUI. Association for Computing Machinery, 3 2017, pp. 39–42

  7. [7]

    A survey on human and personality vulnerability assessment in cyber-security: Challenges, approaches, and open issues,

    D. Papatsaroucha, Y . Nikoloudakis, I. Kefaloukos, E. Pallis, and E. K. Markakis, “A survey on human and personality vulnerability assessment in cyber-security: Challenges, approaches, and open issues,” 2021. [Online]. Available: https://arxiv.org/abs/2106.09986

  8. [8]

    Determining employee awareness using the human aspects of information security questionnaire (hais-q),

    K. Parsons, A. McCormac, M. Butavicius, M. Pattinson, and C. Jer- ram, “Determining employee awareness using the human aspects of information security questionnaire (hais-q),”Computers and Security, vol. 42, pp. 165–176, 2014

  9. [9]

    Scaling the security wall : Developing a secu- rity behavior intentions scale (sebis),

    S. Egelman and E. Peer, “Scaling the security wall : Developing a secu- rity behavior intentions scale (sebis),” inConference on Human Factors in Computing Systems - Proceedings, vol. 2015-April. Association for Computing Machinery, 4 2015, pp. 2873–2882

  10. [10]

    A human vulnerability assessment methodology,

    A. Cullen and L. Armitage, “A human vulnerability assessment methodology,” inProceedings of the 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA). IEEE, 2018

  11. [11]

    A bayesian multi-armed bandit approach for identifying human vulnerabilities,

    E. Miehling, B. Xiao, R. Poovendran, and T. Bas ¸ar, “A bayesian multi-armed bandit approach for identifying human vulnerabilities,” in Decision and Game Theory for Security, L. Bushnell, R. Poovendran, and T. Bas ¸ar, Eds. Springer International Publishing, 2018, pp. 521– 539

  12. [12]

    The design and evaluation of a user-centric information security risk assessment and response framework,

    M. Alohali, N. Clarke, and S. Furnell, “The design and evaluation of a user-centric information security risk assessment and response framework,”International Journal of Advanced Computer Science and Applications (IJACSA), vol. 9, no. 10, 2018. [Online]. Available: www.ijacsa.thesai.org

  13. [13]

    User behavior pattern -signature based intrusion detection,

    Z. S. Malek, B. Trivedi, and A. Shah, “User behavior pattern -signature based intrusion detection,” in2020 Fourth World Conference on Smart Trends in Systems, Security and Sustainability (WorldS4), 2020, pp. 549–552

  14. [14]

    Hos-ml: Socio-technical system adl dedicated to human vulnerability identification,

    P. Perrotin, N. Belloir, S. Sadou, D. Hairion, and A. Beugnard, “Hos-ml: Socio-technical system adl dedicated to human vulnerability identification,” inProceedings of the IEEE International Conference on Engineering of Complex Computer Systems, ICECCS, vol. 2022- March. Institute of Electrical and Electronics Engineers Inc., 2022, pp. 11–16

  15. [15]

    The prisma 2020 statement: An updated guideline for reporting systematic reviews,

    M. J. Page, J. E. McKenzie, P. M. Bossuyt, I. Boutron, T. C. Hoffmann, C. D. Mulrow, L. Shamseer, J. M. Tetzlaff, E. A. Akl, S. E. Brennan, R. Chou, J. Glanville, J. M. Grimshaw, A. Hr ´objartsson, M. M. Lalu, T. Li, E. W. Loder, E. Mayo-Wilson, S. McDonald, L. A. McGuinness, L. A. Stewart, J. Thomas, A. C. Tricco, V . A. Welch, P. Whiting, and D. Moher, ...

  16. [16]

    A systematic literature review of how cybersecurity-related behavior has been assessed,

    K. Kannelønning and S. K. Katsikas, “A systematic literature review of how cybersecurity-related behavior has been assessed,” pp. 463–477, 10 2023

  17. [17]

    A systematic literature review of cybersecurity scales assessing information security awareness,

    R. Rohan, D. Pal, J. Hautam ¨aki, S. Funilkul, W. Chutimaskul, and H. Thapliyal, “A systematic literature review of cybersecurity scales assessing information security awareness,”Heliyon, vol. 9, 3 2023

  18. [18]

    Evaluating the human factor in cybersecurity threats (a systematic literature review),

