SocialHarmBench: Revealing LLM Vulnerabilities to Socially Harmful Requests

Punya Syon Pandey, Hai Son Le, Devansh Bhardwaj, Rada Mihalcea, Zhijing Jin

TL;DR

This work introduces SocialHarmBench, a large-scale benchmark designed to surface LLM vulnerabilities in sociopolitical contexts by evaluating 585 prompts across 7 domains and 34 countries. It presents a three-stage evaluation pipeline using HarmBench and StrongREJECT to quantify harmful-completion risk under baseline and adversarial conditions, including five jailbreak/attack methods and weight-space perturbations. The study reveals that current safeguards poorly generalize to politically charged tasks, with open-weight models especially susceptible, and demonstrates that attacks can push vulnerability metrics well beyond baseline levels. An influence-function analysis connects harmful generations to specific training data, highlighting data-level contributors to risk. The work highlights the need for defense strategies that incorporate sociopolitical awareness, cultural diversity, and adversarial robustness, and provides a foundation for ongoing, global safety testing of LLMs.

Abstract

Large language models (LLMs) are increasingly deployed in contexts where their failures can have direct sociopolitical consequences. Yet, existing safety benchmarks rarely test vulnerabilities in domains such as political manipulation, propaganda and disinformation generation, or surveillance and information control. We introduce SocialHarmBench, a dataset of 585 prompts spanning 7 sociopolitical categories and 34 countries, designed to surface where LLMs most acutely fail in politically charged contexts. Our evaluations reveal several shortcomings: open-weight models exhibit high vulnerability to harmful compliance, with Mistral-7B reaching attack success rates as high as 97% to 98% in domains such as historical revisionism, propaganda, and political manipulation. Moreover, temporal and geographic analyses show that LLMs are most fragile when confronted with 21st-century or pre-20th-century contexts, and when responding to prompts tied to regions such as Latin America, the USA, and the UK. These findings demonstrate that current safeguards fail to generalize to high-stakes sociopolitical settings, exposing systematic biases and raising concerns about the reliability of LLMs in preserving human rights and democratic values. We share the SocialHarmBench benchmark at https://huggingface.co/datasets/psyonp/SocialHarmBench.

Paper Structure

This paper contains 69 sections, 8 equations, 12 figures, 17 tables.

Figures (12)

  • Figure 1: Dataset description of SocialHarmBench. We cover 7 sociopolitical domains, 37 subtopics, and 3 functional templates to provide a holistic assessment of sociopolitical vulnerability. Additional details on dataset filtering and subtopic generation methodology can be found in Appendices \ref{subtopic-generation} and \ref{dataset-curation} with further temporal and geographic distributions in Appendices \ref{semantic} and \ref{geographic-distribution}.
  • Figure 2: Topic prevalence by region identity and sub-topic classification. We show total prompts clustered into sub-topics (bars) and total counts of each prompt type and covered region. Across prompt types and covered regions, we depict the over-representation factor (Appendix \ref{dataset-curation}) alongside the default baseline to demonstrate the comprehensiveness of sociopolitical vulnerability evaluations. Further sub-topic classification details can be found in Appendix \ref{subtopic-generation}.
  • Figure 3: Overall ASRs show heightened sociopolitical vulnerability in current LLMs. SocialHarmBench elicits malicious content from open-weight LLMs in sociopolitical contexts, with weight-tampering attacks being the most effective. Additional details on attack mechanisms and adversarial results are presented in Appendices \ref{adversarial-experimental-setup} and \ref{adversarial-results}.
  • Figure 4: Category-wise HarmBench scores across all attacks distinguish attack efficiency. Latent-space and input-space attacks are less effective when evaluating LLMs on SocialHarmBench; however, all attacks show heightened vulnerability to aiding historical revisionism and censorship. StrongREJECT scores across all attacks are presented in Appendix \ref{adversarial-results}.
  • Figure 5: Temporal and geographic ASRs expose amplified sociopolitical vulnerabilities. Current LLMs exhibit varied susceptibility to misuse across both historical ranges and region-specific prompts. In particular, prompts centered around the 21st century and Latin America, the USA, and the UK show higher vulnerability. SocialHarmBench provides a unified framework for evaluating LLMs across temporal and geographic dimensions (Appendices \ref{semantic} and \ref{geographic-distribution}).
  • ...and 7 more figures