Preprint
Review

This version is not peer-reviewed.

Cognitive Hacking and the Evolution of Semantic Attacks: Psychological Mechanisms, AI-Driven Tools, and Countermeasures in Contemporary Information Security: A Comprehensive Literature Review

Submitted:

04 July 2026

Posted:

06 July 2026

You are already at the latest version

Abstract
This literature review synthesizes the growing body of scholarship on cognitive hacking, a form of cyberattack that targets human perception and decision-making rather than technical infrastructure. Cognitive hacking sits squarely within Libicki’s framework of semantic attack, and countermeasures against such attacks are expected to constitute an important area of research in the science of intelligence and security informatics (Thompson, 2004). Drawing on foundational works originating from the Semantic Hacking Project, contemporary studies in behavioral cybersecurity, and recent empirical scholarship on artificial intelligence (AI)–driven disinformation, this review identifies four overarching themes: the definition and taxonomy of cognitive attacks; the psychological mechanisms underlying cognitive exploitation; the technological tools that amplify such attacks; and the countermeasures available to researchers and practitioners. Recent experimental evidence indicates that generative AI systems now produce disinformation that is more compelling than human-written content (Spitale et al., 2023) and can out-persuade human interlocutors when supplied with minimal personal information about their targets (Salvi et al., 2025). With generative AI enabling faster, cheaper, and more convincing tailored disinformation, scholars and policymakers are urgently seeking coordinated ways to regulate and mitigate the impact of deepfakes (Romanishyn et al., 2025). At the same time, meta-analytic and experimental work on psychological inoculation demonstrates that resilience to manipulation can be cultivated at scale (Roozenbeek et al., 2022; van der Linden, 2022). The review identifies significant research gaps, particularly at the intersection of generative AI and cognitive resilience, and concludes that a multidisciplinary approach integrating cognitive psychology, security informatics, and public policy is essential for developing robust defenses.
Keywords: 
;  ;  ;  ;  ;  ;  ;  

1. Introduction

The landscape of information security has undergone a fundamental transformation over the past two decades, shifting from an almost exclusive focus on technical infrastructure toward a growing recognition of the human cognitive dimension as a primary attack surface. Cybersecurity attacks frequently succeed because they target the cognitive and behavioral vulnerabilities of ordinary users and preventing or mitigating such attacks requires user-focused techniques to be researched, fostered, and developed (Montañez et al., 2020). This orientation, once considered peripheral to the mainstream of security research, now constitutes a central concern in both academic and practitioner communities, and it has acquired renewed urgency as generative AI systems lower the cost of producing persuasive deceptive content (Feuerriegel et al., 2023; von Sikorski & Hameleers, 2025).
Two classes of information systems attacks must be distinguished: autonomous attacks and cognitive attacks. Autonomous attacks operate entirely within the fabric of computing and networking infrastructures, whereas cognitive attacks require a human interpretive process to succeed and therefore constitute a fundamentally different category of threat (Cybenko et al., 2002). The Semantic Hacking Project, which ran from 2001 to 2003, focused on how information systems, and the human decisions shaped by them, could be exploited through attacks directed not at code or infrastructure but at meaning itself (Thompson & Guillory, 2025). In the context of information warfare, Libicki (1994) first characterized attacks on computer systems as physical, syntactic, or semantic, the latter describing situations in which systems and their users are misled by an adversary’s misinformation. Cognitive hacking was subsequently defined as an attack directed at the mind of the user of a computer system, and countermeasures against cognitive and semantic attacks were expected to play an important role in the emerging science of intelligence and security informatics (Thompson, 2004).
A brief clarification of terminology is warranted at the outset, because the field’s vocabulary has accumulated in overlapping layers. Cognitive hacking denotes attacks delivered through information systems that achieve their effect by altering user perception (Cybenko et al., 2002); social engineering denotes the broader use of psychological manipulation to induce security-compromising behavior, whether or not a computer mediates the interaction (Wang et al., 2020); disinformation denotes intentionally false or misleading content, distinguished from misinformation by the presence of deceptive intent (van der Linden, 2022); and cognitive warfare denotes the strategic, typically state-directed weaponization of these techniques against whole populations (Miller, 2023; NATO, 2021). These constructs are nested rather than synonymous, and this review treats cognitive hacking as the connective concept linking the computer security, psychology, and political communication literatures.
The empirical case for treating human cognition as a contested security domain has strengthened considerably since these foundational formulations. In a landmark analysis of approximately 126,000 rumor cascades on Twitter, false news was found to diffuse significantly farther, faster, deeper, and more broadly than the truth, an effect driven principally by the novelty of false content and the emotional reactions it provokes rather than by automated accounts (Vosoughi et al., 2018). Susceptibility to such content is not randomly distributed: individual differences in analytic thinking, prior attitudes, and repeated exposure systematically shape who accepts and shares falsehoods (Pennycook & Rand, 2021; van der Linden, 2022). These findings confirm the central intuition of the early cognitive hacking literature, namely that the decisive vulnerabilities in networked information systems are often psychological rather than technical.
The proliferation of disruptive innovations in AI has amplified these attacks, enabling adversaries to execute precise, large-scale cognitive operations with unprecedented speed and sophistication (Romanishyn et al., 2025). Experimental evidence now shows that large language models (LLMs) produce disinformation that participants find more compelling than human-written equivalents (Spitale et al., 2023), that AI-generated news articles are routinely perceived as credible (Kreps et al., 2022), and that GPT-4, when given minimal demographic information about its interlocutor, out-persuades human debaters in a majority of matched contests (Salvi et al., 2025). Parallel work demonstrates that ordinary observers cannot reliably detect deepfake videos or cloned voices, while remaining overconfident in their ability to do so (Barrington et al., 2025; Köbis et al., 2021).
At the same time, the scholarly debate is not monolithic. Some researchers caution that fears about generative AI’s effect on the information ecosystem may be overstated, arguing that the supply of misinformation was already effectively unlimited before LLMs and that attention, rather than content, is the binding constraint on influence (Simon et al., 2023). Large-scale experiments similarly indicate that political deepfakes, while credible, are often no more persuasive than equivalent textual falsehoods (Barari et al., 2025). A rigorous review must therefore weigh alarmist and dismissive narratives against the accumulating empirical record (von Sikorski & Hameleers, 2025).
The purpose of this literature review is to synthesize existing research on cognitive hacking, map its major theoretical contributions, evaluate the role of emerging technologies in accelerating these threats, and critically assess the countermeasures proposed by scholars. The review proceeds as follows. Section 2 organizes the literature into four thematic strands. Section 3 articulates the theoretical frameworks underpinning the field, and Section 4 appraises the methodological approaches employed. Section 5 discusses cross-cutting findings, Section 6 identifies research gaps, and Section 7 and Section 8 present conclusions and recommendations for researchers, practitioners, and policymakers.

2. Literature Review

The scholarly discourse on cognitive hacking has evolved from early conceptual formulations in the first years of the twenty-first century to empirically grounded studies in the era of generative AI. This body of literature can be organized around four interlocking themes: the definition and taxonomy of cognitive attacks; the psychological mechanisms exploited by attackers; the digital tools that operationalize these attacks; and the countermeasures developed in response. As shown in Table 1, the key studies reviewed span conceptual, experimental, review-based, and policy-oriented methods, reflecting the field’s pronounced interdisciplinarity.

