2. Literature Review
The scholarly discourse on cognitive hacking has evolved from early conceptual formulations in the first years of the twenty-first century to empirically grounded studies in the era of generative AI. This body of literature can be organized around four interlocking themes: the definition and taxonomy of cognitive attacks; the psychological mechanisms exploited by attackers; the digital tools that operationalize these attacks; and the countermeasures developed in response. As shown in
Table 1, the key studies reviewed span conceptual, experimental, review-based, and policy-oriented methods, reflecting the field’s pronounced interdisciplinarity.
2.1. Defining and Taxonomizing Cognitive Attacks
The foundational intellectual contribution to this field was made by Cybenko et al. (2002), who provided the first peer-reviewed definition of cognitive hacking in the IEEE journal Computer. Cognitive hackers manipulate a user’s perception and rely on the user’s changed actions to carry out the attack; effective countermeasures must therefore aim at preventing misinformation through mechanisms such as authentication, collaborative filtering, and linguistic analysis (Cybenko et al., 2002). The authors delineated two classes of information systems attacks: autonomous attacks, which operate entirely within the computing and networking infrastructure, and cognitive hacks, which constitute a defined category of computer security exploit directed at the interpretive processes of the human user (Cybenko et al., 2002). A subsequent and more comprehensive treatment distinguished single-source from multiple-source cognitive attacks and organized candidate countermeasures accordingly, establishing the first structured taxonomy in this domain (Cybenko et al., 2004).
The early literature grounded these definitions in documented incidents rather than hypothetical scenarios. Cybenko et al. (2002) analyzed cases in which fabricated information injected into trusted channels produced immediate, measurable behavioral consequences, most famously the fraudulent press release that briefly destroyed more than half of Emulex Corporation’s market capitalization in 2000 after being picked up and redistributed by legitimate financial news services. Such episodes illustrate the defining mechanics of a cognitive hack: the technical infrastructure functions exactly as designed, every packet is delivered intact, and yet the system is compromised because the meaning conveyed to human decision-makers has been corrupted at its source (Cybenko et al., 2002, 2004). The same mechanics operate in slower and subtler registers, including pump-and-dump stock schemes conducted through pseudonymous message board postings, in which a small number of actors simulate independent consensus to move markets (Cybenko et al., 2004).
Thompson (2004) generalized the concept by situating cognitive hacking within Libicki’s (1994) framework of semantic attack and by discussing the role of semantic attacks and countermeasures in the context of an emerging science of intelligence and security informatics. This framework carries an important organizational implication: because the cognitive attacker can be a trusted insider, an organization’s computer system should maintain a cost model of its information assets as well as a model of each insider’s normal use of the system (Thompson, 2004). Definitional work in the adjacent social engineering literature followed a similar consolidating trajectory. After documenting substantial conceptual fragmentation across decades of usage, Wang et al. (2020) proposed a systematic definition of social engineering in cybersecurity, thereby stabilizing a construct that overlaps substantially with cognitive hacking whenever deception is delivered through information systems.
As presented in
Table 2, the definitional evolution of cognitive hacking reflects a progressive broadening of scope: from a computer security exploit aimed at an individual user’s perception, through a general class of semantic attacks on meaning, to a strategic domain of state-level competition over entire populations’ cognition.
The securitization of these ideas proceeded rapidly in the following decade. Waltzman’s 2017 congressional testimony popularized the term “cognitive security” in national security circles, and NATO began engaging formally with these concepts through its Innovation Hub and subsequent symposia (Thompson & Guillory, 2025). NATO’s (2021) publication on countering cognitive warfare brought the vocabulary of awareness and resilience into broader use across allied military structures, framing the human mind itself as a contested domain. Philosophical scholarship has since sharpened the concept’s boundaries: Miller (2023) analyzes cognitive warfare as the weaponization of disinformation by state actors to undermine adversaries’ epistemic autonomy and institutional knowledge, distinguishing it from both kinetic warfare and legitimate persuasion, and arguing that its distinctive harm lies in corroding the rational agency on which liberal-democratic institutions depend.