    A. Abuiteiwi and S. Escobar, “Evaluating the human factor in cybersecurity threats (a systematic literature review),” Polytechnic University of Valencia, Tech. Rep., 2025. [Online]. Available: https://ssrn.com/abstract=5465433

  19. [19]

    Human and cognitive factors involved in phishing detection. a literature review,

    D. Ar ´evalo, D. Valarezo, W. Fuertes, M. F. Cazares, R. O. Andrade, and M. MacAs, “Human and cognitive factors involved in phishing detection. a literature review,” inProceedings - 2023 Congress in Computer Science, Computer Engineering, and Applied Computing, CSCE 2023. Institute of Electrical and Electronics Engineers Inc., 2023, pp. 608–614

  20. [20]

    Human vulnerabilities to social engineering attacks: A systematic literature review for building a human firewall,

    M. S. Tsauri, “Human vulnerabilities to social engineering attacks: A systematic literature review for building a human firewall,”Journal of Applied Informatics and Computing (JAIC), vol. 9, no. 4, 2025. [Online]. Available: http://jurnal.polibatam.ac.id/index.php/JAIC

  21. [21]

    Phishing attacks in the age of gener- ative artificial intelligence: A systematic review of human factors,

    R. Jabir, J. Le, and C. Nguyen, “Phishing attacks in the age of gener- ative artificial intelligence: A systematic review of human factors,” 8 2025

  22. [22]

    Exploring the frontiers of cybersecurity behavior: A systematic review of studies and theories,

    A. Almansoori, M. Al-Emran, and K. Shaalan, “Exploring the frontiers of cybersecurity behavior: A systematic review of studies and theories,” 5 2023

  23. [23]

    A systematic review of multi perspectives on human cybersecurity behavior,

    R. A. Alsharida, B. A. S. Al-rimy, M. Al-Emran, and A. Zainal, “A systematic review of multi perspectives on human cybersecurity behavior,”Technology in Society, vol. 73, 5 2023

  24. [24]

    Information security policy compliance behavior models, theories, and influencing factors: A systematic literature review,

    P. Kuppusamy, G. N. Samy, N. Maarop, B. Shanmugam, and S. Perumal, “Information security policy compliance behavior models, theories, and influencing factors: A systematic literature review,” Journal of Theoretical and Applied Information Technology, vol. 15, p. 2022, 2022. [Online]. Available: www.jatit.org

  25. [25]

    Self-eficacy and security behavior: Results from a systematic review of research methods,

    N. Borgert, L. Jansen, I. B ¨ose, J. Friedauer, M. A. Sasse, and M. Elson, “Self-eficacy and security behavior: Results from a systematic review of research methods,” inConference on Human Factors in Computing Systems - Proceedings. Association for Computing Machinery, 5 2024

  26. [26]

    A systematic literature review : Human factor as insider threat in organizations,

    W. Abdallah, “A systematic literature review : Human factor as insider threat in organizations,” Al Quds Open University, Palestine, Research Article/Report, 2023. [Online]. Available: https: //google.academia.edu/JournalofComputerScience

  27. [27]

    Integrating human factors into insider threat detection – a systematic review,

    N. Pathirana, R. Roberts, H. Kalutarage, and C. D. McDermott, “Integrating human factors into insider threat detection – a systematic review,”ACM Computing Surveys, vol. 58, pp. 1–37, 7 2026. [Online]. Available: https://dl.acm.org/doi/10.1145/3798089

  28. [28]

    Investigating the cybersecurity risks of remote work: a systematic literature review of organizational vulnerabilities and mitigation strategies,

    M. Nizamuddin, “Investigating the cybersecurity risks of remote work: a systematic literature review of organizational vulnerabilities and mitigation strategies,”International Journal of Information Security, vol. 24, 8 2025

  29. [29]

    Influence of human factors on cyber security within healthcare organisations: A systematic review,

    S. Nifakos, K. Chandramouli, C. K. Nikolaou, P. Papachristou, S. Koch, E. Panaousis, and S. Bonacina, “Influence of human factors on cyber security within healthcare organisations: A systematic review,” 8 2021

  30. [30]

    Analyzing insider cyber threats and human factors within the framework of agriculture 5.0,