2.1. Defining and Taxonomizing Cognitive Attacks

The foundational intellectual contribution to this field was made by Cybenko et al. (2002), who provided the first peer-reviewed definition of cognitive hacking in the IEEE journal Computer. Cognitive hackers manipulate a user’s perception and rely on the user’s changed actions to carry out the attack; effective countermeasures must therefore aim at preventing misinformation through mechanisms such as authentication, collaborative filtering, and linguistic analysis (Cybenko et al., 2002). The authors delineated two classes of information systems attacks: autonomous attacks, which operate entirely within the computing and networking infrastructure, and cognitive hacks, which constitute a defined category of computer security exploit directed at the interpretive processes of the human user (Cybenko et al., 2002). A subsequent and more comprehensive treatment distinguished single-source from multiple-source cognitive attacks and organized candidate countermeasures accordingly, establishing the first structured taxonomy in this domain (Cybenko et al., 2004).
The early literature grounded these definitions in documented incidents rather than hypothetical scenarios. Cybenko et al. (2002) analyzed cases in which fabricated information injected into trusted channels produced immediate, measurable behavioral consequences, most famously the fraudulent press release that briefly destroyed more than half of Emulex Corporation’s market capitalization in 2000 after being picked up and redistributed by legitimate financial news services. Such episodes illustrate the defining mechanics of a cognitive hack: the technical infrastructure functions exactly as designed, every packet is delivered intact, and yet the system is compromised because the meaning conveyed to human decision-makers has been corrupted at its source (Cybenko et al., 2002, 2004). The same mechanics operate in slower and subtler registers, including pump-and-dump stock schemes conducted through pseudonymous message board postings, in which a small number of actors simulate independent consensus to move markets (Cybenko et al., 2004).
Thompson (2004) generalized the concept by situating cognitive hacking within Libicki’s (1994) framework of semantic attack and by discussing the role of semantic attacks and countermeasures in the context of an emerging science of intelligence and security informatics. This framework carries an important organizational implication: because the cognitive attacker can be a trusted insider, an organization’s computer system should maintain a cost model of its information assets as well as a model of each insider’s normal use of the system (Thompson, 2004). Definitional work in the adjacent social engineering literature followed a similar consolidating trajectory. After documenting substantial conceptual fragmentation across decades of usage, Wang et al. (2020) proposed a systematic definition of social engineering in cybersecurity, thereby stabilizing a construct that overlaps substantially with cognitive hacking whenever deception is delivered through information systems.
As presented in Table 2, the definitional evolution of cognitive hacking reflects a progressive broadening of scope: from a computer security exploit aimed at an individual user’s perception, through a general class of semantic attacks on meaning, to a strategic domain of state-level competition over entire populations’ cognition.
The securitization of these ideas proceeded rapidly in the following decade. Waltzman’s 2017 congressional testimony popularized the term “cognitive security” in national security circles, and NATO began engaging formally with these concepts through its Innovation Hub and subsequent symposia (Thompson & Guillory, 2025). NATO’s (2021) publication on countering cognitive warfare brought the vocabulary of awareness and resilience into broader use across allied military structures, framing the human mind itself as a contested domain. Philosophical scholarship has since sharpened the concept’s boundaries: Miller (2023) analyzes cognitive warfare as the weaponization of disinformation by state actors to undermine adversaries’ epistemic autonomy and institutional knowledge, distinguishing it from both kinetic warfare and legitimate persuasion, and arguing that its distinctive harm lies in corroding the rational agency on which liberal-democratic institutions depend.
More recently, Thompson and Guillory (2025) revisited the foundational scholarship of the Semantic Hacking Project and assessed its contemporary relevance. The project anticipated many of today’s challenges, including disinformation campaigns, social media manipulation, and AI-generated narratives, and it did so not only in technical terms but also in philosophical and linguistic terms (Thompson & Guillory, 2025). At the heart of the project’s concern was a question that has only grown more urgent in the era of generative AI: what happens when the inputs to a person’s belief system can be manipulated without the person knowing it (Thompson & Guillory, 2025)? Figure 1 situates these definitional milestones within the broader trajectory of the field, from Libicki’s (1994) original taxonomy through the securitization of cognitive defense to the present generative AI era.
Viewed across this thirty-year arc, the taxonomic literature displays a notable continuity: each successive reformulation preserves the original insight that the target of the attack is interpretation rather than infrastructure, while widening the unit of analysis from the individual user to organizations, electorates, and alliances. This continuity matters for contemporary research because it means that countermeasure concepts developed for single-user exploits, such as source authentication and credibility scoring, remain structurally relevant to population-scale influence operations, even as their implementation must be rethought for algorithmically mediated environments (Cybenko et al., 2004; Thompson & Guillory, 2025).