More recently, Thompson and Guillory (2025) revisited the foundational scholarship of the Semantic Hacking Project and assessed its contemporary relevance. The project anticipated many of today’s challenges, including disinformation campaigns, social media manipulation, and AI-generated narratives, and it did so not only in technical terms but also in philosophical and linguistic terms (Thompson & Guillory, 2025). At the heart of the project’s concern was a question that has only grown more urgent in the era of generative AI: what happens when the inputs to a person’s belief system can be manipulated without the person knowing it (Thompson & Guillory, 2025)?
Figure 1 situates these definitional milestones within the broader trajectory of the field, from Libicki’s (1994) original taxonomy through the securitization of cognitive defense to the present generative AI era.
Viewed across this thirty-year arc, the taxonomic literature displays a notable continuity: each successive reformulation preserves the original insight that the target of the attack is interpretation rather than infrastructure, while widening the unit of analysis from the individual user to organizations, electorates, and alliances. This continuity matters for contemporary research because it means that countermeasure concepts developed for single-user exploits, such as source authentication and credibility scoring, remain structurally relevant to population-scale influence operations, even as their implementation must be rethought for algorithmically mediated environments (Cybenko et al., 2004; Thompson & Guillory, 2025).
2.2. Psychological Mechanisms of Exploitation
A second major strand of research concerns the specific psychological vulnerabilities that cognitive attackers exploit. Social engineering cyberattacks are a major threat because they often precede sophisticated and devastating intrusions, and they constitute a kind of psychological attack that exploits weaknesses in human cognitive functions (Montañez et al., 2020). Treating social engineering cyberattacks as a particular kind of psychological attack has independent theoretical value because it lays the foundation for a field that may be called cybersecurity cognitive psychology, which extends and adapts principles of cognitive psychology to satisfy cybersecurity’s needs while embracing concepts unique to the domain (Montañez et al., 2020). Within this emerging field, persuasion has been identified as a central explanatory construct for understanding how attackers convert psychological pressure into compliant behavior (Montañez et al., 2020).
Complementing this psychological turn, Wang et al. (2021) developed a conceptual model that provides an integrative and structural perspective on how social engineering attacks work, identifying three core entities: the effect mechanism, the human vulnerability, and the attack method. The model’s value lies in tracing the causal pathway from attacker technique through exploited disposition to behavioral outcome, a structure that anticipates the attack lifecycle perspective adopted later in this review. Siddiqi et al. (2022) extended the empirical base through a systematic review, observing that as cybersecurity defenses become more robust, cybercriminals mutate their attacks to be more evasive and increasingly exploit the human factor in an organization’s security architecture. Social engineering attacks exploit specific human attributes to bypass technical security measures, and they are comparatively convenient for adversaries because compromising a human is often easier than discovering a technical vulnerability; moreover, such attacks are difficult to counter because they follow no fixed pattern (Siddiqi et al., 2022).
Within the cybersecurity cognitive psychology program, Montañez et al. (2020) further decompose victim-side vulnerability into interacting factors spanning cognition, personality, awareness, and emotional state, and they map attacker techniques onto established principles of persuasion, showing that most documented social engineering attacks recombine a small set of influence primitives, including authority, scarcity, reciprocity, and social proof, rather than inventing new ones. This decomposition has practical significance for defense: if attack diversity at the surface conceals a limited set of underlying persuasion mechanisms, then training and detection systems that target the mechanisms, rather than the surface features of particular scams, should generalize far better across novel attack variants (Montañez et al., 2020; Wang et al., 2021).
The cognitive science of misinformation supplies the mechanistic detail that the security literature often lacks. Belief in false claims is driven less by motivated reasoning alone than by failures of analytic attention: people who reason more reflectively discern truth from falsehood better regardless of ideological congeniality, and much sharing of falsehood occurs simply because attention is focused on factors other than accuracy (Pennycook & Rand, 2021). Ecker et al. (2022) synthesized the drivers of misinformation belief, showing that repetition breeds familiarity and perceived truth, that emotional content and source cues shortcut deliberation, and that corrections frequently fail because retracted information continues to influence reasoning, a phenomenon known as the continued influence effect. Susceptibility is further patterned by individual differences: van der Linden (2022) documents that intuitive processing styles, prior worldviews, and repeated exposure jointly shape vulnerability, framing misinformation as a pathogen whose spread can be modeled and, critically, immunized against. Consistent with this account, individuals with high emotionality and intuitive cognitive styles are more susceptible to disinformation, including deepfakes, than those with more rational processing styles (von Sikorski & Hameleers, 2025).