    K. Bissadu, G. Hossain, L. P. Velagala, and S. Sonko, “Analyzing insider cyber threats and human factors within the framework of agriculture 5.0,” in12th International Symposium on Digital Forensics and Security, ISDFS 2024. Institute of Electrical and Electronics Engineers Inc., 2024

  31. [31]

    In- trusion detection with deep learning: A literature review,

    B. K. Sedraoui, A. Benmachiche, A. Makhlouf, and C. Chemam, “In- trusion detection with deep learning: A literature review,” inPAIS 2024 - Proceedings: 6th International Conference on Pattern Analysis and Intelligent Systems. Institute of Electrical and Electronics Engineers Inc., 2024

  32. [32]

    Insider threat detection: A review,

    P. Manoharan, J. Yin, H. Wang, Y . Zhang, and W. Ye, “Insider threat detection: A review,” inProceedings - 2024 International Conference on Networking and Network Applications, NaNA 2024. Institute of Electrical and Electronics Engineers Inc., 2024, pp. 147–153

  33. [33]

    A review: Human factor and cyberse- curity,

    A. Abzakh and A. Althunibat, “A review: Human factor and cyberse- curity,” in2023 International Conference on Information Technology: Cybersecurity Challenges for Sustainable Cities, ICIT 2023 - Proceed- ing. Institute of Electrical and Electronics Engineers Inc., 2023, pp. 589–592

  34. [34]

    Understanding of human factors in cybersecurity: A systematic literature review,

    R. Rohan, S. Funilkul, D. Pal, and W. Chutimaskul, “Understanding of human factors in cybersecurity: A systematic literature review,” in2021 International Conference on Computational Performance Evaluation, ComPE 2021. Institute of Electrical and Electronics Engineers Inc., 2021, pp. 133–140. 27

  35. [35]

    Deciphering the influence of human behavior on cybersecurity risks: An in-depth review of amplification and mitigation factors,

    F. Masimba, F. Gumbo, and T. Zuva, “Deciphering the influence of human behavior on cybersecurity risks: An in-depth review of amplification and mitigation factors,” in2025 5th International Multidisciplinary Information Technology and Engineering Conference (IMITEC). IEEE, 11 2025, pp. 1–6. [Online]. Available: https: //ieeexplore.ieee.org/document/11410469/

  36. [36]

    Towards a human factors ontology for cyber security,

    A. Oltramari, D. Henshel, M. Cains, and B. Hoffman, “Towards a human factors ontology for cyber security,” inProceedings of the International Workshop on Semantic Technology for Intelligence, Defense, and Security (STIDS), ser. CEUR Workshop Proceedings. CEUR-WS.org, 2015. [Online]. Available: https://ceur-ws.org/

  37. [37]

    Human factors in cybersecurity: an in- terdisciplinary review and framework proposal,

    K. Khadka and A. B. Ullah, “Human factors in cybersecurity: an in- terdisciplinary review and framework proposal,”International Journal of Information Security, vol. 24, 6 2025

  38. [38]

    Towards an improved understanding of human factors in cybersecurity,

    J. Jeong, J. Mihelcic, G. Oliver, and C. Rudolph, “Towards an improved understanding of human factors in cybersecurity,” inProceedings - 2019 IEEE 5th International Conference on Collaboration and Internet Computing, CIC 2019. Institute of Electrical and Electronics Engineers Inc., 12 2019, pp. 338–345

  39. [39]

    Trust as a human factor in holistic cyber security risk assessment,

    D. Henshel, M. G. Cains, B. Hoffman, and T. Kelley, “Trust as a human factor in holistic cyber security risk assessment,” inProcedia Manufacturing, vol. 3. Elsevier B.V ., 2015, pp. 1117–1124

  40. [40]

    Integrating cultural factors into human factors framework and ontology for cyber attackers,

    D. Henshel, C. Sample, M. Cains, and B. Hoffman, “Integrating cultural factors into human factors framework and ontology for cyber attackers,” inAdvances in Intelligent Systems and Computing, vol. 501. Springer Verlag, 2016, pp. 123–136

  41. [41]

    Passive- and not active-risk tendencies predict cyber security behav- ior,

    I. Arend, A. Shabtai, T. Idan, R. Keinan, and Y . Bereby-Meyer, “Passive- and not active-risk tendencies predict cyber security behav- ior,”Computers and Security, vol. 96, 9 2020

  42. [42]