2.2. Psychological Mechanisms of Exploitation

A second major strand of research concerns the specific psychological vulnerabilities that cognitive attackers exploit. Social engineering cyberattacks are a major threat because they often precede sophisticated and devastating intrusions, and they constitute a kind of psychological attack that exploits weaknesses in human cognitive functions (Montañez et al., 2020). Treating social engineering cyberattacks as a particular kind of psychological attack has independent theoretical value because it lays the foundation for a field that may be called cybersecurity cognitive psychology, which extends and adapts principles of cognitive psychology to satisfy cybersecurity’s needs while embracing concepts unique to the domain (Montañez et al., 2020). Within this emerging field, persuasion has been identified as a central explanatory construct for understanding how attackers convert psychological pressure into compliant behavior (Montañez et al., 2020).
Complementing this psychological turn, Wang et al. (2021) developed a conceptual model that provides an integrative and structural perspective on how social engineering attacks work, identifying three core entities: the effect mechanism, the human vulnerability, and the attack method. The model’s value lies in tracing the causal pathway from attacker technique through exploited disposition to behavioral outcome, a structure that anticipates the attack lifecycle perspective adopted later in this review. Siddiqi et al. (2022) extended the empirical base through a systematic review, observing that as cybersecurity defenses become more robust, cybercriminals mutate their attacks to be more evasive and increasingly exploit the human factor in an organization’s security architecture. Social engineering attacks exploit specific human attributes to bypass technical security measures, and they are comparatively convenient for adversaries because compromising a human is often easier than discovering a technical vulnerability; moreover, such attacks are difficult to counter because they follow no fixed pattern (Siddiqi et al., 2022).
Within the cybersecurity cognitive psychology program, Montañez et al. (2020) further decompose victim-side vulnerability into interacting factors spanning cognition, personality, awareness, and emotional state, and they map attacker techniques onto established principles of persuasion, showing that most documented social engineering attacks recombine a small set of influence primitives, including authority, scarcity, reciprocity, and social proof, rather than inventing new ones. This decomposition has practical significance for defense: if attack diversity at the surface conceals a limited set of underlying persuasion mechanisms, then training and detection systems that target the mechanisms, rather than the surface features of particular scams, should generalize far better across novel attack variants (Montañez et al., 2020; Wang et al., 2021).
The cognitive science of misinformation supplies the mechanistic detail that the security literature often lacks. Belief in false claims is driven less by motivated reasoning alone than by failures of analytic attention: people who reason more reflectively discern truth from falsehood better regardless of ideological congeniality, and much sharing of falsehood occurs simply because attention is focused on factors other than accuracy (Pennycook & Rand, 2021). Ecker et al. (2022) synthesized the drivers of misinformation belief, showing that repetition breeds familiarity and perceived truth, that emotional content and source cues shortcut deliberation, and that corrections frequently fail because retracted information continues to influence reasoning, a phenomenon known as the continued influence effect. Susceptibility is further patterned by individual differences: van der Linden (2022) documents that intuitive processing styles, prior worldviews, and repeated exposure jointly shape vulnerability, framing misinformation as a pathogen whose spread can be modeled and, critically, immunized against. Consistent with this account, individuals with high emotionality and intuitive cognitive styles are more susceptible to disinformation, including deepfakes, than those with more rational processing styles (von Sikorski & Hameleers, 2025).
Siddiqi et al. (2022) add an important cultural dimension to this discussion, arguing that the manipulation of human behavior and emotions in cyberattacks presents a challenging variable for security experts and that culture plays a significant role in shaping behavior, beliefs, morals, decisions, and attitudes. This observation implies that the effectiveness of cognitive hacking is not universal but modulated by sociocultural context, a conclusion reinforced by cross-national research showing that structural conditions, including media trust, polarization, and platform ecology, produce systematically different levels of national resilience to online disinformation (Humprecht et al., 2020). Table 3 consolidates the principal psychological triggers documented across this literature, together with the mechanisms through which each is exploited.
Two features of Table 3 deserve emphasis. First, the triggers operate at different loci of the persuasion process: some (authority, urgency, fear) are properties of the message; others (inattention, intuitive style, overconfidence) are properties of the receiver; and still others (social proof, repetition) emerge from the information environment itself. Effective attacks typically layer triggers across all three loci, which helps explain why single-point interventions so often disappoint (Ecker et al., 2022; Wang et al., 2021). Second, the most recently documented triggers, inattention and detection overconfidence, are distinctive precisely because they do not require the target to hold any false belief about the attacker; they require only that scarce attentional resources be allocated elsewhere, an insight with direct implications for the accuracy-prompt and inoculation interventions reviewed in Section 2.4 (Köbis et al., 2021; Pennycook & Rand, 2021).
The trigger taxonomy also carries direct organizational implications. Because attackers recombine a finite repertoire of persuasion primitives, security training built around simulated attacks can sample that repertoire systematically rather than chasing the latest scam template (Montañez et al., 2020; Wang et al., 2021). The economics of attack generation sharpen this requirement: now that large language models can produce individually tailored deceptive messages at negligible cost, organizations should expect the volume and personalization of trigger-laden communications to rise even where their underlying psychology remains unchanged (Heiding et al., 2024). And because the trusted insider enters the interpretive chain with authority and familiarity already established, insider-focused monitoring and information asset cost models remain a necessary complement to perimeter-oriented awareness programs (Thompson, 2004).

2.3. AI-Driven Tools and the Amplification of Cognitive Attacks

The third major theme concerns the role of emerging digital technologies in scaling the reach and persuasiveness of cognitive attacks. A scoping review of 64 peer-reviewed studies published between 2021 and 2024 on the intersection of generative AI and disinformation identified six key thematic areas and found that generative AI plays a dual role: it enables the rapid creation and targeted dissemination of synthetic content, yet it also offers new opportunities for detection, verification, and public education (López-Borrull & Lopezosa, 2025). The environment into which such content flows is one of extraordinary saturation: approximately 5.31 billion social media accounts were in use in early 2025, representing 64.7% of the global population, with users averaging between 143 and 147 minutes per day on social platforms, conditions that allow disinformation to propagate rapidly as generative systems enable low-cost, scalable content production and targeting (Romanishyn et al., 2025).
The technical repertoire available to attackers has been mapped comprehensively. Mirsky and Lee (2021) survey the generative architectures underlying deepfakes across reenactment, replacement, editing, and synthesis, and they document a persistent arms race in which detection methods trail generation capabilities. AI tools now facilitate realistic multimodal content, including deepfake video and AI-generated voice recordings, that is difficult to distinguish from authentic material; a prominent example is the AI-generated robocall mimicking President Joe Biden’s voice during the 2024 Democratic primaries, which illustrates how generative AI can directly interfere with electoral communication (von Sikorski & Hameleers, 2025). The threat extends to targeted attacks on individuals and organizations: large language models can automate the entire spear-phishing pipeline, producing deceptive emails at a small fraction of previous cost while achieving click-through rates comparable to messages crafted with human expertise (Heiding et al., 2024). As shown in Table 4, these tools span a continuum from fully synthetic media to low-technology manipulation.
What distinguishes the current period from earlier waves of computer-mediated deception is the accumulation of controlled experimental evidence on human susceptibility. Spitale et al. (2023) found that participants not only failed to distinguish GPT-3-generated tweets from human-written ones but rated accurate synthetic tweets as true more often, and false synthetic tweets as true more often, than their organic counterparts, leading the authors to conclude that GPT-3 both informs and disinforms more effectively than humans. Salvi et al. (2025) extended this line of work from judgment to interactive persuasion: in a preregistered randomized controlled trial, GPT-4 equipped with minimal sociodemographic information about its opponent achieved significantly higher post-debate agreement shifts than human persuaders in the majority of contests. On the detection side, Köbis et al. (2021) showed that people cannot reliably identify deepfake videos, exhibit a systematic bias toward judging content authentic, and remain overconfident even when warned; Groh et al. (2022) found that ordinary observers achieve accuracy comparable to a leading computer vision model, with the two making different kinds of errors, such that machine-informed crowds outperform either alone; and Barrington et al. (2025) demonstrated that listeners perform poorly at distinguishing cloned from authentic voices. Table 5 consolidates this rapidly growing experimental record.
Read together, the studies in Table 5 support three interpretive conclusions. First, the discrimination problem is real and general: across modalities of text, audio, and video, unaided humans perform near chance at identifying synthetic content, and the deficit is compounded by overconfidence (Barrington et al., 2025; Groh et al., 2022; Köbis et al., 2021). Second, the persuasion advantage of AI-generated content is now documented experimentally rather than merely conjectured, and it grows when generation is coupled with personalization (Salvi et al., 2025; Spitale et al., 2023). Third, however, the effects literature counsels against technological determinism: deepfakes often function less as instruments of outright deception than as generators of uncertainty and distrust (Vaccari & Chadwick, 2020), their persuasive edge over cheaper textual falsehoods is modest or absent (Barari et al., 2025), and supply-side abundance does not automatically translate into demand-side influence (Simon et al., 2023). Indeed, systematic analysis of visual disinformation emphasizes that low-technology cheap fakes remain far more prevalent than sophisticated synthetic media in documented political manipulation (Weikmann & Lecheler, 2023), an empirical regularity that Thompson and Guillory (2025) likewise stress. Benchmark comparisons nonetheless confirm an accelerating trajectory, with reported fivefold rises in deepfake volume and tens of millions of fabricated identities mirroring global surges in those phenomena (Romanishyn et al., 2025), and the ethical and legal frameworks required to contain these techniques remain fragmented and slow to adapt, leaving a governance gap that challenges existing models of truth mediation and democratic oversight (von Sikorski & Hameleers, 2025).
A final feature of this literature deserves attention: the same generative systems that empower attackers are simultaneously reshaping the institutions that defend the information environment. The scoping review evidence shows generative AI transforming journalism, scientific communication, media literacy education, and fact-checking practice, often in ways that strengthen rather than weaken verification capacity (López-Borrull & Lopezosa, 2025). Credibility effects are also conditional rather than uniform: Kreps et al. (2022) found that partisan congeniality moderated the perceived believability of synthetic news, indicating that audience predispositions, not generation quality alone, govern uptake. Assessments of recent election cycles similarly report that feared waves of decisive AI-driven manipulation have so far failed to materialize at scale, even as documented incidents accumulate (von Sikorski & Hameleers, 2025). The tools literature therefore describes not a one-sided armament but an unstable equilibrium in which offensive and defensive applications of the same underlying models co-evolve, a dynamic taken up in the countermeasures theme that follows.

