pith. sign in

arxiv: 2606.10083 · v1 · pith:P3LAETTHnew · submitted 2026-06-08 · 💻 cs.CR · cs.CY

The Human Vulnerabilities & Exploits (HVE) Framework

Pith reviewed 2026-06-27 16:11 UTC · model grok-4.3

classification 💻 cs.CR cs.CY
keywords human vulnerabilitiessocial engineeringcybersecuritybehavioral sciencescamsvulnerability classificationpsychological exploitsfraud mitigation
0
0 comments X

The pith

A framework classifies behavioral and psychological vulnerabilities exploited in scams and social engineering attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper introduces a structured system to identify, classify, and reduce human vulnerabilities that attackers use in manipulation-based threats. It draws from established theories of human decision making and social behavior to create identifiers for specific vulnerabilities, a scoring method for their severity, and guidance on how to address them. A sympathetic reader would care because the majority of successful cyberattacks succeed by targeting people rather than technical systems. If the approach holds, it would allow consistent tracking and response to these human factors across different organizations and tools.

Core claim

The framework supplies a machine-readable taxonomy for behavioral and psychological vulnerabilities, complete with structured identifiers, multi-dimensional severity scoring, and actionable remediation guidance.

What carries the argument

The taxonomy that converts psychological mechanisms into labeled vulnerability entries supporting classification, scoring, and mitigation steps.

If this is right

  • Organizations gain a common language for reporting and sharing data on human-targeted vulnerabilities.
  • Defenses can be ranked and allocated according to the severity scores assigned to each vulnerability.
  • Specific remediation steps become available for reducing exposure to particular types of manipulation.
  • Training and awareness programs can be built around the labeled entries in the taxonomy.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The taxonomy could support automated monitoring systems that flag messages or situations matching known vulnerability patterns.
  • Cross-cultural testing might show whether the same vulnerability entries apply equally in different populations.
  • Over time the system could expand to cover new manipulation methods that emerge in digital environments.

Load-bearing premise

Established theories of human behavior can be synthesized directly into a machine-readable taxonomy with identifiers, scores, and fixes without new empirical validation.

What would settle it

A controlled test in which organizations applying the taxonomy and its recommended fixes show no reduction in successful social engineering or scam attacks compared with control groups.

Figures

Figures reproduced from arXiv: 2606.10083 by Avichai Ben, Avi Grushka, Aviv Nahon, Daniel Illaev, Tom Rahav.

Figure 1
Figure 1. Figure 1: Two sides of the same fraud event. F3 describes the attacker’s behavior; HVE describes the victim-side vulnerability exploited, with severity scoring (HVSS) and intervention bundles (HVPs). (Vector reconstruction of the source figure.) 3.4 Behavioral Psychology Literature HVE’s psychological layer is scientifically grounded in behavioral science literature on social influence, dual-process cognition, visce… view at source ↗
Figure 2
Figure 2. Figure 2: HVE feature-axis labelling of a BBB scam case (Section 4.10). Each colour maps a textual span to a single HVE feature axis. (Vector reconstruction of the source figure; case text paraphrased to preserve the highlighted spans.) 5 Agent Integration and Real-Time Deployment The preceding sections have established the HVE, HWE, HVSS, and HVP registries as structured artifacts. This section describes how those … view at source ↗
Figure 3
Figure 3. Figure 3: HVE Walkthrough of a Flash Investment Fraud [PITH_FULL_IMAGE:figures/full_fig_p024_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: HVE walkthrough of a multi-step employment fraud 24 [PITH_FULL_IMAGE:figures/full_fig_p024_4.png] view at source ↗
Figure 5
Figure 5. Figure 5: HVE walkthrough of a high authority sweepstakes scam [PITH_FULL_IMAGE:figures/full_fig_p025_5.png] view at source ↗
Figure 6
Figure 6. Figure 6: HVE high level comparison of the cases 25 [PITH_FULL_IMAGE:figures/full_fig_p025_6.png] view at source ↗
read the original abstract