    Susceptibility to phishing on social network sites: A personality information processing model,

    E. D. Frauenstein and S. Flowerday, “Susceptibility to phishing on social network sites: A personality information processing model,” Computers and Security, vol. 94, 7 2020

  43. [43]

    Understanding the relationship between human behavior and susceptibility to cyber attacks: A data-driven approach,

    M. Ovelg ¨onne, T. Dumitras, B. A. Prakash, V . S. Subrahmanian, and B. Wang, “Understanding the relationship between human behavior and susceptibility to cyber attacks: A data-driven approach,”ACM Transactions on Intelligent Systems and Technology, vol. 8, 2 2017

  44. [44]

    A psychological profile of defender personality traits,

    T. Whalen and C. Gates, “A psychological profile of defender personality traits,” inProceedings of the 2007 New Security Paradigms Workshop (NSPW). ACM, 2007. [Online]. Available: https://dl.acm.org/doi/10.1145/1600110.1600125

  45. [45]

    User characteristics that influence judgment of social engineering attacks in social networks,

    S. M. Albladi and G. R. Weir, “User characteristics that influence judgment of social engineering attacks in social networks,”Human- centric Computing and Information Sciences, vol. 8, 12 2018

  46. [46]

    Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment?

    Z. Yan, T. Robertson, R. Yan, S. Y . Park, S. Bordoff, Q. Chen, and E. Sprissler, “Finding the weakest links in the weakest link: How well do undergraduate students make cybersecurity judgment?”Computers in Human Behavior, vol. 84, pp. 375–382, 7 2018

  47. [47]

    Gender difference and employees’ cybersecurity behaviors,

    M. Anwar, W. He, I. Ash, X. Yuan, L. Li, and L. Xu, “Gender difference and employees’ cybersecurity behaviors,”Computers in Human Behavior, vol. 69, pp. 437–443, 4 2017

  48. [48]

    Deriving cyber security risks from human and organizational factors – a socio-technical approach,

    T. R. McEvoy and S. J. Kowalski, “Deriving cyber security risks from human and organizational factors – a socio-technical approach,” Complex Systems Informatics and Modeling Quarterly, vol. 2019, pp. 47–64, 2019

  49. [49]

    Personalizing persuasive technologies: Do gender and age affect susceptibility to persuasive strategies?

    R. Orji, A. M. Abdullahi, and K. Oyibo, “Personalizing persuasive technologies: Do gender and age affect susceptibility to persuasive strategies?” inUMAP 2018 - Adjunct Publication of the 26th Confer- ence on User Modeling, Adaptation and Personalization. Association for Computing Machinery, Inc, 7 2018, pp. 329–334

  50. [50]

    The impact of information security threat awareness on privacy-protective behaviors,

    S. Mamonov and R. Benbunan-Fich, “The impact of information security threat awareness on privacy-protective behaviors,”Computers in Human Behavior, vol. 83, pp. 32–44, 6 2018

  51. [51]

    More than the individual: Examining the relationship between culture and information security awareness,

    A. Wiley, A. McCormac, and D. Calic, “More than the individual: Examining the relationship between culture and information security awareness,”Computers and Security, vol. 88, 1 2020

  52. [52]

    Uncovering susceptibility risk to online deception in aging,

    N. C. Ebner, D. M. Ellis, T. Lin, H. A. Rocha, H. Yang, S. Dommaraju, A. Soliman, D. L. Woodard, G. R. Turner, R. N. Spreng, and D. S. Oliveira, “Uncovering susceptibility risk to online deception in aging,” Journals of Gerontology - Series B Psychological Sciences and Social Sciences, vol. 75, pp. 522–533, 2 2020

  53. [53]

    An examination of the effect of recent phishing encounters on phishing susceptibility,

    R. Chen, J. Gaia, and H. R. Rao, “An examination of the effect of recent phishing encounters on phishing susceptibility,”Decision Support Systems, vol. 133, 6 2020

  54. [54]

    A method for taxonomy development and its application in information systems,

    R. C. Nickerson, U. Varshney, and J. Muntermann, “A method for taxonomy development and its application in information systems,” European Journal of Information Systems, vol. 22, pp. 336–359, 2013

  55. [55]

    Social cognitive theory of personality,

    A. Bandura, “Social cognitive theory of personality,”The coherence of personality: Social-cognitive bases of consistency, variability, and organization, pp. 185–241, 1999