2.4. Countermeasures: Technical, Psychological, and Institutional

The fourth major theme addresses the development of effective countermeasures. The foundational technical framework proposed by Cybenko et al. (2002) remains widely cited: because cognitive hackers rely on changed user actions, defenses must aim at preventing misinformation from taking hold, through authentication of source, collaborative filtering and reliability reporting, detection of collusion by information sources, and linguistic analysis. The Semantic Hacking Project, though primarily conceptual, culminated in a working prototype of one proposed countermeasure and produced one of the first structured taxonomies of cognitive threats and defenses in the information domain (Thompson & Guillory, 2025). Revisiting that agenda with modern technology in view, Thompson and Guillory (2025) argue that several early concepts have become newly feasible: collaborative filtering and trust reporting could lower the credibility of unverified accounts making bold claims, information trajectory modeling could flag sudden anomalies, and linguistic analysis could reveal that hundreds of seemingly independent posts were authored by only a few people.
On the technical frontier, detection research has matured into a discipline of its own. Mirsky and Lee (2021) catalogue artifact-based, spatiotemporal, and biological-signal approaches to deepfake detection while cautioning that each is vulnerable to adversarial adaptation, and Groh et al. (2022) provide experimental grounds for hybrid architectures in which model predictions inform, rather than replace, human judgment. Generative AI itself offers powerful tools for fact-checking: AI technologies can analyze large volumes of data in real time, identifying patterns and anomalies that may indicate false information, enabling fact-checkers to work more efficiently and reducing the time needed to identify and debunk falsehoods (López-Borrull & Lopezosa, 2025). Beyond detection, a growing research agenda emphasizes provenance infrastructure, including watermarking and content credentials, alongside systematic measurement of real-world prevalence, as preconditions for effective platform and regulatory action (Feuerriegel et al., 2023).
The psychological countermeasure literature has advanced even more rapidly. Drawing on inoculation theory, van der Linden (2022) synthesizes evidence that preemptive exposure to weakened doses of manipulation techniques confers measurable resistance to subsequent disinformation. The approach scales: in seven preregistered studies culminating in a field experiment on YouTube, short inoculation videos improved viewers’ recognition of manipulation techniques, their discernment of untrustworthy content, and the quality of their sharing decisions (Roozenbeek et al., 2022). Complementary interventions operate through attention rather than knowledge: simple accuracy prompts that shift attention back to truthfulness reliably improve the quality of sharing decisions (Pennycook & Rand, 2021). Corrective approaches remain necessary but face well-documented limits, as the continued influence effect means that debunking rarely eliminates reliance on retracted claims entirely (Ecker et al., 2022). Notably, generative AI can also serve corrective ends: in extended dialogues, a GPT-4-based system durably reduced belief in conspiracy theories by roughly 20%, with effects persisting for at least two months, suggesting that tailored counterevidence delivered conversationally can succeed where generic corrections fail (Costello et al., 2024).
Each psychological countermeasure carries documented boundary conditions that temper enthusiasm without negating effectiveness. Inoculation effects decay over weeks unless refreshed by booster interventions, and their magnitude, while robust, is moderate rather than transformative (van der Linden, 2022). Accuracy prompts improve average sharing quality but operate only at the moment of decision and leave entrenched beliefs untouched (Pennycook & Rand, 2021). Conversely, the durability of AI-delivered corrective dialogues, with effects persisting for months, suggests that depth of engagement may compensate for the brevity limits of lighter-touch interventions (Costello et al., 2024). Digital literacy programs face the additional challenge of reaching the populations most at risk, since participation in voluntary training correlates with precisely the analytic dispositions that already confer resistance (Pennycook & Rand, 2021; Siddiqi et al., 2022). These boundary conditions argue for portfolios of psychological defenses deployed in combination and evaluated longitudinally rather than for reliance on any single intervention.
At the institutional level, researchers have proposed expanding cognitive psychology into a dedicated subfield of cybersecurity cognitive psychology to provide a systematic foundation for studying social engineering and related attacks, with persuasion as a central organizing construct (Montañez et al., 2020). Cross-national comparative work adds that countermeasure effectiveness is conditioned by structural context, since countries differ systematically in their resilience to online disinformation as a function of media trust, polarization, and platform environments (Humprecht et al., 2020). Table 6 provides a comparative overview of the countermeasure categories documented across this literature, organized by type, mechanism, target, and implementation difficulty.
The comparative pattern in Table 6 highlights a structural complementarity: technical measures act principally on the supply and distribution of deceptive content, psychological measures act on the demand side by hardening the receiver, and institutional and regulatory measures reshape the environment in which both operate. No single layer is sufficient. Detection models degrade under adversarial pressure (Mirsky & Lee, 2021), inoculation effects decay without boosting (van der Linden, 2022), and regulation moves more slowly than generation technology (Romanishyn et al., 2025). The literature therefore converges on defense-in-depth as the governing design principle; an architecture developed further in Section 3 and operationalized in the recommendations of Section 8.