Siddiqi et al. (2022) add an important cultural dimension to this discussion, arguing that the manipulation of human behavior and emotions in cyberattacks presents a challenging variable for security experts and that culture plays a significant role in shaping behavior, beliefs, morals, decisions, and attitudes. This observation implies that the effectiveness of cognitive hacking is not universal but modulated by sociocultural context, a conclusion reinforced by cross-national research showing that structural conditions, including media trust, polarization, and platform ecology, produce systematically different levels of national resilience to online disinformation (Humprecht et al., 2020).
Table 3 consolidates the principal psychological triggers documented across this literature, together with the mechanisms through which each is exploited.
Two features of
Table 3 deserve emphasis. First, the triggers operate at different loci of the persuasion process: some (authority, urgency, fear) are properties of the message; others (inattention, intuitive style, overconfidence) are properties of the receiver; and still others (social proof, repetition) emerge from the information environment itself. Effective attacks typically layer triggers across all three loci, which helps explain why single-point interventions so often disappoint (Ecker et al., 2022; Wang et al., 2021). Second, the most recently documented triggers, inattention and detection overconfidence, are distinctive precisely because they do not require the target to hold any false belief about the attacker; they require only that scarce attentional resources be allocated elsewhere, an insight with direct implications for the accuracy-prompt and inoculation interventions reviewed in
Section 2.4 (Köbis et al., 2021; Pennycook & Rand, 2021).
The trigger taxonomy also carries direct organizational implications. Because attackers recombine a finite repertoire of persuasion primitives, security training built around simulated attacks can sample that repertoire systematically rather than chasing the latest scam template (Montañez et al., 2020; Wang et al., 2021). The economics of attack generation sharpen this requirement: now that large language models can produce individually tailored deceptive messages at negligible cost, organizations should expect the volume and personalization of trigger-laden communications to rise even where their underlying psychology remains unchanged (Heiding et al., 2024). And because the trusted insider enters the interpretive chain with authority and familiarity already established, insider-focused monitoring and information asset cost models remain a necessary complement to perimeter-oriented awareness programs (Thompson, 2004).
2.3. AI-Driven Tools and the Amplification of Cognitive Attacks
The third major theme concerns the role of emerging digital technologies in scaling the reach and persuasiveness of cognitive attacks. A scoping review of 64 peer-reviewed studies published between 2021 and 2024 on the intersection of generative AI and disinformation identified six key thematic areas and found that generative AI plays a dual role: it enables the rapid creation and targeted dissemination of synthetic content, yet it also offers new opportunities for detection, verification, and public education (López-Borrull & Lopezosa, 2025). The environment into which such content flows is one of extraordinary saturation: approximately 5.31 billion social media accounts were in use in early 2025, representing 64.7% of the global population, with users averaging between 143 and 147 minutes per day on social platforms, conditions that allow disinformation to propagate rapidly as generative systems enable low-cost, scalable content production and targeting (Romanishyn et al., 2025).
The technical repertoire available to attackers has been mapped comprehensively. Mirsky and Lee (2021) survey the generative architectures underlying deepfakes across reenactment, replacement, editing, and synthesis, and they document a persistent arms race in which detection methods trail generation capabilities. AI tools now facilitate realistic multimodal content, including deepfake video and AI-generated voice recordings, that is difficult to distinguish from authentic material; a prominent example is the AI-generated robocall mimicking President Joe Biden’s voice during the 2024 Democratic primaries, which illustrates how generative AI can directly interfere with electoral communication (von Sikorski & Hameleers, 2025). The threat extends to targeted attacks on individuals and organizations: large language models can automate the entire spear-phishing pipeline, producing deceptive emails at a small fraction of previous cost while achieving click-through rates comparable to messages crafted with human expertise (Heiding et al., 2024). As shown in
Table 4, these tools span a continuum from fully synthetic media to low-technology manipulation.
