The Human Vulnerabilities & Exploits (HVE) Framework
Pith reviewed 2026-06-27 16:11 UTC · model grok-4.3
The pith
A framework classifies behavioral and psychological vulnerabilities exploited in scams and social engineering attacks.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The framework supplies a machine-readable taxonomy for behavioral and psychological vulnerabilities, complete with structured identifiers, multi-dimensional severity scoring, and actionable remediation guidance.
What carries the argument
The taxonomy that converts psychological mechanisms into labeled vulnerability entries supporting classification, scoring, and mitigation steps.
If this is right
- Organizations gain a common language for reporting and sharing data on human-targeted vulnerabilities.
- Defenses can be ranked and allocated according to the severity scores assigned to each vulnerability.
- Specific remediation steps become available for reducing exposure to particular types of manipulation.
- Training and awareness programs can be built around the labeled entries in the taxonomy.
Where Pith is reading between the lines
- The taxonomy could support automated monitoring systems that flag messages or situations matching known vulnerability patterns.
- Cross-cultural testing might show whether the same vulnerability entries apply equally in different populations.
- Over time the system could expand to cover new manipulation methods that emerge in digital environments.
Load-bearing premise
Established theories of human behavior can be synthesized directly into a machine-readable taxonomy with identifiers, scores, and fixes without new empirical validation.
What would settle it
A controlled test in which organizations applying the taxonomy and its recommended fixes show no reduction in successful social engineering or scam attacks compared with control groups.
Figures
read the original abstract
The cybersecurity community has invested over two decades in building standardized frameworks, the Common Vulnerabilities and Exposures (CVE) system, the Common Vulnerability Scoring System (CVSS), and the Common Weakness Enumeration (CWE) to identify, classify, and remediate threats to digital infrastructure. However, an emerging body of research reveals that a vast majority of successful cyberattacks exploit not software flaws, but human behavioral and psychological vulnerabilities. Social engineering, fraud, and scam attacks, which manipulate human cognition, emotion, and trust, do not have an equivalent standardized framework. Meanwhile, behavioral science and psychology research has established robust theoretical foundations, such as dual-process theory, prospect theory, social influence frameworks, and visceral state models, which explain precisely why and how these attacks succeed. This paper introduces the Human Vulnerabilities & Exploits (HVE) Framework, a structured approach for identifying, classifying, and mitigating the behavioral and psychological vulnerabilities exploited in scams, social engineering, and other human-centric fraud and attacks, analogous in concept to how CVE helps classify software vulnerabilities: it provides a shared, machine-readable taxonomy with structured identifiers, multi-dimensional severity scoring via the Human Vulnerability Severity Score (HVSS), and actionable remediation guidance through Human Vulnerability Patches (HVPs). This introduction synthesizes the relevant literature across cybersecurity standardization, behavioral science, and fraud defense to establish the theoretical and practical foundations for the HVE framework, whose architecture and technical specifications are detailed in subsequent sections.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes the Human Vulnerabilities & Exploits (HVE) Framework as a standardized, machine-readable taxonomy for identifying, classifying, and mitigating behavioral and psychological vulnerabilities exploited in social engineering, scams, and human-centric attacks. It draws an analogy to CVE/CVSS/CWE systems and claims to synthesize existing behavioral theories (dual-process theory, prospect theory, social influence frameworks, visceral state models) into structured identifiers, a multi-dimensional Human Vulnerability Severity Score (HVSS), and actionable Human Vulnerability Patches (HVPs), with the architecture and specifications detailed beyond the abstract.
Significance. If the synthesis produces a non-redundant, empirically grounded taxonomy that preserves the explanatory power of the source theories while enabling practical remediation, the framework could offer a useful bridge between behavioral science and cybersecurity standardization efforts. The proposal addresses a recognized gap in human-factor defenses, but its significance hinges on whether the resulting structure avoids overlap, ambiguity, or loss of fidelity compared to the cited literature.
major comments (2)
- [Abstract / Introduction] The central claim (abstract and introduction) that behavioral theories can be directly synthesized into a machine-readable taxonomy with structured identifiers, HVSS, and HVPs is asserted via literature synthesis alone; no concrete mapping example is supplied showing, for instance, how prospect theory's loss aversion or dual-process System 1/System 2 distinctions translate into distinct HVE entries without redundancy or loss of explanatory power.