3. Theoretical Framework

The literature reviewed in this study draws on two principal theoretical traditions. The first is the semantic attack framework, originating with Libicki’s (1994) taxonomy of information warfare and subsequently developed by Cybenko, Giani, and Thompson across multiple publications between 2002 and 2004. Libicki (1994) characterized attacks on computer systems as physical, syntactic, and semantic, with semantic attacks operating through an adversary’s misinformation rather than through damage to hardware or protocol logic. Cognitive hacking was defined within this tradition as an attack directed at the mind of the user of a computer system, and countermeasures against cognitive and semantic attacks were positioned as central problems for the science of intelligence and security informatics (Thompson, 2004). The Semantic Hacking Project sought to understand and model attacks that target human judgment, language, and interpretation, introducing the concept of cognitive attacks and exploring a range of countermeasures aimed at defending decision-making (Thompson & Guillory, 2025). Although the term cognitive security had not yet crystallized during the project’s lifetime, later strategic formulations, including NATO’s (2021) treatment of cognitive warfare and Miller’s (2023) ethical analysis, mirror the project’s insights regarding framing, deception, and interpretive manipulation.
The second theoretical tradition is cognitive and behavioral psychology, particularly the study of heuristic processing, cognitive biases, and the conditions under which deliberative reasoning fails. Treating social engineering cyberattacks as a particular kind of psychological attack lays the foundation for cybersecurity cognitive psychology, which adapts principles of cognitive psychology to cybersecurity’s needs (Montañez et al., 2020). Within this tradition, dual-process accounts hold that belief in and sharing of falsehoods reflect, to a substantial degree, insufficient engagement of analytic reasoning rather than protected motivated cognition (Pennycook & Rand, 2021), while the misinformation literature specifies the environmental drivers, repetition, emotional arousal, and source cues, that entrench false belief and resist correction (Ecker et al., 2022). Inoculation theory extends this psychological tradition from diagnosis to defense, positing that exposure to weakened forms of manipulation confers durable attitudinal resistance, an approach validated experimentally at platform scale (Roozenbeek et al., 2022; van der Linden, 2022). Table 7 summarizes the theoretical frameworks that structure the field and their principal scholars.
Together, these traditions imply that a comprehensive theory of cognitive hacking must account simultaneously for the structural properties of information systems and the psychological properties of the human users embedded within them. The semantic attack tradition supplies the system-level vocabulary of sources, channels, and integrity, and the psychological tradition supplies the receiver-level vocabulary of attention, heuristics, and belief revision; neither alone explains why a fabricated narrative moves from generation to behavioral effect. Synthesizing the two, Figure 2 presents an integrated conceptual model of the cognitive attack lifecycle, tracing the pathway from content creation through algorithmic amplification, perception, and belief formation to change behavior, and aligning each stage with the countermeasure families identified in Section 2.4.
The lifecycle model in Figure 2 offers three analytic advantages. First, it locates each empirical literature within a common causal chain: generation studies (Spitale et al., 2023) concern stage one, diffusion studies (Vosoughi et al., 2018) concern stage two, detection studies (Groh et al., 2022; Köbis et al., 2021) concern stage three, and persuasion and correction studies (Costello et al., 2024; Salvi et al., 2025) concern stages four and five. Second, it makes it explicit that countermeasures differ in their point of intervention, which clarifies why they are complements rather than substitutes. Third, it accommodates the insider threat emphasized by Thompson (2004), since a trusted insider simply enters the lifecycle at the perception stage with pre-established credibility, by passing the amplification defenses entirely.

4. Methodology of Reviewed Literature

Before appraising the methods of the reviewed studies, the corpus assembled for this review merits brief description. The synthesis draws on peer-reviewed journal articles, indexed conference proceedings, and a small number of seminal policy documents published between 1994 and 2025, identified through searches of major scholarly databases using combinations of the terms cognitive hacking, semantic attack, social engineering, cognitive security, cognitive warfare, disinformation, and deepfake, supplemented by backward and forward citation chasing from the foundational Semantic Hacking Project publications. Gray literature was admitted only where it has demonstrably shaped the scholarly conversation, as with NATO’s (2021) treatment of cognitive warfare. The resulting corpus deliberately spans computer science, psychology, communication research, political science, and applied ethics, since restricting the synthesis to any single discipline would reproduce the fragmentation that this review seeks to overcome.
The methodological approaches employed across the reviewed literature vary considerably, reflecting the field’s interdisciplinary character. Foundational works are primarily conceptual and taxonomic, drawing on case analysis and theoretical reasoning to develop definitions and classification systems (Cybenko et al., 2002, 2004; Thompson, 2004). Initial results of the Semantic Hacking Project were presented at workshops beginning in 2002, and a more comprehensive treatment appeared in a 2004 volume of Advances in Computers (Thompson & Guillory, 2025). Philosophical methods also remain in use, as in Miller’s (2023) normative analysis of cognitive warfare.
Review methodologies anchor the field’s cumulative claims. López-Borrull and Lopezosa (2025) applied a scoping review protocol to 64 peer-reviewed studies published between 2021 and 2024; Siddiqi et al. (2022) conducted a systematic review of the psychology of social engineering attacks; Weikmann and Lecheler (2023) synthesized the visual disinformation literature; and narrative syntheses in psychology consolidated the drivers of misinformation belief and its correction (Ecker et al., 2022; Pennycook & Rand, 2021; van der Linden, 2022). In the social engineering domain specifically, Wang et al. (2021) note that much remains unknown about what leads to attack success, and their conceptual model provides an integrative and structural perspective for describing how such attacks work.
The most significant methodological development of the past five years is the maturation of experimental designs. Controlled and often preregistered experiments now quantify credibility judgments of synthetic news (Kreps et al., 2022), discrimination of deepfake video and cloned audio (Barrington et al., 2025; Groh et al., 2022; Köbis et al., 2021), the persuasive effects of microtargeted deepfakes (Dobber et al., 2021), the comparative compellingness of LLM-generated disinformation (Spitale et al., 2023), interactive persuasion by LLMs (Salvi et al., 2025), phishing effectiveness (Heiding et al., 2024), and the efficacy of inoculation delivered as advertising on a live platform (Roozenbeek et al., 2022). Observational computational studies complement these designs at ecosystem scale (Vosoughi et al., 2018), while policy-oriented work employs qualitative case and regulatory analysis (Romanishyn et al., 2025).
Three methodological limitations nevertheless recur across this literature. First, longitudinal studies tracking the effectiveness of countermeasures as attack strategies evolve remain scarce; most studies assess attack mechanics or defense design in isolation and at a single point in time. Second, participant samples are drawn disproportionately from Western, educated, industrialized, rich, and democratic populations, constraining generalization precisely where cultural moderation is theorized to matter most (Humprecht et al., 2020; Siddiqi et al., 2022). Third, laboratory measures of credibility and detection may not capture field behavior, where attention, context, and repeated exposure differ substantially from experimental conditions (Pennycook & Rand, 2021; Vaccari & Chadwick, 2020). These limitations frame the research gaps elaborated in Section 6.