What distinguishes the current period from earlier waves of computer-mediated deception is the accumulation of controlled experimental evidence on human susceptibility. Spitale et al. (2023) found that participants not only failed to distinguish GPT-3-generated tweets from human-written ones but rated accurate synthetic tweets as true more often, and false synthetic tweets as true more often, than their organic counterparts, leading the authors to conclude that GPT-3 both informs and disinforms more effectively than humans. Salvi et al. (2025) extended this line of work from judgment to interactive persuasion: in a preregistered randomized controlled trial, GPT-4 equipped with minimal sociodemographic information about its opponent achieved significantly higher post-debate agreement shifts than human persuaders in the majority of contests. On the detection side, Köbis et al. (2021) showed that people cannot reliably identify deepfake videos, exhibit a systematic bias toward judging content authentic, and remain overconfident even when warned; Groh et al. (2022) found that ordinary observers achieve accuracy comparable to a leading computer vision model, with the two making different kinds of errors, such that machine-informed crowds outperform either alone; and Barrington et al. (2025) demonstrated that listeners perform poorly at distinguishing cloned from authentic voices.
Table 5 consolidates this rapidly growing experimental record.
Read together, the studies in
Table 5 support three interpretive conclusions. First, the discrimination problem is real and general: across modalities of text, audio, and video, unaided humans perform near chance at identifying synthetic content, and the deficit is compounded by overconfidence (Barrington et al., 2025; Groh et al., 2022; Köbis et al., 2021). Second, the persuasion advantage of AI-generated content is now documented experimentally rather than merely conjectured, and it grows when generation is coupled with personalization (Salvi et al., 2025; Spitale et al., 2023). Third, however, the effects literature counsels against technological determinism: deepfakes often function less as instruments of outright deception than as generators of uncertainty and distrust (Vaccari & Chadwick, 2020), their persuasive edge over cheaper textual falsehoods is modest or absent (Barari et al., 2025), and supply-side abundance does not automatically translate into demand-side influence (Simon et al., 2023). Indeed, systematic analysis of visual disinformation emphasizes that low-technology cheap fakes remain far more prevalent than sophisticated synthetic media in documented political manipulation (Weikmann & Lecheler, 2023), an empirical regularity that Thompson and Guillory (2025) likewise stress. Benchmark comparisons nonetheless confirm an accelerating trajectory, with reported fivefold rises in deepfake volume and tens of millions of fabricated identities mirroring global surges in those phenomena (Romanishyn et al., 2025), and the ethical and legal frameworks required to contain these techniques remain fragmented and slow to adapt, leaving a governance gap that challenges existing models of truth mediation and democratic oversight (von Sikorski & Hameleers, 2025).
A final feature of this literature deserves attention: the same generative systems that empower attackers are simultaneously reshaping the institutions that defend the information environment. The scoping review evidence shows generative AI transforming journalism, scientific communication, media literacy education, and fact-checking practice, often in ways that strengthen rather than weaken verification capacity (López-Borrull & Lopezosa, 2025). Credibility effects are also conditional rather than uniform: Kreps et al. (2022) found that partisan congeniality moderated the perceived believability of synthetic news, indicating that audience predispositions, not generation quality alone, govern uptake. Assessments of recent election cycles similarly report that feared waves of decisive AI-driven manipulation have so far failed to materialize at scale, even as documented incidents accumulate (von Sikorski & Hameleers, 2025). The tools literature therefore describes not a one-sided armament but an unstable equilibrium in which offensive and defensive applications of the same underlying models co-evolve, a dynamic taken up in the countermeasures theme that follows.
2.4. Countermeasures: Technical, Psychological, and Institutional
The fourth major theme addresses the development of effective countermeasures. The foundational technical framework proposed by Cybenko et al. (2002) remains widely cited: because cognitive hackers rely on changed user actions, defenses must aim at preventing misinformation from taking hold, through authentication of source, collaborative filtering and reliability reporting, detection of collusion by information sources, and linguistic analysis. The Semantic Hacking Project, though primarily conceptual, culminated in a working prototype of one proposed countermeasure and produced one of the first structured taxonomies of cognitive threats and defenses in the information domain (Thompson & Guillory, 2025). Revisiting that agenda with modern technology in view, Thompson and Guillory (2025) argue that several early concepts have become newly feasible: collaborative filtering and trust reporting could lower the credibility of unverified accounts making bold claims, information trajectory modeling could flag sudden anomalies, and linguistic analysis could reveal that hundreds of seemingly independent posts were authored by only a few people.
