SCVI: Bridging Social and Cyber Dimensions for Comprehensive Vulnerability Assessment

TL;DR

SCVI introduces a unified framework that blends individual vulnerability factors with attack-level severity to quantify socio-cyber risk, validated on both survey (iPoll) and social-media (Reddit) data. The index combines IVI and ASI through $ \mathrm{SCVI}_{i, k} = \alpha \mathrm{IVI}_{i, k} + \beta \mathrm{ASI}_{i, k} $ with $ \alpha + \beta = 1 $, and further decomposes IVI and ASI into interpretable subcomponents tied to awareness, behavior, psychology, experience, frequency, consequence, and sophistication. Across datasets, SCVI demonstrates robustness via Monte Carlo weight analyses and provides richer insights than CVSS or SVI, revealing demographic and regional disparities and guiding targeted interventions. The work highlights practical implications for policymakers and platforms, supports inclusive cybersecurity strategies, and outlines avenues for data-driven weighting and dynamic updating to address evolving threats like AI-powered phishing and deepfake scams.

Abstract

The rise of cyber threats on social media platforms necessitates advanced metrics to assess and mitigate social cyber vulnerabilities. This paper presents the Social Cyber Vulnerability Index (SCVI), a novel framework integrating individual-level factors (e.g., awareness, behavioral traits, psychological attributes) and attack-level characteristics (e.g., frequency, consequence, sophistication) for comprehensive socio-cyber vulnerability assessment. SCVI is validated using survey data (iPoll) and textual data (Reddit scam reports), demonstrating adaptability across modalities while revealing demographic disparities and regional vulnerabilities. Comparative analyses with the Common Vulnerability Scoring System (CVSS) and the Social Vulnerability Index (SVI) show the superior ability of SCVI to capture nuanced socio-technical risks. Monte Carlo-based weight variability analysis confirms SCVI is robust and highlights its utility in identifying high-risk groups. By addressing gaps in traditional metrics, SCVI offers actionable insights for policymakers and practitioners, advancing inclusive strategies to mitigate emerging threats such as AI-powered phishing and deepfake scams.

Figures (7)

• Figure 1: Comparison of IVI and ASI distributions and their contributing factors using the iPoll dataset.
• Figure 2: Comparison of IVI and ASI distributions and their contributing factors using the Reddit dataset.
• Figure 3: Sensitivity analysis of the iPoll dataset for IVI and ASI factors. Note that $w_A$, $w_B$, $w_P$, and $w_E$ are the weights for 'Awareness,' 'Behavioral,' 'Psychological,' and 'Experience' factors in the individual vulnerability index (IVI) correspondingly. $w_F$, $w_C$, and $w_S$ refer to 'Frequency,' 'Consequence,' and 'Sophistication' in the Attack Security Index (ASI), respectively.
• Figure 4: Sensitivity analysis of the Reddit dataset for IVI and ASI factors. Note that $w_A$, $w_B$, $w_P$, and $w_E$ are the weights for 'Awareness,' 'Behavioral,' 'Psychological,' and 'Experience' factors in the individual vulnerability index (IVI) correspondingly. $w_F$, $w_C$, and $W_S$ refer to 'Frequency,' 'Consequence,' and 'Sophistication' in the Attack Security Index (ASI), respectively.
• Figure 5: Monte Carlo analysis of SCVI components in the iPoll and Reddit datasets.