5. Discussion

The literature reviewed demonstrates that cognitive hacking is not a peripheral concern but a central and increasingly urgent dimension of information security. Several critical observations emerge from a synthesis of the evidence.
First, the threat is not reducible to any single technology or technique. The tools documented in Section 2.3 range from state-of-the-art voice cloning (Barrington et al., 2025) to crude out-of-context video clips (Weikmann & Lecheler, 2023), and the psychological triggers they exploit predate all of them (Cybenko et al., 2002). The robocall mimicking President Biden’s voice during the 2024 primaries is emblematic not because the underlying technology was novel but because it fused a mature manipulation format, the deceptive phone call, with newly cheap synthesis (von Sikorski & Hameleers, 2025). Defensive strategies keyed to technologies will therefore age quickly, whereas strategies keyed to the underlying interpretive vulnerabilities have proven durable across two decades of technological change (Thompson & Guillory, 2025).
Second, the asymmetry between attack and defense is a persistent structural feature of this domain. As Cybenko et al. (2002) argued in early work and Thompson and Guillory (2025) confirm in their retrospective, the cost of generating and distributing cognitive attacks is far lower than the cost of detecting and correcting them, and generative AI has widened this gap dramatically: LLMs collapse the cost of producing tailored deception toward zero (Heiding et al., 2024; Spitale et al., 2023), while corrections must contend with the continued influence effect and reach audiences that the original falsehood has already primed (Ecker et al., 2022). The very intangibility of attacks on meaning renders them resistant to conventional security controls (Thompson & Guillory, 2025).
Third, the societal consequences of successful cognitive hacking extend well beyond individual targets. The proliferation of online disinformation, particularly deepfakes, threatens the fabric of societies worldwide, eroding individuals’ sense of reality and trust (Romanishyn et al., 2025). Importantly, the experimental record suggests that erosion of trust may be the primary effect rather than a side effect: deepfakes frequently fail to convince viewers of specific falsehoods yet reliably increase generalized uncertainty and reduce trust in news (Vaccari & Chadwick, 2020). This dynamic also enables the inverse attack, in which authentic evidence is dismissed as fabricated, a possibility foreshadowed by the Semantic Hacking Project’s warning that the very definition of what is real is vulnerable to manipulation (Thompson & Guillory, 2025).
Fourth, there is a productive tension in the literature between the urgency of AI-driven threats and the empirical evidence on their marginal impact. Cheap fakes remain more prevalent than AI-generated content in documented electoral disinformation (Thompson & Guillory, 2025; Weikmann & Lecheler, 2023); deepfake videos are often no more persuasive than equivalent textual lies (Barari et al., 2025); and skeptics argue that because the supply of misinformation was never the binding constraint on influence, generative AI changes less than alarmist narratives suggest (Simon et al., 2023). Yet the counterevidence is equally concrete: synthetic disinformation is now measurably more compelling than the human-written baseline (Spitale et al., 2023), personalization confers a demonstrated persuasion advantage (Salvi et al., 2025), and attack automation is documented in the phishing domain (Heiding et al., 2024). The responsible synthesis is neither alarmism nor complacency but a nuanced, evidence-based appraisal that tracks which specific capabilities change adversary economics (Feuerriegel et al., 2023; von Sikorski & Hameleers, 2025).
Fifth, the human detection deficit reframes the defensive problem. If ordinary users cannot reliably identify synthetic media even when warned (Köbis et al., 2021), then interventions premised on individual vigilance face a hard ceiling. The more promising results come from architectures that redistribute the detection burden: machine-informed crowds that combine human contextual judgment with model consistency (Groh et al., 2022), provenance infrastructure that shifts verification from perception to cryptography (Feuerriegel et al., 2023), and inoculation that targets manipulation techniques, which generalize across content, rather than individual claims, which do not (Roozenbeek et al., 2022).
Sixth, as the sophistication of these techniques evolves, the ethical and legal frameworks required to contain them remain fragmented and slow to adapt, with deepfakes representing not merely a technological anomaly but a governance gap that challenges existing models of truth mediation and democratic oversight (von Sikorski & Hameleers, 2025). Miller (2023) supplies the normative vocabulary for this gap, arguing that cognitive warfare’s distinctive harm, degradation of the epistemic autonomy on which democratic self-governance depends, justifies defensive institutional design that neither censors legitimate speech nor leaves populations undefended.
Seventh, the dual-use character of AI is itself a strategic resource for defenders. The same generative capabilities that produce compelling disinformation also power real-time analytic support for fact-checkers (López-Borrull & Lopezosa, 2025), enable machine-informed crowds that outperform either humans or models alone (Groh et al., 2022), and deliver personalized corrective dialogues of unprecedented durability (Costello et al., 2024). The policy question is therefore not whether to permit powerful generative models but how to shape the institutional and economic conditions under which their defensive applications scale as quickly as their offensive ones (Feuerriegel et al., 2023; Romanishyn et al., 2025).
Eighth, epistemic institutions occupy a pivotal and exposed position in this contest. Journalism both suffers cognitive attacks, as when fabricated content is laundered through legitimate outlets, and mediates society’s defenses, since news organizations are the principal institutional fact-checkers and framers of public understanding of synthetic media (von Sikorski & Hameleers, 2025). The scoping review evidence indicates that generative AI is simultaneously destabilizing newsroom verification routines and equipping them with more capable tools (López-Borrull & Lopezosa, 2025), while experimental findings on uncertainty suggest that sensationalized coverage of deepfakes may itself contribute to the generalized distrust that attackers seek to cultivate (Vaccari & Chadwick, 2020). How journalism metabolizes this dual disruption will substantially determine the ambient level of societal resilience within which all other countermeasures operate.
Finally, the cultural and demographic dimensions of cognitive vulnerability remain understudied. Siddiqi et al. (2022) note that culture modulates susceptibility in ways not yet systematically integrated into theoretical models or countermeasure design, and cross-national comparisons confirm that resilience varies with structural conditions such as media trust and polarization (Humprecht et al., 2020). Because most experimental evidence originates in North American and Western European samples, the field’s strongest findings rest on its narrowest empirical base, a mismatch with obvious implications for the global applicability of countermeasures.

6. Research Gaps and Future Directions

The synthesis above yields a structured agenda for future inquiry. The gaps are not merely enumerable omissions; they are systematically related, in that each reflects the field’s historical separation of system-level and receiver-level analysis and its reliance on cross-sectional, culturally narrow evidence. Table 8 organizes the key research gaps identified across the literature, mapped against the thematic areas of the review and accompanied by recommended directions for future work.
Two of these gaps deserve particular emphasis because they intersect. The scarcity of longitudinal designs and the narrowness of studied populations jointly mean that the field cannot yet answer its most practically important question: whether the defenses validated in short-term Western experiments retain their effectiveness across time, cultures, and adversarial adaptation. Priority should accordingly be given to internationally coordinated panel studies that administer inoculation and accuracy-prompt interventions across heterogeneous media systems and track both decay and adversary response (Humprecht et al., 2020; Roozenbeek et al., 2022; van der Linden, 2022).
Beyond the specific gaps in Table 8, the field also needs formal theory. The cost asymmetry between generation and correction, the interaction between attention scarcity and content abundance, and the co-evolution of detection and evasion are all dynamics that lend themselves to formal modeling, yet the literature currently characterizes them only verbally (Cybenko et al., 2004; Simon et al., 2023). Formalizing the lifecycle model of Figure 2, for example as a sequential game between generator and defender with attention as the contested resource, would allow competing intuitions about the marginal impact of generative AI to be expressed as testable comparative statics rather than rhetorical positions.