  56. [56]

    Digital human in cybersecurity risk assessment,

    A. Jurevi ˇcien˙e, A. Brilingait ˙e, and L. Bukauskas, “Digital human in cybersecurity risk assessment,” inAugmented Cognition, D. D. Schmor- row and C. M. Fidopiastis, Eds. Springer International Publishing, 2021, pp. 418–432

  57. [57]

    Exploring automation bias in human–ai collaboration: a review and implications for explainable ai,

    G. Romeo and D. Conti, “Exploring automation bias in human–ai collaboration: a review and implications for explainable ai,”AI and Society, 1 2025

  58. [58]

    Human-factor vulnerabilities of automation in socs: A mixed-methods multigroup analysis,

    J. Tilbury, S. Flowerday, G. Bott, Y . T. Chua, E. Olson, and B. Foltz, “Human-factor vulnerabilities of automation in socs: A mixed-methods multigroup analysis,”Computers and Security, vol. 166, 7 2026

  59. [59]

    Artificial intelligence, human vulnerability and multi- level resilience,

    S. A. Teo, “Artificial intelligence, human vulnerability and multi- level resilience,”Computer Law & Security Review, vol. 57, p. 106134, 2025. [Online]. Available: https://www.sciencedirect.com/ science/article/pii/S2212473X25000070

  60. [60]

    Social engineering in cybersecurity: Effect mechanisms, human vulnerabilities and attack methods,

    Z. Wang, H. Zhu, and L. Sun, “Social engineering in cybersecurity: Effect mechanisms, human vulnerabilities and attack methods,”IEEE Access, vol. 9, pp. 11 895–11 910, 2021

  61. [61]

    Predicting susceptibility to social influence in phishing emails,

    K. Parsons, M. Butavicius, P. Delfabbro, and M. Lillie, “Predicting susceptibility to social influence in phishing emails,”International Journal of Human Computer Studies, vol. 128, pp. 17–26, 8 2019

  62. [62]

    Social engineering and organisational dependencies in phishing at- tacks,

    R. Taib, K. Yu, S. Berkovsky, M. Wiggins, and P. Bayl-Smith, “Social engineering and organisational dependencies in phishing at- tacks,” inHuman-Computer Interaction – INTERACT 2019, D. Lamas, F. Loizides, L. Nacke, H. Petrie, M. Winckler, and P. Zaphiris, Eds. Springer International Publishing, 2019, pp. 564–584

  63. [63]

    Examining factors impacting the effectiveness of anti-phishing trainings,

    A. Sumner, X. Yuan, M. Anwar, and M. McBride, “Examining factors impacting the effectiveness of anti-phishing trainings,”Journal of Computer Information Systems, vol. 62, pp. 975–997, 2022

  64. [64]

    Human risk factors in cybersecurity,

    T. Cuchta, B. Blackwood, T. R. Devine, R. J. Niichel, K. M. Daniels, C. H. Lutjens, S. Maibach, and R. J. Stephenson, “Human risk factors in cybersecurity,” inSIGITE 2019 - Proceedings of the 20th Annual Conference on Information Technology Education. Association for Computing Machinery, Inc, 9 2019, pp. 87–92

  65. [65]

    Human factors in the cybersecurity of autonomous vehicles: Trends in current research,

    V . Linkov, P. Z ´amecn´ık, D. Havl ´ıckov´a, and C. W. Pai, “Human factors in the cybersecurity of autonomous vehicles: Trends in current research,” 2019

  66. [66]

    Assessment of spear phishing user experience and awareness: An evaluation framework model of spear phishing exposure level (spel) in the namibian financial industry,

    V . Shakela and H. Jazri, “Assessment of spear phishing user experience and awareness: An evaluation framework model of spear phishing exposure level (spel) in the namibian financial industry,” in2019 International Conference on Advances in Big Data, Computing and Data Communication Systems (icABCD), 2019, pp. 1–5

  67. [67]

    Eyes wide open: The role of situational information security awareness for security-related behaviour,

    L. Jaeger and A. Eckhardt, “Eyes wide open: The role of situational information security awareness for security-related behaviour,”Infor- mation Systems Journal, vol. 31, pp. 429–472, 5 2021

  68. [68]

