Human Factor Risk Modeling in Cybersecurity: A Scoping Review of KAB Frameworks and Data-Driven Approaches




DOI: https://doi.org/10.5281/zenodo.15812726

Keywords: cybersecurity, decision making, human factor, cybersecurity strategy

Abstract

Cybersecurity decision-making increasingly demands attention to human factors alongside technical defenses. While frameworks such as ISO/IEC 27001 and NIST guide organizational compliance, the behavioral dimensions of risk perception, bounded rationality, and strategic adaptation remain underrepresented in cybersecurity modeling. This scoping review synthesizes the literature to explore how human factor risk is approached in the context of cybersecurity, with a particular emphasis on Knowledge–Attitude–Behavior (KAB) models and data-driven decision frameworks. Drawing from multiple disciplines, the review identifies patterns and limitations in how cybersecurity decision-making processes are conceptualized. The findings highlight a fragmented landscape in which descriptive insights into human behavior and normative decision models often operate in isolation. The study concludes by identifying the need for hybrid models that incorporate both behavioral insights and data-driven decision frameworks, offering a promising direction for supporting cybersecurity adaptation in business.


Published

2025-07-05

How to Cite

BARS, A., & ERDEM, S. (2025). Human Factor Risk Modeling in Cybersecurity: A Scoping Review of KAB Frameworks and Data-Driven Approaches. Euroasia Journal of Mathematics, Engineering, Natural & Medical Sciences, 12(1), 47–59. https://doi.org/10.5281/zenodo.15812726