The cybersecurity community has invested over two decades in building standardized frameworks, the Common Vulnerabilities and Exposures (CVE) system, the Common Vulnerability Scoring System (CVSS), and the Common Weakness Enumeration (CWE) to identify, classify, and remediate threats to digital infrastructure. However, an emerging body of research reveals that a vast majority of successful cyberattacks exploit not software flaws, but human behavioral and psychological vulnerabilities. Social engineering, fraud, and scam attacks, which manipulate human cognition, emotion, and trust, do not have an equivalent standardized framework. Meanwhile, behavioral science and psychology research has established robust theoretical foundations, such as dual-process theory, prospect theory, social influence frameworks, and visceral state models, which explain precisely why and how these attacks succeed. This paper introduces the Human Vulnerabilities & Exploits (HVE) Framework, a structured approach for identifying, classifying, and mitigating the behavioral and psychological vulnerabilities exploited in scams, social engineering, and other human-centric fraud and attacks, analogous in concept to how CVE helps classify software vulnerabilities: it provides a shared, machine-readable taxonomy with structured identifiers, multi-dimensional severity scoring via the Human Vulnerability Severity Score (HVSS), and actionable remediation guidance through Human Vulnerability Patches (HVPs). This introduction synthesizes the relevant literature across cybersecurity standardization, behavioral science, and fraud defense to establish the theoretical and practical foundations for the HVE framework, whose architecture and technical specifications are detailed in subsequent sections.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 1 minor

Summary. The paper proposes the Human Vulnerabilities & Exploits (HVE) Framework as a standardized, machine-readable taxonomy for identifying, classifying, and mitigating behavioral and psychological vulnerabilities exploited in social engineering, scams, and human-centric attacks. It draws an analogy to CVE/CVSS/CWE systems and claims to synthesize existing behavioral theories (dual-process theory, prospect theory, social influence frameworks, visceral state models) into structured identifiers, a multi-dimensional Human Vulnerability Severity Score (HVSS), and actionable Human Vulnerability Patches (HVPs), with the architecture and specifications detailed beyond the abstract.

Significance. If the synthesis produces a non-redundant, empirically grounded taxonomy that preserves the explanatory power of the source theories while enabling practical remediation, the framework could offer a useful bridge between behavioral science and cybersecurity standardization efforts. The proposal addresses a recognized gap in human-factor defenses, but its significance hinges on whether the resulting structure avoids overlap, ambiguity, or loss of fidelity compared to the cited literature.

major comments (2)
  1. [Abstract / Introduction] The central claim (abstract and introduction) that behavioral theories can be directly synthesized into a machine-readable taxonomy with structured identifiers, HVSS, and HVPs is asserted via literature synthesis alone; no concrete mapping example is supplied showing, for instance, how prospect theory's loss aversion or dual-process System 1/System 2 distinctions translate into distinct HVE entries without redundancy or loss of explanatory power.
  2. [Introduction (synthesis section)] No validation step, external benchmark, or domain-adaptation check is described to confirm that the resulting HVSS scoring and HVPs function analogously to CVSS/CWE (i.e., that they are actionable, non-overlapping, and preserve predictive utility for scam and social-engineering contexts).
minor comments (1)
  1. [Abstract] Clarify whether the framework introduces any new empirical data or remains a pure synthesis; if the latter, explicitly state the scope limitations in the abstract.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive feedback on the HVE Framework manuscript. We address the major comments point by point below.

read point-by-point responses
  1. Referee: [Abstract / Introduction] The central claim (abstract and introduction) that behavioral theories can be directly synthesized into a machine-readable taxonomy with structured identifiers, HVSS, and HVPs is asserted via literature synthesis alone; no concrete mapping example is supplied showing, for instance, how prospect theory's loss aversion or dual-process System 1/System 2 distinctions translate into distinct HVE entries without redundancy or loss of explanatory power.