    The social engineering personality frame- work,

    S. Uebelacker and S. Quiel, “The social engineering personality frame- work,” inProceedings - 4th Workshop on Socio-Technical Aspects in Security and Trust, STAST 2014 - Co-located with 27th IEEE Computer Security Foundations Symposium, CSF 2014 in the Vienna Summer of Logic 2014. Institute of Electrical and Electronics Engineers Inc., 12 2014, pp. 24–30

  69. [69]

    Phishing attempts among the dark triad: Patterns of attack and vulnerability,

    S. R. Curtis, P. Rajivan, D. N. Jones, and C. Gonzalez, “Phishing attempts among the dark triad: Patterns of attack and vulnerability,” Computers in Human Behavior, vol. 87, pp. 174–182, 10 2018

  70. [70]

    Effect of personality traits on trust and risk to phishing vulnerability: Modeling and analysis,

    J. H. Cho, H. Cam, and A. Oltramari, “Effect of personality traits on trust and risk to phishing vulnerability: Modeling and analysis,” in 2016 IEEE International Multi-Disciplinary Conference on Cognitive Methods in Situation Awareness and Decision Support, CogSIMA 2016. Institute of Electrical and Electronics Engineers Inc., 6 2016, pp. 7–13

  71. [71]

    Time pressure in human cybersecurity behavior: Theoretical framework and countermea- sures,

    N. H. Chowdhury, M. T. Adam, and T. Teubner, “Time pressure in human cybersecurity behavior: Theoretical framework and countermea- sures,”Computers and Security, vol. 97, 10 2020

  72. [72]

    Human and contextual factors influencing cyber- security in organizations, and implications for higher education insti- tutions: a systematic review,

    M. N. AL-Nuaimi, “Human and contextual factors influencing cyber- security in organizations, and implications for higher education insti- tutions: a systematic review,” pp. 1–23, 1 2024

  73. [73]

    Factors affecting risky cybersecurity behaviors by u.s. workers: An exploratory study,

    A. R. Gillam and W. T. Foster, “Factors affecting risky cybersecurity behaviors by u.s. workers: An exploratory study,”Computers in Human Behavior, vol. 108, 7 2020

  74. [74]

    Human factors in cybersecurity; examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours,

    L. Hadlington, “Human factors in cybersecurity; examining the link between internet addiction, impulsivity, attitudes towards cybersecurity, and risky cybersecurity behaviours,”Heliyon, vol. 3, no. 7, p. e00346, 2017

  75. [75]

    From law to folklore: Work stress and the yerkes-dodson law,

    M. Corbett, “From law to folklore: Work stress and the yerkes-dodson law,”Journal of Managerial Psychology, vol. 30, pp. 741–752, 8 2015. 28

  76. [76]

    Impact of human vulnera- bilities on cybersecurity,

    M. Alsharif, S. Mishra, and M. AlShehri, “Impact of human vulnera- bilities on cybersecurity,”Computer Systems Science and Engineering, vol. 40, pp. 1153–1166, 9 2021

  77. [77]

    Phish me, phish me not,

    B. Hanus, Y . A. Wu, and J. Parrish, “Phish me, phish me not,”Journal of Computer Information Systems, vol. 62, pp. 516–526, 2022

  78. [78]

    An analysis of phishing emails and how the human vulnerabilities are exploited,

    T. Sharma and M. Bashir, “An analysis of phishing emails and how the human vulnerabilities are exploited,” inAdvances in Human Factors in Cybersecurity, I. Corradini, E. Nardelli, and T. Ahram, Eds. Springer International Publishing, 2020, pp. 49–55

  79. [79]

    Identifying factors that influence security behaviors relating to phishing attacks susceptibility: A systematic literature review,

    A. H. Asfoor, F. A. Rahim, and S. Yussof, “Identifying factors that influence security behaviors relating to phishing attacks susceptibility: A systematic literature review,”Journal of Theoretical and Applied Information Technology, vol. 15, p. 15, 2020. [Online]. Available: www.jatit.org

  80. [80]

    Short-term and long-term effects of fear appeals in improving compliance with password guide- lines,

    F. Mwagwabi, T. McGill, and M. Dixon, “Short-term and long-term effects of fear appeals in improving compliance with password guide- lines,”Communications of the Association for Information Systems, vol. 42, pp. 147–182, 2 2018

Showing first 80 references.