7. Conclusions

This literature review has synthesized a body of scholarship spanning more than two decades, from the foundational taxonomic work of the Semantic Hacking Project to the most recent experimental studies of AI-driven disinformation and persuasion. The through line is striking: the questions posed between 2001 and 2003 about how information systems could be exploited through attacks on meaning rather than on code remain the field’s central questions, now posed under conditions in which generative AI has transformed the economics of attack (Thompson & Guillory, 2025).
The evidence supports three summary conclusions. First, cognitive attacks exploit stable features of human cognition, heuristic processing, inattention to accuracy, and responsiveness to repetition and emotion, that no technical patch can remove (Ecker et al., 2022; Montañez et al., 2020; Pennycook & Rand, 2021). Second, generative AI materially strengthens the attacker’s position, producing disinformation that is more compelling, more personal, and vastly cheaper than its human-crafted predecessors (Heiding et al., 2024; Salvi et al., 2025; Spitale et al., 2023), even though its real-world marginal impact relative to abundant low-technology manipulation remains contested (Barari et al., 2025; Simon et al., 2023). Third, effective defense is achievable but necessarily layered, combining provenance and detection infrastructure, scalable psychological inoculation, organizational governance, and adaptive regulation (Feuerriegel et al., 2023; Roozenbeek et al., 2022; Romanishyn et al., 2025). The field would benefit most from longitudinal evaluations of countermeasure effectiveness, cross-cultural studies of susceptibility, and unified theoretical models that integrate the semantic, psychological, and institutional dimensions of cognitive hacking.
A quarter century after the Semantic Hacking Project posed its central question, what happens when the inputs to a person’s belief system can be manipulated without the person knowing it, the question has moved from the margins of computer security to the center of democratic self-understanding (Thompson & Guillory, 2025). The stakes articulated by the ethics literature are commensurately high: what cognitive attacks ultimately threaten is not any particular belief but the epistemic autonomy that makes deliberation, consent, and accountable governance possible (Miller, 2023). The scholarship reviewed here suggests that this asset, like any other critical infrastructure, can be defended, but only if the defense is designed with the same interdisciplinary seriousness that adversaries have brought to the attack.

8. Recommendations

Based on this review, the following recommendations are directed at researchers, practitioners, and policymakers.
For the research community, priority should be given to longitudinal and cross-cultural studies that track cognitive vulnerability and countermeasure effectiveness over time. The proposed expansion of cognitive psychology into cybersecurity cognitive psychology offers a disciplinary home for this agenda, extending established principles while embracing concepts unique to security contexts (Montañez et al., 2020). Research designs should follow the emerging exemplars of preregistered, platform-scale field experimentation (Roozenbeek et al., 2022; Salvi et al., 2025) and should measure not only immediate judgment accuracy but also downstream behavior, decay, and adversarial adaptation (Feuerriegel et al., 2023).
For practitioners and organizations, the evidence supports the adoption of a multi-layered defense strategy. Effective countermeasures must aim at preventing misinformation through authentication, collaborative filtering, and linguistic analysis (Cybenko et al., 2002), updated with modern implementations: trust reporting that lowers the credibility of unverified accounts making bold claims, trajectory modeling that flags sudden informational anomalies, and stylometric analysis that reveals coordinated authorship (Thompson & Guillory, 2025). Because unaided employees cannot reliably detect synthetic media (Köbis et al., 2021), organizations should pair technical screening with machine-informed human review (Groh et al., 2022), embed inoculation-based training against manipulation techniques rather than content-specific warnings (van der Linden, 2022), and maintain insider-focused cost models of their information assets (Thompson, 2004).
For policymakers, the evidence supports investment in public digital literacy and prebunking programs as foundational components of national cognitive security, given demonstrated scalability through advertising channels on major platforms (Roozenbeek et al., 2022). Generative AI should be harnessed for defense as well as feared for offense: AI systems can analyze large volumes of content in real time to support factchecking (López-Borrull & Lopezosa, 2025) and can deliver tailored corrective dialogues that durably reduce entrenched false beliefs (Costello et al., 2024). Regulatory frameworks governing AI-generated content, provenance disclosure, and platform accountability should be developed in close coordination with the academic research community to ensure that policy responses are evidence-based and adaptive (Feuerriegel et al., 2023; Romanishyn et al., 2025). Figure 3 integrates these recommendations into a layered defense architecture, ordering the countermeasure families reviewed in this article around the asset they ultimately protect: the integrity of human perception, belief, and decision-making.
The implementation sequence matters. Psychological and technical layers can be deployed unilaterally and quickly by organizations and platforms, whereas institutional and regulatory layers require coordination across jurisdictions and therefore longer horizons (Romanishyn et al., 2025). A realistic national strategy consequently begins with scalable inoculation and provenance infrastructure while building the cross-jurisdictional governance capacity that systemic reduction of AI-driven disinformation will ultimately require (Feuerriegel et al., 2023; von Sikorski & Hameleers, 2025).

Funding

This work was supported and funded by the Deanship of Scientific Research at Imam Mohammad ibn Saud Islamic University (IMSIU) (grant number IMSIU-DDRSP2602).

Conflicts of Interest

The authors declare no conflicts of interest.

Ethics Declaration

Not applicable.

