Unintentional Insider Threats as Conduits of Social Engineering: A Systematic Review of Vulnerabilities, Reverse Social Engineering, and Mitigation Approaches

Research Square · Systematic Review

Ishara Barhoson Galadima, Norafida Bte Ithnin, Haliza Abdulwahab, and 2 more

This is a preprint; it has not been peer reviewed by a journal.
https://doi.org/10.21203/rs.3.rs-7734139/v1
This work is licensed under a CC BY 4.0 License.
Status: Posted (Version 1)

Abstract

Insider social engineering is emerging as a critical yet underexplored dimension of cybersecurity, while unintentional insider threats are still predominantly conceptualised as negligent or careless behaviour.
A particularly overlooked vector is insider-induced reverse social engineering, where malicious insiders deliberately manufacture problems and manipulate unsuspecting colleagues into initiating contact, thereby establishing trust and enabling exploitation. This study reframes unintentional insiders as active conduits of insider social engineering and proposes integrative socio-technical defences. A systematic literature review of 39 peer-reviewed articles published between 2014 and 2025 was conducted using PRISMA guidelines. The review consolidates fragmented conceptualisations of unintentional insider threats, classifies vulnerabilities across psychological, organisational, and socio-technical domains, and synthesises existing mitigation strategies. The analysis identifies three enduring shortcomings: the absence of a coherent conceptualisation of unintentional insiders as enablers of social engineering, the weak integration of technical and socio-technical countermeasures, and the lack of frameworks addressing insider and reverse social engineering. To address these gaps, the study contributes a taxonomy of vulnerabilities and mechanisms underpinning insider and reverse social engineering, a problem–solution mapping that aligns vulnerabilities with technical, socio-technical, and hybrid mitigation strategies, and a multi-layered socio-technical framework that integrates anomaly detection with behavioural and procedural indicators. These contributions advance conceptual clarity, reposition unintentional insiders as critical enablers of social engineering, and provide actionable foundations for hybrid socio-technical defences.

Keywords: Unintentional Insider Threats; Insider threat; Social engineering; Reverse social engineering; Deep learning; Cybersecurity; Human factor

1. Introduction

Insider social engineering occurs when a threat actor applies social engineering techniques to manipulate an unsuspecting colleague into disclosing sensitive corporate information or performing actions that compromise the organization, its assets, infrastructure, or personnel. This type of attack is typically executed when the malicious actor lacks direct access to the target and instead exploits human trust as an entry point. In contrast, an unintentional insider threat arises when an authorized employee or business associate, through inadvertent actions such as negligence, error, or policy non-compliance, unintentionally exposes organizational assets or information, thereby causing harm to the enterprise (Tsiostas et al., 2021). Social engineering is a significant threat to information security, targeting systems and networks by exploiting human vulnerabilities. Such attacks succeed when victims lack awareness of the techniques involved and are unfamiliar with effective models and frameworks for prevention (Syafitri et al., 2022a). Understanding insider threat scenarios such as privilege abuse, identity theft, and data leakage requires careful analysis of user behaviour patterns, the extraction of detailed behavioural characteristics, and the construction of behaviour sequences, all of which are paramount to effective insider threat detection (Tian et al., 2025). Insider threats are a critical security challenge for organizations, especially financial institutions, globally (Javaheri et al., 2024; Renaud et al., 2024). The Ponemon Research Institute’s 2023 Insider Threat Cost Report underscores the scale of this problem and the substantial resources required for effective mitigation: on average, organizations take 77 days to contain an insider threat incident and, alarmingly, only 12% of reported cases are resolved within 30 days (Jones, 2024).
These statistics show that insider threats remain one of the most persistent challenges in cybersecurity, with unintentional insider threats (UITs) increasingly recognised as critical enablers of breaches (Kammüller & Probst, 2017; Greitzer et al., 2014a). Unlike malicious insiders, UITs often arise from error, negligence, misjudgement, or intentional manipulation (Kotkova & Hromada, 2021). Their actions frequently provide attackers with pathways into organisational systems, particularly through social engineering (SE), where human vulnerabilities are exploited to bypass technical controls (Salahdine & Kaabouch, 2019; Canham et al., 2020). For example, Greitzer, Strozer, Cohen, Moore, et al. (2014b) examined UIT incidents originating from SE by analysing incident data, behavioural patterns, technical indicators, and potential precursors to better understand contributing factors. Similarly, Abdelsadeq et al. (2019), building on Ismail & Yusof (2018), developed a conceptual countermeasure model for UITs by highlighting human errors and behavioural activities in daily job tasks that are often exposed to breaches, enhancing the framework with mitigation strategies from existing literature. Takabi et al. (2018) introduced a novel method for detecting UITs by analysing users’ eye movements, capturing activity patterns to evaluate mental workload, a key factor underlying human error. Greitzer et al. (2014) concluded that while UITs share organisational precursors with malicious threats, their primary driver is human error, underscoring the need for human-centric mitigation strategies such as system usability improvements, fostering security culture, and maintaining a supportive work environment, rather than relying solely on technical controls.

Recent advances have turned attention to SE-specific mechanisms. Sharma et al. (2024) examined SE methods, showing how attackers reduce user security through manipulation.
Using the Social Engineering Detection Algorithm (SEDA), they identified fraudulent SE attempts by analysing message language against behavioural data, incorporating mood analysis, semantic matching, and language complexity metrics to detect suspicious patterns. Zewdie et al. (2024a) further extended this by proposing a deep learning (DL) based holistic detection system capable of identifying insider threats, whether intentional or unintentional, as well as vulnerabilities to external SE vectors such as phishing. Similarly, He et al. (2022) developed a double-layer DL detection system to identify phishing and insider threats in enterprise systems. Although these studies address SE attacks, phishing is the most prevalent SE vector in their literature.

Despite extensive research on insider threats and social engineering, the specific role of unintentional insiders in reverse social engineering (RSE) remains poorly conceptualised and rarely addressed empirically. Existing surveys and models primarily focus on malicious insiders or on phishing as the dominant social engineering vector (Salahdine & Kaabouch, 2019; He et al., 2022b). This narrow framing has resulted in three persistent gaps: (i) a conceptual gap in theorising UITs as conduits of social engineering, (ii) a mitigation gap where socio-technical approaches are seldom integrated into detection models, and (iii) an empirical blind spot concerning RSE scenarios, where victims are manipulated into initiating contact with attackers.

The main contributions of this research can be summarised as:

a) Taxonomy of Vulnerabilities and SE/RSE Mechanisms: A refined taxonomy is proposed that classifies vulnerabilities across psychological, organisational, and socio-technical domains. This taxonomy captures the mechanisms by which UITs are exploited in both SE and RSE scenarios, moving beyond generic notions of “human error” to detail specific behavioural, contextual, and structural enablers (Canham et al., 2020; David et al., 2015).

b) Problem and Solution Mapping of Mitigation Approaches: A systematic problem–solution map is developed that aligns identified vulnerabilities with mitigation strategies, distinguishing between technical, socio-technical, and hybrid approaches. While prior work has examined anomaly detection (Greitzer et al., 2021a) or awareness training in isolation, this mapping emphasises integrative defences that combine behavioural monitoring with automated detection of anomalous activities, ensuring a layered and adaptive security posture.

c) Multi-Layered Socio-Technical Detection Framework: The study introduces a conceptual framework for detecting RSE-based insider threats. The framework integrates three complementary layers:
   - Technical layer, focused on system logs, anomaly detection, and privilege escalation patterns.
   - Behavioural layer, centred on communication, sentiment analysis, and relational dynamics that reveal manipulation.
   - Procedural layer, monitoring deviations from established workflows and policy adherence.
   By correlating weak signals across these layers, the framework enhances detection fidelity and reduces false positives. It leverages machine learning (ML) and deep learning (DL) techniques to model behavioural baselines and identify anomalies indicative of RSE exploitation (Zewdie et al., 2024; He et al., 2022).

The novelty of this research lies in reframing unintentional insiders from passive, error-prone actors into active enablers of social engineering, particularly reverse social engineering. To the best of our knowledge, this is the first systematic review to explicitly conceptualise RSE as an internal social engineering vector and to propose a socio-technical detection framework tailored to it.
Unlike prior taxonomies that focus narrowly on phishing or malicious insiders, this work offers a comprehensive classification of vulnerabilities, systematically mapped to multi-layered mitigations. Furthermore, by embedding ML/DL techniques into a socio-technical defence model, it bridges the persistent divide between human-centred vulnerabilities and technical detection systems.

Accordingly, this review addresses the following research questions (RQs):

RQ1: What conceptualisations of unintentional insider threats exist in the literature, and how are they linked to social engineering?
RQ2: What behavioural mechanisms and vulnerabilities make UITs effective conduits for insider social engineering attacks?
RQ3: What mitigation strategies and defensive models have been proposed to address UITs induced by social engineering?
RQ4: What research gaps and future directions emerge for advancing detection and mitigation of UITs in the context of social engineering?

The remainder of the paper is organized as follows. Section 2, Related Studies, reviews the existing academic literature to establish the context and identify the critical research gap. Section 3, Methodology, details the systematic approach used for this review, including the search strategy, inclusion/exclusion criteria, and data analysis methods. Section 4, Thematic Synthesis and Statistical Analysis, presents the synthesized findings from the literature, organized by the key themes identified during the review. Section 5, Discussion, interprets these findings, explores their implications, and elaborates on the study's novel contributions, including the proposed taxonomy and framework. Section 6, Key Findings, addresses the RQs. Finally, Section 7, Conclusion and Future Research Direction, summarizes the key insights, acknowledges any limitations, and provides clear recommendations for future research.

2. Related Work

According to Tsiostas et al. (2021), “insider social engineering involves a threat actor who implements social engineering techniques against an unsuspecting co-worker in order to get from him sensitive corporate details or make him act in a way that will affect negatively the organisation, its assets, its equipment or its personnel”. In contrast, an unintentional insider threat arises when an authorized employee or business associate, through inadvertent actions such as negligence, error, or policy non-compliance, unintentionally exposes organizational assets or information, thereby causing harm to the enterprise (Tsiostas et al., 2021; Greitzer et al., 2021). Reverse social engineering is a deceptive form of social engineering attack in which adversaries manipulate victims into voluntarily initiating contact, often under the pretext of seeking assistance, thereby disclosing sensitive information or granting access to organizational systems (Bishnoi et al., 2023a). Unlike conventional attacks where the perpetrator directly solicits data, RSE exploits trust and perceived authority, making detection more difficult. Mitigation requires not only advanced technical safeguards but also continuous user awareness training and the presence of well-prepared security teams capable of recognizing such subtle manipulations (Bishnoi et al., 2023b).

Several surveys and literature reviews in cybersecurity have examined social engineering and insider threats, but they remain fragmented and reveal consistent blind spots. Collectively, these works provide important groundwork by classifying techniques, prevention measures, and insider typologies, yet they neither systematically address unintentional insider threats (UITs) as conduits of SE nor recognise reverse social engineering as a distinct insider threat attack vector.
In the contemporary cybersecurity paradigm, there is a broad and well-established consensus that the human factor represents the most persistent and unpredictable vulnerability in an organization's defense (Abulencia, 2021; Padayachee, 2022). Foundational surveys by Salahdine & Kaabouch (2019) and comprehensive systematic reviews by Syafitri et al. (2022) have extensively mapped the terrain of social engineering, solidifying its status as a primary threat vector. These attacks are uniquely effective because they bypass technological safeguards, such as firewalls and encryption, to directly target human psychology (Jones, 2024; Abiodun et al., 2025). They exploit deep-seated cognitive biases, including deference to authority, the desire to be helpful, and fear of negative consequences. In response to this pervasive threat, scholars have dedicated significant effort to developing countermeasures (Green et al., 2023; Ishaq et al., 2023; Kasowaki & Yusef, 2023; Oner et al., 2025). These range from multi-layered, machine learning-based security models designed to detect deceptive communications (Edwards et al., 2024; Edwards & Still, 2026) to sophisticated double-layer detection systems that aim to identify and neutralize attacks in real time (He et al., 2022b). However, a common thread in this body of work is its focus on externally initiated threats, often overlooking the nuanced ways these tactics can manifest from within. Although Bishnoi et al. (2023) make a comprehensive assessment of reverse social engineering to understand social engineering attacks, the study does not articulate insider threats induced by RSE or SE. Similarly, this narrative is substantiated by the work of Tsiostas et al. (2021): a significant and growing body of work now investigates the direct causal link between social engineering tactics and the activation of insider threats (Tsiostas et al., 2021).
Pioneering work in this area by Prabhu & Thompson (2020) and Sharma et al. (2024) explicitly connects the manipulative techniques of social engineering to the occurrence of security breaches in organizations. A critical insight from this research is its focus on Unintentional Insider Threats (UITs). This distinguishes the unwitting accomplice from the malicious actor, a crucial distinction, as studies consistently show that breaches caused by negligence or error are far more frequent than those caused by malicious intent. An external attacker effectively "weaponizes" an employee's trust and authorized access, turning them into a pawn who facilitates the breach. This turns the traditional security model on its head; the threat is no longer an external "other" trying to get in, but a trusted "insider" unwittingly opening the door from the inside.

Table I compares previous studies with our systematic literature review from various perspectives. Several studies also look into social engineering attacks (SEA) in cybersecurity and insider threats, focusing on specific attack vectors such as phishing (Kamruzzaman et al., 2023; He et al., 2022). For a general survey of social engineering and insider threats, however, we take a closer look at the works of Tsiostas et al. (2021), Zewdie et al. (2024a), Schoenherr (2022), Greitzer et al. (2014), Hussain et al. (2024), and Coffey (2018). As indicated in Table I, none of the previous related studies has considered insider social engineering through reverse social engineering as an internal social engineering attack vector for UITs. Although Tsiostas et al. (2021) highlight insider social engineering, they fall short of conceptualising it and of offering an empirical detection solution. Hence the new threats that could emerge from this vector have not been investigated.
To the best of our knowledge, this paper is the first to study insider social engineering attacks from the perspective of RSE as an internal insider threat, covering vulnerabilities, human factors, and proactive socio-technical mitigation of RSE-induced, insider social engineering-based insider threats.

Table I: Summary Comparison of Prior Study and the Present Study

Columns: Ref. | SE | SE + IT | ISE/RSE | HF | UITs + SE

(Edwards et al., 2024b) ✓ ✓
(Prabhu & Thompson, 2022) ✓
(Mittal & Garg, 2022) ✓
(Greitzer, et al., 2014b) ✓ ✓
(Sharma et al., 2024) ✓ ✓
(Canham et al., 2020a) ✓
(Osterritter & Carley, 2021) ✓
(Baugher & Qu, 2024a) ✓
(Zewdie et al., 2024a) ✓
(Mittal & Garg, 2023a) ✓
(Soh et al., 2019) ✓
(Sood et al., 2017) ✓ ✓ ✓
(Ifinedo, 2023) ✓
(Marbut & Harms, 2024) ✓
(He et al., 2022a) ✓
(Saxena et al., 2020a) ✓
(Bolukonda et al., 2024) ✓
(Schoenherr, 2022b) ✓
(Zimmer et al., 2022) ✓ ✓
(Ismail & Yusof, 2018) ✓ ✓
(Coffey, 2018b) ✓ ✓
(Mittal & Garg, 2023b) ✓
(Reveraert & Sauer, 2021) ✓ ✓
(MacAk et al., 2020) ✓ ✓
(Liu et al., 2017) ✓ ✓
(Salahdine & Kaabouch, 2019) ✓ ✓
(Sillanpää & Hautamäki, 2020) ✓
(Syafitri et al., 2022a) ✓ ✓
(Kamruzzaman et al., 2023b) ✓ ✓
(Rajchel et al., 2020) ✓
(Zangana et al., 2025) ✓
(Schoenherr & Thomson, 2021) ✓
(Hafizur Rahman et al., 2022) ✓
(Sridhar, 2025) ✓
(Khan et al., 2022) ✓ ✓
(Hussain et al., 2024b) ✓ ✓
(Green et al., 2023) ✓
(Greitzer, et al., 2014b) ✓
(Abdelsadeq et al., 2019a) ✓
(Bishnoi et al., 2023b) ✓ ✓
This study ✓ ✓ ✓ ✓ ✓

3. Methodology

This study follows the PRISMA methodology (Liberati et al., 2009) to ensure a systematic and transparent review of the literature on unintentional insider threats (UITs) and their relationship to social engineering (SE). The process comprised four stages: identification, screening, eligibility, and inclusion.
3.1 Identification

The search strategy was based on the query:

("insider threat" OR "Unintentional insider threat" OR "Non-Malicious insider" OR "insider threat detection") AND ("social engineering") AND (vulnerability OR "human factor")

The above query was applied to five major databases: Web of Science (WoS), Scopus, Springer, ACM Digital Library, and IEEE Xplore. The initial retrieval identified 448 records from WoS, 16 from Scopus, 168 from Springer, 219 from ACM, and 262 from IEEE, for a total of 1,113 records.

3.2 Screening

Duplicates were removed, and the titles and abstracts of the remaining studies were screened for relevance. Studies not directly addressing insider threats, social engineering, or human factors were excluded at this stage. As shown in Fig. 3, research activity increased steadily from 2014 to 2020, with a peak around 2017–2020. The recent years (2023–2025) show fewer but more targeted studies, reflecting the emerging interest in UITs and RSE specifically. The distribution of reviewed papers in Fig. 3 shows that IEEE Xplore (23.1%), Springer Link (20.5%), and ScienceDirect/Elsevier (17.9%) are the dominant sources, together contributing over 60% of the total studies. ACM Digital Library (15.4%) also represents a significant share, while Wiley/Taylor & Francis (10.3%) and MDPI/Hindawi/Emerald (7.7%) contribute moderately. Miscellaneous sources (5.1%) provided the least. This trend demonstrates the concentration of insider threat and social engineering research within a few leading digital libraries, reinforcing their role as primary repositories for high-impact scholarly contributions in the field.

3.3 Eligibility

Full texts of 120 studies were assessed against the inclusion criteria:
- Published between 2014 and August 2025.
- Written in English.
- Focused on insider threats and social engineering, human factors, or their intersections.
- Published in peer-reviewed journals or reputable conferences.
At this stage, studies that were purely opinion pieces or lacked empirical or conceptual contributions were excluded.

3.4 Inclusion

A total of 39 studies were included for qualitative synthesis, comprising 29 journal articles (74%), 6 conference papers (15%), and 4 surveys or systematic reviews (11%). The predominance of journal publications indicates that research on unintentional insider threats (UITs) and social engineering (SE) is primarily disseminated through peer-reviewed journals, reflecting the domain’s academic maturity and methodological rigor. Conference proceedings provide a smaller but important stream of emerging findings, while systematic reviews and surveys highlight efforts toward consolidation and knowledge structuring within the field. To provide a novel taxonomy of UITs and ISE and corresponding mitigation and detection methods, we first manually classified the papers included for qualitative synthesis (Step 4) into two groups, ‘Vulnerability’ and ‘Detection’, which are studied in Section 4 and Section 5, respectively.

4. Implication of Insider Social Engineering as Conduits of Social Engineering

The papers included for qualitative synthesis (Step 4) were further manually labelled and classified into three overarching categories: technical vulnerabilities, human factors, and socio-technical vulnerabilities. This classification extends and refines prior taxonomies of insider and social engineering threats. For instance, Baugher & Qu (2024b), Chaipa et al. (2022), Masood & Masood (2021), and Renaud et al. (2024b) adopt a broader socio-technical systems perspective, integrating the human element as either the originator, medium, or executor of threats into the technology-based taxonomy. Similarly, Akhunzada et al. (2015), Birthriya et al. (2025), and Zaoui et al. (2024) underscore that social engineering human factors in security procedures and internal controls also constitute vulnerabilities.
Yet, despite recognition of these dimensions, insider social engineering and procedural elements remain underexplored. To bridge this gap, our survey is, to the best of our knowledge, the first to systematically integrate UITs as conduits of insider social engineering, together with socio-technical procedures, into a unified taxonomy of vulnerabilities and corresponding mitigations.

4.1 Technical Vulnerabilities

Papers were further subdivided into subclasses, and the analysis reveals that the majority of vulnerabilities exploited in insider threat and social engineering contexts stem not solely from technology, but from the interplay between human factors and organisational weaknesses. These vulnerabilities enable attackers to manipulate unintentional insiders into becoming conduits of breaches, often through social engineering and reverse social engineering. Key issues include psychological manipulation (e.g., authority, trust, urgency), procedural gaps (e.g., bypassing formal support channels), and socio-technical dependencies (e.g., reliance on informal experts, weak workflow controls). Accordingly, the following subsections present the subclasses across the three main groups (technology-based, human-originated, and procedure-related vulnerabilities), with specific emphasis on how they facilitate SE and RSE attacks.

4.1.1 Phishing and Spear-Phishing Vectors

Phishing remains the most dominant SE vector, repeatedly highlighted in the literature as the primary entry point for exploiting unintentional insiders. Phishing emails and spear-phishing campaigns are designed to bypass technical filters by exploiting cognitive shortcuts such as authority and urgency (Salahdine & Kaabouch, 2019). Empirical studies demonstrate that UITs, lacking training or operating under stress, are particularly vulnerable to fraudulent links and attachments, enabling attackers to pivot deeper into systems (He et al., 2022d).
In the context of RSE, phishing can escalate into problem–solution dynamics, where attackers first generate a disruption and then redirect victims to “trusted” but malicious assistance.

4.1.2 Malware Delivery

Malware remains a persistent technical vulnerability, often spread through phishing vectors or compromised websites. UITs are frequently the unwitting executors, clicking links or downloading attachments without verifying authenticity. This behaviour aligns with SE manipulation, where trust and reciprocity biases are weaponised (Gallo et al., 2024; House & Raja, 2020; Maheswaran et al., 2025). Malware can then establish persistence, exfiltrate data, or create backdoors that facilitate subsequent RSE engagement.

4.1.3 Ransomware Attacks

Ransomware constitutes a growing socio-technical threat in which UITs inadvertently activate malicious payloads. Once triggered, attackers generate high-pressure conditions by locking critical files and demanding payment. Studies show that insiders, operating under stress, may bypass organisational protocols and seek “informal” help or comply with malicious instructions (Zewdie et al., 2024b). This dynamic demonstrates how ransomware acts as both a technical and psychological exploit, driving UITs into attacker-controlled problem–solution cycles characteristic of RSE.

4.1.4 Scareware Campaigns

Scareware represents a class of deceptive alerts or warnings that manipulate UITs into believing their systems are compromised. These fake notifications often include urgent prompts to contact fraudulent support services, effectively engineering victim-initiated contact. As documented in case-based studies, scareware bridges psychological manipulation (fear, urgency) with procedural exploitation (bypassing IT support), thus aligning closely with the RSE model (L. Edwards et al., 2024c).
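
The victim-initiated contact pattern described in 4.1.2 to 4.1.4 (a problem appears, the user seeks help outside official support, no ticket exists) can be checked by correlating one weak signal from each of the technical, behavioural and procedural layers. The sketch below is an added example, not code from the paper or the studies it reviews; the event kinds, field names, 60-minute window and approved support channels are assumptions, and the sample events are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this sketch: event kinds, field names and the approved
# support channels below are hypothetical, not taken from the reviewed paper.
WINDOW = timedelta(minutes=60)
APPROVED_SUPPORT = {"ext-4000", "helpdesk@corp.example"}
PROBLEM_KINDS = {"security_popup", "service_disruption", "account_lockout"}
FOLLOWUP_KINDS = {"remote_access_session", "privilege_change", "credential_reset"}


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    layer: str   # "technical", "behavioural" or "procedural"
    kind: str
    detail: str = ""


def correlate(events, window=WINDOW):
    """Flag users whose help-seeking after a problem bypassed official support.

    A finding needs one weak signal from each layer inside the window:
      technical   - a problem appears on the user's system
      behavioural - the user then contacts a party outside approved support
      procedural  - no helpdesk ticket is opened for the problem
    Access-changing activity after the contact raises severity to "high".
    """
    ordered = sorted(events, key=lambda e: e.ts)
    findings = []
    for trigger in ordered:
        if trigger.layer != "technical" or trigger.kind not in PROBLEM_KINDS:
            continue
        later = [e for e in ordered
                 if e.user == trigger.user
                 and trigger.ts < e.ts <= trigger.ts + window]
        contacts = [e for e in later
                    if e.layer == "behavioural"
                    and e.kind == "outbound_contact"
                    and e.detail not in APPROVED_SUPPORT]
        ticket_opened = any(e.layer == "procedural"
                            and e.kind == "helpdesk_ticket_opened"
                            for e in later)
        if not contacts or ticket_opened:
            continue  # fewer than three layers agree: stay quiet
        first_contact = contacts[0]
        followups = [e.kind for e in later
                     if e.layer == "technical"
                     and e.kind in FOLLOWUP_KINDS
                     and e.ts > first_contact.ts]
        findings.append({
            "user": trigger.user,
            "problem": trigger.kind,
            "contact": first_contact.detail,
            "followups": followups,
            "severity": "high" if followups else "medium",
        })
    return findings


def at(hhmm):
    """Constructed timestamp on a single sample day."""
    hour, minute = map(int, hhmm.split(":"))
    return datetime(2025, 1, 6, hour, minute)


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    # alice: pop-up, calls the number it shows, no ticket, then a remote session
    Event(at("09:00"), "alice", "technical", "security_popup", "fake AV alert"),
    Event(at("09:04"), "alice", "behavioural", "outbound_contact", "+1-555-0100"),
    Event(at("09:12"), "alice", "technical", "remote_access_session", "unknown tool"),
    # bob: same kind of problem, handled through the official channel
    Event(at("10:00"), "bob", "technical", "account_lockout"),
    Event(at("10:03"), "bob", "behavioural", "outbound_contact", "ext-4000"),
    Event(at("10:05"), "bob", "procedural", "helpdesk_ticket_opened", "TICKET-PLACEHOLDER"),
    Event(at("10:20"), "bob", "technical", "credential_reset"),
    # carol: an unfamiliar contact with no preceding problem (single layer only)
    Event(at("10:30"), "carol", "behavioural", "outbound_contact", "+1-555-0101"),
    # dave: disruption, asks an informal "expert" colleague, no ticket
    Event(at("11:00"), "dave", "technical", "service_disruption"),
    Event(at("11:10"), "dave", "behavioural", "outbound_contact", "mallory@corp.example"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Requiring agreement across all three layers is what keeps bob (official channel, ticket opened) and carol (a single behavioural signal) out of the findings.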
4.1.5 Misconfigured Access Controls

Weak authentication mechanisms, default passwords, and poorly managed privileges remain recurring vulnerabilities exploited in UIT incidents. Organisational studies highlight that inadequate role-based access control not only increases attack surfaces but also creates conditions for insider misuse (Abdelsadeq et al., 2019a). In SE and RSE contexts, attackers can exploit these misconfigurations by persuading UITs to escalate privileges or share credentials, thereby magnifying insider risk.

4.1.6 Detection System Gaps

Despite advances in anomaly detection, many organisations still rely on outdated SIEM rules and limited signature-based defences. These detection gaps fail to capture the subtle precursors of UIT exploitation, such as unusual communication patterns or deviations from workflow (Claycomb et al., 2022; Greitzer, 2019). Studies show that UIT-driven anomalies often blend with legitimate activity, making them hard to isolate without hybrid ML/DL-enhanced socio-technical systems. RSE in particular thrives in these detection blind spots, as it operates across behavioural and procedural layers not adequately monitored by existing tools.

4.2 Human-Originated Vulnerabilities

Human-originated vulnerabilities capture the psychological and behavioural weaknesses that attackers systematically exploit, often magnified under stress, fatigue, or authority pressure. Unlike purely technical flaws, these vulnerabilities manifest in everyday organisational practices and interpersonal interactions, positioning unintentional insiders as particularly attractive conduits for manipulation. The literature consistently highlights that attackers exploit heuristics such as authority, reciprocity, urgency, and cognitive overload to engineer insider compliance (Canham et al., 2020).
Such vulnerabilities not only enable phishing and other social engineering vectors but also underpin reverse social engineering, where the insider is persuaded to initiate contact.

4.2.1 Authority and Impersonation

Authority is among the most potent levers of manipulation, with attackers often posing as IT support, auditors, or senior managers to gain compliance. Empirical evidence confirms that UITs are especially vulnerable when authority cues override normal security practices, leading to the disclosure of credentials or the circumvention of controls (Canham et al., 2020a). RSE exploits this mechanism by manufacturing problems and presenting the attacker as an “expert,” encouraging insiders to seek their guidance and thereby granting deeper system access.

4.2.2 Trust and Reciprocity

Trust and reciprocity form the foundation of many workplace interactions, yet attackers weaponise these values to create false legitimacy. As Coffey (2018b) demonstrates, victims frequently initiate contact with attackers believing them to be trusted helpers or colleagues. The reciprocal obligation to return “assistance” fosters a sense of indebtedness, compelling UITs to share sensitive information or provide access. This vulnerability is central to RSE, where the insider becomes the driver of engagement under the illusion of mutual trust.

4.2.3 Urgency, Stress, and Fear

Stress cues and manufactured urgency are widely reported as accelerants of insider error. Studies confirm that UITs under time pressure or fear of negative consequences are more likely to act hastily, bypassing verification steps or ignoring security policies (Abdelsadeq et al., 2019b). Attackers craft urgent problem scenarios such as “system failure” or “account compromise” to trigger impulsive responses. In the RSE context, urgency not only increases the likelihood of victim compliance but also channels insiders toward the attacker as a seemingly immediate solution.
4.2.4 Behavioural Fatigue and Cognitive Overload

Behavioural fatigue and cognitive overload emerge when insiders face high workloads, multitasking, or distraction. Takabi et al. (2018) demonstrate that such conditions reduce vigilance and impair judgment, significantly increasing susceptibility to manipulation. In this state, UITs are less likely to scrutinise suspicious prompts, verify the legitimacy of requests, or follow formal reporting channels. RSE thrives in these contexts, exploiting insiders’ need for quick resolutions by offering fraudulent “support” that appears to reduce their cognitive burden.

Table II: Taxonomy of Vulnerabilities and SE/RSE Mechanisms

| Main Category | Subclass | Description | Example | Ref |
|---|---|---|---|---|
| Technology-Based Vulnerabilities | Phishing & Spear-Phishing | Fraudulent messages designed to trick users into revealing sensitive data. | Malicious link in corporate email directing user to attacker’s page. | (Salahdine & Kaabouch, 2019; D. J. He et al., 2022) |
| Technology-Based Vulnerabilities | Malware, Ransomware, Scareware | Malicious software creates fake problems, coercing users into seeking help. | Fake “antivirus alert” prompting user to call attacker. | (Zewdie et al., 2024a) |
| Technology-Based Vulnerabilities | Misconfigured Access Controls | Weak authentication/privilege setups expose insider systems. | Default admin credentials exploited by attacker. | (Abdelsadeq et al., 2019a) |
| Technology-Based Vulnerabilities | Detection System Gaps | Legacy detection tools fail to capture insider-RSE anomalies. | SIEM bypassed due to lack of behavioural analysis. | (Greitzer, Strozer, Cohen, Moore, et al., 2014a) |
| Human-Originated Vulnerabilities | Authority & Impersonation | Attackers exploit authority bias by posing as trusted figures. | Attacker posing as IT support requesting login credentials. | (Canham et al., 2020b) |
| Human-Originated Vulnerabilities | Trust & Reciprocity | Victim initiates contact, believing attacker to be helpful. | Insider calls fake helpdesk number advertised in pop-up. | (Coffey, 2018a) |
| Human-Originated Vulnerabilities | Urgency, Stress, Fear | Emotional manipulation forces quick, unthinking response. | Email warning of “account suspension” unless action taken. | (Alohaly et al., 2022) |
| Human-Originated Vulnerabilities | Cognitive Overload & Fatigue | Workload stress reduces vigilance, heightening UIT risk. | Employee distracted during deadline falls for spear-phishing. | (Takabi et al., 2018) |
| Socio-Technical / Procedural Vulnerabilities | Bypassing Formal Support Channels | Employees rely on informal help, bypassing secure IT protocols. | Insider calls colleague instead of official helpdesk. | (Green et al., 2023) |
| Socio-Technical / Procedural Vulnerabilities | Weak Security Culture & Training Deficits | Inconsistent awareness training fails to embed secure practices. | Employees click phishing emails despite annual awareness sessions. | (Georgiadou et al., 2022a) |
| Socio-Technical / Procedural Vulnerabilities | Organisational Workflow Weaknesses | Policy–practice misalignments create exploitable vulnerabilities. | Remote work policy lacking secure escalation processes. | (Greitzer, Purl, et al., 2019a) |

This taxonomy integrates technical, human, and socio-technical vulnerabilities, systematically captured from the 39 articles. Phishing and malware dominate the technology-based category, reinforcing the centrality of email and malware vectors. Human factors (authority, trust, urgency, and fatigue) emerge as critical enablers of UIT exploitation, reframing insiders from “careless actors” to targets of deliberate psychological manipulation. Finally, socio-technical weaknesses, such as bypassed support channels, poor security culture, and workflow gaps, remain underexplored yet highly relevant to reverse social engineering, where attackers manufacture problems and exploit organisational help-seeking behaviours. Collectively, the taxonomy establishes the foundation for the problem–solution mapping (Table V), where each vulnerability is aligned with corresponding technical, socio-technical, and hybrid mitigation strategies.

4.3 Socio-Technical / Procedural Vulnerabilities

Socio-technical vulnerabilities emerge at the intersection of organisational workflows, security culture, and human behaviour.
Unlike purely technical flaws or individual psychological weaknesses, these vulnerabilities are embedded in organisational norms and procedural gaps, making them particularly difficult to address with conventional controls. The literature underscores that insiders often bypass formal processes, rely on informal expertise, or operate within weak security cultures where policies are poorly enforced or inconsistently communicated (Greitzer, Purl, et al., 2019a). These weaknesses provide fertile ground for social engineering and reverse social engineering by enabling attackers to exploit the structural inefficiencies of organisations rather than relying solely on individual manipulation.

4.3.1 Bypassing Formal Support Channels

One of the most persistent vulnerabilities involves employees seeking assistance from informal colleagues or “local experts” rather than secure IT helpdesks. Green & Dozier (2023a, 2023b, 2023c), Kasowaki & Yusef (2023), Qashqari et al. (2020), and Zangana et al. (2025) highlight how such practices create shadow channels of problem resolution, which attackers can infiltrate by presenting themselves as helpful peers. In RSE scenarios, this bypass becomes a critical exploit path: victims, misdirected by urgency or trust, reach out to the attacker instead of the designated support infrastructure, granting attackers privileged access.

4.3.2 Weak Security Culture and Training Deficits

A weak security culture compounds the risks of UIT exploitation, with organisations frequently treating training as a compliance checkbox rather than embedding security awareness into daily practices. Georgiadou et al. (2022b) demonstrate that overreliance on one-off training leaves employees ill-prepared to detect novel or sophisticated social engineering attempts. In such contexts, UITs fail to apply learned protocols when under pressure, thereby increasing their susceptibility to SE and RSE.
Attackers exploit this gap by crafting scenarios that appear routine, knowing employees lack the adaptive knowledge to challenge them.

4.3.3 Organisational Workflow Weaknesses

Organisational workflows often present exploitable misalignments between technical controls and user behaviour. Greitzer, Purl, et al. (2019b) show that policies, although formally established, are not consistently enforced or are circumvented when they slow down productivity. This disconnect creates openings for attackers to manipulate UITs into taking shortcuts such as transferring files outside authorised repositories or sharing credentials to expedite tasks. In RSE, attackers amplify these workflow weaknesses by creating fabricated technical problems that appear solvable only through policy deviation, thereby turning procedural flexibility into a vulnerability.

4.4 Reverse Social Engineering Phases, Vulnerabilities, and Insider Manipulation

Reverse Social Engineering represents a critical but underexplored dimension of insider-enabled social engineering, characterised by the attacker manufacturing a problem, advertising themselves as the solution, and ultimately eliciting contact from the victim. While this three-phase model has been documented in external attacker scenarios, its implications for insider threats are far more severe. Unlike external attackers, who must first establish credibility, malicious insiders benefit from pre-existing organisational trust, knowledge of workflows, and access to communication channels. This positional advantage enables them to stage highly plausible “sabotages,” leverage informal trust networks, and exploit unintentional insiders into initiating contact (Bishnoi et al., 2023b; Irani et al., 2011).

Table III. Core Dimensions of Reverse Social Engineering and Insider Manipulation

| Aspect | Key Insights | Implications for Malicious Insider Exploitation |
|---|---|---|
| Core phases of RSE (sabotage, advertising, assistance) | Attackers manufacture problems, present themselves as a solution, and receive insider-initiated contact. | Malicious insiders can stage believable “sabotages” (e.g., blocking a workflow), then present themselves as informal support, bypassing official helpdesk. |
| Psychological principles | Authority, reciprocity, urgency, stress, and trust. | Insiders exploit existing hierarchies (manager, IT staff) to appear legitimate; stress and urgency lower vigilance among colleagues. |
| Attack vectors | Phishing emails, fake technical support, ransomware alerts, scareware prompts. | Malicious insiders enhance these by tailoring to local systems, workflows, and peer relationships, making attacks harder to distinguish from genuine problems. |
| Countermeasures | Technical: anomaly detection, MFA, firewalls. Organisational: policies, incident response. Human: awareness and training. | Gaps persist in correlating technical anomalies with socio-technical behaviours; malicious insiders often evade detection by blending into organisational norms. |
| Research gaps | RSE remains under-theorised; lack of empirical case studies; absence of hybrid socio-technical detection models. | Calls for ML/DL-driven socio-technical frameworks that integrate technical, behavioural, and procedural signals to detect insider-induced RSE. |

Table III highlights core dimensions of how malicious insiders take advantage of the socio-technical environment to manipulate UITs into conduits of exploitation. In the sabotage phase, an insider may deliberately misconfigure access controls or simulate a system error, exploiting procedural gaps they know will trigger reliance on informal support. During the advertising phase, the insider positions themselves as a “trusted helper,” often leveraging authority or reciprocity cues to reinforce legitimacy.
In the assistance phase, the UIT initiates contact, unknowingly validating the attacker’s credibility and providing access that would otherwise be scrutinised if requested by an external actor. This dynamic demonstrates that UITs cannot be dismissed as passive actors or “human errors.” Instead, they function as critical enablers of insider-led RSE, where manipulation is embedded within everyday organisational processes. Recognising this shift reframes UITs as socio-technical vulnerabilities and underscores the urgent need for integrated detection models capable of correlating behavioural, procedural, and technical indicators.

Figure 7 illustrates the dual pathways of reverse social engineering, contrasting external attackers, who must manufacture trust through fake authority and common vectors such as phishing and scareware, with malicious insiders, who exploit pre-existing organisational trust and workflows. Both follow the sabotage–advertising–assistance cycle, yet while external actors rely on fabricated system errors and fraudulent support channels, insiders can subtly misconfigure processes, pose as trusted colleagues, and leverage established socio-technical dependencies. This distinction highlights the novelty of our contribution: reframing unintentional insiders not as passive victims of generic “human error,” but as active conduits of manipulation uniquely vulnerable to insider-driven RSE. By mapping both external and insider scenarios in a single framework, the study advances conceptual clarity and provides a foundation for hybrid socio-technical defences tailored to the neglected problem of insider-based RSE.

4.5 Comparison of Vulnerabilities

The literature highlights that vulnerabilities underpinning unintentional insider threats (UITs) manifest differently across psychological, organisational, and socio-technical domains.
A comparative perspective (Table IV) shows that while psychological vulnerabilities primarily exploit cognitive and emotional weaknesses, organisational vulnerabilities stem from cultural and procedural deficiencies, and socio-technical vulnerabilities emerge at the human–technology interface. Importantly, reverse social engineering exploits all three domains simultaneously: psychological triggers (e.g., stress, trust, authority), organisational weaknesses (e.g., weak reporting structures, informal support networks), and socio-technical lapses (e.g., procedural bypasses, anomalous workflow behaviours). This comparison underscores the need for hybrid detection and mitigation approaches that integrate behavioural and technical perspectives.

Table IV: Comparison of Vulnerabilities Across Domains

| Domain | Key Vulnerabilities | Manifestation in SE/RSE | Mitigation Orientation |
|---|---|---|---|
| Psychological | Stress, cognitive overload, trust bias, urgency, authority pressure | Users comply with fraudulent requests; initiate contact under stress or when “help” is offered | Behavioural training, stress-aware workload design |
| Organisational | Weak policies, reliance on informal “experts,” inadequate training, poor incident reporting | Insiders bypass helpdesk; contact malicious “expert”; lack of escalation structures | Organisational culture reform, adaptive policies |
| Socio-Technical | Workflow bypasses, poor usability, lack of monitoring, weak integration between human and technical controls | Victims deviate from secure workflows (e.g., shortcut access), leading to exploitable patterns | Hybrid socio-technical frameworks with ML/DL analytics |

Table V. Problem–Solution Mapping: Vulnerabilities → Mitigation Strategies

| Vulnerability Subclass | Technical Mitigations | Socio-Technical Mitigations | Hybrid / AI-ML Mitigations | Supporting References |
|---|---|---|---|---|
| Phishing & Spear-Phishing | Advanced email gateways, DMARC/DKIM/SPF, URL detonation sandboxes | Role-specific training, simulated phishing, just-in-time warnings, clear escalation paths | LSTM/Bi-LSTM/XGBoost email classifiers; behavioural baselining for click anomalies | (Salahdine & Kaabouch, 2019; He et al., 2022a; Syafitri et al., 2022a) |
| Malware / Ransomware / Scareware | EDR/NGAV, app whitelisting, macro restrictions, network segmentation, backup/restore drills | Anti-scareware awareness, “call IT not a number” policy, incident playbooks | DL-based malware traffic analysis; cross-signal fusion (host + comms cues) | (Coffey, 2018b; Zewdie et al., 2024a) |
| Misconfigured Access Controls | MFA, least-privilege, just-in-time access, PAM/secret vaults, automatic misconfig scans | Joiner-mover-leaver governance, peer reviews for privilege changes | Risk-adaptive access using ML risk scores; anomaly detection on access graphs | (Bolukonda et al., 2024) |
| Detection System Gaps | Modern SIEM with UEBA, log normalization, high-fidelity alerting | SOC runbooks linking human cues to alerts; red/blue exercises | UEBA with sequence models; attention over multi-stream telemetry (email, auth, DLP) | (Greitzer et al., 2021c; Rajchel et al., 2020) |
| Authority & Impersonation | Caller ID verification, helpdesk ticket binding, identity proofing for support | Anti-authority bias training; mandatory ticket-first policy; “no creds over chat/call” | NLP on help interactions to detect power-cue pressure; graph deviations in contact patterns | Analyzing the Human Element; (Sharma et al., 2024; Xiangyu et al., 2017) |
| Trust & Reciprocity | Verified support channels; signed admin tools; block sideloading | “Trusted helper” registry; mentorship with security guardrails; public key verification norms | Social graph anomaly detection; RSE-indicator scoring (victim-initiated contact) | (Khadka & Ullah, 2025; Sillanpää & Hautamäki, 2020) |
| Urgency, Stress, Fear | Rate-limit risky actions; step-up auth under pressure contexts | Micro-learning on urgency cues; workload management to reduce fatigue | Sentiment/tonality analysis in tickets; stress-signal fusion with action anomalies | (Schoenherr & Thomson, 2021) |
| Cognitive Overload & Fatigue | Session timeouts, friction for high-risk actions, safe defaults | Usability-first security; spaced training; fatigue-aware scheduling | Passive workload inference; policy adaptation via ML fatigue predictors | (Green et al., 2023; Takabi et al., 2018) |
| Bypassing Formal Support Channels | Forced routing to official helpdesk (SSO), shadow-IT detection, chat monitoring for “help” keywords | “No side-channel support” policy; social norms for escalation | Org-network analytics to flag unusual helper hubs; ticket-to-action correlation | (Green et al., 2023) |
| Weak Security Culture & Training Deficits | Training LMS integration with controls; policy-as-code enforcement | Continuous, role-tailored simulations; leadership modelling; security champions | Adaptive training based on risk profiles; RL-driven simulation curricula | (Birthriya et al., 2025; Syafitri et al., 2022a, b) |
| Organisational Workflow Weaknesses | Workflow enforcement in IAM/ITSM; DLP on sensitive processes | Process mapping with security checkpoints; “two-person rule” for high-risk steps | Process-mining + ML to detect deviations; sequence-anomaly detectors for RSE | (Greitzer, et al., 2014b) |

The mapping shows that single-layer controls (purely technical or purely awareness-based) are insufficient for insider-enabled social engineering, especially reverse social engineering. The most effective responses are hybrid: correlate technical anomalies (e.g., odd privilege jumps, unusual data access) with behavioural and procedural cues (e.g., victim-initiated contact, urgency-laden communications, bypassed helpdesk).
This aligns with the double-layer detection evidence (He et al., 2022a) and with DL-based fusion models that outperform single-stream baselines (Zewdie et al., 2024a).

5. Results of Review

The systematic review of 39 empirical and conceptual studies reveals that unintentional insider threats are not isolated lapses of human error, but structured vulnerabilities that attackers exploit through social engineering and reverse social engineering. The findings consolidate technical, human-originated, and socio-technical vulnerabilities into an interdependent taxonomy (Table VI), demonstrating how each domain creates opportunities for adversaries to bypass technical defences and manipulate insiders into becoming conduits of exploitation.

5.1 Technical Vulnerabilities and Exploitation Pathways

Technical weaknesses remain a dominant focus in the reviewed literature, particularly in studies on phishing, spear-phishing, malware, and ransomware. Phishing is consistently identified as the most prevalent SE vector, accounting for the majority of UIT exploitation cases (He et al., 2022b; Salahdine & Kaabouch, 2019). Fake login portals, malicious links, and scareware alerts deceive users into disclosing credentials or initiating communication with attackers. Ransomware and scareware exemplify how adversaries create artificial system “failures” to trigger panic and induce UITs to seek “assistance” from the attacker (Zewdie et al., 2024a). Beyond direct attack vectors, structural flaws such as misconfigured access controls (Abdelsadeq et al., 2019a) and outdated anomaly detection systems (Greitzer et al., 2014b) exacerbate risks by enabling UITs to unwittingly overstep privileges or ignore subtle anomalies. The convergence of these flaws with human behaviour highlights that technical vulnerabilities alone cannot explain the scale of UIT exploitation; rather, they are catalysed by psychological manipulation and procedural gaps.
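The hybrid correlation described in the problem–solution mapping (a technical anomaly joined to victim-initiated contact, urgency-laden communication and a bypassed helpdesk, i.e. Table V's "RSE-indicator scoring" and "ticket-to-action correlation") can be expressed as a rule-based scorer over merged chat, ITSM and IAM events. This is an added example, not code from the authors or the reviewed studies; the event schema, identities, urgency vocabulary, weights, threshold and sample log are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions for this example: identities, vocabulary, weights and threshold
# are illustrative and would come from ITSM/IAM configuration and tuning.
OFFICIAL_SUPPORT = {"helpdesk@corp.example"}
URGENCY_TERMS = ("urgent", "immediately", "locked out", "suspended", "deadline")
WINDOW = timedelta(hours=2)          # how far back to look from a privilege change
WEIGHTS = {
    "victim_initiated_informal_contact": 3,   # behavioural cue
    "urgency_language": 2,                    # behavioural cue
    "helper_benefits_from_change": 4,         # technical + social-graph cue
    "no_ticket_before_change": 3,             # procedural cue (bypassed helpdesk)
}
ALERT_THRESHOLD = 8


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str        # "contact" | "ticket" | "priv_change"
    user: str        # account that initiated the contact, ticket or change
    peer: str = ""   # contact: who was contacted; priv_change: who gained access
    text: str = ""   # contact: message body


def at(hhmm):
    """Timestamp helper for the constructed sample day."""
    return datetime.strptime("2025-01-15 " + hhmm, "%Y-%m-%d %H:%M")


# Constructed sample telemetry: chat, ITSM and IAM logs merged into one stream.
SAMPLE_EVENTS = [
    # alice follows the formal path: ticket first, official helpdesk contact.
    Event(at("09:00"), "ticket", "alice"),
    Event(at("09:05"), "contact", "alice", "helpdesk@corp.example",
          "VPN token expired, ticket raised"),
    Event(at("09:30"), "priv_change", "alice", "alice"),
    # bob reaches out to an informal helper under pressure, then grants access.
    Event(at("10:00"), "contact", "bob", "dave@corp.example",
          "Shared drive is locked out, need it fixed immediately"),
    Event(at("10:20"), "priv_change", "bob", "dave@corp.example"),
    # carol chats informally, but no technical anomaly follows.
    Event(at("11:00"), "contact", "carol", "erin@corp.example",
          "Is the printer on floor 3 working?"),
]


def score_rse(events, window=WINDOW):
    """Score each privilege change by the cues that preceded it for the same user.

    Returns {user: {"score": int, "reasons": [str], "alert": bool}} holding the
    highest-scoring change per user. Users with no privilege change are absent:
    behavioural cues alone are not treated as an incident.
    """
    events = sorted(events, key=lambda e: e.ts)
    findings = {}
    for change in (e for e in events if e.kind == "priv_change"):
        # Everything the same user did in the look-back window before the change.
        prior = [e for e in events
                 if e.user == change.user
                 and timedelta(0) <= change.ts - e.ts <= window]
        informal = [e for e in prior
                    if e.kind == "contact" and e.peer not in OFFICIAL_SUPPORT]
        reasons = []
        if informal:
            reasons.append("victim_initiated_informal_contact")
            if any(t in e.text.lower() for e in informal for t in URGENCY_TERMS):
                reasons.append("urgency_language")
            if any(e.peer == change.peer for e in informal):
                reasons.append("helper_benefits_from_change")
        if not any(e.kind == "ticket" for e in prior):
            reasons.append("no_ticket_before_change")
        score = sum(WEIGHTS[r] for r in reasons)
        if change.user not in findings or score > findings[change.user]["score"]:
            findings[change.user] = {"score": score, "reasons": reasons,
                                     "alert": score >= ALERT_THRESHOLD}
    return findings


if __name__ == "__main__":
    for user, result in score_rse(SAMPLE_EVENTS).items():
        print(user, result)
```

Because the score is anchored on the privilege change, informal help-seeking alone never alerts; only the combination of a technical anomaly with behavioural and procedural cues crosses the threshold.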
5.2 Human-Originated Vulnerabilities and Psychological Manipulation

The literature further demonstrates that attackers consistently exploit psychological principles such as authority, trust, reciprocity, urgency, and fear to manipulate UITs. Canham et al. (2020a) emphasise that impersonation of authority figures (e.g., IT support, managers) remains one of the most effective SE tactics, especially when victims are under stress. Coffey (2018c) highlights how trust-based reciprocity and time pressure cause insiders to initiate contact with attackers, effectively reversing the expected flow of intrusion. Fatigue, cognitive overload, and stress emerge as persistent human vulnerabilities that diminish employees’ vigilance in high-pressure environments (Takabi et al., 2018). While these are well-documented in relation to phishing, the review identifies a notable absence of empirical studies explicitly linking such vulnerabilities to RSE. Yet the described behavioural precursors (bypassing official help channels, relying on informal “experts,” or responding hastily to manufactured crises) strongly align with RSE conditions.

5.3 Socio-Technical and Procedural Vulnerabilities

The third category of vulnerabilities arises from socio-technical interactions and organisational workflows. The Human Factor in Cybersecurity (Zangana et al., 2025) shows how employees frequently bypass secure helpdesks to rely on informal colleagues, creating shadow support channels easily exploited in RSE attacks. Similarly, Georgiadou et al. (2022a) document weak security cultures where training is treated as a one-off exercise, leaving UITs ill-prepared to adapt to novel attack tactics. Workflow misalignments between policy and practice also feature prominently. Claycomb et al. (2022), Greitzer (2019b), Greitzer et al. (2021a), Greitzer, Lee, et al. (2019), and Greitzer, Purl, et al. (2019a) illustrate how security policies are often circumvented when they obstruct productivity, enabling attackers to craft scenarios that appear to require procedural shortcuts. These socio-technical weaknesses are particularly relevant to RSE, where attackers create artificial problems that exploit both organisational inefficiencies and the human inclination to seek immediate solutions.

5.4 Cross-Domain Vulnerability Patterns

Taken together, the review shows that SE and RSE attacks rarely exploit one domain in isolation. Instead, effective attacks weave together technical entry points (phishing links, malware), human vulnerabilities (authority, stress, reciprocity), and socio-technical weaknesses (bypassed workflows, informal channels). The result is a multi-dimensional exploitation pathway in which UITs are repositioned from passive victims to active conduits of SE attacks. This layered interaction highlights two critical research gaps. First, while phishing has been heavily studied, no empirical model systematically examines how UIT vulnerabilities converge in RSE contexts. Second, mitigation remains fragmented, with most studies advocating either technical anomaly detection or human-centric awareness programs, but rarely integrating the two into socio-technical defence models.

5.5 Towards Problem–Solution Mapping

To address these limitations, the vulnerabilities identified in this review are mapped to their corresponding mitigation approaches (Table VIII). Technical defences (e.g., anomaly detection, access control) target sabotage vectors, while socio-technical strategies (e.g., workflow monitoring, adaptive training) address organisational weaknesses.
Hybrid solutions, particularly AI/ML-driven anomaly detection integrated with behavioural analytics, emerge as the most promising avenue for detecting and preventing RSE-based insider exploitation. By aligning the taxonomy of vulnerabilities (Table 1) with targeted mitigation strategies (Table 2), this study provides a coherent problem–solution map that goes beyond fragmented measures, offering a structured foundation for developing hybrid socio-technical frameworks.

Table VI. Taxonomy of Vulnerabilities and SE/RSE Mechanisms

| Domain | Subclass / Mechanism | Example Manifestations | Relevance to UIT/RSE | Ref |
|---|---|---|---|---|
| Psychological | Authority Exploitation | Impersonation of IT/admin staff | Increases trust, induces UIT compliance | (Green et al., 2023; Schoenherr & Thomson, 2021) |
| Psychological | Reciprocity/Trust | Helping culture exploited | Encourages victim-initiated contact | (Sillanpää & Hautamäki, 2020) |
| Psychological | Urgency/Fear | Fake alerts, pressure emails | Drives fast, uncritical responses | (Hussain et al., 2024b) |
| Organisational | Weak Helpdesk Channels | Victims bypass official support | Enables attacker “helpers” | (Bedford & van der Laan, 2021; Osterritter & Carley, 2021) |
| Organisational | Security Culture Deficit | Training gaps, policy blind spots | UITs unaware of manipulative cues | (MacAk et al., 2020; Syafitri et al., 2022a) |
| Organisational | Workflow Weakness | Shadow IT, shortcutting policies | Normalises unsafe practices | (Greitzer, et al., 2014b) |
| Socio-Technical | Misconfigured Access Controls | Over-privileged accounts | UIT becomes an unintentional access broker | (Abdelsadeq et al., 2019a) |
| Socio-Technical | Detection Gaps | Lack of anomaly baselining | RSE precursors missed | (Greitzer, et al., 2014b; Rajchel et al., 2020) |
| Socio-Technical | Cognitive Overload/Fatigue | High workload → errors | Attackers exploit lowered vigilance | (Alohaly et al., 2022; Takabi et al., 2018) |

Table VII. Problem–Solution Mapping of Vulnerabilities to Mitigations

| Vulnerability | Technical Mitigations | Socio-Technical Mitigations | Hybrid / AI-ML Mitigations |
|---|---|---|---|
| Phishing & RSE Emails | Advanced filters, sandboxing | Targeted awareness, escalation policies | BiLSTM/Transformer classifiers; anomaly fusion |
| Fake Technical Support | Caller ID/auth binding, PAM | Ticket-first workflow; anti-authority training | NLP sentiment models for pressure cues |
| Workflow Bypasses | DLP, process automation | “Two-person” approvals; shadow IT mapping | Process mining + ML deviation detection |
| Cognitive Fatigue | Safe defaults, session limits | Fatigue-aware scheduling; micro-learning | ML workload inference; adaptive detection |
| Trust Exploitation | Verified helper registry | Culture of secure mentoring | Social graph analytics for helper anomalies |

Table VIII. Mapping ML/DL Mitigation Techniques to Signals, Datasets, and Outcomes

| ML/DL Technique | Signal Type | Datasets Referenced | Application | Supporting Paper |
|---|---|---|---|---|
| BiLSTM + Attention | Sequential behaviour logs | CERT Insider Threat, synthetic logs | Detect RSE-influenced anomalies | (He et al., 2022a) |
| Autoencoders | Logins, data access sequences | CERT, enterprise traces | Baseline reconstruction, anomaly detection | (Zewdie et al., 2024a) |
| NLP Transformers | Emails, chat, tickets | Phishing corpora, helpdesk datasets | Detect manipulation, urgency/fear | (Henge et al., 2023; Sharma et al., 2024) |
| Process Mining + ML | Workflow deviations | ITSM/HR logs | Detect bypass of formal channels | (Greitzer et al., 2021c; Greitzer, et al., 2014b; Greitzer, et al., 2014a) |
| Hybrid UEBA (ML + DL) | Multi-modal fusion | CERT + org data | Cross-layer anomaly correlation | (Abdelsadeq et al., 2019a) |

The thematic synthesis of the 39 reviewed papers highlights that reverse social engineering is uniquely positioned at the intersection of psychological manipulation, organisational weaknesses, and socio-technical system gaps.
Existing mitigation strategies are fragmented, often siloed as either technical (e.g., filters, anomaly detection) or socio-technical (e.g., training, policies). The evidence supports a shift toward hybrid approaches, where technical anomalies (privilege abuse, unusual access) are correlated with behavioural cues (victim-initiated contact, urgency in communications) and procedural deviations (bypassing helpdesks). Machine and deep learning models are consistently identified as enablers of such hybrid detection, offering the capacity to integrate signals across modalities (emails, workflows, psychometric cues). However, few studies explicitly operationalise this integration for reverse social engineering. This review thus contributes a structured taxonomy, a problem–solution map, and a socio-technical detection framework, together forming the first comprehensive model of RSE-based insider exploitation.

Findings demonstrate that authority cues, urgency, trust reciprocity, and fatigue are systematically exploited in SE scenarios (Canham et al., 2020a; Coffey, 2018b). Organisational patterns, including bypassing helpdesks and reliance on informal experts, amplify these vulnerabilities (Rahman et al., 2024; Zangana et al., 2025). While these mechanisms align strongly with RSE conditions, no study has explicitly modelled UIT behaviour under attacker-induced problem scenarios.

Implication: Future research must model UIT susceptibility empirically, capturing how psychological stress and organisational dependencies translate into RSE exploitation pathways.

6.1 Discussion and Key Findings

This systematic review analysed 39 peer-reviewed studies to investigate the role of unintentional insider threats (UITs) in social engineering, with particular focus on the neglected dimension of reverse social engineering.
The findings are organised around four guiding research questions (RQs), with insights aligned to the proposed taxonomy (Table VI), problem–solution map (Table VII), and socio-technical mitigation framework (Fig. 8, Table VIII).

RQ1: What conceptualisations of UITs exist in the literature, and how are they linked to social engineering?

The literature consistently recognises UITs as critical enablers of cyber incidents but continues to frame them predominantly as negligence, error, or carelessness (Greitzer et al., 2021a; Greitzer, et al., 2014c; Greitzer, et al., 2014a; Kotkova & Hromada, 2021). While phishing is the most extensively documented attack vector (He et al., 2022a; Salahdine & Kaabouch, 2019), studies rarely conceptualise UITs as active conduits of manipulation. A notable blind spot is RSE, where attackers create artificial problems and induce victims to initiate contact, a dynamic only implicitly described in organisational bypass or help-seeking behaviours (Coffey, 2018b; Rahman et al., 2024). This highlights a conceptual gap: UITs must be reconceptualised not as passive actors but as manipulated vectors of SE/RSE exploitation.

RQ2: What behavioural mechanisms and vulnerabilities make UITs effective conduits for insider social engineering attacks?

Across psychological, human, and organisational domains, several recurrent vulnerabilities emerge. These include authority and impersonation tactics, trust and reciprocity cues, and stress-induced urgency (Canham et al., 2020a). Additionally, behavioural fatigue and cognitive overload under heavy workloads amplify susceptibility (Alohaly et al., 2022; Takabi et al., 2018). At the socio-technical level, reliance on informal experts, weak security cultures, and procedural misalignments expose UITs to exploitation (Greitzer, et al., 2019b; Greitzer, et al., 2014a).
Collectively, these vulnerabilities map onto the axes of our taxonomy (Table 1), which classifies UIT exposure across psychological principles, communication channels, attacker objectives, and RSE indicators.

RQ3: What mitigation strategies and defensive models have been proposed to address UITs induced by social engineering?

Existing strategies cluster into three domains. Technical measures: anomaly detection, malware filtering, access control (Abdelsadeq et al., 2019a; Greitzer et al., 2021a; Greitzer, et al., 2014a). Human-centric measures: awareness training, phishing simulations, and stress-management interventions (Canham et al., 2020a). Socio-technical measures: embedding security into workflows, policy enforcement, and organisational culture (Rahman et al., 2024). While these approaches demonstrate value, they remain fragmented and siloed. None of the reviewed studies propose hybrid socio-technical detection models that correlate weak technical signals with human or organisational anomalies. To bridge this, our problem–solution map (Table VII) links vulnerabilities directly to layered mitigation strategies, and our framework (Fig. 8) demonstrates how multi-layered correlation increases detection fidelity.

RQ4: What research gaps and future directions emerge for advancing detection and mitigation of UITs in the context of social engineering?

Three core gaps persist. First, a conceptual gap: UITs continue to be framed narrowly as human error, overlooking their role as manipulated conduits of SE/RSE. Second, a mitigation gap: technical tools remain disconnected from socio-technical processes. Third, an empirical gap: few studies simulate real-world RSE dynamics, where attackers manufacture problems and victims initiate contact.
To close these gaps, future research should (i) reconceptualise UITs as central enablers of SE/RSE, (ii) conduct empirical case studies modelling RSE (problem–solution–assistance cycles), (iii) design hybrid ML/DL detection systems integrating anomaly detection, sentiment and psychometric analysis, and workflow monitoring, and (iv) operationalise adaptive organisational tools such as dynamic helpdesk protocols and human vulnerability exposure databases.

Looking forward, four priorities are identified: reconceptualising unintentional insiders as conduits of social engineering, developing empirical case studies to operationalise reverse social engineering, advancing hybrid socio-technical detection systems that integrate machine and deep learning with behavioural analytics, and translating these insights into adaptive organisational tools. By bridging technical, behavioural, and organisational perspectives, the study shifts the discourse from viewing unintentional insiders as peripheral actors to recognising them as critical enablers of social engineering and provides a pathway toward integrated socio-technical mitigation.

7. Conclusion and Future Research Agenda

Detecting insider threat behaviours remains a critical challenge because many actions align with an individual’s legitimate role and responsibilities, making them indistinguishable from normal activity. Enforcing and monitoring privileged user access rights compounds this challenge, as organisations struggle with the volume of access requests, the costs of monitoring, and the risks associated with remote work for users with administrative or root-level privileges. Alarmingly, surveys show that 30% of privileged users believe monitoring and control are insufficient, while 41% report inadequate background vetting prior to granting access, underscoring systemic vulnerabilities (Saxena et al., 2020b).
Social engineering further amplifies these risks, as insufficiently trained staff may fall victim to phishing or manipulation strategies that exploit human personality and cultural factors such as agreeableness, conscientiousness, or organisational norms. These vulnerabilities are not purely technical but sociotechnical, requiring detection methods that incorporate behavioural and organisational indicators alongside cyber-technical ones. Innovative approaches, such as custom-built tools for analysing email attachments or ontologies like the Sociotechnical and Organisational Factors for Insider Threat (SOFIT) framework, illustrate the potential of hybrid models. However, significant gaps remain in developing scalable behavioural analytics, integrating socio-technical data streams, and validating these models in real-world organisational contexts. Addressing these challenges requires advancing machine learning and deep learning techniques that correlate technical anomalies with behavioural cues, thereby enabling more proactive detection of insider threats shaped by social engineering and reverse social engineering dynamics (Saxena et al., 2020b).

Declarations

Author Contribution

Author A wrote the main manuscript as a PhD student under the supervision of B, C and D, who provided technical support and guidance in drafting the manuscript, reading and observation. Author E provided quick assistance in the area of structure and concepts.

References

A. Jones, L. (2024). Unveiling Human Factors: Aligning Facets of Cybersecurity Leadership, Insider Threats, and Arsonist Attributes to Reduce Cyber Risk. SocioEconomic Challenges, 8(2), 44–63. https://doi.org/10.61093/sec.8(2).44-63.2024
Abdelsadeq, Z. A. A., Omar, S. N., Basir, N., & Heng, N. F. N. B. M. R. (2019a). Unintentional Insider Threats Countermeasures Model (UITCM). 2019 International Conference on Cybersecurity, ICoCSec 2019, 53–58. https://doi.org/10.1109/ICoCSec47621.2019.8970986
Abdelsadeq, Z. A.
A., Omar, S. N., Basir, N., & Heng, N. F. N. B. M. R. (2019b). Unintentional Insider Threats Countermeasures Model (UITCM). 2019 International Conference on Cybersecurity, ICoCSec 2019, 53–58. https://doi.org/10.1109/ICoCSec47621.2019.8970986
Abiodun, Y. T., Mahmood, S., Niazi, M., Alshayeb, M., & AlGhamdi, A. A. (2025). Cybersecurity Readiness Model Based on Human Factors. Arabian Journal for Science and Engineering. https://doi.org/10.1007/s13369-025-10349-w
Abulencia, J. (2021). Insider attacks: human-factors attacks and mitigation. Computer Fraud & Security, 2021(5), 14–17. https://doi.org/10.1016/S1361-3723(21)00054-3
Akhunzada, A., Sookhak, M., Anuar, N. B., Gani, A., Ahmed, E., Shiraz, M., Furnell, S., Hayat, A., & Khan, M. K. (2015). Man-At-The-End attacks: Analysis, taxonomy, human aspects, motivation and future directions. Journal of Network and Computer Applications, 48, 44–57. https://doi.org/10.1016/j.jnca.2014.10.009
Alohaly, M., Balogun, O., & Takabi, D. (2022). Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection. IEEE Access, 10, 108965–108978. https://doi.org/10.1109/ACCESS.2022.3213645
Baugher, J., & Qu, Y. (2024a). Create the Taxonomy for Unintentional Insider Threat via Text Mining and Hierarchical Clustering Analysis. European Journal of Electrical Engineering and Computer Science, 8(2), 36–49. https://doi.org/10.24018/ejece.2024.8.2.608
Baugher, J., & Qu, Y. (2024b). Create the Taxonomy for Unintentional Insider Threat via Text Mining and Hierarchical Clustering Analysis. European Journal of Electrical Engineering and Computer Science, 8(2), 36–49. https://doi.org/10.24018/ejece.2024.8.2.608
Bedford, J., & van der Laan, L. (2021). Operationalising a framework for organisational vulnerability to intentional insider threat: the OVIT as a valid and reliable diagnostic tool.
Journal of Risk Research, 24(9), 1180–1203. https://doi.org/10.1080/13669877.2020.1806910
Birthriya, S. K., Ahlawat, P., & Jain, A. K. (2025). A Comprehensive Survey of Social Engineering Attacks: Taxonomy of Attacks, Prevention, and Mitigation Strategies. Journal of Applied Security Research, 20(2), 244–292. https://doi.org/10.1080/19361610.2024.2372986
Bishnoi, A., Garv, Bishnoi, S., & Gupta, N. (2023a). Comprehensive Assessment of Reverse Social Engineering to Understand Social Engineering Attacks. Proceedings - 5th International Conference on Smart Systems and Inventive Technology, ICSSIT 2023, Icssit, 681–685. https://doi.org/10.1109/ICSSIT55814.2023.10061054
Bishnoi, A., Garv, Bishnoi, S., & Gupta, N. (2023b). Comprehensive Assessment of Reverse Social Engineering to Understand Social Engineering Attacks. Proceedings - 5th International Conference on Smart Systems and Inventive Technology, ICSSIT 2023, Icssit, 681–685. https://doi.org/10.1109/ICSSIT55814.2023.10061054
Bolukonda, D., Bolukonda, D., Mishra, R. K., & Ranjan, R. (2024). Insider Threat Detection and its Behavior with Excessive Access Privileges. 2024 1st International Conference on Software, Systems and Information Technology, SSITCON 2024, 1–6. https://doi.org/10.1109/SSITCON62437.2024.10796563
Canham, M., Posey, C., & Bockelman, P. S. (2020a). Confronting information security’s elephant, the unintentional insider threat. In C. M. Fidopiastis & D. D. Schmorrow (Eds.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Vol. 12197 LNAI (Issue 14th International Conference on Augmented Cognition (AC), pp. 316–334). https://doi.org/10.1007/978-3-030-50439-7_22
Canham, M., Posey, C., & Bockelman, P. S. (2020b). Confronting information security’s elephant, the unintentional insider threat.
In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Vol. 12197 LNAI. Springer International Publishing. https://doi.org/10.1007/978-3-030-50439-7_22
Chaipa, S., Ngassam, E. K., & Shawren, S. (2022). Towards a New Taxonomy of Insider Threats. 2022 IST-Africa Conference (IST-Africa), 1–10. https://doi.org/10.23919/IST-Africa56635.2022.9845581
Claycomb, B., Greitzer, F., Jaros, S. L., & Gardner, C. (2022). Introduction to the Special Issue on Insider Threats. Digital Threats: Research and Practice, 3(1). https://doi.org/10.1145/3477501
Coffey, J. W. (2018a). On Social Engineering Attacks and Unintended Data Disclosures: Two Major Categories of End-User Cybersecurity Error. Journal of Systemics, Cybernetics and Informatics, 16(4), 94–99.
Coffey, J. W. (2018b). On Social Engineering Attacks and Unintended Data Disclosures: Two Major Categories of End-User Cybersecurity Error. Journal of Systemics, Cybernetics and Informatics, 16(4), 94–99.
Coffey, J. W. (2018c). On Social Engineering Attacks and Unintended Data Disclosures: Two Major Categories of End-User Cybersecurity Error. Journal of Systemics, Cybernetics and Informatics, 16(4), 94–99.
David, N., David, A., Hansen, R. R., Larsen, K. G., Legay, A., Olesen, M. C., & Probst, C. W. (2015). Modelling social-technical attacks with timed automata. MIST 2015 - Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats, Co-Located with CCS 2015, 21–28. https://doi.org/10.1145/2808783.2808787
Edwards, L., Zahid Iqbal, M., & Hassan, M. (2024a). A multi-layered security model to counter social engineering attacks: a learning-based approach. International Cybersecurity Law Review, 5(2), 313–336. https://doi.org/10.1365/s43439-024-00119-z
Edwards, L., Zahid Iqbal, M., & Hassan, M. (2024b).
A multi-layered security model to counter social engineering attacks: a learning-based approach. International Cybersecurity Law Review, 5(2), 313–336. https://doi.org/10.1365/s43439-024-00119-z
Edwards, L., Zahid Iqbal, M., & Hassan, M. (2024c). A multi-layered security model to counter social engineering attacks: a learning-based approach. International Cybersecurity Law Review, 5(2), 313–336. https://doi.org/10.1365/s43439-024-00119-z
Edwards, M. E., & Still, J. D. (2026). Cyber hygiene of SMiShing: What they know and where they look. Computer Standards & Interfaces, 95. https://doi.org/10.1016/j.csi.2025.104048
Gallo, L., Gentile, D., Ruggiero, S., Botta, A., & Ventre, G. (2024). The human factor in phishing: Collecting and analyzing user behavior when reading emails. Computers and Security, 139. https://doi.org/10.1016/j.cose.2023.103671
Georgiadou, A., Mouzakitis, S., & Askounis, D. (2022a). Detecting Insider Threat via a Cyber-Security Culture Framework. Journal of Computer Information Systems, 62(4), 706–716. https://doi.org/10.1080/08874417.2021.1903367
Georgiadou, A., Mouzakitis, S., & Askounis, D. (2022b). Detecting Insider Threat via a Cyber-Security Culture Framework. Journal of Computer Information Systems, 62(4), 706–716. https://doi.org/10.1080/08874417.2021.1903367
Green, M. L., & Dozier, P. (2023a). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023 (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926
Green, M. L., & Dozier, P. (2023b). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023 (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116).
https://doi.org/10.1109/CSR57506.2023.10224926
Green, M. L., & Dozier, P. (2023c). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023 (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926
Green, M. L., Dozier, P., & IEEE. (2023). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In 2023 IEEE International Conference on Cyber Security and Resilience, CSR (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926
Greitzer, F. L. (2019a). Insider Threats: It’s the HUMAN, Stupid! https://doi.org/10.1145/3332448.3332458
Greitzer, F. L. (2019b). Insider threats: It’s the Human, Stupid! ACM International Conference Proceeding Series. https://doi.org/10.1145/3332448.3332458
Greitzer, F. L., Lee, J. D., Purl, J., & Zaidi, A. K. (2019). Design and Implementation of a Comprehensive Insider Threat Ontology. Procedia Computer Science, 153, 361–369. https://doi.org/10.1016/j.procs.2019.05.090
Greitzer, F. L., Li, W., Laskey, K. B., Lee, J., & Purl, J. (2021a). Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility. Trans. Soc. Comput., 4(2). https://doi.org/10.1145/3461672
Greitzer, F. L., Li, W., Laskey, K. B., Lee, J., & Purl, J. (2021b). Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility. ACM Transactions on Social Computing, 4(2), 1–48. https://doi.org/10.1145/3461672
Greitzer, F. L., Li, W., Laskey, K. B., Lee, J., & Purl, J. (2021c). Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility. ACM Transactions on Social Computing, 4(2), 1–48.
https://doi.org/10.1145/3461672
Greitzer, F. L., Purl, J., Leong, Y. M., & Sticha, P. J. (2019a). Positioning Your Organization to Respond to Insider Threats. IEEE Engineering Management Review, 47(2), 75–83. https://doi.org/10.1109/EMR.2019.2914612
Greitzer, F. L., Purl, J., Leong, Y. M., & Sticha, P. J. (2019b). Positioning Your Organization to Respond to Insider Threats. IEEE Engineering Management Review, 47(2), 75–83. https://doi.org/10.1109/EMR.2019.2914612
Greitzer, F. L., Strozer, J., Cohen, S., Bergey, J., Cowley, J., Moore, A., & Mundie, D. (2014a). Unintentional insider threat: Contributing factors, observables, and mitigation strategies. Proceedings of the Annual Hawaii International Conference on System Sciences, 2025–2034. https://doi.org/10.1109/HICSS.2014.256
Greitzer, F. L., Strozer, J., Cohen, S., Bergey, J., Cowley, J., Moore, A., & Mundie, D. (2014b). Unintentional insider threat: Contributing factors, observables, and mitigation strategies. In R. H. Sprague (Ed.), Proceedings of the Annual Hawaii International Conference on System Sciences (Issue 47th Annual Hawaii International Conference on System Sciences, pp. 2025–2034). https://doi.org/10.1109/HICSS.2014.256
Greitzer, F. L., Strozer, J., Cohen, S., Bergey, J., Cowley, J., Moore, A., & Mundie, D. (2014c). Unintentional insider threat: Contributing factors, observables, and mitigation strategies. Proceedings of the Annual Hawaii International Conference on System Sciences, 2025–2034. https://doi.org/10.1109/HICSS.2014.256
Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014a). Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings - IEEE Symposium on Security and Privacy (Vols. 2014-Janua, Issues 35th IEEE-Computer-Society Workshop on Security and Privacy (SP), pp. 236–250). https://doi.org/10.1109/SPW.2014.39
Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014b).
Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings - IEEE Symposium on Security and Privacy (Vols. 2014-Janua, Issues 35th IEEE-Computer-Society Workshop on Security and Privacy (SP), pp. 236–250). https://doi.org/10.1109/SPW.2014.39
Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014c). Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings - IEEE Symposium on Security and Privacy (Vols. 2014-Janua, Issues 35th IEEE-Computer-Society Workshop on Security and Privacy (SP), pp. 236–250). https://doi.org/10.1109/SPW.2014.39
Hafizur Rahman, M. M., Naeem, M. A. Al, & Abubakar, A. (2022). Threats From Unintentional Insiders: An Assessment of an Organization’s Readiness Using Machine Learning. IEEE Access, 10, 110294–110308. https://doi.org/10.1109/ACCESS.2022.3214819
He, D. J., Lv, X., Xu, X. Q., Yu, S., Li, D. W., Chan, S. M. Y., & Guizani, M. (2022). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425
He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022a). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425
He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022b). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425
He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022c). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425
He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022d).
An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425
Henge, S. K., Upadhyay, A., Saini, A. K., Mishra, N., Sharma, D., & Sharma, G. (2023). Analysis and detection of insider attacks using behaviour rule based architecture in enterprise multitenancy. Journal of Discrete Mathematical Sciences and Cryptography, 26(3), 707–718. https://doi.org/10.47974/JDMSC-1743
House, D., & Raja, M. K. (2020). Phishing: message appraisal and the exploration of fear and self-confidence. Behaviour and Information Technology, 39(11), 1204–1224. https://doi.org/10.1080/0144929X.2019.1657180
Hussain, F., Rahman, R., Attarbashi, Z. S., Fadaq, W. H. N., & Mustafa, M. (2024a). Understanding Human Behavior in Phishing Attacks Across Diverse User Groups: An Ethical Hacking Analysis. 2024 IEEE 1st Karachi Section Humanitarian Technology Conference, Khi-HTC 2024, 1–7. https://doi.org/10.1109/KHI-HTC60760.2024.10482040
Hussain, F., Rahman, R., Attarbashi, Z. S., Fadaq, W. H. N., & Mustafa, M. (2024b). Understanding Human Behavior in Phishing Attacks Across Diverse User Groups: An Ethical Hacking Analysis. 2024 IEEE 1st Karachi Section Humanitarian Technology Conference, Khi-HTC 2024, 1–7. https://doi.org/10.1109/KHI-HTC60760.2024.10482040
Ifinedo, P. (2023). Exploring Personal and Environmental Factors that Can Reduce Nonmalicious Information Security Violations. Information Systems Management, 40(4), 316–336. https://doi.org/10.1080/10580530.2022.2131944
Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., & Pu, C. (2011). Reverse social engineering attacks in online social networks. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 6739 LNCS (March 2010), 55–74. https://doi.org/10.1007/978-3-642-22424-9_4
Ishaq, M., Kifayat, K., & Zafar, M. (2023).
A Survey on Human Factors in Cyberspace: A New Dimension of Privacy Threats. 2023 3rd International Conference on Communication, Computing and Digital Systems, C-CODE 2023, 1–6. https://doi.org/10.1109/C-CODE58145.2023.10139904
Ismail, W. B. W., & Yusof, M. (2018). Mitigation Strategies for Unintentional Insider Threats on Information Leaks. International Journal of Security and Its Applications, 12(1), 37–46. https://doi.org/10.14257/ijsia.2018.12.1.03
Javaheri, D., Fahmideh, M., Chizari, H., Lalbakhsh, P., & Hur, J. (2024). Cybersecurity threats in FinTech: A systematic review. Expert Systems with Applications, 241 (September 2023), 122697. https://doi.org/10.1016/j.eswa.2023.122697
Kammüller, F., & Probst, C. W. (2017). Modeling and Verification of Insider Threats Using Logical Analysis. IEEE Systems Journal, 11(2), 534–545. https://doi.org/10.1109/JSYST.2015.2453215
Kamruzzaman, A., Thakur, K., Ismat, S., Ali, M. L., Huang, K., & Thakur, H. N. (2023a). Social Engineering Incidents and Preventions (R. Paul, Ed.; pp. 494–498). IEEE. https://doi.org/10.1109/CCWC57344.2023.10099202
Kamruzzaman, A., Thakur, K., Ismat, S., Ali, M. L., Huang, K., & Thakur, H. N. (2023b). Social Engineering Incidents and Preventions. In R. Paul (Ed.), 2023 IEEE 13th Annual Computing and Communication Workshop and Conference, CCWC 2023 (Issue IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), pp. 494–498). IEEE. https://doi.org/10.1109/CCWC57344.2023.10099202
Kasowaki, L., & Yusef, O. (2023). The Human Factor in Cybersecurity: Addressing Social Engineering and Insider Threats. 3 (January), 76–85. https://easychair.org/publications/preprint_download/wDQQ
Khadka, K., & Ullah, A. B. (2025). Human factors in cybersecurity: an interdisciplinary review and framework proposal. International Journal of Information Security, 24(3), 1–13. https://doi.org/10.1007/s10207-025-01032-0
Khan, N., J. Houghton, R., & Sharples, S. (2022).
Understanding factors that influence unintentional insider threat: a framework to counteract unintentional risks. Cognition, Technology and Work, 24(3), 393–421. https://doi.org/10.1007/s10111-021-00690-z
Kotkova, B., & Hromada, M. (2021). The Threat of Social Engineering and the Safety of Companies. In Proceedings - 25th International Conference on Circuits, Systems, Communications and Computers, CSCC 2021 (Issues 25th International Conference on Circuits, Systems, Communications and Computers (CSCC), pp. 126–133). https://doi.org/10.1109/CSCC53858.2021.00030
Liu, X., Li, Q., & Sonali, C. (2017). Social engineering and insider threats. In Proceedings - 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, CyberC 2017 (Vols. 2018-Janua, Issue International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 25–34). https://doi.org/10.1109/CyberC.2017.91
MacAk, M., Kruzikova, A., Daubner, L., & Buhnova, B. (2020). Simulation Games Platform for Unintentional Perpetrator Attack Vector Identification. Proceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020, 222–229. https://doi.org/10.1145/3387940.3391475
Marbut, A. R., & Harms, P. D. (2024). Fiends and Fools: A Narrative Review and Neo-socioanalytic Perspective on Personality and Insider Threats. Journal of Business and Psychology, 39(3), 679–696. https://doi.org/10.1007/s10869-023-09885-9
Masood, A., & Masood, A. (2021). A Taxonomy of Insider Threat in isolated (air-gapped) Computer Networks. In M. ZafarUzZaman (Ed.), Proceedings of 2021 International Bhurban Conference on Applied Sciences and Technologies (IBCAST) (Issues 18th International Bhurban Conference on Applied Sciences and Technologies (IBCAST), pp. 678–685). https://doi.org/10.1109/IBCAST51254.2021.9393281
Mittal, A., & Garg, U. (2022).
A Proposed Approach to Analyze Insider Threat Detection Using Emails. Proceedings - 2022 3rd International Conference on Computation, Automation and Knowledge Management, ICCAKM 2022, 1–6. https://doi.org/10.1109/ICCAKM54721.2022.9990361
Mittal, A., & Garg, U. (2023a). Design and Analysis of Insider Threat Detection and Prediction System Using Machine Learning Techniques. 2023 5th International Conference on Electrical, Computer and Communication Technologies, ICECCT 2023, 1–8. https://doi.org/10.1109/ICECCT56650.2023.10179686
Mittal, A., & Garg, U. (2023b). Prediction and Detection of Insider Threat Detection using Emails: A Comparision. 2023 2nd International Conference on Electrical, Electronics, Information and Communication Technologies, ICEEICT 2023. https://doi.org/10.1109/ICEEICT56924.2023.10157297
Oner, U., Cetin, O., & Savas, E. (2025). Human factors in phishing: Understanding susceptibility and resilience. Computer Standards & Interfaces, 94. https://doi.org/10.1016/j.csi.2025.104014
Osterritter, L., & Carley, K. M. (2021). Conversations around organizational risk and insider threat. In M. Coscia, A. Cuzzocrea, & K. Shu (Eds.), Proceedings of the 2021 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2021 (Issue IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), pp. 252–260). https://doi.org/10.1145/3487351.3492721
Padayachee, K. (2022). An Exploratory Factor Analysis of Personality Factors: An Insider Threat Perspective. In N. Clarke & S. Furnell (Eds.), Human Aspects of Information Security and Assurance, HAISA 2022 (Vol. 658, Issues 16th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance (HAISA), pp. 253–264). https://doi.org/10.1007/978-3-031-12172-2_20
Prabhu, S., & Thompson, N. (2020).
A Unified Classification Model of Insider Threats to Information Security. ACIS 2020 Proceedings - 31st Australasian Conference on Information Systems. https://www.scopus.com/inward/record.uri?eid=2-s2.0-85162681051&partnerID=40&md5=c6fdd95f34f321ed9bd153795e3e4653
Prabhu, S., & Thompson, N. (2022). A primer on insider threats in cybersecurity. Information Security Journal, 31(5), 602–611. https://doi.org/10.1080/19393555.2021.1971802
Qashqari, A. A., Munshi, A. M., Alturkstani, H. A., Ghwati, H. T., & Alhebshi, D. H. (2020). The Human Factors and Cybersecurity Policy. International Journal of Computer Science and Network Security, 20(4), 1–5.
Rahman, A. U., Al-Obeidat, F., Tubaishat, A., Shah, B., Anwar, S., & Halim, Z. (2024). Discovering the Correlation between Phishing Susceptibility Causing Data Biases and Big Five Personality Traits Using C-GAN. IEEE Transactions on Computational Social Systems, 11(4), 4800–4808. https://doi.org/10.1109/TCSS.2022.3201153
Rajchel, B., Monaco, J. V., Singh, G., Hu, A., Shingleton, J., & Anderson, T. (2020). Temporal Behavior in Network Traffic as a Basis for Insider Threat Detection. In 2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020 (Issue IEEE Symposium Series on Computational Intelligence (IEEE SSCI), pp. 1427–1434). https://doi.org/10.1109/SSCI47803.2020.9308236
Renaud, K., Warkentin, M., Pogrebna, G., & van der Schyff, K. (2024a). VISTA: An inclusive insider threat taxonomy, with mitigation strategies. Information & Management, 61(1). https://doi.org/10.1016/j.im.2023.103877
Renaud, K., Warkentin, M., Pogrebna, G., & van der Schyff, K. (2024b). VISTA: An inclusive insider threat taxonomy, with mitigation strategies. Information & Management, 61(1). https://doi.org/10.1016/j.im.2023.103877
Reveraert, M., & Sauer, T. (2021). Redefining insider threats: a distinction between insider hazards and insider threats. Security Journal, 34(4), 755–775.
https://doi.org/10.1057/s41284-020-00259-x
Salahdine, F., & Kaabouch, N. (2019). Social engineering attacks: A survey. Future Internet, 11(4). https://doi.org/10.3390/FI11040089
Saxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K. K. R., & Burnap, P. (2020a). Impact and key challenges of insider threats on organizations and critical businesses. Electronics (Switzerland), 9(9), 1–29. https://doi.org/10.3390/electronics9091460
Saxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K. K. R., & Burnap, P. (2020b). Impact and key challenges of insider threats on organizations and critical businesses. Electronics (Switzerland), 9(9), 1–29. https://doi.org/10.3390/electronics9091460
Schoenherr, J. R. (2022a). Insider Threats and Individual Differences: Intention and Unintentional Motivations. IEEE Transactions on Technology and Society, 3(3), 175–184. https://doi.org/10.1109/tts.2022.3192767
Schoenherr, J. R. (2022b). Insider Threats and Individual Differences: Intention and Unintentional Motivations. IEEE Transactions on Technology and Society, 3(3), 175–184. https://doi.org/10.1109/tts.2022.3192767
Schoenherr, J. R., & Thomson, R. (2021). The Cybersecurity (CSEC) Questionnaire: Individual Differences in Unintentional Insider Threat Behaviours. 2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment, CyberSA 2021, 1–8. https://doi.org/10.1109/CyberSA52016.2021.9478213
Sharma, D., Varalakshmi, S., & Loonkar, S. (2024). Analyzing the Human Element in Cybersecurity Breaches with a Focus on Social Engineering Tactics and the Risks Posed by Insider Threats. 2024 International Conference on Advances in Computing Research on Science Engineering and Technology, ACROSET 2024, 1–6. https://doi.org/10.1109/ACROSET62108.2024.10743197
Sillanpää, M., & Hautamäki, J. (2020). Social Engineering Intrusion: A Case Study. https://doi.org/10.1145/3406601.3406631
Soh, C., Yu, S., Narayanan, A., Duraisamy, S., & Chen, L. (2019).
Employee profiling via aspect-based sentiment and network for insider threats detection. Expert Systems with Applications, 135, 351–361. https://doi.org/10.1016/j.eswa.2019.05.043
Sood, A. K., Zeadally, S., & Bansal, R. (2017). Exploiting trust: Stealthy attacks through socioware and insider threats. IEEE Systems Journal, 11(2), 415–426. https://doi.org/10.1109/JSYST.2015.2388707
Sridhar, A. P. (2025). Unauthorized Deep Learning Techniques for Identifying Insider Risks in Standardized Cybersecurity Databases. 2025 International Conference on Intelligent Control, Computing and Communications, IC3 2025, 1178–1183. https://doi.org/10.1109/IC363308.2025.10957272
Syafitri, W., Shukur, Z., Mokhtar, U. A., Sulaiman, R., & Ibrahim, M. A. (2022a). Social Engineering Attacks Prevention: A Systematic Literature Review. IEEE Access, 10, 39325–39343. https://doi.org/10.1109/ACCESS.2022.3162594
Syafitri, W., Shukur, Z., Mokhtar, U. A., Sulaiman, R., & Ibrahim, M. A. (2022b). Social Engineering Attacks Prevention: A Systematic Literature Review. IEEE Access, 10, 39325–39343. https://doi.org/10.1109/ACCESS.2022.3162594
Takabi, H., Hashem, Y., & Dantu, R. (2018). Prediction of human error using eye movements patterns for unintentional insider threat detection. In 2018 IEEE 4th International Conference on Identity, Security, and Behavior Analysis, ISBA 2018 (Vols. 2018-Janua, Issue IEEE 4th International Conference on Identity, Security, and Behavior Analysis (ISBA), pp. 1–8). https://doi.org/10.1109/ISBA.2018.8311479
Tian, T., Zhang, C., Jiang, B., Feng, H., & Lu, Z. (2025). Insider threat detection for specific threat scenarios. Cybersecurity, 8(1). https://doi.org/10.1186/s42400-024-00321-w
Tsiostas, D., Kittes, G., Chouliaras, N., Kantzavelou, I., Maglaras, L., Douligeris, C., & Vlachos, V. (2021). The Insider Threat: Reasons, Effects and Mitigation Techniques. 340–345. https://doi.org/10.1145/3437120.3437336
Uma Maheswaran, S.
K., Rajasekar, L., Haque Choudhury, Z., & Shahade, M. (2025). User behaviour based insider threat detection model using an LSTM integrated RF model. Network: Computation in Neural Systems, 1–38. https://doi.org/10.1080/0954898X.2025.2483342
Xiangyu, L., Qiuyang, L., & Chandel, S. (2017). Social Engineering and Insider Threats. 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), 25–34. https://doi.org/10.1109/CyberC.2017.91
Zangana, H. M., Sallow, Z. B., & Omar, M. (2025). The Human Factor in Cybersecurity: Addressing the Risks of Insider Threats. Jurnal Ilmiah Computer Science, 3(2), 76–85. https://doi.org/10.58602/jics.v3i2.37
Zaoui, M., Yousra, B., Yassine, S., Yassine, M., & Karim, O. (2024). A Comprehensive Taxonomy of Social Engineering Attacks and Defense Mechanisms: Toward Effective Mitigation Strategies. IEEE Access, 12, 72224–72241. https://doi.org/10.1109/ACCESS.2024.3403197
Zewdie, M., Girma, A., & Sitote, T. M. (2024a). Deep Neural Networks for Detecting Insider Threats and Social Engineering Attacks. International Conference on Electrical, Computer, and Energy Technologies, ICECET 2024. https://doi.org/10.1109/ICECET61485.2024.10698519
Zewdie, M., Girma, A., & Sitote, T. M. (2024b). Deep Neural Networks for Detecting Insider Threats and Social Engineering Attacks. International Conference on Electrical, Computer, and Energy Technologies, ICECET 2024. https://doi.org/10.1109/ICECET61485.2024.10698519
Zewdie, M., Girma, A., & Sitote, T. M. (2024c). Deep Neural Networks for Detecting Insider Threats and Social Engineering Attacks. International Conference on Electrical, Computer, and Energy Technologies, ICECET 2024, 1–8. https://doi.org/10.1109/ICECET61485.2024.10698519
Zimmer, E., Burkert, C., & Federrath, H. (2022). Insiders Dissected: New Foundations and a Systematisation of the Research on Insiders.
Digital Threats: Research and Practice, 3(1). https://doi.org/10.1145/3473674

Additional Declarations

No competing interests reported.
The Ponemon Research Institute\u0026rsquo;s 2023 Insider Threat Cost Report underscores the scale of this problem, highlighting the substantial resources required for effective mitigation highlighting that on average, organizations take 77 days to contain an insider threat incident, while alarming, only 12% of reported cases are resolved within 30 days (Jones, \u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e2024\u003c/span\u003e). These statistics show Insider threats remain one of the most persistent challenges in cybersecurity, however, with unintentional insider threats UITs increasingly recognised as critical enablers of breaches (Kamm\u0026uuml;ller \u0026amp; Probst, \u003cspan citationid=\"CR63\" class=\"CitationRef\"\u003e2017\u003c/span\u003e; Greitzer et al., \u003cspan citationid=\"CR42\" class=\"CitationRef\"\u003e2014a\u003c/span\u003e). Unlike malicious insiders, UITs often arise from error, negligence, misjudgement, or intentional manipulation (Kotkova \u0026amp; Hromada, \u003cspan citationid=\"CR69\" class=\"CitationRef\"\u003e2021\u003c/span\u003e). Their actions frequently provide attackers with pathways into organisational systems, particularly through social engineering (SE), where human vulnerabilities are exploited to bypass technical controls ((Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; Canham et al., 2020). For example, (Greitzer, Strozer, Cohen, Moore, et al., \u003cspan citationid=\"CR46\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e) examined UIT incidents originating from SE by analysing incident data, behavioural patterns, technical indicators, and potential precursors to better understand contributing factors. 
Similarly, Abdelsadeq et al., (2019), building on Ismail \u0026amp; Yusof, (\u003cspan citationid=\"CR61\" class=\"CitationRef\"\u003e2018\u003c/span\u003e), developed a conceptual countermeasure model for UITs by highlighting human errors and behavioural activities in daily job tasks that are often exposed to breaches, enhancing the framework with mitigation strategies from existing literature. Takabi et al., (\u003cspan citationid=\"CR101\" class=\"CitationRef\"\u003e2018\u003c/span\u003e) introduced a novel method for detecting UITs by analysing users\u0026rsquo; eye movements, capturing activity patterns to evaluate mental workload a key factor underlying human error. Greitzer, et al., (2014) concluded that while UITs share organisational precursors with malicious threats, their primary driver is human error, underscoring the need for human-centric mitigation strategies such as system usability improvements, fostering security culture, and maintaining a supportive work environment, rather than relying solely on technical controls. Recent advances have turned attention to SE-specific mechanisms. Sharma et al., (\u003cspan citationid=\"CR94\" class=\"CitationRef\"\u003e2024\u003c/span\u003e) examined SE methods, showing how attackers reduce user security through manipulation. Using the Social Engineering Detection Algorithm (SEDA), they identified fraudulent SE attempts by analysing message language against behavioural data, incorporating mood analysis, semantic matching, and language complexity metrics to detect suspicious patterns. Zewdie et al., (\u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e) further extended this by proposing a deep learning (DL) based holistic detection system capable of identifying insider threats whether intentional or unintentional as well as vulnerabilities to external SE vectors such as phishing. 
Similarly, He et al., (\u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003e) developed a double-layer DL detection system to identify phishing and insider threats in enterprise systems. Although, these studies reinforce SE attacks however, phishing is the most prevalent SE vector in their literature. Despite extensive research on insider threats and social engineering, the specific role of unintentional insiders in reverse social engineering remains poorly conceptualised and rarely addressed empirically. Existing surveys and models primarily focus on malicious insiders or on phishing as the dominant social engineering vector (Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003eb). This narrow framing has resulted in three persistent gaps: (i) a conceptual gap in theorising UITs as conduits of social engineering, (ii) a mitigation gap where socio-technical approaches are seldom integrated into detection models, and (iii) an empirical blind spot concerning RSE scenarios, where victims are manipulated into initiating contact with attackers. The main contribution of this research can be summarised as: a) Taxonomy of Vulnerabilities and SE/RSE Mechanisms: A refined taxonomy is proposed that classifies vulnerabilities across \u003cem\u003epsychological\u003c/em\u003e, \u003cem\u003eorganisational\u003c/em\u003e, and \u003cem\u003esocio-technical\u003c/em\u003e domains. This taxonomy captures the mechanisms by which UITs are exploited in both SE and RSE scenarios, moving beyond generic notions of \u0026ldquo;human error\u0026rdquo; to detail specific behavioural, contextual, and structural enablers (Canham et al., 2020; David et al., \u003cspan citationid=\"CR22\" class=\"CitationRef\"\u003e2015\u003c/span\u003e). 
b) Problem and Solution Mapping of Mitigation Approaches: A systematic problem\u0026ndash;solution map is developed that aligns identified vulnerabilities with mitigation strategies, distinguishing between \u003cem\u003etechnical\u003c/em\u003e, \u003cem\u003esocio-technical\u003c/em\u003e, and \u003cem\u003ehybrid\u003c/em\u003e approaches. While prior work has examined anomaly detection (Greitzer et al., \u003cspan citationid=\"CR37\" class=\"CitationRef\"\u003e2021a\u003c/span\u003e) or awareness training in isolation, this mapping emphasises integrative defences that combine behavioural monitoring with automated detection of anomalous activities, ensuring a layered and adaptive security posture. c) Multi-Layered Socio-Technical Detection Framework: The study introduces a conceptual framework for detecting RSE-based insider threats. The framework integrates three complementary layers:\u003c/p\u003e\u003cp\u003e\u003cul\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eTechnical layer\u003c/b\u003e, focused on system logs, anomaly detection, and privilege escalation patterns.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eBehavioural layer\u003c/b\u003e, centred on communication, sentiment analysis, and relational dynamics that reveal manipulation.\u003c/p\u003e\u003c/li\u003e\u003cli\u003e\u003cp\u003e\u003cb\u003eProcedural layer\u003c/b\u003e, monitoring deviations from established workflows and policy adherence.\u003c/p\u003e\u003c/li\u003e\u003c/ul\u003e\u003c/p\u003e\u003cp\u003eBy correlating weak signals across these layers, the framework enhances detection fidelity and reduces false positives. 
It leverages machine learning (ML) and deep learning (DL) techniques to model behavioural baselines and identify anomalies indicative of RSE exploitation (Zewdie et al., 2024); (He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)The novelty of this research lies in reframing unintentional insiders from passive, error-prone actors into active enablers of social engineering, particularly reverse social engineering. To the best of our knowledge, this is the first systematic review to explicitly conceptualise RSE as an internal social engineering vector and to propose a socio-technical detection framework tailored to it. Unlike prior taxonomies that focus narrowly on phishing or malicious insiders, this work offers a comprehensive classification of vulnerabilities, systematically mapped to multi-layered mitigations. Furthermore, by embedding ML/DL techniques into a socio-technical defence model, it bridges the persistent divide between human-centred vulnerabilities and technical detection systems. Accordingly, this review addresses the following research questions (RQs): \u003cb\u003eRQ1\u003c/b\u003e: What conceptualisations of unintentional insider threats exist in the literature, and how are they linked to social engineering? \u003cb\u003eRQ2\u003c/b\u003e: What behavioural mechanisms and vulnerabilities make UITs effective conduits for insider social engineering attacks? \u003cb\u003eRQ3\u003c/b\u003e: What mitigation strategies and defensive models have been proposed to address UITs induced by social engineering? 
\u003cb\u003eRQ4\u003c/b\u003e: What research gaps and future directions emerge for advancing detection and mitigation of UITs in the context of social engineering?\u003c/p\u003e\u003cp\u003eThe remainder of the research is organized as follows: Section \u003cspan refid=\"Sec2\" class=\"InternalRef\"\u003e2\u003c/span\u003e, Related Studies, reviews the existing academic literature to establish the context and identify the critical research gap. Section \u003cspan refid=\"Sec3\" class=\"InternalRef\"\u003e3\u003c/span\u003e, Methodology, details the systematic approach used for this review, including the search strategy, inclusion/exclusion criteria, and data analysis methods. Section \u003cspan refid=\"Sec8\" class=\"InternalRef\"\u003e4\u003c/span\u003e, Thematic synthesis and Statistical Analysis, presents the synthesized findings from the literature, organized by the key themes identified during the review. Section \u003cspan refid=\"Sec27\" class=\"InternalRef\"\u003e5\u003c/span\u003e, Discussion, interprets these findings, explores their implications, and elaborates on the study's novel contributions, including the proposed taxonomy and framework. Section 6, Key Findings to address RQs. Finally, section \u003cspan refid=\"Sec34\" class=\"InternalRef\"\u003e7\u003c/span\u003e, draws Conclusion and future research direction, summarizes the key insights, acknowledges any limitations, and provides clear recommendations for future research.\u003c/p\u003e"},{"header":"2. 
Related Work","content":"\u003cp\u003eAccording to (Tsiostas et al., \u003cspan citationid=\"CR103\" class=\"CitationRef\"\u003e2021\u003c/span\u003e) \u0026ldquo;insider social engineering involves a threat actor who implements social engineering techniques against an unsuspecting co-worker in order to get from him sensitive corporate details or make him act in a way that will affect negatively the organisation, its assets, its equipment or its personnel\u0026rdquo; In contrast, an unintentional insider threat arises when an authorized employee or business associate, through inadvertent actions such as negligence, error, or policy non-compliance, unintentionally exposes organizational assets or information, thereby causing harm to the enterprise (Tsiostas et al., \u003cspan citationid=\"CR103\" class=\"CitationRef\"\u003e2021\u003c/span\u003e) (Greitzer et al., 2021). Reverse social engineering is a deceptive form of social engineering attack in which adversaries manipulate victims into voluntarily initiating contact, often under the pretext of seeking assistance, thereby disclosing sensitive information or granting access to organizational systems (Bishnoi et al., \u003cspan citationid=\"CR12\" class=\"CitationRef\"\u003e2023a\u003c/span\u003e). Unlike conventional attacks where the perpetrator directly solicits data, RSE exploits trust and perceived authority, making detection more difficult. Mitigation requires not only advanced technical safeguards but also continuous user awareness training and the presence of well-prepared security teams capable of recognizing such subtle manipulations. (Bishnoi et al., \u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e2023b\u003c/span\u003e). Several surveys and literature reviews in cybersecurity have examined social engineering, insider threats, but they remain fragmented and reveal consistent blind spots. 
Collectively, these works provide important groundwork by classifying techniques, prevention measures, and insider typologies, yet they neither systematically address unintentional insider threats (UITs) as conduits of SE nor recognise reverse social engineering as a distinct insider threat attack vector. In the contemporary cybersecurity paradigm, there is a broad and well-established consensus that the human factor represents the most persistent and unpredictable vulnerability in an organization's defense (Abulencia, \u003cspan citationid=\"CR5\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; Padayachee, \u003cspan citationid=\"CR79\" class=\"CitationRef\"\u003e2022\u003c/span\u003e). Foundational surveys by Salahdine \u0026amp; Kaabouch, (\u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e) and comprehensive systematic reviews by Syafitri et al., (2022) have extensively mapped the terrain of social engineering, solidifying its status as a primary threat vector. These attacks are uniquely effective because they bypass technological safeguards, such as firewalls and encryption, to directly target human psychology (Jones, \u003cspan citationid=\"CR1\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; Abiodun et al., \u003cspan citationid=\"CR4\" class=\"CitationRef\"\u003e2025\u003c/span\u003e). They exploit deep-seated cognitive biases, including deference to authority, the desire to be helpful, and fear of negative consequences. In response to this pervasive threat, scholars have dedicated significant effort to developing countermeasures (Green et al., 2023; Ishaq et al., \u003cspan citationid=\"CR60\" class=\"CitationRef\"\u003e2023\u003c/span\u003e; Kasowaki \u0026amp; Yusef, \u003cspan citationid=\"CR66\" class=\"CitationRef\"\u003e2023\u003c/span\u003e; Oner et al., \u003cspan citationid=\"CR77\" class=\"CitationRef\"\u003e2025\u003c/span\u003e). 
These range from multi-layered, machine learning-based security models designed to detect deceptive communications Edwards et al., 2024; Edwards \u0026amp; Still, \u003cspan citationid=\"CR26\" class=\"CitationRef\"\u003e2026\u003c/span\u003e) to sophisticated double-layer detection systems that aim to identify and neutralize attacks in real-time (He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003eb). However, a common thread in this body of work is its focus on externally initiated threats, often overlooking the nuanced ways these tactics can manifest from within.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eAlthough,Bishnoi et al., (2023) make a comprehensive assessment of reverse social engineering to understand social engineering attacks nevertheless, the study does not articulate insider threat induced by RSE or SE. Similarly, this narrative was substantiated by the works of (Tsiostas et al., \u003cspan citationid=\"CR103\" class=\"CitationRef\"\u003e2021\u003c/span\u003e), significant and growing body of work now investigates the direct causal link between social engineering tactics and the activation of insider threats (Tsiostas et al., \u003cspan citationid=\"CR103\" class=\"CitationRef\"\u003e2021\u003c/span\u003e). Pioneering work in this area by (Prabhu \u0026amp; Thompson, \u003cspan citationid=\"CR80\" class=\"CitationRef\"\u003e2020\u003c/span\u003e;Sharma et al., \u003cspan citationid=\"CR94\" class=\"CitationRef\"\u003e2024\u003c/span\u003e) explicitly connects the manipulative techniques of social engineering to the occurrence of security breaches in organization. A critical insight from this research is its focus on Unintentional Insider Threats (UITs). This distinguishes the unwitting accomplice from the malicious actor, a crucial distinction as studies consistently shows that breaches caused by negligence or error are far more frequent than those caused by malicious intent. 
An external attacker effectively \"weaponizes\" an employee's trust and authorized access, turning them into a pawn who facilitates the breach. This transforms the traditional security model on its head; the threat is no longer an external \"other\" trying to get in, but a trusted \"insider\" unwittingly opening the door from the inside.\u003c/p\u003e\u003cp\u003eTable 1 compares previous studies and our systematic literature review from various perspective on the narrative. Although, several studies also look into SEA in cybersecurity, and insider threat focusing on specific attack vectors such as phishing(Kamruzzaman et al., 2023; He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003e). However, for general survey on social engineering and insider threat we take a closer look at the works of (Tsiostas et al., \u003cspan citationid=\"CR103\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e;Choenherr, 2022; Greitzer, et al., 2014; Hussain et al., 2024; and Coffey, 2018), respectively. As indicate in Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e, none of the previous related studies has considered insider social engineering through reverse social engineering as internal social engineering attack vector for UITs. Although,(Tsiostas et al., \u003cspan citationid=\"CR103\" class=\"CitationRef\"\u003e2021\u003c/span\u003e) highlights insider social engineering, but fall short of conceptualising and empirical detection solution. Hence the new threats that could emerged from this vector have not been investigated. 
To this best of our knowledge, this paper is the first that study insider social engineering attack from the perspective of RSE attack from internal insider threat including vulnerability, human factor and sociotechnical proactive mitigation to deal with RSE induced insider social engineering-based insider threat. \u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab1\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003e\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003e\u003cb\u003eTable I: Summary Comparison of Prior Study and the Present Study\u003c/b\u003e\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"6\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c6\" colnum=\"6\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eRef.\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSE\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eSE\u0026thinsp;+\u0026thinsp;IT\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eISE/RSE\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003eHF\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c6\"\u003e\u003cp\u003eUITs\u0026thinsp;+\u0026thinsp;SE\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd 
align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Edwards et al., \u003cspan citationid=\"CR24\" class=\"CitationRef\"\u003e2024b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Prabhu \u0026amp; Thompson, \u003cspan citationid=\"CR81\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Mittal \u0026amp; Garg, \u003cspan citationid=\"CR74\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Sharma et al., \u003cspan citationid=\"CR94\" class=\"CitationRef\"\u003e2024\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Canham et al., \u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e2020a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Osterritter \u0026amp; Carley, \u003cspan citationid=\"CR78\" class=\"CitationRef\"\u003e2021\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Baugher \u0026amp; Qu, \u003cspan citationid=\"CR8\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Mittal \u0026amp; Garg, \u003cspan citationid=\"CR75\" class=\"CitationRef\"\u003e2023a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Soh et al., \u003cspan 
citationid=\"CR96\" class=\"CitationRef\"\u003e2019\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Sood et al., \u003cspan citationid=\"CR97\" class=\"CitationRef\"\u003e2017\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Ifinedo, \u003cspan citationid=\"CR58\" class=\"CitationRef\"\u003e2023\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Marbut \u0026amp; Harms, \u003cspan citationid=\"CR72\" class=\"CitationRef\"\u003e2024\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003ea)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Saxena et al., \u003cspan citationid=\"CR89\" class=\"CitationRef\"\u003e2020a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Bolukonda et al., \u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e2024\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Schoenherr, \u003cspan citationid=\"CR92\" class=\"CitationRef\"\u003e2022b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Zimmer et al., \u003cspan citationid=\"CR111\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Ismail \u0026amp; Yusof, \u003cspan citationid=\"CR61\" class=\"CitationRef\"\u003e2018\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Coffey, \u003cspan citationid=\"CR20\" 
class=\"CitationRef\"\u003e2018b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Mittal \u0026amp; Garg, \u003cspan citationid=\"CR76\" class=\"CitationRef\"\u003e2023b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Reveraert \u0026amp; Sauer, \u003cspan citationid=\"CR87\" class=\"CitationRef\"\u003e2021\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(MacAk et al., \u003cspan citationid=\"CR71\" class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Liu et al., \u003cspan citationid=\"CR70\" class=\"CitationRef\"\u003e2017\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Sillanp\u0026auml;\u0026auml; \u0026amp; Hautam\u0026auml;ki, \u003cspan citationid=\"CR95\" class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd 
align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Syafitri et al., \u003cspan citationid=\"CR99\" class=\"CitationRef\"\u003e2022a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Kamruzzaman et al., \u003cspan citationid=\"CR65\" class=\"CitationRef\"\u003e2023b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Rajchel et al., \u003cspan citationid=\"CR84\" class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" 
colname=\"c1\"\u003e\u003cp\u003e(Zangana et al., \u003cspan citationid=\"CR106\" class=\"CitationRef\"\u003e2025\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Schoenherr \u0026amp; Thomson, \u003cspan citationid=\"CR93\" class=\"CitationRef\"\u003e2021\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Hafizur Rahman et al., \u003cspan citationid=\"CR48\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Sridhar, \u003cspan citationid=\"CR98\" class=\"CitationRef\"\u003e2025\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Khan et al., \u003cspan citationid=\"CR68\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Hussain et al., \u003cspan citationid=\"CR57\" class=\"CitationRef\"\u003e2024b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Green et al., 2023)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Abdelsadeq et al., \u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u0026nbsp;\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003e(Bishnoi et al., \u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e2023b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eThis study\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c2\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c6\"\u003e\u003cp\u003e✓\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e"},{"header":"3. Methodology","content":"\u003cp\u003eThis study follows the PRISMA methodology (Liberati et al., 2009) to ensure a systematic and transparent review of the literature on unintentional insider threats (UITs) and their relationship to social engineering (SE). The process comprised four stages: identification, screening, eligibility, and inclusion.\u003c/p\u003e\u003cdiv id=\"Sec4\" class=\"Section2\"\u003e\u003ch2\u003e3.1 Identification\u003c/h2\u003e\u003cp\u003eThe search strategy was based on the query:\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003e\u003cem\u003e(\"insider threat\" OR \"Unintentional insider threat\" OR \"Non-Malicious insider\" OR \"insider threat detection\") AND (\"social engineering\") AND (vulnerability OR \"human factor\")\u003c/em\u003e\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThe above query was applied to five major databases: Web of Science (WoS), Scopus, Springer, ACM Digital Library, and IEEE Xplore. The initial retrieval identified 448 records from WoS, 16 from Scopus, 168 from Springer, 219 from ACM, and 262 from IEEE, for a total of 1,113 records.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec5\" class=\"Section2\"\u003e\u003ch2\u003e3.2 Screening\u003c/h2\u003e\u003cp\u003eDuplicates were removed, and the titles and abstracts of the remaining studies were screened for relevance. 
Studies not directly addressing insider threats, social engineering, or human factors were excluded at this stage.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eIn Fig.\u0026nbsp;\u003cspan refid=\"Fig3\" class=\"InternalRef\"\u003e3\u003c/span\u003e, research activity increased steadily from 2014 to 2020, with a peak around 2017\u0026ndash;2020. The recent years (2023\u0026ndash;2025) show fewer but more targeted studies, reflecting the emerging interest in UITs and RSE specifically.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eThe distribution of reviewed papers in Fig.\u0026nbsp;\u003cspan refid=\"Fig3\" class=\"InternalRef\"\u003e3\u003c/span\u003e shows that IEEE Xplore (23.1%), Springer Link (20.5%), and ScienceDirect/Elsevier (17.9%) are the dominant sources, together contributing over 60% of the total studies. ACM Digital Library (15.4%) also represents a significant share, while Wiley/Taylor \u0026amp; Francis (10.3%) and MDPI/Hindawi/Emerald (7.7%) contribute moderately. Miscellaneous sources (5.1%) provided the least. 
This trend demonstrates the concentration of insider threat and social engineering research within a few leading digital libraries, reinforcing their role as primary repositories for high-impact scholarly contributions in the field.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec6\" class=\"Section2\"\u003e\u003ch2\u003e3.3 Eligibility\u003c/h2\u003e\u003cp\u003eFull texts of 120 studies were assessed against the inclusion criteria:\u003c/p\u003e\u003cp\u003e\u003col\u003e\u003cspan\u003e\u003cli\u003e\u003cp\u003ePublished between 2014 and August 2025.\u003c/p\u003e\u003c/li\u003e\u003c/span\u003e\u003cspan\u003e\u003cli\u003e\u003cp\u003eWritten in English.\u003c/p\u003e\u003c/li\u003e\u003c/span\u003e\u003cspan\u003e\u003cli\u003e\u003cp\u003eFocused on insider threats and social engineering, human factors, or their intersections.\u003c/p\u003e\u003c/li\u003e\u003c/span\u003e\u003cspan\u003e\u003cli\u003e\u003cp\u003ePublished in peer-reviewed journals or reputable conferences.\u003c/p\u003e\u003c/li\u003e\u003c/span\u003e\u003c/ol\u003e\u003c/p\u003e\u003cp\u003eAt this stage, studies that were purely opinion pieces or lacked empirical or conceptual contributions were \u003cb\u003eexcluded\u003c/b\u003e.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec7\" class=\"Section2\"\u003e\u003ch2\u003e3.4 Inclusion\u003c/h2\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eA total of 39 studies were included for qualitative synthesis, comprising 29 journal articles (74%), 6 conference papers (15%), and 4 surveys or systematic reviews (11%). The predominance of journal publications indicates that research on unintentional insider threats (UITs) and social engineering (SE) is primarily disseminated through peer-reviewed journals, reflecting the domain\u0026rsquo;s academic maturity and methodological rigor. 
Conference proceedings provide a smaller but important stream of emerging findings, while systematic reviews and surveys highlight efforts toward consolidation and knowledge structuring within the field.\u003c/p\u003e\u003cp\u003eTo provide a novel taxonomy of UITs and ISE and corresponding mitigation and detection methods, we first manually classified the papers included for qualitative synthesis (Step 4) into two classes, \u0026lsquo;Vulnerability\u0026rsquo; and \u0026lsquo;Detection\u0026rsquo;, which are studied in Section \u003cspan refid=\"Sec8\" class=\"InternalRef\"\u003e4\u003c/span\u003e and Section \u003cspan refid=\"Sec27\" class=\"InternalRef\"\u003e5\u003c/span\u003e, respectively.\u003c/p\u003e\u003c/div\u003e"},{"header":"4. Implication of Insider Social Engineering as Conduits of Social Engineering","content":"\u003cp\u003eThe papers included for qualitative synthesis (Step 4) were further manually labelled and classified into three overarching categories: technical vulnerabilities, human factors, and socio-technical vulnerabilities. This classification extends and refines prior taxonomies of insider and social engineering threats. For instance, (Baugher \u0026amp; Qu, \u003cspan citationid=\"CR9\" class=\"CitationRef\"\u003e2024b\u003c/span\u003e; Chaipa et al., \u003cspan citationid=\"CR17\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Masood \u0026amp; Masood, \u003cspan citationid=\"CR73\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; Renaud et al., \u003cspan citationid=\"CR86\" class=\"CitationRef\"\u003e2024b\u003c/span\u003e) provide broader socio-technical systems, integrating the human element as either the originator, medium, or executor of threats into the technology-based taxonomy. 
Similarly, (Akhunzada et al., \u003cspan citationid=\"CR6\" class=\"CitationRef\"\u003e2015\u003c/span\u003e; Birthriya et al., \u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e2025\u003c/span\u003e; Zaoui et al., \u003cspan citationid=\"CR107\" class=\"CitationRef\"\u003e2024\u003c/span\u003e) underscore that social engineering human factors in security procedures and internal controls also constitute vulnerabilities. Yet, despite recognition of these dimensions, insider social engineering and procedural elements remain underexplored. To bridge this gap, our survey represents, to the best of our knowledge, the first to systematically address UITs as conduits of insider social engineering and sociotechnical procedures into a unified taxonomy of vulnerabilities and corresponding mitigation.\u003c/p\u003e\u003cdiv id=\"Sec9\" class=\"Section2\"\u003e\u003ch2\u003e4.1 Technical Vulnerabilities\u003c/h2\u003e\u003cp\u003ePapers were further subdivided into subclasses, and the analysis reveals that the majority of vulnerabilities exploited in insider threat and social engineering contexts stem not solely from technology, but from the interplay between human factors and organisational weaknesses. These vulnerabilities enable attackers to manipulate unintentional insiders into becoming conduits of breaches, often through social engineering and reverse social engineering. Key issues include psychological manipulation (e.g., authority, trust, urgency), procedural gaps (e.g., bypassing formal support channels), and socio-technical dependencies (e.g., reliance on informal experts, weak workflow controls). 
Accordingly, the following subsections present the subclasses across the three main groups (technology-based, human-originated, and procedure-related vulnerabilities), with specific emphasis on how they facilitate SE and RSE attacks.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cdiv id=\"Sec10\" class=\"Section3\"\u003e\u003ch2\u003e4.1.1 Phishing and Spear-Phishing Vectors\u003c/h2\u003e\u003cp\u003ePhishing remains the most dominant SE vector, repeatedly highlighted in the literature as the primary entry point for exploiting unintentional insiders. Phishing emails and spear-phishing campaigns are designed to bypass technical filters by exploiting cognitive shortcuts such as authority and urgency (Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e). Empirical studies demonstrate that UITs, lacking training or operating under stress, are particularly vulnerable to fraudulent links and attachments, enabling attackers to pivot deeper into systems (He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003ed). In the context of RSE, phishing can escalate into problem\u0026ndash;solution dynamics, where attackers first generate a disruption and then redirect victims to \u0026ldquo;trusted\u0026rdquo; but malicious assistance.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec11\" class=\"Section3\"\u003e\u003ch2\u003e4.1.2 Malware Delivery\u003c/h2\u003e\u003cp\u003eMalware remains a persistent technical vulnerability, often spread through phishing vectors or compromised websites. UITs are frequently the unwitting executors, clicking links or downloading attachments without verifying authenticity. 
This behaviour aligns with SE manipulation, where trust and reciprocity biases are weaponised (Gallo et al., \u003cspan citationid=\"CR27\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; House \u0026amp; Raja, \u003cspan citationid=\"CR55\" class=\"CitationRef\"\u003e2020\u003c/span\u003e; Maheswaran et al., 2025). Malware can then establish persistence, exfiltrate data, or create backdoors that facilitate subsequent RSE engagement.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec12\" class=\"Section3\"\u003e\u003ch2\u003e4.1.3 Ransomware Attacks\u003c/h2\u003e\u003cp\u003eRansomware constitutes a growing socio-technical threat in which UITs inadvertently activate malicious payloads. Once triggered, attackers generate high-pressure conditions by locking critical files and demanding payment. Studies show that insiders, operating under stress, may bypass organisational protocols and seek \u0026ldquo;informal\u0026rdquo; help or comply with malicious instructions (Zewdie et al., \u003cspan citationid=\"CR109\" class=\"CitationRef\"\u003e2024b\u003c/span\u003e). This dynamic demonstrates how ransomware acts as both a technical and psychological exploit, driving UITs into attacker-controlled problem\u0026ndash;solution cycles characteristic of RSE.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec13\" class=\"Section3\"\u003e\u003ch2\u003e4.1.4 Scareware Campaigns\u003c/h2\u003e\u003cp\u003eScareware represents a class of deceptive alerts or warnings that manipulate UITs into believing their systems are compromised. These fake notifications often include urgent prompts to contact fraudulent support services, effectively engineering victim-initiated contact. As documented in case-based studies, scareware bridges psychological manipulation (fear, urgency) with procedural exploitation (bypassing IT support), thus aligning closely with the RSE model (L. 
Edwards et al., \u003cspan citationid=\"CR25\" class=\"CitationRef\"\u003e2024c\u003c/span\u003e).\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec14\" class=\"Section3\"\u003e\u003ch2\u003e4.1.5 Misconfigured Access Controls\u003c/h2\u003e\u003cp\u003eWeak authentication mechanisms, default passwords, and poorly managed privileges remain recurring vulnerabilities exploited in UIT incidents. Organisational studies highlight that inadequate role-based access control not only increases attack surfaces but also creates conditions for insider misuse (Abdelsadeq et al., \u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e). In SE and RSE contexts, attackers can exploit these misconfigurations by persuading UITs to escalate privileges or share credentials, thereby magnifying insider risk.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec15\" class=\"Section3\"\u003e\u003ch2\u003e4.1.6 Detection System Gaps\u003c/h2\u003e\u003cp\u003eDespite advances in anomaly detection, many organisations still rely on outdated SIEM rules and limited signature-based defences. These detection gaps fail to capture the subtle precursors of UIT exploitation, such as unusual communication patterns or deviations from workflow (Claycomb et al., \u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Greitzer, 2019). Studies show that UIT-driven anomalies often blend with legitimate activity, making them hard to isolate without hybrid ML/DL-enhanced socio-technical systems. 
RSE in particular thrives in these detection blind spots, as it operates across behavioural and procedural layers not adequately monitored by existing tools.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec16\" class=\"Section2\"\u003e\u003ch2\u003e4.2 Human-Originated Vulnerabilities\u003c/h2\u003e\u003cp\u003eHuman-originated vulnerabilities capture the psychological and behavioural weaknesses that attackers systematically exploit, often magnified under stress, fatigue, or authority pressure. Unlike purely technical flaws, these vulnerabilities manifest in everyday organisational practices and interpersonal interactions, positioning unintentional insiders as particularly attractive conduits for manipulation. The literature consistently highlights that attackers exploit heuristics such as authority, reciprocity, urgency, and cognitive overload to engineer insider compliance (Canham et al., 2020). Such vulnerabilities not only enable phishing and other social engineering vectors but also underpin reverse social engineering, where the insider is persuaded to initiate contact.\u003c/p\u003e\u003cdiv id=\"Sec17\" class=\"Section3\"\u003e\u003ch2\u003e4.2.1 Authority and Impersonation\u003c/h2\u003e\u003cp\u003eAuthority is among the most potent levers of manipulation, with attackers often posing as IT support, auditors, or senior managers to gain compliance. Empirical evidence confirms that UITs are especially vulnerable when authority cues override normal security practices, leading to the disclosure of credentials or the circumvention of controls (Canham et al., \u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e2020a\u003c/span\u003e). 
RSE exploits this mechanism by manufacturing problems and presenting the attacker as an \u0026ldquo;expert,\u0026rdquo; encouraging insiders to seek their guidance and thereby granting deeper system access.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec18\" class=\"Section3\"\u003e\u003ch2\u003e4.2.2 Trust and Reciprocity\u003c/h2\u003e\u003cp\u003eTrust and reciprocity form the foundation of many workplace interactions, yet attackers weaponise these values to create false legitimacy. As Coffey (\u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e2018b\u003c/span\u003e) demonstrates, victims frequently initiate contact with attackers believing them to be trusted helpers or colleagues. The reciprocal obligation to return \u0026ldquo;assistance\u0026rdquo; fosters a sense of indebtedness, compelling UITs to share sensitive information or provide access. This vulnerability is central to RSE, where the insider becomes the driver of engagement under the illusion of mutual trust.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec19\" class=\"Section3\"\u003e\u003ch2\u003e4.2.3 Urgency, Stress, and Fear\u003c/h2\u003e\u003cp\u003eStress cues and manufactured urgency are widely reported as accelerants of insider error. Studies confirm that UITs under time pressure or fear of negative consequences are more likely to act hastily, bypassing verification steps or ignoring security policies (Abdelsadeq et al., \u003cspan citationid=\"CR3\" class=\"CitationRef\"\u003e2019b\u003c/span\u003e). Attackers craft urgent problem scenarios such as \u0026ldquo;system failure\u0026rdquo; or \u0026ldquo;account compromise\u0026rdquo; to trigger impulsive responses. 
In the RSE context, urgency not only increases the likelihood of victim compliance but also channels insiders toward the attacker as a seemingly immediate solution.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec20\" class=\"Section3\"\u003e\u003ch2\u003e4.2.4 Behavioural Fatigue and Cognitive Overload\u003c/h2\u003e\u003cp\u003eBehavioural fatigue and cognitive overload emerge when insiders face high workloads, multitasking, or distraction. Takabi et al. (\u003cspan citationid=\"CR101\" class=\"CitationRef\"\u003e2018\u003c/span\u003e) demonstrate that such conditions reduce vigilance and impair judgment, significantly increasing susceptibility to manipulation. In this state, UITs are less likely to scrutinise suspicious prompts, verify the legitimacy of requests, or follow formal reporting channels. RSE thrives in these contexts, exploiting insiders\u0026rsquo; need for quick resolutions by offering fraudulent \u0026ldquo;support\u0026rdquo; that appears to reduce their cognitive burden.\u003c/p\u003e\u003cp\u003e\u003cb\u003eTable II: Taxonomy of Vulnerabilities and SE/RSE Mechanisms\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Taba\" border=\"1\"\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eMain Category\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSubclass\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" 
colname=\"c3\"\u003e\u003cp\u003eDescription\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eExample\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003eRef\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTechnology-Based Vulnerabilities\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003ePhishing \u0026amp; Spear-Phishing\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eFraudulent messages designed to trick users into revealing sensitive data.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eMalicious link in corporate email directing user to attacker\u0026rsquo;s page.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; D. J. 
He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eMalware, Ransomware, Scareware\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eMalicious software creates fake problems, coercing users into seeking help.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eFake \u0026ldquo;antivirus alert\u0026rdquo; prompting user to call attacker.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eMisconfigured Access Controls\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eWeak authentication/privilege setups expose insider systems.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDefault admin credentials exploited by attacker.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Abdelsadeq et al., \u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDetection System Gaps\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eLegacy detection tools fail to capture insider-RSE anomalies.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eSIEM bypassed due to lack of behavioural 
analysis.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Greitzer, Strozer, Cohen, Moore, et al., \u003cspan citationid=\"CR45\" class=\"CitationRef\"\u003e2014a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eHuman-Originated Vulnerabilities\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAuthority \u0026amp; Impersonation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eAttackers exploit authority bias by posing as trusted figures.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eAttacker posing as IT support requesting login credentials.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Canham et al., \u003cspan citationid=\"CR16\" class=\"CitationRef\"\u003e2020b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTrust \u0026amp; Reciprocity\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eVictim initiates contact, believing attacker to be helpful.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eInsider calls fake helpdesk number advertised in pop-up.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Coffey, \u003cspan citationid=\"CR19\" class=\"CitationRef\"\u003e2018a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUrgency, Stress, Fear\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eEmotional manipulation forces quick, unthinking 
response.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eEmail warning of \u0026ldquo;account suspension\u0026rdquo; unless action taken.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Alohaly et al., \u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e2022\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCognitive Overload \u0026amp; Fatigue\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eWorkload stress reduces vigilance, heightening UIT risk.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eEmployee distracted during deadline falls for spear-phishing.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Takabi et al., \u003cspan citationid=\"CR101\" class=\"CitationRef\"\u003e2018\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eSocio-Technical / Procedural Vulnerabilities\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eBypassing Formal Support Channels\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eEmployees rely on informal help, bypassing secure IT protocols.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eInsider calls colleague instead of official helpdesk.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Green et al., 2023)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWeak Security Culture \u0026amp; Training Deficits\u003c/p\u003e\u003c/td\u003e\u003ctd 
align=\"left\" colname=\"c3\"\u003e\u003cp\u003eInconsistent awareness training fails to embed secure practices.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eEmployees click phishing emails despite annual awareness sessions.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Georgiadou et al., \u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2022a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eOrganisational Workflow Weaknesses\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ePolicy\u0026ndash;practice misalignments create exploitable vulnerabilities.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eRemote work policy lacking secure escalation processes.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Greitzer, Purl, et al., \u003cspan citationid=\"CR40\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThis taxonomy integrates technical, human, and socio-technical vulnerabilities, systematically captured from the 39 articles. Phishing and malware dominate the technology-based category, reinforcing the centrality of email and malware vectors. Human factors (authority, trust, urgency, and fatigue) emerge as critical enablers of UIT exploitation, reframing insiders from \u0026ldquo;careless actors\u0026rdquo; to targets of deliberate psychological manipulation. 
Finally, socio-technical weaknesses, such as bypassed support channels, poor security culture, and workflow gaps, remain underexplored yet highly relevant to reverse social engineering, where attackers manufacture problems and exploit organisational help-seeking behaviours. Collectively, the taxonomy establishes the foundation for the problem\u0026ndash;solution mapping (Table V), where each vulnerability is aligned with corresponding technical, socio-technical, and hybrid mitigation strategies.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec21\" class=\"Section2\"\u003e\u003ch2\u003e4.3 Socio-Technical / Procedural Vulnerabilities\u003c/h2\u003e\u003cp\u003eSocio-technical vulnerabilities emerge at the intersection of organisational workflows, security culture, and human behaviour. Unlike purely technical flaws or individual psychological weaknesses, these vulnerabilities are embedded in organisational norms and procedural gaps, making them particularly difficult to address with conventional controls. The literature underscores that insiders often bypass formal processes, rely on informal expertise, or operate within weak security cultures where policies are poorly enforced or inconsistently communicated (Greitzer, Purl, et al., \u003cspan citationid=\"CR40\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e). These weaknesses provide fertile ground for social engineering and reverse social engineering by enabling attackers to exploit the structural inefficiencies of organisations rather than relying solely on individual manipulation.\u003c/p\u003e\u003cdiv id=\"Sec22\" class=\"Section3\"\u003e\u003ch2\u003e4.3.1 Bypassing Formal Support Channels\u003c/h2\u003e\u003cp\u003eOne of the most persistent vulnerabilities involves employees seeking assistance from informal colleagues or \u0026ldquo;local experts\u0026rdquo; rather than secure IT helpdesks. 
(Green \u0026amp; Dozier, \u003cspan citationid=\"CR30\" class=\"CitationRef\"\u003e2023a\u003c/span\u003e, \u003cspan citationid=\"CR31\" class=\"CitationRef\"\u003e2023b\u003c/span\u003e, \u003cspan citationid=\"CR32\" class=\"CitationRef\"\u003e2023c\u003c/span\u003e; Kasowaki \u0026amp; Yusef, \u003cspan citationid=\"CR66\" class=\"CitationRef\"\u003e2023\u003c/span\u003e; Qashqari et al., \u003cspan citationid=\"CR82\" class=\"CitationRef\"\u003e2020\u003c/span\u003e; Zangana et al., \u003cspan citationid=\"CR106\" class=\"CitationRef\"\u003e2025\u003c/span\u003e) highlight how such practices create shadow channels of problem resolution, which attackers can infiltrate by presenting themselves as helpful peers. In RSE scenarios, this bypass becomes a critical exploit path: victims, misdirected by urgency or trust, reach out to the attacker instead of the designated support infrastructure, granting attackers privileged access.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec23\" class=\"Section3\"\u003e\u003ch2\u003e4.3.2 Weak Security Culture and Training Deficits\u003c/h2\u003e\u003cp\u003eA weak security culture compounds the risks of UIT exploitation, with organisations frequently treating training as a compliance checkbox rather than embedding security awareness into daily practices. (Georgiadou et al., \u003cspan citationid=\"CR29\" class=\"CitationRef\"\u003e2022b\u003c/span\u003e) demonstrate that overreliance on one-off training leaves employees ill-prepared to detect novel or sophisticated social engineering attempts. In such contexts, UITs fail to apply learned protocols when under pressure, thereby increasing their susceptibility to SE and RSE. Attackers exploit this gap by crafting scenarios that appear routine, knowing employees lack the adaptive knowledge to challenge them.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec24\" class=\"Section3\"\u003e\u003ch2\u003e4.3.3. 
Organisational Workflow Weaknesses\u003c/h2\u003e\u003cp\u003eOrganisational workflows often present exploitable misalignments between technical controls and user behaviour. (Greitzer, Purl, et al., \u003cspan citationid=\"CR41\" class=\"CitationRef\"\u003e2019b\u003c/span\u003e) show that policies, although formally established, are not consistently enforced or are circumvented when they slow down productivity. This disconnect creates openings for attackers to manipulate UITs into taking shortcuts such as transferring files outside authorised repositories or sharing credentials to expedite tasks. In RSE, attackers amplify these workflow weaknesses by creating fabricated technical problems that appear solvable only through policy deviation, thereby turning procedural flexibility into a vulnerability.\u003c/p\u003e\u003c/div\u003e\u003c/div\u003e\u003cdiv id=\"Sec25\" class=\"Section2\"\u003e\u003ch2\u003e4.4. Reverse Social Engineering Phases, Vulnerabilities, and Insider Manipulation\u003c/h2\u003e\u003cp\u003eReverse Social Engineering represents a critical but underexplored dimension of insider-enabled social engineering, characterised by the attacker manufacturing a problem, advertising themselves as the solution, and ultimately eliciting contact from the victim. While this three-phase model has been documented in external attacker scenarios, its implications for insider threats are far more severe. Unlike external attackers, who must first establish credibility, malicious insiders benefit from pre-existing organisational trust, knowledge of workflows, and access to communication channels. 
This positional advantage enables them to stage highly plausible \u0026ldquo;sabotages,\u0026rdquo; leverage informal trust networks, and exploit unintentional insiders into initiating contact (Bishnoi et al., \u003cspan citationid=\"CR13\" class=\"CitationRef\"\u003e2023b\u003c/span\u003e; Irani et al., \u003cspan citationid=\"CR59\" class=\"CitationRef\"\u003e2011\u003c/span\u003e).\u003c/p\u003e\u003cp\u003e\u003cb\u003eTable III. Core Dimensions of Reverse Social Engineering and Insider Manipulation\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabb\" border=\"1\"\u003e\u003ccolgroup cols=\"3\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAspect\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eKey Insights\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eImplications for Malicious Insider Exploitation\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCore phases of RSE (sabotage, advertising assistance)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAttackers manufacture problems, present themselves as a solution, and receive insider-initiated contact.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eMalicious insiders can stage believable \u0026ldquo;sabotages\u0026rdquo; (e.g., blocking a workflow), then present themselves as informal support, bypassing official helpdesk.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd 
align=\"left\" colname=\"c1\"\u003e\u003cp\u003ePsychological principles\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAuthority, reciprocity, urgency, stress, and trust.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eInsiders exploit existing hierarchies (manager, IT staff) to appear legitimate; stress and urgency lower vigilance among colleagues.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAttack vectors\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003ePhishing emails, fake technical support, ransomware alerts, scareware prompts.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eMalicious insiders enhance these by tailoring to local systems, workflows, and peer relationships, making attacks harder to distinguish from genuine problems.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCountermeasures\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTechnical: anomaly detection, MFA, firewalls. Organisational: policies, incident response. 
Human: awareness and training.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eGaps persist in correlating technical anomalies with socio-technical behaviours; malicious insiders often evade detection by blending into organisational norms.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eResearch gaps\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eRSE remains under-theorised; lack of empirical case studies; absence of hybrid socio-technical detection models.\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eCalls for ML/DL-driven socio-technical frameworks that integrate technical, behavioural, and procedural signals to detect insider-induced RSE.\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eTable III highlights core dimensions of how malicious insiders take advantage of the socio-technical environment to manipulate UITs into becoming conduits of exploitation. In the sabotage phase, an insider may deliberately misconfigure access controls or simulate a system error, exploiting procedural gaps they know will trigger reliance on informal support. During the advertising phase, the insider positions themselves as a \u0026ldquo;trusted helper,\u0026rdquo; often leveraging authority or reciprocity cues to reinforce legitimacy. In the assistance phase, the UIT initiates contact, unknowingly validating the attacker\u0026rsquo;s credibility and providing access that would otherwise be scrutinised if requested by an external actor. This dynamic demonstrates that UITs cannot be dismissed as passive actors or \u0026ldquo;human errors.\u0026rdquo; Instead, they function as critical enablers of insider-led RSE, where manipulation is embedded within everyday organisational processes. 
Recognising this shift reframes UITs as socio-technical vulnerabilities and underscores the urgent need for integrated detection models capable of correlating behavioural, procedural, and technical indicators.\u003c/p\u003e\u003cp\u003e\u003c/p\u003e\u003cp\u003eFigure \u003cspan refid=\"Fig7\" class=\"InternalRef\"\u003e7\u003c/span\u003e illustrates the dual pathways of reverse social engineering, contrasting external attackers, who must manufacture trust through fake authority and common vectors such as phishing and scareware, with malicious insiders, who exploit pre-existing organisational trust and workflows. Both follow the sabotage\u0026ndash;advertising\u0026ndash;assistance cycle, yet while external actors rely on fabricated system errors and fraudulent support channels, insiders can subtly misconfigure processes, pose as trusted colleagues, and leverage established socio-technical dependencies. This distinction highlights the novelty of our contribution: reframing unintentional insiders not as passive victims of generic \u0026ldquo;human error,\u0026rdquo; but as active conduits of manipulation uniquely vulnerable to insider-driven RSE. By mapping both external and insider scenarios in a single framework, the study advances conceptual clarity and provides a foundation for hybrid socio-technical defences tailored to the neglected problem of insider-based RSE.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec26\" class=\"Section2\"\u003e\u003ch2\u003e4.5. Comparison of Vulnerabilities\u003c/h2\u003e\u003cp\u003eThe literature highlights that vulnerabilities underpinning unintentional insider threats (UITs) manifest differently across psychological, organisational, and socio-technical domains. 
A comparative perspective (Table IV) shows that while psychological vulnerabilities primarily exploit cognitive and emotional weaknesses, organisational vulnerabilities stem from cultural and procedural deficiencies, and socio-technical vulnerabilities emerge at the human\u0026ndash;technology interface. Importantly, reverse social engineering exploits all three domains simultaneously: psychological triggers (e.g., stress, trust, authority), organisational weaknesses (e.g., weak reporting structures, informal support networks), and socio-technical lapses (e.g., procedural bypasses, anomalous workflow behaviours). This comparison underscores the need for hybrid detection and mitigation approaches that integrate behavioural and technical perspectives.\u003c/p\u003e\u003cp\u003e\u003cb\u003eTable IV: Comparison of Vulnerabilities Across Domains\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabc\" border=\"1\"\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eDomain\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eKey Vulnerabilities\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eManifestation in SE/RSE\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eMitigation Orientation\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003ePsychological\u003c/p\u003e\u003c/td\u003e\u003ctd 
align=\"left\" colname=\"c2\"\u003e\u003cp\u003eStress, cognitive overload, trust bias, urgency, authority pressure\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eUsers comply with fraudulent requests; initiate contact under stress or when \u0026ldquo;help\u0026rdquo; is offered\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eBehavioural training, stress-aware workload design\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eOrganisational\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWeak policies, reliance on informal \u0026ldquo;experts,\u0026rdquo; inadequate training, poor incident reporting\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eInsiders bypass helpdesk; contact malicious \u0026ldquo;expert\u0026rdquo;; lack of escalation structures\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eOrganisational culture reform, adaptive policies\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eSocio-Technical\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWorkflow bypasses, poor usability, lack of monitoring, weak integration between human and technical controls\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eVictims deviate from secure workflows (e.g., shortcut access), leading to exploitable patterns\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eHybrid socio-technical frameworks with ML/DL analytics\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eTable V. 
Problem\u0026ndash;Solution Mapping: Vulnerabilities \u0026rarr; Mitigation Strategies\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabd\" border=\"1\"\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eVulnerability Subclass\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTechnical Mitigations\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eSocio-Technical Mitigations\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eHybrid / AI-ML Mitigations\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003eSupporting References\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003ePhishing \u0026amp; Spear-Phishing\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAdvanced email gateways, DMARC/DKIM/SPF, URL detonation sandboxes\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eRole-specific training, simulated phishing, just-in-time warnings, clear escalation paths\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eLSTM/Bi-LSTM/XGBoost email classifiers; behavioural baselining for click anomalies\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c5\"\u003e\u003cp\u003e(Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003ea; Syafitri et al., \u003cspan citationid=\"CR99\" class=\"CitationRef\"\u003e2022a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eMalware / Ransomware / Scareware\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEDR/NGAV, app whitelisting, macro restrictions, network segmentation, backup/restore drills\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eAnti-scareware awareness, \u0026ldquo;call IT not a number\u0026rdquo; policy, incident playbooks\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDL-based malware traffic analysis; cross-signal fusion (host\u0026thinsp;+\u0026thinsp;comms cues)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Coffey, \u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e2018b\u003c/span\u003e; Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eMisconfigured Access Controls\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eMFA, least-privilege, just-in-time access, PAM/secret vaults, automatic misconfig scans\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eJoiner-mover-leaver governance, peer reviews for privilege changes\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eRisk-adaptive access using ML risk scores; anomaly detection on access graphs\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c5\"\u003e\u003cp\u003e(Bolukonda et al., \u003cspan citationid=\"CR14\" class=\"CitationRef\"\u003e2024\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eDetection System Gaps\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eModern SIEM with UEBA, log normalization, high-fidelity alerting\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eSOC runbooks linking human cues to alerts; red/blue exercises\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eUEBA with sequence models; attention over multi-stream telemetry (email, auth, DLP)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Greitzer et al., \u003cspan citationid=\"CR39\" class=\"CitationRef\"\u003e2021c\u003c/span\u003e) (Rajchel et al., \u003cspan citationid=\"CR84\" class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eAuthority \u0026amp; Impersonation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCaller ID verification, helpdesk ticket binding, identity proofing for support\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eAnti-authority bias training; mandatory ticket-first policy; \u0026ldquo;no creds over chat/call\u0026rdquo;\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNLP on help interactions to detect power-cue pressure; graph deviations in contact patterns\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003eAnalyzing the Human Element; (Sharma et al., \u003cspan citationid=\"CR94\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; Xiangyu et al., \u003cspan citationid=\"CR105\" 
class=\"CitationRef\"\u003e2017\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrust \u0026amp; Reciprocity\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eVerified support channels; signed admin tools; block sideloading\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026ldquo;Trusted helper\u0026rdquo; registry; mentorship with security guardrails; public key verification norms\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eSocial graph anomaly detection; RSE-indicator scoring (victim-initiated contact)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Khadka \u0026amp; Ullah, \u003cspan citationid=\"CR67\" class=\"CitationRef\"\u003e2025\u003c/span\u003e; Sillanp\u0026auml;\u0026auml; \u0026amp; Hautam\u0026auml;ki, \u003cspan citationid=\"CR95\" class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eUrgency, Stress, Fear\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eRate-limit risky actions; step-up auth under pressure contexts\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eMicro-learning on urgency cues; workload management to reduce fatigue\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eSentiment/tonality analysis in tickets; stress-signal fusion with action anomalies\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Schoenherr \u0026amp; Thomson, \u003cspan citationid=\"CR93\" class=\"CitationRef\"\u003e2021\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCognitive Overload \u0026amp; 
Fatigue\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSession timeouts, friction for high-risk actions, safe defaults\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eUsability-first security; spaced training; fatigue-aware scheduling\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003ePassive workload inference; policy adaptation via ML fatigue predictors\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Green et al., 2023; Takabi et al., \u003cspan citationid=\"CR101\" class=\"CitationRef\"\u003e2018\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eBypassing Formal Support Channels\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eForced routing to official helpdesk (SSO), shadow-IT detection, chat monitoring for \u0026ldquo;help\u0026rdquo; keywords\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026ldquo;No side-channel support\u0026rdquo; policy; social norms for escalation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eOrg-network analytics to flag unusual helper hubs; ticket-to-action correlation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Green et al., 2023)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eWeak Security Culture \u0026amp; Training Deficits\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTraining LMS integration with controls; policy-as-code enforcement\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eContinuous, role-tailored simulations; leadership modelling; security champions\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c4\"\u003e\u003cp\u003eAdaptive training based on risk profiles; RL-driven simulation curricula\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Birthriya et al., \u003cspan citationid=\"CR11\" class=\"CitationRef\"\u003e2025\u003c/span\u003e; Syafitri et al., \u003cspan citationid=\"CR99\" class=\"CitationRef\"\u003e2022a\u003c/span\u003e, \u003cspan citationid=\"CR100\" class=\"CitationRef\"\u003eb\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eOrganisational Workflow Weaknesses\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWorkflow enforcement in IAM/ITSM; DLP on sensitive processes\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eProcess mapping with security checkpoints; \u0026ldquo;two-person rule\u0026rdquo; for high-risk steps\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eProcess-mining\u0026thinsp;+\u0026thinsp;ML to detect deviations; sequence-anomaly detectors for RSE\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThe mapping shows that single-layer controls (purely technical or purely awareness-based) are insufficient for insider-enabled social engineering, especially reverse social engineering. The most effective responses are hybrid: correlate technical anomalies (e.g., odd privilege jumps, unusual data access) with behavioural and procedural cues (e.g., victim-initiated contact, urgency-laden communications, bypassed helpdesk). 
This aligns with the double-layer detection evidence (He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003ea) and with DL-based fusion models that outperform single-stream baselines (Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e).\u003c/p\u003e\u003c/div\u003e"},{"header":"5. Results of Review","content":"\u003cp\u003eThe systematic review of 39 empirical and conceptual studies reveals that unintentional insider threats are not isolated lapses of human error, but structured vulnerabilities that attackers exploit through social engineering and reverse social engineering. The findings consolidate technical, human-originated, and socio-technical vulnerabilities into an interdependent taxonomy (Table VI), demonstrating how each domain creates opportunities for adversaries to bypass technical defences and manipulate insiders into becoming conduits of exploitation.\u003c/p\u003e\u003cdiv id=\"Sec28\" class=\"Section2\"\u003e\u003ch2\u003e5.1 Technical Vulnerabilities and Exploitation Pathways\u003c/h2\u003e\u003cp\u003eTechnical weaknesses remain a dominant focus in the reviewed literature, particularly in studies on phishing, spear-phishing, malware, and ransomware. Phishing is consistently identified as the most prevalent SE vector, accounting for the majority of UIT exploitation cases (He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003eb; Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e). Fake login portals, malicious links, and scareware alerts deceive users into disclosing credentials or initiating communication with attackers. 
Ransomware and scareware exemplify how adversaries create artificial system \u0026ldquo;failures\u0026rdquo; to trigger panic and induce UITs to seek \u0026ldquo;assistance\u0026rdquo; from the attacker (Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e). Beyond direct attack vectors, structural flaws such as misconfigured access controls (Abdelsadeq et al., \u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e) and outdated anomaly detection systems (Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e) exacerbate risks by enabling UITs to unwittingly overstep privileges or ignore subtle anomalies. The convergence of these flaws with human behaviour highlights that technical vulnerabilities alone cannot explain the scale of UIT exploitation; rather, they are catalysed by psychological manipulation and procedural gaps.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec29\" class=\"Section2\"\u003e\u003ch2\u003e5.2 Human-Originated Vulnerabilities and Psychological Manipulation\u003c/h2\u003e\u003cp\u003eThe literature further demonstrates that attackers consistently exploit psychological principles such as authority, trust, reciprocity, urgency, and fear to manipulate UITs. Canham et al. (\u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e2020a\u003c/span\u003e) emphasise that impersonation of authority figures (e.g., IT support, managers) remains one of the most effective SE tactics, especially when victims are under stress. Coffey (\u003cspan citationid=\"CR21\" class=\"CitationRef\"\u003e2018c\u003c/span\u003e) highlights how trust-based reciprocity and time pressure cause insiders to initiate contact with attackers, effectively reversing the expected flow of intrusion. 
Fatigue, cognitive overload, and stress emerge as persistent human vulnerabilities that diminish employees\u0026rsquo; vigilance in high-pressure environments (Takabi et al., \u003cspan citationid=\"CR101\" class=\"CitationRef\"\u003e2018\u003c/span\u003e). While these are well documented in relation to phishing, the review identifies a notable absence of empirical studies explicitly linking such vulnerabilities to RSE. Yet the described behavioural precursors (bypassing official help channels, relying on informal \u0026ldquo;experts,\u0026rdquo; or responding hastily to manufactured crises) strongly align with RSE conditions.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec30\" class=\"Section2\"\u003e\u003ch2\u003e5.3 Socio-Technical and Procedural Vulnerabilities\u003c/h2\u003e\u003cp\u003eThe third category of vulnerabilities arises from socio-technical interactions and organisational workflows. The Human Factor in Cybersecurity (Zangana et al., \u003cspan citationid=\"CR106\" class=\"CitationRef\"\u003e2025\u003c/span\u003e) shows how employees frequently bypass secure helpdesks to rely on informal colleagues, creating shadow support channels easily exploited in RSE attacks. Similarly, Georgiadou et al. (\u003cspan citationid=\"CR28\" class=\"CitationRef\"\u003e2022a\u003c/span\u003e) document weak security cultures where training is treated as a one-off exercise, leaving UITs ill-prepared to adapt to novel attack tactics.\u003c/p\u003e\u003cp\u003eWorkflow misalignments between policy and practice also feature prominently. 
(Claycomb et al., \u003cspan citationid=\"CR18\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Greitzer, \u003cspan citationid=\"CR35\" class=\"CitationRef\"\u003e2019b\u003c/span\u003e; Greitzer et al., \u003cspan citationid=\"CR37\" class=\"CitationRef\"\u003e2021a\u003c/span\u003e; Greitzer, Lee, et al., \u003cspan citationid=\"CR36\" class=\"CitationRef\"\u003e2019\u003c/span\u003e; Greitzer, Purl, et al., \u003cspan citationid=\"CR40\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e) illustrate how security policies are often circumvented when they obstruct productivity, enabling attackers to craft scenarios that appear to require procedural shortcuts. These socio-technical weaknesses are particularly relevant to RSE, where attackers create artificial problems that exploit both organisational inefficiencies and the human inclination to seek immediate solutions.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec31\" class=\"Section2\"\u003e\u003ch2\u003e5.4 Cross-Domain Vulnerability Patterns\u003c/h2\u003e\u003cp\u003eTaken together, the review shows that SE and RSE attacks rarely exploit one domain in isolation. Instead, effective attacks weave together technical entry points (phishing links, malware), human vulnerabilities (authority, stress, reciprocity), and socio-technical weaknesses (bypassed workflows, informal channels). The result is a multi-dimensional exploitation pathway in which UITs are repositioned from passive victims to active conduits of SE attacks.\u003c/p\u003e\u003cp\u003eThis layered interaction highlights two critical research gaps. First, while phishing has been heavily studied, no empirical model systematically examines how UIT vulnerabilities converge in RSE contexts. 
Second, mitigation remains fragmented, with most studies advocating either technical anomaly detection or human-centric awareness programs, but rarely integrating the two into socio-technical defence models.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec32\" class=\"Section2\"\u003e\u003ch2\u003e5.5 Towards Problem\u0026ndash;Solution Mapping\u003c/h2\u003e\u003cp\u003eTo address these limitations, the vulnerabilities identified in this review are mapped to their corresponding mitigation approaches (Table VIII). Technical defences (e.g., anomaly detection, access control) target sabotage vectors, while socio-technical strategies (e.g., workflow monitoring, adaptive training) address organisational weaknesses. Hybrid solutions, particularly AI/ML-driven anomaly detection integrated with behavioural analytics, emerge as the most promising avenue for detecting and preventing RSE-based insider exploitation. By aligning the taxonomy of vulnerabilities (Table\u0026nbsp;\u003cspan refid=\"Tab1\" class=\"InternalRef\"\u003e1\u003c/span\u003e) with targeted mitigation strategies (Table\u0026nbsp;2), this study provides a coherent problem\u0026ndash;solution map that goes beyond fragmented measures, offering a structured foundation for developing hybrid socio-technical frameworks.\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"Yes\" id=\"Tab2\" border=\"1\"\u003e\u003ccaption language=\"En\"\u003e\u003cdiv class=\"CaptionNumber\"\u003eTable VI\u003c/div\u003e\u003cdiv class=\"CaptionContent\"\u003e\u003cp\u003eTaxonomy of Vulnerabilities and SE/RSE Mechanisms\u003c/p\u003e\u003c/div\u003e\u003c/caption\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" 
colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eDomain\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSubclass / Mechanism\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eExample Manifestations\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eRelevance to UIT/RSE\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003eRef\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003ePsychological\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAuthority Exploitation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eImpersonation of IT/admin staff\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eIncreases trust, induces UIT compliance\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Green et al., 2023); (Schoenherr \u0026amp; Thomson, \u003cspan citationid=\"CR93\" class=\"CitationRef\"\u003e2021\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eReciprocity/Trust\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eHelping culture exploited\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eEncourages victim-initiated contact\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Sillanp\u0026auml;\u0026auml; \u0026amp; Hautam\u0026auml;ki, \u003cspan citationid=\"CR95\" 
class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eUrgency/Fear\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eFake alerts, pressure emails\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDrives fast, uncritical responses\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Hussain et al., \u003cspan citationid=\"CR57\" class=\"CitationRef\"\u003e2024b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eOrganisational\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWeak Helpdesk Channels\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eVictims bypass official support\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eEnables attacker \u0026ldquo;helpers\u0026rdquo;\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Bedford \u0026amp; van der Laan, \u003cspan citationid=\"CR10\" class=\"CitationRef\"\u003e2021\u003c/span\u003e; Osterritter \u0026amp; Carley, \u003cspan citationid=\"CR78\" class=\"CitationRef\"\u003e2021\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSecurity Culture Deficit\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eTraining gaps, policy blind spots\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eUITs unaware of manipulative cues\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c5\"\u003e\u003cp\u003e(MacAk et al., \u003cspan citationid=\"CR71\" class=\"CitationRef\"\u003e2020\u003c/span\u003e; Syafitri et al., \u003cspan citationid=\"CR99\" class=\"CitationRef\"\u003e2022a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWorkflow Weakness\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eShadow IT, shortcutting policies\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNormalises unsafe practices\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eSocio-Technical\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eMisconfigured Access Controls\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eOver-privileged accounts\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eUIT becomes an unintentional access broker\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Abdelsadeq et al., \u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDetection Gaps\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eLack of anomaly baselining\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eRSE precursors missed\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" 
colname=\"c5\"\u003e\u003cp\u003e(Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e; Rajchel et al., \u003cspan citationid=\"CR84\" class=\"CitationRef\"\u003e2020\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u0026nbsp;\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCognitive Overload/Fatigue\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eHigh workload \u0026rarr; errors\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eAttackers exploit lowered vigilance\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Alohaly et al., \u003cspan citationid=\"CR7\" class=\"CitationRef\"\u003e2022\u003c/span\u003e; Takabi et al., \u003cspan citationid=\"CR101\" class=\"CitationRef\"\u003e2018\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eTable VII. 
Problem\u0026ndash;Solution Mapping of Vulnerabilities to Mitigations\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabe\" border=\"1\"\u003e\u003ccolgroup cols=\"4\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eVulnerability\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eTechnical Mitigations\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eSocio-Technical Mitigations\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eHybrid / AI-ML Mitigations\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003ePhishing \u0026amp; RSE Emails\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eAdvanced filters, sandboxing\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eTargeted awareness, escalation policies\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eBiLSTM/Transformer classifiers; anomaly fusion\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eFake Technical Support\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eCaller ID/auth binding, PAM\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eTicket-first workflow; anti-authority 
training\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eNLP sentiment models for pressure cues\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eWorkflow Bypasses\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eDLP, process automation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003e\u0026ldquo;Two-person\u0026rdquo; approvals; shadow IT mapping\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eProcess mining\u0026thinsp;+\u0026thinsp;ML deviation detection\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eCognitive Fatigue\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSafe defaults, session limits\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eFatigue-aware scheduling; micro-learning\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eML workload inference; adaptive detection\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eTrust Exploitation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eVerified helper registry\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eCulture of secure mentoring\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eSocial graph analytics for helper anomalies\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003e\u003cb\u003eTable VIII. 
Mapping ML/DL Mitigation Techniques to Signals, Datasets, and Outcomes\u003c/b\u003e\u003c/p\u003e\u003cp\u003e\u003cdiv class=\"gridtable\"\u003e\u003ctable float=\"No\" id=\"Tabf\" border=\"1\"\u003e\u003ccolgroup cols=\"5\"\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c1\" colnum=\"1\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c2\" colnum=\"2\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c3\" colnum=\"3\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c4\" colnum=\"4\"\u003e\u003c/div\u003e\u003cdiv align=\"left\" class=\"colspec\" colname=\"c5\" colnum=\"5\"\u003e\u003c/div\u003e\u003cthead\u003e\u003ctr\u003e\u003cth align=\"left\" colname=\"c1\"\u003e\u003cp\u003eML/DL Technique\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSignal Type\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c3\"\u003e\u003cp\u003eDatasets Referenced\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c4\"\u003e\u003cp\u003eApplication\u003c/p\u003e\u003c/th\u003e\u003cth align=\"left\" colname=\"c5\"\u003e\u003cp\u003eSupporting Paper\u003c/p\u003e\u003c/th\u003e\u003c/tr\u003e\u003c/thead\u003e\u003ctbody\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eBiLSTM\u0026thinsp;+\u0026thinsp;Attention\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eSequential behaviour logs\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eCERT Insider Threat, synthetic logs\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDetect RSE-influenced anomalies\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003ea)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" 
colname=\"c1\"\u003e\u003cp\u003eAutoencoders\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eLogins, data access sequences\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eCERT, enterprise traces\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eBaseline reconstruction, anomaly detection\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Zewdie et al., \u003cspan citationid=\"CR108\" class=\"CitationRef\"\u003e2024a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eNLP Transformers\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eEmails, chat, tickets\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003ePhishing corpora, helpdesk datasets\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDetect manipulation, urgency/fear\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Henge et al., \u003cspan citationid=\"CR54\" class=\"CitationRef\"\u003e2023\u003c/span\u003e; Sharma et al., \u003cspan citationid=\"CR94\" class=\"CitationRef\"\u003e2024\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eProcess Mining\u0026thinsp;+\u0026thinsp;ML\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eWorkflow deviations\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eITSM/HR logs\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eDetect bypass of formal channels\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Greitzer et al., \u003cspan citationid=\"CR39\" 
class=\"CitationRef\"\u003e2021c\u003c/span\u003e; Greitzer, et al., \u003cspan citationid=\"CR43\" class=\"CitationRef\"\u003e2014b\u003c/span\u003e; Greitzer, et al., \u003cspan citationid=\"CR42\" class=\"CitationRef\"\u003e2014a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003ctr\u003e\u003ctd align=\"left\" colname=\"c1\"\u003e\u003cp\u003eHybrid UEBA (ML\u0026thinsp;+\u0026thinsp;DL)\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c2\"\u003e\u003cp\u003eMulti-modal fusion\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c3\"\u003e\u003cp\u003eCERT\u0026thinsp;+\u0026thinsp;org data\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c4\"\u003e\u003cp\u003eCross-layer anomaly correlation\u003c/p\u003e\u003c/td\u003e\u003ctd align=\"left\" colname=\"c5\"\u003e\u003cp\u003e(Abdelsadeq et al., \u003cspan citationid=\"CR2\" class=\"CitationRef\"\u003e2019a\u003c/span\u003e)\u003c/p\u003e\u003c/td\u003e\u003c/tr\u003e\u003c/tbody\u003e\u003c/colgroup\u003e\u003c/table\u003e\u003c/div\u003e\u003c/p\u003e\u003cp\u003eThe thematic synthesis of the 39 reviewed papers highlights that reverse social engineering is uniquely positioned at the intersection of psychological manipulation, organisational weaknesses, and socio-technical system gaps. Existing mitigation strategies are fragmented, often siloed as either technical (e.g., filters, anomaly detection) or socio-technical (e.g., training, policies). The evidence supports a shift toward hybrid approaches, where technical anomalies (privilege abuse, unusual access) are correlated with behavioural cues (victim-initiated contact, urgency in communications) and procedural deviations (bypassing helpdesks). Machine and deep learning models are consistently identified as enablers of such hybrid detection, offering the capacity to integrate signals across modalities (emails, workflows, psychometric cues). 
However, few studies explicitly operationalise this integration for reverse social engineering. This review thus contributes a structured taxonomy, a problem\u0026ndash;solution map, and a socio-technical detection framework, together forming the first comprehensive model of RSE-based insider exploitation.\u003c/p\u003e\u003cp\u003eFindings demonstrate that authority cues, urgency, trust reciprocity, and fatigue are systematically exploited in SE scenarios (Canham et al., \u003cspan citationid=\"CR15\" class=\"CitationRef\"\u003e2020a\u003c/span\u003e; Coffey, \u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e2018b\u003c/span\u003e). Organisational patterns, including bypassing helpdesks and reliance on informal experts, amplify these vulnerabilities (Rahman et al., \u003cspan citationid=\"CR83\" class=\"CitationRef\"\u003e2024\u003c/span\u003e; Zangana et al., \u003cspan citationid=\"CR106\" class=\"CitationRef\"\u003e2025\u003c/span\u003e). While these mechanisms align strongly with RSE conditions, no study has explicitly modelled UIT behaviour under attacker-induced problem scenarios. Implication: Future research must model UIT susceptibility empirically, capturing how psychological stress and organisational dependencies translate into RSE exploitation pathways.\u003c/p\u003e\u003c/div\u003e\u003cdiv id=\"Sec33\" class=\"Section2\"\u003e\u003ch2\u003e6.1. Discussion and Key Findings\u003c/h2\u003e\u003cp\u003eThis systematic review analysed 39 peer-reviewed studies to investigate the role of unintentional insider threats (UITs) in social engineering, with particular focus on the neglected dimension of reverse social engineering. 
The findings are organised around four guiding research questions (RQs), with insights aligned to the proposed taxonomy (Table \u003cspan refid=\"Tab2\" class=\"InternalRef\"\u003eVI\u003c/span\u003e), problem\u0026ndash;solution map (Table VII), and mitigation socio-technical framework (Fig.\u0026nbsp;\u003cspan refid=\"Fig8\" class=\"InternalRef\"\u003e8\u003c/span\u003e, Table VIII).\u003c/p\u003e\u003cp\u003e\u003cb\u003eRQ1\u003c/b\u003e: What conceptualisations of UITs exist in the literature, and how are they linked to social engineering? The literature consistently recognises UITs as critical enablers of cyber incidents but continues to frame them predominantly as negligence, error, or carelessness (Greitzer et al., \u003cspan citationid=\"CR37\" class=\"CitationRef\"\u003e2021a\u003c/span\u003e; Greitzer, et al., \u003cspan citationid=\"CR44\" class=\"CitationRef\"\u003e2014c\u003c/span\u003e; Greitzer, et al., \u003cspan citationid=\"CR42\" class=\"CitationRef\"\u003e2014a\u003c/span\u003e; Kotkova \u0026amp; Hromada, \u003cspan citationid=\"CR69\" class=\"CitationRef\"\u003e2021\u003c/span\u003e). While phishing is the most extensively documented attack vector (He et al., \u003cspan citationid=\"CR49\" class=\"CitationRef\"\u003e2022\u003c/span\u003ea; Salahdine \u0026amp; Kaabouch, \u003cspan citationid=\"CR88\" class=\"CitationRef\"\u003e2019\u003c/span\u003e), studies rarely conceptualise UITs as active conduits of manipulation. A notable blind spot is RSE, where attackers create artificial problems and induce victims to initiate contact, a dynamic only implicitly described in organisational bypass or help-seeking behaviours (Coffey, \u003cspan citationid=\"CR20\" class=\"CitationRef\"\u003e2018b\u003c/span\u003e; Rahman et al., \u003cspan citationid=\"CR83\" class=\"CitationRef\"\u003e2024\u003c/span\u003e). 
This highlights a conceptual gap: UITs must be reconceptualised not as passive actors but as manipulated vectors of SE/RSE exploitation.

RQ2: What behavioural mechanisms and vulnerabilities make UITs effective conduits for insider social engineering attacks? Across psychological, human, and organisational domains, several recurrent vulnerabilities emerge. These include authority and impersonation tactics, trust and reciprocity cues, and stress-induced urgency (Canham et al., 2020a). Additionally, behavioural fatigue and cognitive overload under heavy workloads amplify susceptibility (Alohaly et al., 2022; Takabi et al., 2018). At the socio-technical level, reliance on informal experts, weak security cultures, and procedural misalignments expose UITs to exploitation (Greitzer et al., 2019b; Greitzer et al., 2014a). Collectively, these vulnerabilities map onto the axes of our taxonomy (Table 1), which classifies UIT exposure across psychological principles, communication channels, attacker objectives, and RSE indicators.

RQ3: What mitigation strategies and defensive models have been proposed to address UITs induced by social engineering?
Existing strategies cluster into three domains:

- Technical measures: anomaly detection, malware filtering, access control (Abdelsadeq et al., 2019a; Greitzer et al., 2021a; Greitzer et al., 2014a).
- Human-centric measures: awareness training, phishing simulations, and stress-management interventions (Canham et al., 2020a).
- Socio-technical measures: embedding security into workflows, policy enforcement, and organisational culture (Rahman et al., 2024).

While these approaches demonstrate value, they remain fragmented and siloed. None of the reviewed studies propose hybrid socio-technical detection models that correlate weak technical signals with human or organisational anomalies. To bridge this, our problem–solution map (Table VII) links vulnerabilities directly to layered mitigation strategies, and our framework (Fig. 8) demonstrates how multi-layered correlation increases detection fidelity.

RQ4: What research gaps and future directions emerge for advancing detection and mitigation of UITs in the context of social engineering?

Three core gaps persist.
First, a conceptual gap: UITs continue to be framed narrowly as human error, overlooking their role as manipulated conduits of SE/RSE. Second, a mitigation gap: technical tools remain disconnected from socio-technical processes. Third, an empirical gap: few studies simulate real-world RSE dynamics, where attackers manufacture problems and victims initiate contact. To close these gaps, future research should (i) reconceptualise UITs as central enablers of SE/RSE, (ii) conduct empirical case studies modelling RSE (problem–solution–assistance cycles), (iii) design hybrid ML/DL detection systems integrating anomaly detection, sentiment and psychometric analysis, and workflow monitoring, and (iv) operationalise adaptive organisational tools such as dynamic helpdesk protocols and human vulnerability exposure databases. Looking forward, four priorities are identified: reconceptualising unintentional insiders as conduits of social engineering, developing empirical case studies to operationalise reverse social engineering, advancing hybrid socio-technical detection systems that integrate machine and deep learning with behavioural analytics, and translating these insights into adaptive organisational tools. By bridging technical, behavioural, and organisational perspectives, the study shifts the discourse from viewing unintentional insiders as peripheral actors to recognising them as critical enablers of social engineering and provides a pathway toward integrated socio-technical mitigation.

7. Conclusion and Future Research Agenda

Detecting insider threat behaviours remains a critical challenge because many actions align with an individual's legitimate role and responsibilities, making them indistinguishable from normal activity.
Enforcing and monitoring privileged user access rights compounds this challenge, as organisations struggle with the volume of access requests, the costs of monitoring, and the risks associated with remote work for users with administrative or root-level privileges. Alarmingly, surveys show that 30% of privileged users believe monitoring and control are insufficient, while 41% report inadequate background vetting prior to granting access, underscoring systemic vulnerabilities (Saxena et al., 2020b).

Social engineering further amplifies these risks, as insufficiently trained staff may fall victim to phishing or manipulation strategies that exploit human personality and cultural factors such as agreeableness, conscientiousness, or organisational norms. These vulnerabilities are not purely technical but sociotechnical, requiring detection methods that incorporate behavioural and organisational indicators alongside cyber-technical ones. Innovative approaches, such as custom-built tools for analysing email attachments or ontologies like the Sociotechnical and Organisational Factors for Insider Threat (SOFIT) framework, illustrate the potential of hybrid models. However, significant gaps remain in developing scalable behavioural analytics, integrating socio-technical data streams, and validating these models in real-world organisational contexts.
Addressing these challenges requires advancing machine learning and deep learning techniques that correlate technical anomalies with behavioural cues, thereby enabling more proactive detection of insider threats shaped by social engineering and reverse social engineering dynamics (Saxena et al., 2020b).

Declarations

Author Contribution

Author A wrote the main manuscript as a PhD student under the supervision of B, C, and D, who provided technical support and guidance in drafting the manuscript, reading and observation. Author E provided quick assistance in the area of structure and concepts.

References

A. Jones, L. (2024). Unveiling Human Factors: Aligning Facets of Cybersecurity Leadership, Insider Threats, and Arsonist Attributes to Reduce Cyber Risk. SocioEconomic Challenges, 8(2), 44–63. https://doi.org/10.61093/sec.8(2).44-63.2024

Abdelsadeq, Z. A. A., Omar, S. N., Basir, N., & Heng, N. F. N. B. M. R. (2019a). Unintentional Insider Threats Countermeasures Model (UITCM). 2019 International Conference on Cybersecurity, ICoCSec 2019, 53–58. https://doi.org/10.1109/ICoCSec47621.2019.8970986

Abdelsadeq, Z. A. A., Omar, S. N., Basir, N., & Heng, N. F. N. B. M. R. (2019b). Unintentional Insider Threats Countermeasures Model (UITCM). 2019 International Conference on Cybersecurity, ICoCSec 2019, 53–58. https://doi.org/10.1109/ICoCSec47621.2019.8970986

Abiodun, Y. T., Mahmood, S., Niazi, M., Alshayeb, M., & AlGhamdi, A. A. (2025). Cybersecurity Readiness Model Based on Human Factors.
Arabian Journal for Science and Engineering. https://doi.org/10.1007/s13369-025-10349-w

Abulencia, J. (2021). Insider attacks: human-factors attacks and mitigation. Computer Fraud & Security, 2021(5), 14–17. https://doi.org/10.1016/S1361-3723(21)00054-3

Akhunzada, A., Sookhak, M., Anuar, N. B., Gani, A., Ahmed, E., Shiraz, M., Furnell, S., Hayat, A., & Khan, M. K. (2015). Man-At-The-End attacks: Analysis, taxonomy, human aspects, motivation and future directions. Journal of Network and Computer Applications, 48, 44–57. https://doi.org/10.1016/j.jnca.2014.10.009

Alohaly, M., Balogun, O., & Takabi, D. (2022). Integrating Cyber Deception Into Attribute-Based Access Control (ABAC) for Insider Threat Detection. IEEE Access, 10, 108965–108978. https://doi.org/10.1109/ACCESS.2022.3213645

Baugher, J., & Qu, Y. (2024a). Create the Taxonomy for Unintentional Insider Threat via Text Mining and Hierarchical Clustering Analysis. European Journal of Electrical Engineering and Computer Science, 8(2), 36–49. https://doi.org/10.24018/ejece.2024.8.2.608

Baugher, J., & Qu, Y. (2024b). Create the Taxonomy for Unintentional Insider Threat via Text Mining and Hierarchical Clustering Analysis. European Journal of Electrical Engineering and Computer Science, 8(2), 36–49.
https://doi.org/10.24018/ejece.2024.8.2.608

Bedford, J., & van der Laan, L. (2021). Operationalising a framework for organisational vulnerability to intentional insider threat: the OVIT as a valid and reliable diagnostic tool. Journal of Risk Research, 24(9), 1180–1203. https://doi.org/10.1080/13669877.2020.1806910

Birthriya, S. K., Ahlawat, P., & Jain, A. K. (2025). A Comprehensive Survey of Social Engineering Attacks: Taxonomy of Attacks, Prevention, and Mitigation Strategies. Journal of Applied Security Research, 20(2), 244–292. https://doi.org/10.1080/19361610.2024.2372986

Bishnoi, A., Garv, Bishnoi, S., & Gupta, N. (2023a). Comprehensive Assessment of Reverse Social Engineering to Understand Social Engineering Attacks. Proceedings - 5th International Conference on Smart Systems and Inventive Technology, ICSSIT 2023, Icssit, 681–685. https://doi.org/10.1109/ICSSIT55814.2023.10061054

Bishnoi, A., Garv, Bishnoi, S., & Gupta, N. (2023b). Comprehensive Assessment of Reverse Social Engineering to Understand Social Engineering Attacks. Proceedings - 5th International Conference on Smart Systems and Inventive Technology, ICSSIT 2023, Icssit, 681–685. https://doi.org/10.1109/ICSSIT55814.2023.10061054

Bolukonda, D., Bolukonda, D., Mishra, R. K., & Ranjan, R. (2024). Insider Threat Detection and its Behavior with Excessive Access Privileges. 2024 1st International Conference on Software, Systems and Information Technology, SSITCON 2024, 1–6.
https://doi.org/10.1109/SSITCON62437.2024.10796563

Canham, M., Posey, C., & Bockelman, P. S. (2020a). Confronting information security's elephant, the unintentional insider threat. In C. M. Fidopiastis & D. D. Schmorrow (Eds.), Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Vol. 12197 LNAI (Issue 14th International Conference on Augmented Cognition (AC), pp. 316–334). https://doi.org/10.1007/978-3-030-50439-7_22

Canham, M., Posey, C., & Bockelman, P. S. (2020b). Confronting information security's elephant, the unintentional insider threat. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics): Vol. 12197 LNAI. Springer International Publishing. https://doi.org/10.1007/978-3-030-50439-7_22

Chaipa, S., Ngassam, E. K., & Shawren, S. (2022). Towards a New Taxonomy of Insider Threats. 2022 IST-Africa Conference (IST-Africa), 1–10. https://doi.org/10.23919/IST-Africa56635.2022.9845581

Claycomb, B., Greitzer, F., Jaros, S. L., & Gardner, C. (2022). Introduction to the Special Issue on Insider Threats. Digital Threats: Research and Practice, 3(1). https://doi.org/10.1145/3477501

Coffey, J. W. (2018a). On Social Engineering Attacks and Unintended Data Disclosures: Two Major Categories of End-User Cybersecurity Error. Journal of Systemics, Cybernetics and Informatics, 16(4), 94–99.

Coffey, J.
W. (2018b). On Social Engineering Attacks and Unintended Data Disclosures: Two Major Categories of End-User Cybersecurity Error. Journal of Systemics, Cybernetics and Informatics, 16(4), 94–99.

Coffey, J. W. (2018c). On Social Engineering Attacks and Unintended Data Disclosures: Two Major Categories of End-User Cybersecurity Error. Journal of Systemics, Cybernetics and Informatics, 16(4), 94–99.

David, N., David, A., Hansen, R. R., Larsen, K. G., Legay, A., Olesen, M. C., & Probst, C. W. (2015). Modelling social-technical attacks with timed automata. MIST 2015 - Proceedings of the 7th ACM CCS International Workshop on Managing Insider Security Threats, Co-Located with CCS 2015, 21–28. https://doi.org/10.1145/2808783.2808787

Edwards, L., Zahid Iqbal, M., & Hassan, M. (2024a). A multi-layered security model to counter social engineering attacks: a learning-based approach. International Cybersecurity Law Review, 5(2), 313–336. https://doi.org/10.1365/s43439-024-00119-z

Edwards, L., Zahid Iqbal, M., & Hassan, M. (2024b). A multi-layered security model to counter social engineering attacks: a learning-based approach. International Cybersecurity Law Review, 5(2), 313–336. https://doi.org/10.1365/s43439-024-00119-z

Edwards, L., Zahid Iqbal, M., & Hassan, M. (2024c). A multi-layered security model to counter social engineering attacks: a learning-based approach.
International Cybersecurity Law Review, 5(2), 313–336. https://doi.org/10.1365/s43439-024-00119-z

Edwards, M. E., & Still, J. D. (2026). Cyber hygiene of SMiShing: What they know and where they look. Computer Standards & Interfaces, 95. https://doi.org/10.1016/j.csi.2025.104048

Gallo, L., Gentile, D., Ruggiero, S., Botta, A., & Ventre, G. (2024). The human factor in phishing: Collecting and analyzing user behavior when reading emails. Computers and Security, 139. https://doi.org/10.1016/j.cose.2023.103671

Georgiadou, A., Mouzakitis, S., & Askounis, D. (2022a). Detecting Insider Threat via a Cyber-Security Culture Framework. Journal of Computer Information Systems, 62(4), 706–716. https://doi.org/10.1080/08874417.2021.1903367

Georgiadou, A., Mouzakitis, S., & Askounis, D. (2022b). Detecting Insider Threat via a Cyber-Security Culture Framework. Journal of Computer Information Systems, 62(4), 706–716. https://doi.org/10.1080/08874417.2021.1903367

Green, M. L., & Dozier, P. (2023a). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023 (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926

Green, M. L., & Dozier, P. (2023b).
Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023 (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926

Green, M. L., & Dozier, P. (2023c). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In Proceedings of the 2023 IEEE International Conference on Cyber Security and Resilience, CSR 2023 (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926

Green, M. L., Dozier, P., & IEEE. (2023). Understanding Human Factors of Cybersecurity: Drivers of Insider Threats. In 2023 IEEE International Conference on Cyber Security and Resilience, CSR (Issue IEEE International Conference on Cyber Security and Resilience (CSR), pp. 111–116). https://doi.org/10.1109/CSR57506.2023.10224926

Greitzer, F. L. (2019a). Insider Threats: It's the HUMAN, Stupid! https://doi.org/10.1145/3332448.3332458

Greitzer, F. L. (2019b). Insider threats: It's the Human, Stupid! ACM International Conference Proceeding Series. https://doi.org/10.1145/3332448.3332458

Greitzer, F. L., Lee, J. D., Purl, J., & Zaidi, A. K. (2019). Design and Implementation of a Comprehensive Insider Threat Ontology. Procedia Computer Science, 153, 361–369.
https://doi.org/10.1016/j.procs.2019.05.090

Greitzer, F. L., Li, W., Laskey, K. B., Lee, J., & Purl, J. (2021a). Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility. Trans. Soc. Comput., 4(2). https://doi.org/10.1145/3461672

Greitzer, F. L., Li, W., Laskey, K. B., Lee, J., & Purl, J. (2021b). Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility. ACM Transactions on Social Computing, 4(2), 1–48. https://doi.org/10.1145/3461672

Greitzer, F. L., Li, W., Laskey, K. B., Lee, J., & Purl, J. (2021c). Experimental Investigation of Technical and Human Factors Related to Phishing Susceptibility. ACM Transactions on Social Computing, 4(2), 1–48. https://doi.org/10.1145/3461672

Greitzer, F. L., Purl, J., Leong, Y. M., & Sticha, P. J. (2019a). Positioning Your Organization to Respond to Insider Threats. IEEE Engineering Management Review, 47(2), 75–83. https://doi.org/10.1109/EMR.2019.2914612

Greitzer, F. L., Purl, J., Leong, Y. M., & Sticha, P. J. (2019b). Positioning Your Organization to Respond to Insider Threats. IEEE Engineering Management Review, 47(2), 75–83. https://doi.org/10.1109/EMR.2019.2914612

Greitzer, F. L., Strozer, J., Cohen, S., Bergey, J., Cowley, J., Moore, A., & Mundie, D. (2014a). Unintentional insider threat: Contributing factors, observables, and mitigation strategies.
Proceedings of the Annual Hawaii International Conference on System Sciences, 2025–2034. https://doi.org/10.1109/HICSS.2014.256

Greitzer, F. L., Strozer, J., Cohen, S., Bergey, J., Cowley, J., Moore, A., & Mundie, D. (2014b). Unintentional insider threat: Contributing factors, observables, and mitigation strategies. In R. H. Sprague (Ed.), Proceedings of the Annual Hawaii International Conference on System Sciences (Issue 47th Annual Hawaii International Conference on System Sciences, pp. 2025–2034). https://doi.org/10.1109/HICSS.2014.256

Greitzer, F. L., Strozer, J., Cohen, S., Bergey, J., Cowley, J., Moore, A., & Mundie, D. (2014c). Unintentional insider threat: Contributing factors, observables, and mitigation strategies. Proceedings of the Annual Hawaii International Conference on System Sciences, 2025–2034. https://doi.org/10.1109/HICSS.2014.256

Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014a). Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings - IEEE Symposium on Security and Privacy (Vols. 2014-Janua, Issues 35th IEEE-Computer-Society Workshop on Security and Privacy (SP), pp. 236–250). https://doi.org/10.1109/SPW.2014.39

Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014b). Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings - IEEE Symposium on Security and Privacy (Vols. 2014-Janua, Issues 35th IEEE-Computer-Society Workshop on Security and Privacy (SP), pp. 236–250).
https://doi.org/10.1109/SPW.2014.39

Greitzer, F. L., Strozer, J. R., Cohen, S., Moore, A. P., Mundie, D., & Cowley, J. (2014c). Analysis of unintentional insider threats deriving from social engineering exploits. In Proceedings - IEEE Symposium on Security and Privacy (Vols. 2014-Janua, Issues 35th IEEE-Computer-Society Workshop on Security and Privacy (SP), pp. 236–250). https://doi.org/10.1109/SPW.2014.39

Hafizur Rahman, M. M., Naeem, M. A. Al, & Abubakar, A. (2022). Threats From Unintentional Insiders: An Assessment of an Organization's Readiness Using Machine Learning. IEEE Access, 10, 110294–110308. https://doi.org/10.1109/ACCESS.2022.3214819

He, D. J., Lv, X., Xu, X. Q., Yu, S., Li, D. W., Chan, S. M. Y., & Guizani, M. (2022). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425

He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022a). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425

He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022b). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98.
https://doi.org/10.1109/MNET.105.2100425

He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022c). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425

He, D., Lv, X., Xu, X., Yu, S., Li, D., Chan, S., & Guizani, M. (2022d). An Effective Double-Layer Detection System Against Social Engineering Attacks. IEEE Network, 36(6), 92–98. https://doi.org/10.1109/MNET.105.2100425

Henge, S. K., Upadhyay, A., Saini, A. K., Mishra, N., Sharma, D., & Sharma, G. (2023). Analysis and detection of insider attacks using behaviour rule based architecture in enterprise multitenancy. Journal of Discrete Mathematical Sciences and Cryptography, 26(3), 707–718. https://doi.org/10.47974/JDMSC-1743

House, D., & Raja, M. K. (2020). Phishing: message appraisal and the exploration of fear and self-confidence. Behaviour and Information Technology, 39(11), 1204–1224. https://doi.org/10.1080/0144929X.2019.1657180

Hussain, F., Rahman, R., Attarbashi, Z. S., Fadaq, W. H. N., & Mustafa, M. (2024a). Understanding Human Behavior in Phishing Attacks Across Diverse User Groups: An Ethical Hacking Analysis. 2024 IEEE 1st Karachi Section Humanitarian Technology Conference, Khi-HTC 2024, 1–7. https://doi.org/10.1109/KHI-HTC60760.2024.10482040

Hussain, F., Rahman, R., Attarbashi, Z. S., Fadaq, W. H. N., & Mustafa, M. (2024b).
Understanding Human Behavior in Phishing Attacks Across Diverse User Groups: An Ethical Hacking Analysis. 2024 IEEE 1st Karachi Section Humanitarian Technology Conference, Khi-HTC 2024, 1–7. https://doi.org/10.1109/KHI-HTC60760.2024.10482040

Ifinedo, P. (2023). Exploring Personal and Environmental Factors that Can Reduce Nonmalicious Information Security Violations. Information Systems Management, 40(4), 316–336. https://doi.org/10.1080/10580530.2022.2131944

Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., & Pu, C. (2011). Reverse social engineering attacks in online social networks. Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), 6739 LNCS(March 2010), 55–74. https://doi.org/10.1007/978-3-642-22424-9_4

Ishaq, M., Kifayat, K., & Zafar, M. (2023). A Survey on Human Factors in Cyberspace: A New Dimension of Privacy Threats. 2023 3rd International Conference on Communication, Computing and Digital Systems, C-CODE 2023, 1–6. https://doi.org/10.1109/C-CODE58145.2023.10139904

Ismail, W. B. W., & Yusof, M. (2018). Mitigation Strategies for Unintentional Insider Threats on Information Leaks. International Journal of Security and Its Applications, 12(1), 37–46. https://doi.org/10.14257/ijsia.2018.12.1.03

Javaheri, D., Fahmideh, M., Chizari, H., Lalbakhsh, P., & Hur, J. (2024). Cybersecurity threats in FinTech: A systematic review.
Expert Systems with Applications, 241(September 2023), 122697. https://doi.org/10.1016/j.eswa.2023.122697

Kammüller, F., & Probst, C. W. (2017). Modeling and Verification of Insider Threats Using Logical Analysis. IEEE Systems Journal, 11(2), 534–545. https://doi.org/10.1109/JSYST.2015.2453215

Kamruzzaman, A., Thakur, K., Ismat, S., Ali, M. L., Huang, K., & Thakur, H. N. (2023a). Social Engineering Incidents and Preventions (R. Paul, Ed.; pp. 494–498). IEEE. https://doi.org/10.1109/CCWC57344.2023.10099202

Kamruzzaman, A., Thakur, K., Ismat, S., Ali, M. L., Huang, K., & Thakur, H. N. (2023b). Social Engineering Incidents and Preventions. In R. Paul (Ed.), 2023 IEEE 13th Annual Computing and Communication Workshop and Conference, CCWC 2023 (Issue IEEE 13th Annual Computing and Communication Workshop and Conference (CCWC), pp. 494–498). IEEE. https://doi.org/10.1109/CCWC57344.2023.10099202

Kasowaki, L., & Yusef, O. (2023). The Human Factor in Cybersecurity: Addressing Social Engineering and Insider Threats. 3(January), 76–85. https://easychair.org/publications/preprint_download/wDQQ

Khadka, K., & Ullah, A. B. (2025). Human factors in cybersecurity: an interdisciplinary review and framework proposal. International Journal of Information Security, 24(3), 1–13. https://doi.org/10.1007/s10207-025-01032-0

Khan, N., J. Houghton, R., & Sharples, S. (2022).
Understanding factors that influence unintentional insider threat: a framework to counteract unintentional risks. \u003cem\u003eCognition, Technology and Work\u003c/em\u003e, \u003cem\u003e24\u003c/em\u003e(3), 393\u0026ndash;421. https://doi.org/10.1007/s10111-021-00690-z\u003c/li\u003e\n\u003cli\u003eKotkova, B., \u0026amp; Hromada, M. (2021). The Threat of Social Engineering and the Safety of Companies. In \u003cem\u003eProceedings - 25th International Conference on Circuits, Systems, Communications and Computers, CSCC 2021\u003c/em\u003e (Issues 25th International Conference on Circuits, Systems, Communications and Computers (CSCC), pp. 126\u0026ndash;133). https://doi.org/10.1109/CSCC53858.2021.00030\u003c/li\u003e\n\u003cli\u003eLiu, X., Li, Q., \u0026amp; Sonali, C. (2017). Social engineering and insider threats. In \u003cem\u003eProceedings - 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, CyberC 2017\u003c/em\u003e (Vols. 2018-Janua, Issue International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC), pp. 25\u0026ndash;34). https://doi.org/10.1109/CyberC.2017.91\u003c/li\u003e\n\u003cli\u003eMacAk, M., Kruzikova, A., Daubner, L., \u0026amp; Buhnova, B. (2020). Simulation Games Platform for Unintentional Perpetrator Attack Vector Identification. \u003cem\u003eProceedings - 2020 IEEE/ACM 42nd International Conference on Software Engineering Workshops, ICSEW 2020\u003c/em\u003e, 222\u0026ndash;229. https://doi.org/10.1145/3387940.3391475\u003c/li\u003e\n\u003cli\u003eMarbut, A. R., \u0026amp; Harms, P. D. (2024). Fiends and Fools: A Narrative Review and Neo-socioanalytic Perspective on Personality and Insider Threats. \u003cem\u003eJOURNAL OF BUSINESS AND PSYCHOLOGY\u003c/em\u003e, \u003cem\u003e39\u003c/em\u003e(3), 679\u0026ndash;696. https://doi.org/10.1007/s10869-023-09885-9\u003c/li\u003e\n\u003cli\u003eMasood, A., \u0026amp; Masood, A. (2021). 
A Taxonomy of Insider Threat in isolated (air-gapped) Computer Networks. In M. ZafarUzZaman (Ed.), \u003cem\u003ePROCEEDINGS OF 2021 INTERNATIONAL BHURBAN CONFERENCE ON APPLIED SCIENCES AND TECHNOLOGIES (IBCAST)\u003c/em\u003e (Issues 18th International Bhurban Conference on Applied Sciences and Technologies (IBCAST), pp. 678\u0026ndash;685). https://doi.org/10.1109/IBCAST51254.2021.9393281 WE - Conference Proceedings Citation Index - Science (CPCI-S)\u003c/li\u003e\n\u003cli\u003eMittal, A., \u0026amp; Garg, U. (2022). A Proposed Approach to Analyze Insider Threat Detection Using Emails. \u003cem\u003eProceedings - 2022 3rd International Conference on Computation, Automation and Knowledge Management, ICCAKM 2022\u003c/em\u003e, 1\u0026ndash;6. https://doi.org/10.1109/ICCAKM54721.2022.9990361\u003c/li\u003e\n\u003cli\u003eMittal, A., \u0026amp; Garg, U. (2023a). Design and Analysis of Insider Threat Detection and Prediction System Using Machine Learning Techniques. \u003cem\u003e2023 5th International Conference on Electrical, Computer and Communication Technologies, ICECCT 2023\u003c/em\u003e, 1\u0026ndash;8. https://doi.org/10.1109/ICECCT56650.2023.10179686\u003c/li\u003e\n\u003cli\u003eMittal, A., \u0026amp; Garg, U. (2023b). Prediction and Detection of Insider Threat Detection using Emails: A Comparision. \u003cem\u003e2023 2nd International Conference on Electrical, Electronics, Information and Communication Technologies, ICEEICT 2023\u003c/em\u003e. https://doi.org/10.1109/ICEEICT56924.2023.10157297\u003c/li\u003e\n\u003cli\u003eOner, U., Cetin, O., \u0026amp; Savas, E. (2025). Human factors in phishing: Understanding susceptibility and resilience. \u003cem\u003eCOMPUTER STANDARDS \u0026amp; INTERFACES\u003c/em\u003e, \u003cem\u003e94\u003c/em\u003e. https://doi.org/10.1016/j.csi.2025.104014\u003c/li\u003e\n\u003cli\u003eOsterritter, L., \u0026amp; Carley, K. M. (2021). Conversations around organizational risk and insider threat. In M. Coscia, A. 
Cuzzocrea, \u0026amp; K. Shu (Eds.), \u003cem\u003eProceedings of the 2021 IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining, ASONAM 2021\u003c/em\u003e (Issue IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM), pp. 252\u0026ndash;260). https://doi.org/10.1145/3487351.3492721\u003c/li\u003e\n\u003cli\u003ePadayachee, K. (2022). An Exploratory Factor Analysis of Personality Factors: An Insider Threat Perspective. In N. Clarke \u0026amp; S. Furnell (Eds.), \u003cem\u003eHUMAN ASPECTS OF INFORMATION SECURITY AND ASSURANCE, HAISA 2022\u003c/em\u003e (Vol. 658, Issues 16th IFIP WG 11.12 International Symposium on Human Aspects of Information Security and Assurance (HAISA), pp. 253\u0026ndash;264). https://doi.org/10.1007/978-3-031-12172-2_20 WE - Conference Proceedings Citation Index - Science (CPCI-S)\u003c/li\u003e\n\u003cli\u003ePrabhu, S., \u0026amp; Thompson, N. (2020). A Unified Classification Model of Insider Threats to Information Security. \u003cem\u003eACIS 2020 Proceedings - 31st Australasian Conference on Information Systems\u003c/em\u003e. https://www.scopus.com/inward/record.uri?eid=2-s2.0-85162681051\u0026amp;partnerID=40\u0026amp;md5=c6fdd95f34f321ed9bd153795e3e4653\u003c/li\u003e\n\u003cli\u003ePrabhu, S., \u0026amp; Thompson, N. (2022). A primer on insider threats in cybersecurity. \u003cem\u003eInformation Security Journal\u003c/em\u003e, \u003cem\u003e31\u003c/em\u003e(5), 602\u0026ndash;611. https://doi.org/10.1080/19393555.2021.1971802\u003c/li\u003e\n\u003cli\u003eQashqari, A. A., Munshi, A. M., Alturkstani, H. A., Ghwati, H. T., \u0026amp; Alhebshi, D. H. (2020). The Human Factors and Cybersecurity Policy. \u003cem\u003eInternational Journal of Computer Science and Network Security\u003c/em\u003e, \u003cem\u003e20\u003c/em\u003e(4), 1\u0026ndash;5.\u003c/li\u003e\n\u003cli\u003eRahman, A. U., Al-Obeidat, F., Tubaishat, A., Shah, B., Anwar, S., \u0026amp; Halim, Z. 
(2024). Discovering the Correlation between Phishing Susceptibility Causing Data Biases and Big Five Personality Traits Using C-GAN. \u003cem\u003eIEEE Transactions on Computational Social Systems\u003c/em\u003e, \u003cem\u003e11\u003c/em\u003e(4), 4800\u0026ndash;4808. https://doi.org/10.1109/TCSS.2022.3201153\u003c/li\u003e\n\u003cli\u003eRajchel, B., Monaco, J. V., Singh, G., Hu, A., Shingleton, J., \u0026amp; Anderson, T. (2020). Temporal Behavior in Network Traffic as a Basis for Insider Threat Detection. In \u003cem\u003e2020 IEEE Symposium Series on Computational Intelligence, SSCI 2020\u003c/em\u003e (Issue IEEE Symposium Series on Computational Intelligence (IEEE SSCI), pp. 1427\u0026ndash;1434). https://doi.org/10.1109/SSCI47803.2020.9308236\u003c/li\u003e\n\u003cli\u003eRenaud, K., Warkentin, M., Pogrebna, G., \u0026amp; van der Schyff, K. (2024a). VISTA: An inclusive insider threat taxonomy, with mitigation strategies. \u003cem\u003eINFORMATION \u0026amp; MANAGEMENT\u003c/em\u003e, \u003cem\u003e61\u003c/em\u003e(1). https://doi.org/10.1016/j.im.2023.103877\u003c/li\u003e\n\u003cli\u003eRenaud, K., Warkentin, M., Pogrebna, G., \u0026amp; van der Schyff, K. (2024b). VISTA: An inclusive insider threat taxonomy, with mitigation strategies. \u003cem\u003eINFORMATION \u0026amp; MANAGEMENT\u003c/em\u003e, \u003cem\u003e61\u003c/em\u003e(1). https://doi.org/10.1016/j.im.2023.103877\u003c/li\u003e\n\u003cli\u003eReveraert, M., \u0026amp; Sauer, T. (2021). Redefining insider threats: a distinction between insider hazards and insider threats. \u003cem\u003eSecurity Journal\u003c/em\u003e, \u003cem\u003e34\u003c/em\u003e(4), 755\u0026ndash;775. https://doi.org/10.1057/s41284-020-00259-x\u003c/li\u003e\n\u003cli\u003eSalahdine, F., \u0026amp; Kaabouch, N. (2019). Social engineering attacks: A survey. \u003cem\u003eFuture Internet\u003c/em\u003e, \u003cem\u003e11\u003c/em\u003e(4). 
https://doi.org/10.3390/FI11040089\u003c/li\u003e\n\u003cli\u003eSaxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K. K. R., \u0026amp; Burnap, P. (2020a). Impact and key challenges of insider threats on organizations and critical businesses. \u003cem\u003eElectronics (Switzerland)\u003c/em\u003e, \u003cem\u003e9\u003c/em\u003e(9), 1\u0026ndash;29. https://doi.org/10.3390/electronics9091460\u003c/li\u003e\n\u003cli\u003eSaxena, N., Hayes, E., Bertino, E., Ojo, P., Choo, K. K. R., \u0026amp; Burnap, P. (2020b). Impact and key challenges of insider threats on organizations and critical businesses. \u003cem\u003eElectronics (Switzerland)\u003c/em\u003e, \u003cem\u003e9\u003c/em\u003e(9), 1\u0026ndash;29. https://doi.org/10.3390/electronics9091460\u003c/li\u003e\n\u003cli\u003eSchoenherr, J. R. (2022a). Insider Threats and Individual Differences: Intention and Unintentional Motivations. \u003cem\u003eIEEE Transactions on Technology and Society\u003c/em\u003e, \u003cem\u003e3\u003c/em\u003e(3), 175\u0026ndash;184. https://doi.org/10.1109/tts.2022.3192767\u003c/li\u003e\n\u003cli\u003eSchoenherr, J. R. (2022b). Insider Threats and Individual Differences: Intention and Unintentional Motivations. \u003cem\u003eIEEE Transactions on Technology and Society\u003c/em\u003e, \u003cem\u003e3\u003c/em\u003e(3), 175\u0026ndash;184. https://doi.org/10.1109/tts.2022.3192767\u003c/li\u003e\n\u003cli\u003eSchoenherr, J. R., \u0026amp; Thomson, R. (2021). The Cybersecurity (CSEC) Questionnaire: Individual Differences in Unintentional Insider Threat Behaviours. \u003cem\u003e2021 International Conference on Cyber Situational Awareness, Data Analytics and Assessment, CyberSA 2021\u003c/em\u003e, 1\u0026ndash;8. https://doi.org/10.1109/CyberSA52016.2021.9478213\u003c/li\u003e\n\u003cli\u003eSharma, D., Varalakshmi, S., \u0026amp; Loonkar, S. (2024). Analyzing the Human Element in Cybersecurity Breaches with a Focus on Social Engineering Tactics and the Risks Posed by Insider Threats. 
\u003cem\u003e2024 International Conference on Advances in Computing Research on Science Engineering and Technology, ACROSET 2024\u003c/em\u003e, 1\u0026ndash;6. https://doi.org/10.1109/ACROSET62108.2024.10743197\u003c/li\u003e\n\u003cli\u003eSillanp\u0026auml;\u0026auml;, M., \u0026amp; Hautam\u0026auml;ki, J. (2020). \u003cem\u003eSocial Engineering Intrusion: A Case Study\u003c/em\u003e. https://doi.org/10.1145/3406601.3406631\u003c/li\u003e\n\u003cli\u003eSoh, C., Yu, S., Narayanan, A., Duraisamy, S., \u0026amp; Chen, L. (2019). Employee profiling via aspect-based sentiment and network for insider threats detection. \u003cem\u003eExpert Systems with Applications\u003c/em\u003e, \u003cem\u003e135\u003c/em\u003e, 351\u0026ndash;361. https://doi.org/10.1016/j.eswa.2019.05.043\u003c/li\u003e\n\u003cli\u003eSood, A. K., Zeadally, S., \u0026amp; Bansal, R. (2017). Exploiting trust: Stealthy attacks through socioware and insider threats. \u003cem\u003eIEEE Systems Journal\u003c/em\u003e, \u003cem\u003e11\u003c/em\u003e(2), 415\u0026ndash;426. https://doi.org/10.1109/JSYST.2015.2388707\u003c/li\u003e\n\u003cli\u003eSridhar, A. P. (2025). Unauthorized Deep Learning Techniques for Identifying Insider Risks in Standardized Cybersecurity Databases. \u003cem\u003e2025 International Conference on Intelligent Control, Computing and Communications, IC3 2025\u003c/em\u003e, 1178\u0026ndash;1183. https://doi.org/10.1109/IC363308.2025.10957272\u003c/li\u003e\n\u003cli\u003eSyafitri, W., Shukur, Z., Mokhtar, U. A., Sulaiman, R., \u0026amp; Ibrahim, M. A. (2022a). Social Engineering Attacks Prevention: A Systematic Literature Review. \u003cem\u003eIEEE Access\u003c/em\u003e, \u003cem\u003e10\u003c/em\u003e, 39325\u0026ndash;39343. https://doi.org/10.1109/ACCESS.2022.3162594\u003c/li\u003e\n\u003cli\u003eSyafitri, W., Shukur, Z., Mokhtar, U. A., Sulaiman, R., \u0026amp; Ibrahim, M. A. (2022b). Social Engineering Attacks Prevention: A Systematic Literature Review. 
\u003cem\u003eIEEE Access\u003c/em\u003e, \u003cem\u003e10\u003c/em\u003e, 39325\u0026ndash;39343. https://doi.org/10.1109/ACCESS.2022.3162594\u003c/li\u003e\n\u003cli\u003eTakabi, H., Hashem, Y., \u0026amp; Dantu, R. (2018). Prediction of human error using eye movements patterns for unintentional insider threat detection. In \u003cem\u003e2018 IEEE 4th International Conference on Identity, Security, and Behavior Analysis, ISBA 2018\u003c/em\u003e (Vols. 2018-Janua, Issue IEEE 4th International Conference on Identity, Security, and Behavior Analysis (ISBA), pp. 1\u0026ndash;8). https://doi.org/10.1109/ISBA.2018.8311479\u003c/li\u003e\n\u003cli\u003eTian, T., Zhang, C., Jiang, B., Feng, H., \u0026amp; Lu, Z. (2025). Insider threat detection for specific threat scenarios. \u003cem\u003eCybersecurity\u003c/em\u003e, \u003cem\u003e8\u003c/em\u003e(1). https://doi.org/10.1186/s42400-024-00321-w\u003c/li\u003e\n\u003cli\u003eTsiostas, D., Kittes, G., Chouliaras, N., Kantzavelou, I., Maglaras, L., Douligeris, C., \u0026amp; Vlachos, V. (2021). \u003cem\u003eThe Insider Threat: Reasons, Effects and Mitigation Techniques\u003c/em\u003e. 340\u0026ndash;345. https://doi.org/10.1145/3437120.3437336\u003c/li\u003e\n\u003cli\u003eUma Maheswaran, S. K., Rajasekar, L., Haque Choudhury, Z., \u0026amp; Shahade, M. (2025). User behaviour based insider threat detection model using an LSTM integrated RF model. \u003cem\u003eNetwork: Computation in Neural Systems\u003c/em\u003e, 1\u0026ndash;38. https://doi.org/10.1080/0954898X.2025.2483342\u003c/li\u003e\n\u003cli\u003eXiangyu, L., Qiuyang, L., \u0026amp; Chandel, S. (2017). Social Engineering and Insider Threats. \u003cem\u003e2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)\u003c/em\u003e, 25\u0026ndash;34. https://doi.org/10.1109/CyberC.2017.91\u003c/li\u003e\n\u003cli\u003eZangana, H. M., Sallow, Z. B., \u0026amp; Omar, M. (2025). 
The Human Factor in Cybersecurity: Addressing the Risks of Insider Threats. \u003cem\u003eJurnal Ilmiah Computer Science\u003c/em\u003e, \u003cem\u003e3\u003c/em\u003e(2), 76\u0026ndash;85. https://doi.org/10.58602/jics.v3i2.37\u003c/li\u003e\n\u003cli\u003eZaoui, M., Yousra, B., Yassine, S., Yassine, M., \u0026amp; Karim, O. (2024). A Comprehensive Taxonomy of Social Engineering Attacks and Defense Mechanisms: Toward Effective Mitigation Strategies. \u003cem\u003eIEEE ACCESS\u003c/em\u003e, \u003cem\u003e12\u003c/em\u003e, 72224\u0026ndash;72241. https://doi.org/10.1109/ACCESS.2024.3403197 WE - Science Citation Index Expanded (SCI-EXPANDED)\u003c/li\u003e\n\u003cli\u003eZewdie, M., Girma, A., \u0026amp; Sitote, T. M. (2024a). Deep Neural Networks for Detecting Insider Threats and Social Engineering Attacks. \u003cem\u003eInternational Conference on Electrical, Computer, and Energy Technologies, ICECET 2024\u003c/em\u003e. https://doi.org/10.1109/ICECET61485.2024.10698519\u003c/li\u003e\n\u003cli\u003eZewdie, M., Girma, A., \u0026amp; Sitote, T. M. (2024b). Deep Neural Networks for Detecting Insider Threats and Social Engineering Attacks. \u003cem\u003eInternational Conference on Electrical, Computer, and Energy Technologies, ICECET 2024\u003c/em\u003e. https://doi.org/10.1109/ICECET61485.2024.10698519\u003c/li\u003e\n\u003cli\u003eZewdie, M., Girma, A., \u0026amp; Sitote, T. M. (2024c). Deep Neural Networks for Detecting Insider Threats and Social Engineering Attacks. \u003cem\u003eInternational Conference on Electrical, Computer, and Energy Technologies, ICECET 2024\u003c/em\u003e, 1\u0026ndash;8. https://doi.org/10.1109/ICECET61485.2024.10698519\u003c/li\u003e\n\u003cli\u003eZimmer, E., Burkert, C., \u0026amp; Federrath, H. (2022). Insiders Dissected: New Foundations and a Systematisation of the Research on Insiders. \u003cem\u003eDigital Threats: Research and Practice\u003c/em\u003e, \u003cem\u003e3\u003c/em\u003e(1). 
Keywords: Unintentional Insider Threats, Insider threat, Social engineering, Reverse social engineering, Deep learning, Cybersecurity Human factor
Posted: October 12th, 2025 (version 1)
