
arxiv: 2605.22119 · v2 · pith:76BJUH2Znew · submitted 2026-05-21 · 💻 cs.CR

Human Vulnerability Assessment in Cybersecurity: A Systematic Literature Review of Methods, Models, and Instruments

Pith reviewed 2026-05-22 05:25 UTC · model grok-4.3

classification 💻 cs.CR
keywords: human vulnerability assessment · cybersecurity · systematic literature review · PRISMA · insider threats · security behavior · user awareness · holistic assessment

The pith

Current human vulnerability assessments in cybersecurity remain fragmented, static, and incomplete for both unintentional and intentional dimensions.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This systematic literature review examines methods, models, and instruments for assessing human vulnerabilities in cybersecurity, selecting studies published between 2017 and 2025 under the PRISMA framework. It establishes that existing work typically isolates a single facet, such as security behavior, user awareness, or insider threat detection, rather than integrating the full range of psychological, cognitive, behavioral, social, and contextual factors. The central finding is that no reviewed approach simultaneously and dynamically covers the entire spectrum of unintentional and intentional human vulnerabilities or their propagation across individuals and systems. A sympathetic reader would care because adversaries increasingly target the human element, yet current assessment practices leave organizations exposed to risks that change over time. The review therefore identifies specific gaps and calls for research into holistic, dynamic assessment strategies.

Core claim

The systematic literature review concludes that proposed solutions for human vulnerability assessment address only limited aspects in isolation and from a static perspective, with insufficient attention to dynamic processes or to the ways vulnerabilities propagate. No method, model, or instrument was found that holistically and dynamically considers the complete spectrum of both unintentional and intentional human vulnerabilities at the same time.

What carries the argument

PRISMA-guided systematic literature review that synthesizes existing methods, models, and instruments for conceptual or practical human vulnerability assessment in cybersecurity.

If this is right

  • New assessment approaches must integrate unintentional and intentional dimensions rather than treating them separately.
  • Assessment tools should move from one-time static evaluations to ongoing dynamic monitoring that tracks changes over time.
  • Models need to account for how human vulnerabilities propagate across individuals and interconnected systems.
  • Future instruments should combine psychological, cognitive, behavioral, social, and contextual factors into unified frameworks.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Organizations adopting such integrated assessments could reduce incident rates by identifying human-related risks earlier than current siloed approaches allow.
  • Linking human vulnerability metrics with technical asset assessments may produce more accurate overall security risk scores.
  • Training and policy interventions derived from dynamic assessments could adapt in real time to emerging threat patterns.

Load-bearing premise

The literature search limited to 2017-2025 and filtered through PRISMA captures a representative and unbiased sample of all relevant work without significant publication or selection bias.

What would settle it

Discovery of at least one published method, model, or instrument that simultaneously and dynamically assesses the full spectrum of psychological, cognitive, behavioral, social, and contextual factors across both unintentional and intentional human vulnerabilities.

Figures

Figures reproduced from arXiv: 2605.22119 by Dimitra Papatsaroucha, Eleftheria Vassilaki, Evangelos K. Markakis, Ilias Politis, Konstantina Pityanou, Michail Alexandros Kourtis, Stavroula Psaroudaki.

Figure 1. Identification of Studies following the PRISMA framework
Figure 3. Classification of Studies according to Publication Venues
Figure 4. Studies Published per Year
Figure 5. Moderator Availability in Studies
Figure 6. Summary of assessed or considered Human Factors across studies
Figure 7. Classification of Studies based on the combinations of Vulnerability
Figure 8. Most Appeared Combinations of Most Assessed or Considered Human
Figure 9. Summary of assessed or considered Indicators across studies
Figure 10. Classification of Studies based on the combinations of Moderator
Figure 11. Most appeared Combinations of Most Assessed or Considered
Figure 12. Comparative Analysis of Considered Human Factors & Indicators across Studies
Figure 13. Threat Type Classification of Studies
Figure 14. Most considered Human Factors + Indicators for Studies addressing
Figure 15. Most considered Human Factors + Indicators for Studies addressing
Figure 16. Most considered Human Factors + Indicators for Studies addressing
Figure 17. Assessment or Measurement Approaches Proposed or Utilized
Figure 18. Most Appeared Combinations of Hybrid Assessment or Measurement
Figure 19. Assessment or Measurement Approach Distribution Per Year
Figure 20. Distribution of HVA Studies by Vulnerability Propagation and

Body text captured alongside Figures 4, 5 and 13 in the source (truncated there):

Alongside Figure 4: V. HOW HUMAN VULNERABILITY IS ASSESSED IN CYBERSECURITY. A. Methods. 1) Conceptual and Theoretical Methods: Conceptual and theoretical methods have mostly focused on defining how human vulnerability may be understood before proposing practical assessment mechanisms, providing important explanatory foundations and identifying important vulnerability variables. For unintentional thr…

Alongside Figure 5: In addition to taxonomy mapping, further analytical dimensions were introduced in order to further characterize how the studies included in the SLR conceptualize and operationalize human cyber vulnerability, namely: i) threat relevance, ii) assessment or measurement approach, iii) vulnerability propagation, iv) vulnerability modelling approach. The threat relevance dimen…

Alongside Figure 13: Furthermore, Figures 14, 15, and 16 provide additional information regarding the human factors and indicators that dominate the assessment with regard to the threat type addressed. Because the number of studies differs across the three threat categories, the interpretation of these figures considers both absolute occurrences and relative prevalence within each catego…
Original abstract

In cybersecurity, vulnerability assessment has typically focused on identifying and measuring vulnerabilities within digital assets and technical infrastructures. However, there is growing recognition that this approach alone is inadequate without a structured examination of the human factor, which is becoming more frequently targeted and manipulated by cyber adversaries. Human vulnerabilities extend beyond individual susceptibility to cyber threats, encompassing a wide array of psychological, cognitive, behavioral, social, and contextual factors that can, whether unintentionally or intentionally, jeopardize the security and integrity of systems and data. Despite this recognition, human vulnerability assessment remains fragmented, often addressed from a static rather than a dynamic perspective, and with limited focus on the ways it propagates across individuals and systems; a growing body of literature has explored specific facets of the issue, including one-time assessments of security behavior, user awareness, and, to a degree, intentional insider threats and their detection. This research offers a systematic literature review (SLR) of Human Vulnerability Assessment (HVA) in cybersecurity, including methods, models, and instruments proposed for the conceptual or practical assessment of human vulnerabilities across various dimensions. Following the PRISMA framework, this review gathers relevant studies published from 2017 to 2025, aiming to investigate whether any assessment methods, models, or instruments exist that address the entire spectrum of human vulnerabilities dynamically. The findings highlight gaps and limitations in current proposed solutions and identify areas for further investigation regarding holistic assessment that simultaneously and dynamically considers the entire spectrum of both the unintentional and intentional dimensions of human vulnerability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. This paper conducts a systematic literature review (SLR) of Human Vulnerability Assessment (HVA) methods, models, and instruments in cybersecurity. Following the PRISMA framework, it examines studies published 2017–2025 to determine whether any existing approaches address the full spectrum of unintentional and intentional human vulnerabilities in a dynamic, holistic manner that accounts for propagation across individuals and systems. The review concludes that current solutions remain fragmented and static, with notable gaps in integrated dynamic assessment, and calls for further research on comprehensive models.

Significance. If the search and screening process proves exhaustive, the paper would usefully synthesize the fragmented HVA literature and provide a clear roadmap for developing integrated dynamic assessments that span psychological, behavioral, and insider-threat dimensions. Such a synthesis could help shift the field from one-off awareness metrics toward more systemic, time-varying vulnerability models.

major comments (2)
  1. [Methods] Methods section (PRISMA description): The abstract states adherence to PRISMA and a 2017–2025 window but supplies no search strings, database list, inclusion/exclusion criteria, or inter-rater reliability statistics. Because the central claim—that no existing method covers the full unintentional+intentional spectrum dynamically—rests on having exhaustively identified the literature, the absence of these details prevents verification that relevant holistic or dynamic models were not systematically excluded.
  2. [Results] Results and gap analysis: The claim that current instruments are limited to static, one-time assessments of security behavior or isolated insider-threat detection requires explicit mapping of reviewed papers to the “dynamic” and “holistic” criteria. Without a table or appendix showing which papers were screened against these dimensions and why they failed, the gap conclusion remains difficult to evaluate.
minor comments (2)
  1. [Introduction] Clarify whether the review distinguishes between vulnerability assessment instruments and threat-detection tools; the current wording occasionally conflates the two.
  2. [Throughout] Ensure all acronyms (HVA, SLR, PRISMA) are defined on first use and that figure captions explicitly state the time window and number of included studies.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their detailed and constructive feedback on our systematic literature review. The comments highlight opportunities to improve transparency in the methods and to strengthen the presentation of the gap analysis. We will revise the manuscript to address these points directly.

Point-by-point responses
  1. Referee: [Methods] Methods section (PRISMA description): The abstract states adherence to PRISMA and a 2017–2025 window but supplies no search strings, database list, inclusion/exclusion criteria, or inter-rater reliability statistics. Because the central claim—that no existing method covers the full unintentional+intentional spectrum dynamically—rests on having exhaustively identified the literature, the absence of these details prevents verification that relevant holistic or dynamic models were not systematically excluded.

    Authors: We acknowledge the referee's concern about methodological transparency. While the manuscript states adherence to the PRISMA framework and specifies the 2017–2025 window, we agree that the absence of explicit search strings, database names, inclusion/exclusion criteria, and inter-rater reliability metrics in the provided text limits immediate verification. In the revised manuscript we will expand the Methods section to include these details in full, along with a flow diagram and description of the screening process, to confirm that the search was exhaustive and that no relevant holistic or dynamic models were excluded. revision: yes

  2. Referee: [Results] Results and gap analysis: The claim that current instruments are limited to static, one-time assessments of security behavior or isolated insider-threat detection requires explicit mapping of reviewed papers to the “dynamic” and “holistic” criteria. Without a table or appendix showing which papers were screened against these dimensions and why they failed, the gap conclusion remains difficult to evaluate.

    Authors: We agree that an explicit mapping would make the gap analysis more transparent and easier for readers to evaluate. In the revised version we will add a table (or appendix) that lists each included study, indicates whether it addresses unintentional or intentional vulnerabilities, whether the assessment is static or dynamic, and whether it is holistic or fragmented, together with a brief rationale for why it does not fully satisfy the combined dynamic-and-holistic criterion. This will directly support the conclusion that existing approaches remain limited. revision: yes
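The "what would settle it" criterion above and the coding table the rebuttal promises both reduce to the same check: code each included study against the factor dimensions, threat types, static-versus-dynamic mode and propagation, then ask whether any row satisfies all of them at once. The script below is an added example, not code from the paper or from Pith; the study IDs (S1 to S6) and their codings are constructed to mirror the kinds of studies the review describes and are not transcribed from it.

```python
# Added example (not from the paper): a coding matrix and gap check that
# operationalises the review's "holistic and dynamic" criterion.
# Study IDs and codings below are constructed for illustration.
from collections import Counter
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List

FACTORS = ("psychological", "cognitive", "behavioral", "social", "contextual")
THREAT_TYPES = ("unintentional", "intentional")


@dataclass(frozen=True)
class Study:
    """One included study, coded against the review's analytical dimensions."""
    study_id: str
    factors: FrozenSet[str]        # human-factor dimensions the study assesses
    threat_types: FrozenSet[str]   # unintentional and/or intentional
    dynamic: bool                  # tracks change over time, not a one-time snapshot
    propagation: bool              # models spread across individuals or systems

    def __post_init__(self) -> None:
        # Reject coding errors early: a misspelt label would silently shrink coverage.
        bad = (self.factors - set(FACTORS)) | (self.threat_types - set(THREAT_TYPES))
        if bad:
            raise ValueError(f"{self.study_id}: unknown coding labels {sorted(bad)}")


def code_study(study_id: str, factors: Iterable[str], threat_types: Iterable[str],
               *, dynamic: bool = False, propagation: bool = False) -> Study:
    return Study(study_id, frozenset(factors), frozenset(threat_types), dynamic, propagation)


def is_holistic(s: Study) -> bool:
    """Covers every factor dimension and both threat types simultaneously."""
    return s.factors == frozenset(FACTORS) and s.threat_types == frozenset(THREAT_TYPES)


def meets_criterion(s: Study) -> bool:
    """The condition that would settle the review's claim: holistic, dynamic, propagation-aware."""
    return is_holistic(s) and s.dynamic and s.propagation


def gap_report(studies: Iterable[Study]) -> Dict[str, object]:
    """Summarise coverage the way the review's figures do, plus the combined criterion."""
    rows: List[Study] = list(studies)
    factor_counts = Counter(f for s in rows for f in s.factors)
    pair_counts = Counter(p for s in rows for p in combinations(sorted(s.factors), 2))
    ids = lambda pred: sorted(s.study_id for s in rows if pred(s))
    return {
        "n_studies": len(rows),
        "holistic": ids(is_holistic),
        "dynamic": ids(lambda s: s.dynamic),
        "propagation": ids(lambda s: s.propagation),
        "both_threat_types": ids(lambda s: s.threat_types == frozenset(THREAT_TYPES)),
        "meets_criterion": ids(meets_criterion),
        "factor_counts": dict(factor_counts),
        "top_factor_pairs": pair_counts.most_common(3),
    }


# Constructed sample matrix (hypothetical study IDs; codings chosen to mirror the
# review's description of the literature, not transcribed from it).
SAMPLE_STUDIES = [
    code_study("S1", ["behavioral"], ["unintentional"]),                  # one-time behaviour survey
    code_study("S2", ["cognitive", "behavioral"], ["unintentional"]),     # awareness instrument
    code_study("S3", ["psychological", "behavioral"], ["intentional"], dynamic=True),  # insider-threat detection
    code_study("S4", ["social", "contextual"], ["unintentional"], propagation=True),   # spread model
    code_study("S5", FACTORS, THREAT_TYPES),                              # broad taxonomy, static
    code_study("S6", ["psychological", "cognitive", "behavioral"], THREAT_TYPES, dynamic=True),
]

if __name__ == "__main__":
    for key, value in gap_report(SAMPLE_STUDIES).items():
        print(f"{key}: {value}")
```

On this constructed matrix `meets_criterion` comes back empty even though S5 is holistic and S3 and S6 are dynamic, which is exactly the shape of the review's conclusion: the properties exist in the literature separately, not in one study. Replacing `SAMPLE_STUDIES` with the authors' real coding table would make the gap claim checkable by anyone, and the label validation in `__post_init__` guards against the quiet under-counting that a typo in a hand-coded spreadsheet produces.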

Circularity Check

0 steps flagged

No circularity: literature review synthesizes external sources without self-referential derivation

Full rationale

This is a systematic literature review that applies the PRISMA framework to collect and analyze studies published 2017-2025 on human vulnerability assessment methods. The paper's claims about gaps in holistic, dynamic coverage of unintentional and intentional dimensions are conclusions drawn from the external body of reviewed work rather than any quantitative prediction, fitted parameter, or equation that reduces to the review's own inputs by construction. No self-definitional steps, fitted-input predictions, or load-bearing self-citation chains appear in the derivation; the search process itself is presented as a methodological choice whose exhaustiveness is an empirical question separate from circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

The review depends on standard evidence-synthesis practices and the assumption that the chosen time window and databases adequately represent the field.

axioms (1)
  • domain assumption The PRISMA framework is an appropriate and unbiased method for identifying and synthesizing literature on human vulnerability assessment.
    Invoked by the statement that the review follows the PRISMA framework.