On the technical frontier, detection research has matured into a discipline of its own. Mirsky and Lee (2021) catalogue artifact-based, spatiotemporal, and biological-signal approaches to deepfake detection while cautioning that each is vulnerable to adversarial adaptation, and Groh et al. (2022) provide experimental grounds for hybrid architectures in which model predictions inform, rather than replace, human judgment. Generative AI itself offers powerful tools for fact-checking: AI technologies can analyze large volumes of data in real time, identifying patterns and anomalies that may indicate false information, enabling fact-checkers to work more efficiently and reducing the time needed to identify and debunk falsehoods (López-Borrull & Lopezosa, 2025). Beyond detection, a growing research agenda emphasizes provenance infrastructure, including watermarking and content credentials, alongside systematic measurement of real-world prevalence, as preconditions for effective platform and regulatory action (Feuerriegel et al., 2023).
The psychological countermeasure literature has advanced even more rapidly. Drawing on inoculation theory, van der Linden (2022) synthesizes evidence that preemptive exposure to weakened doses of manipulation techniques confers measurable resistance to subsequent disinformation. The approach scales: in seven preregistered studies culminating in a field experiment on YouTube, short inoculation videos improved viewers’ recognition of manipulation techniques, their discernment of untrustworthy content, and the quality of their sharing decisions (Roozenbeek et al., 2022). Complementary interventions operate through attention rather than knowledge: simple accuracy prompts that shift attention back to truthfulness reliably improve the quality of sharing decisions (Pennycook & Rand, 2021). Corrective approaches remain necessary but face well-documented limits, as the continued influence effect means that debunking rarely eliminates reliance on retracted claims entirely (Ecker et al., 2022). Notably, generative AI can also serve corrective ends: in extended dialogues, a GPT-4-based system durably reduced belief in conspiracy theories by roughly 20%, with effects persisting for at least two months, suggesting that tailored counterevidence delivered conversationally can succeed where generic corrections fail (Costello et al., 2024).
Each psychological countermeasure carries documented boundary conditions that temper enthusiasm without negating effectiveness. Inoculation effects decay over weeks unless refreshed by booster interventions, and their magnitude, while robust, is moderate rather than transformative (van der Linden, 2022). Accuracy prompts improve average sharing quality but operate only at the moment of decision and leave entrenched beliefs untouched (Pennycook & Rand, 2021). Conversely, the durability of AI-delivered corrective dialogues, with effects persisting for months, suggests that depth of engagement may compensate for the brevity limits of lighter-touch interventions (Costello et al., 2024). Digital literacy programs face the additional challenge of reaching the populations most at risk, since participation in voluntary training correlates with precisely the analytic dispositions that already confer resistance (Pennycook & Rand, 2021; Siddiqi et al., 2022). These boundary conditions argue for portfolios of psychological defenses deployed in combination and evaluated longitudinally rather than for reliance on any single intervention.
At the institutional level, researchers have proposed expanding cognitive psychology into a dedicated subfield of cybersecurity cognitive psychology to provide a systematic foundation for studying social engineering and related attacks, with persuasion as a central organizing construct (Montañez et al., 2020). Cross-national comparative work adds that countermeasure effectiveness is conditioned by structural context, since countries differ systematically in their resilience to online disinformation as a function of media trust, polarization, and platform environments (Humprecht et al., 2020).
Table 6 provides a comparative overview of the countermeasure categories documented across this literature, organized by type, mechanism, target, and implementation difficulty.
The comparative pattern in
Table 6 highlights a structural complementarity: technical measures act principally on the supply and distribution of deceptive content, psychological measures act on the demand side by hardening the receiver, and institutional and regulatory measures reshape the environment in which both operate. No single layer is sufficient. Detection models degrade under adversarial pressure (Mirsky & Lee, 2021), inoculation effects decay without boosting (van der Linden, 2022), and regulation moves more slowly than generation technology (Romanishyn et al., 2025). The literature therefore converges on defense-in-depth as the governing design principle; an architecture developed further in
Section 3 and operationalized in the recommendations of
Section 8.