    Authors: The synthesis in the manuscript derives HVE identifiers, HVSS dimensions, and HVPs directly from the cited theories (e.g., loss aversion informs a dedicated vulnerability class with corresponding severity factors). However, we agree that an explicit worked example would make the translation clearer and demonstrate fidelity. We will add a dedicated subsection with concrete mappings in the revision. revision: yes

  2. Referee: [Introduction (synthesis section)] No validation step, external benchmark, or domain-adaptation check is described to confirm that the resulting HVSS scoring and HVPs function analogously to CVSS/CWE (i.e., that they are actionable, non-overlapping, and preserve predictive utility for scam and social-engineering contexts).

    Authors: The current manuscript is an introductory synthesis establishing the framework architecture. We will revise to include an explicit discussion of design choices that ensure non-overlap and actionability (drawing on how the source theories were operationalized), plus a table comparing HVSS to CVSS structure. Full empirical validation and benchmarks are outside the scope of this conceptual paper and will be flagged as future work. revision: partial

Circularity Check

0 steps flagged

No circularity; synthesis of external theories presented as novel taxonomy

full rationale

The paper's central contribution is a literature synthesis of established behavioral theories (dual-process theory, prospect theory, social influence frameworks, visceral state models) into the HVE taxonomy, HVSS scoring, and HVPs, explicitly positioned as analogous to CVE/CVSS/CWE. No derivation equations, fitted parameters, predictions, or uniqueness theorems appear in the provided text. The synthesis is the input and output by design, but this is definitional organization rather than a reduction where a claimed result equals its inputs by construction. No self-citation load-bearing steps or ansatz smuggling are quoted. The framework draws from independent external literature and is therefore self-contained against external benchmarks.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 3 invented entities

The proposal rests on the assumption that behavioral science models translate directly into a CVE-style taxonomy. No free parameters are visible. Axioms are the cited psychology theories. The HVE, HVSS, and HVPs are invented entities without independent evidence in the abstract.

axioms (1)
  • domain assumption Dual-process theory, prospect theory, social influence frameworks, and visceral state models explain why human-centric attacks succeed.
    Abstract states these theories provide the foundations for the framework.
invented entities (3)
  • Human Vulnerabilities & Exploits (HVE) Framework no independent evidence
    purpose: Provide shared machine-readable taxonomy for behavioral vulnerabilities.
    New structure proposed in the paper; no external validation shown.
  • Human Vulnerability Severity Score (HVSS) no independent evidence
    purpose: Multi-dimensional severity scoring analogous to CVSS.
    Invented scoring system; details not provided in abstract.
  • Human Vulnerability Patches (HVPs) no independent evidence
    purpose: Actionable remediation guidance.
    New remediation concept introduced by the paper.

pith-pipeline@v0.9.1-grok · 5804 in / 1367 out tokens · 19441 ms · 2026-06-27T16:11:17.795678+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

4 extracted references

  1. [1]

    Aldawood, H., & Skinner, G. (2019). Reviewing cyber security social engineering training and awareness programs: pitfalls and ongoing issues.Future Internet, 11(3),

  2. [2]

    Asyali, M., Frank, B., & Hölzmer, T. (2026). Fake it till you make it: The psychological and communication tactics behind pig butchering scams.Journal of Cybersecurity, 12(1). Axiom Economics. (2024).Using behavioural economics to understand and prevent authorised push payment fraud. UK Payment Systems Regulator. Beals, M., DeLiema, M., & Deevy, M. (2015)...

  3. [3]

    Ferreira, A., & Teles, S. (2019). Persuasion: How phishing emails can influence users and bypass security measures. International Journal of Human-Computer Studies, 125, 19–31. Gragg, D. (2003).A multi-level defense against social engineering. SANS Institute Reading Room. Hancock, J., & Tessian. (2020).The psychology of human error. Stanford University & ...

  4. [4]

    transfer to safe account

    Mouton, F., et al. (2014). Social engineering attack framework. InInformation Security for South Africa (ISSA). IEEE. Pedersen, K. T., Pepke, L., Stærmose, T., Papaioannou, M., Choudhary, G., & Dragoni, N. (2025). Deepfake-driven social engineering: Threats, detection techniques, and defensive strategies in corporate environments.Journal of Cybersecurity ...