- [Introduction (synthesis section)] No validation step, external benchmark, or domain-adaptation check is described to confirm that the resulting HVSS scoring and HVPs function analogously to CVSS/CWE (i.e., that they are actionable, non-overlapping, and preserve predictive utility for scam and social-engineering contexts).
minor comments (1)
- [Abstract] Clarify whether the framework introduces any new empirical data or remains a pure synthesis; if the latter, explicitly state the scope limitations in the abstract.
Simulated Author's Rebuttal
We thank the referee for the constructive feedback on the HVE Framework manuscript. We address the major comments point by point below.
read point-by-point responses
-
Referee: [Abstract / Introduction] The central claim (abstract and introduction) that behavioral theories can be directly synthesized into a machine-readable taxonomy with structured identifiers, HVSS, and HVPs is asserted via literature synthesis alone; no concrete mapping example is supplied showing, for instance, how prospect theory's loss aversion or dual-process System 1/System 2 distinctions translate into distinct HVE entries without redundancy or loss of explanatory power.
Authors: The synthesis in the manuscript derives HVE identifiers, HVSS dimensions, and HVPs directly from the cited theories (e.g., loss aversion informs a dedicated vulnerability class with corresponding severity factors). However, we agree that an explicit worked example would make the translation clearer and demonstrate fidelity. We will add a dedicated subsection with concrete mappings in the revision. revision: yes
-
Referee: [Introduction (synthesis section)] No validation step, external benchmark, or domain-adaptation check is described to confirm that the resulting HVSS scoring and HVPs function analogously to CVSS/CWE (i.e., that they are actionable, non-overlapping, and preserve predictive utility for scam and social-engineering contexts).
Authors: The current manuscript is an introductory synthesis establishing the framework architecture. We will revise to include an explicit discussion of design choices that ensure non-overlap and actionability (drawing on how the source theories were operationalized), plus a table comparing HVSS to CVSS structure. Full empirical validation and benchmarks are outside the scope of this conceptual paper and will be flagged as future work. revision: partial
Circularity Check
No circularity; synthesis of external theories presented as novel taxonomy
full rationale
The paper's central contribution is a literature synthesis of established behavioral theories (dual-process theory, prospect theory, social influence frameworks, visceral state models) into the HVE taxonomy, HVSS scoring, and HVPs, explicitly positioned as analogous to CVE/CVSS/CWE. No derivation equations, fitted parameters, predictions, or uniqueness theorems appear in the provided text. The synthesis is the input and output by design, but this is definitional organization rather than a reduction where a claimed result equals its inputs by construction. No self-citation load-bearing steps or ansatz smuggling are quoted. The framework draws from independent external literature and is therefore self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption Dual-process theory, prospect theory, social influence frameworks, and visceral state models explain why human-centric attacks succeed.
invented entities (3)
-
Human Vulnerabilities & Exploits (HVE) Framework
no independent evidence
-
Human Vulnerability Severity Score (HVSS)
no independent evidence
-
Human Vulnerability Patches (HVPs)
no independent evidence
Reference graph
Works this paper leans on
-
[1]
Aldawood, H., & Skinner, G. (2019). Reviewing cyber security social engineering training and awareness programs: pitfalls and ongoing issues.Future Internet, 11(3),
2019
-
[2]
Asyali, M., Frank, B., & Hölzmer, T. (2026). Fake it till you make it: The psychological and communication tactics behind pig butchering scams.Journal of Cybersecurity, 12(1). Axiom Economics. (2024).Using behavioural economics to understand and prevent authorised push payment fraud. UK Payment Systems Regulator. Beals, M., DeLiema, M., & Deevy, M. (2015)...
2026
-
[3]
Ferreira, A., & Teles, S. (2019). Persuasion: How phishing emails can influence users and bypass security measures. International Journal of Human-Computer Studies, 125, 19–31. Gragg, D. (2003).A multi-level defense against social engineering. SANS Institute Reading Room. Hancock, J., & Tessian. (2020).The psychology of human error. Stanford University & ...
2019
-
[4]
transfer to safe account
Mouton, F., et al. (2014). Social engineering attack framework. InInformation Security for South Africa (ISSA). IEEE. Pedersen, K. T., Pepke, L., Stærmose, T., Papaioannou, M., Choudhary, G., & Dragoni, N. (2025). Deepfake-driven social engineering: Threats, detection techniques, and defensive strategies in corporate environments.Journal of Cybersecurity ...
2014
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.