MORPHEUS: A Multidimensional Framework for Modeling, Measuring, and Mitigating Human Factors in Cybersecurity

Giuseppe Desolda, Francesco Greco, Rosa Lanzilotti, Cesare Tucci

TL;DR

MORPHEUS provides a comprehensive, theory-driven framework that reframes human factors in cybersecurity as a dynamic, interconnected system. By integrating the CAB model with Attribution Theory, it identifies 50 factors across six threat domains, maps 295 factor interactions into 12 mechanisms, and links to 99 validated psychometric tools and 8 practical scenarios. The framework enables granular risk diagnosis, ethical interventions, threat mapping, and monitoring, bridging theory and practice for human-centered cybersecurity. The work advances beyond fragmented prior models by offering a scalable, auditable methodology and actionable guidance for organizations to mitigate human-driven cyber risk.

Abstract

Current cybersecurity research increasingly acknowledges the human factor, yet remains fragmented, often treating user vulnerabilities as isolated and static traits. This paper introduces MORPHEUS, a holistic framework that operationalizes human-centric security as a dynamic and interconnected system. Grounded in the Cognition-Affect-Behavior (CAB) model and Attribution Theory, MORPHEUS consolidates 50 human factors influencing susceptibility to major cyberthreats, including phishing, malware, password management, and misconfigurations. Beyond factor identification, the framework systematically maps 295 documented interactions, revealing how cognitive, emotional, behavioral, and socio-organizational processes jointly shape security outcomes, and distills them into twelve recurring interaction mechanisms. MORPHEUS further links theory to practice through an inventory of 99 validated psychometric instruments, enabling empirical assessment and targeted intervention. We illustrate the framework's applicability through concrete operational scenarios, spanning risk diagnosis, training, and interface design. Overall, MORPHEUS provides a rigorous yet actionable foundation for advancing human-centered cybersecurity research and practice.

Paper Structure

This paper contains 78 sections, 8 figures, 2 tables.

Figures (8)

  • Figure 1: High-level overview of the MORPHEUS Framework. The central hub organizes $n=50$ human factors across six dimensions (Cognitive, Affective, Behavioral, Personality, Demographic, Social/Organizational), distinguishing between proximal Direct Factors (aligned with the internal CAB triad: Cognition, Affect, Behavior) and distal Modulators. The core is connected to four operational layers: (Top) mapping of factors to specific cyber-threat vectors; (Left) an inventory of $n=99$ validated measurement solutions; (Right) a network depicting $n=295$ documented interactions among factors; (Bottom) operational scenarios for applying the framework in risk diagnosis and intervention.
  • Figure 2: The Causal Pathway Architecture of MORPHEUS. The framework distinguishes between distal Modulators (Layer 1), categorized by attributional origin (Internal vs. External), and proximal Direct Factors (Layer 2). The final susceptibility outcome (Layer 3) is precipitated by behavior, which is driven by the interplay of all factors and adversarial triggers.
  • Figure 3: Summary of the interactions between the demographic human factors and the other factors. Legend: $\uparrow$ indicates a positive association between the traits, $\downarrow$ a negative association, $\sim$ a mixed or complex association, and $\times$ a modulation effect between the two factors.
  • Figure 4: Summary of the interactions between the personality-trait human factors and the other factors. Legend: $\uparrow$ indicates a positive association between the traits, $\downarrow$ a negative association, $\sim$ a mixed or complex association, and $\times$ a modulation effect between the two factors.
  • Figure 5: Summary of the interactions between the cognitive human factors and the other factors. Legend: $\uparrow$ indicates a positive association between the traits, $\downarrow$ a negative association, $\sim$ a mixed or complex association, and $\times$ a modulation effect between the two factors.
  • ...and 3 more figures