References

  1. Barari, S.; Lucas, C.; Munger, K. Political deepfakes are as credible as other fake media and (sometimes) real media. J. Politics 2025, 87(2), 510–526. [Google Scholar] [CrossRef]
  2. Barrington, S.; Cooper, E. A.; Farid, H. People are poorly equipped to detect AI-powered voice clones. Sci. Rep. 15 2025, Article 11004. [Google Scholar] [CrossRef] [PubMed]
  3. Costello, T. H.; Pennycook, G.; Rand, D. G. Durably reducing conspiracy beliefs through dialogues with AI. Science 2024, 385(6714), eadq1814. [Google Scholar] [CrossRef] [PubMed]
  4. Cybenko, G.; Giani, A.; Thompson, P. Cognitive hacking: A battle for the mind. Computer 2002, 35(8), 50–56. [Google Scholar] [CrossRef]
  5. Cybenko, G.; Giani, A.; Thompson, P. Cognitive hacking. In Advances in computers; Zelkowitz, M. V., Ed.; Elsevier, 2004; Vol. 60, pp. 35–73. [Google Scholar] [CrossRef]
  6. Dobber, T.; Metoui, N.; Trilling, D.; Helberger, N.; de Vreese, C. Do (microtargeted) deepfakes have real effects on political attitudes? Int. J. Press. 2021, 26(1), 69–91. [Google Scholar] [CrossRef]
  7. Ecker, U. K. H.; Lewandowsky, S.; Cook, J.; Schmid, P.; Fazio, L. K.; Brashier, N.; Kendeou, P.; Vraga, E. K.; Amazeen, M. A. The psychological drivers of misinformation belief and its resistance to correction. Nat. Rev. Psychol. 2022, 1(1), 13–29. [Google Scholar] [CrossRef]
  8. Feuerriegel, S.; DiResta, R.; Goldstein, J. A.; Kumar, S.; Lorenz-Spreen, P.; Tomz, M.; Pröllochs, N. Research can help to tackle AI-generated disinformation. Nat. Hum. Behav. 2023, 7(11), 1818–1821. [Google Scholar] [CrossRef] [PubMed]
  9. Groh, M.; Epstein, Z.; Firestone, C.; Picard, R. Deepfake detection by human crowds, machines, and machine-informed crowds. Proc. Natl. Acad. Sci. 2022, 119(1), e2110013119. [Google Scholar] [CrossRef] [PubMed]
  10. Heiding, F.; Schneier, B.; Vishwanath, A.; Bernstein, J.; Park, P. S. Devising and detecting phishing emails using large language models. IEEE Access 12 2024, 42131–42146. [Google Scholar] [CrossRef]
  11. Humprecht, E.; Esser, F.; Van Aelst, P. Resilience to online disinformation: A framework for cross-national comparative research. Int. J. Press. 2020, 25(3), 493–516. [Google Scholar] [CrossRef]
  12. Köbis, N. C.; Doležalová, B.; Soraperra, I. Fooled twice: People cannot detect deepfakes but think they can. iScience 2021, 24(11), Article 103364. [Google Scholar] [CrossRef] [PubMed]
  13. Kreps, S.; McCain, R. M.; Brundage, M. All the news that’s fit to fabricate: AI-generated text as a tool of media misinformation. J. Exp. Political Sci. 2022, 9(1), 104–117. [Google Scholar] [CrossRef]
  14. Libicki, M. C. The mesh and the net: Speculations on armed conflict in a time of free silicon (McNair Paper 28); National Defense University Press, 1994; Available online: https://apps.dtic.mil/sti/tr/pdf/ADA278484.pdf.
  15. López-Borrull, A.; Lopezosa, C. Mapping the impact of generative AI on disinformation: Insights from a scoping review. Publications 2025, 13(3), Article 33. [Google Scholar] [CrossRef]
  16. Miller, S. Cognitive warfare: An ethical analysis. Ethics Inf. Technol. 2023, 25(3), 46. [Google Scholar] [CrossRef]
  17. Mirsky, Y.; Lee, W. The creation and detection of deepfakes: A survey. ACM Comput. Surv. 2021, 54(1), Article 7. [Google Scholar] [CrossRef]
  18. Montañez, R.; Golob, E.; Xu, S. Human cognition through the lens of social engineering cyberattacks. Front. Psychol. 11 2020, 1755. [Google Scholar] [CrossRef] [PubMed]
  19. NATO. Countering cognitive warfare: Awareness and resilience. NATO Review. 20 May 2021. Available online: https://www.nato.int/docu/review/articles/2021/05/20/countering-cognitive-warfare-awareness-and-resilience/.
  20. Pennycook, G.; Rand, D. G. The psychology of fake news. Trends Cogn. Sci. 2021, 25(5), 388–402. [Google Scholar] [CrossRef] [PubMed]
  21. Romanishyn, A.; Malytska, O.; Goncharuk, V. AI-driven disinformation: Policy recommendations for democratic resilience. Front. Artif. Intell. 8 2025, Article 1569115. [Google Scholar] [CrossRef] [PubMed]
  22. Roozenbeek, J.; van der Linden, S.; Goldberg, B.; Rathje, S.; Lewandowsky, S. Psychological inoculation improves resilience against misinformation on social media. Sci. Adv. 2022, 8(34), Article eabo6254. [Google Scholar] [CrossRef] [PubMed]
  23. Salvi, F.; Horta Ribeiro, M.; Gallotti, R.; West, R. On the conversational persuasiveness of GPT-4. Nat. Hum. Behav. 2025, 9(8), 1645–1653. [Google Scholar] [CrossRef] [PubMed]
  24. Siddiqi, M. A.; Pak, W.; Siddiqi, M. A. A study on the psychology of social engineering-based cyberattacks and existing countermeasures. Appl. Sci. 2022, 12(12), Article 6042. [Google Scholar] [CrossRef]
  25. Simon, F. M.; Altay, S.; Mercier, H. Misinformation reloaded? Fears about the impact of generative AI on misinformation are overblown. Harv. Kennedy Sch. Misinformation Rev. 2023, 4(5). [Google Scholar] [CrossRef]
  26. Spitale, G.; Biller-Andorno, N.; Germani, F. AI model GPT-3 (dis)informs us better than humans. Sci. Adv. 2023, 9(26), Article eadh1850. [Google Scholar] [CrossRef] [PubMed]
  27. Thompson, P. Cognitive hacking and intelligence and security informatics. In Proceedings of SPIE; Trevisani, D. A., Sisti, A. F., Eds.; SPIE, 2004; Vol. 5423, pp. 142–151. [Google Scholar] [CrossRef]
  28. Thompson, P.; Guillory, S. The history of the semantic hacking project and the lessons it teaches for modern cognitive security. Front. Artif. Intell. 8 2025, 1616447. [Google Scholar] [CrossRef] [PubMed]
  29. Vaccari, C.; Chadwick, A. Deepfakes and disinformation: Exploring the impact of synthetic political video on deception, uncertainty, and trust in news. Soc. Media Soc. 2020, 6(1). [Google Scholar] [CrossRef]
  30. van der Linden, S. Misinformation: Susceptibility, spread, and interventions to immunize the public. Nat. Med. 2022, 28(3), 460–467. [Google Scholar] [CrossRef] [PubMed]
  31. von Sikorski, C.; Hameleers, M. Disinformation in the age of artificial intelligence (AI): Implications for journalism and mass communication. Journal. Mass Commun. Q. 2025, 102(4), 941–957. [Google Scholar] [CrossRef]
  32. Vosoughi, S.; Roy, D.; Aral, S. The spread of true and false news online. Science 2018, 359(6380), 1146–1151. [Google Scholar] [CrossRef] [PubMed]
  33. Wang, Z.; Sun, L.; Zhu, H. Defining social engineering in cybersecurity. IEEE Access 8 2020, 85094–85115. [Google Scholar] [CrossRef]
  34. Wang, Z.; Zhu, H.; Sun, L. Social engineering in cybersecurity: Effect mechanisms, human vulnerabilities and attack methods. IEEE Access 9 2021, 11895–11910. [Google Scholar] [CrossRef]
  35. Weikmann, T.; Lecheler, S. Visual disinformation in a digital age: A literature synthesis and research agenda. New Media Soc. 2023, 25(12), 3696–3713. [Google Scholar] [CrossRef]
Figure 1. Chronological Development of Cognitive Hacking Research, 1994–2025. Note. Authors’ synthesis of the field’s development based on Libicki (1994), Cybenko et al. (2002, 2004), Thompson (2004), Montañez et al. (2020), Wang et al. (2020, 2021), NATO (2021), Roozenbeek et al. (2022), Spitale et al. (2023), Salvi et al. (2025), and Thompson and Guillory (2025). ISI = intelligence and security informatics; LLM = large language model.
Figure 1. Chronological Development of Cognitive Hacking Research, 1994–2025. Note. Authors’ synthesis of the field’s development based on Libicki (1994), Cybenko et al. (2002, 2004), Thompson (2004), Montañez et al. (2020), Wang et al. (2020, 2021), NATO (2021), Roozenbeek et al. (2022), Spitale et al. (2023), Salvi et al. (2025), and Thompson and Guillory (2025). ISI = intelligence and security informatics; LLM = large language model.
Preprints 221623 g001
Figure 2. Integrated Conceptual Model of the Cognitive Attack Lifecycle and Corresponding Countermeasure Layers. Note. Authors’ synthesis integrating the semantic attack framework (Cybenko et al., 2002, 2004; Thompson, 2004), the social engineering effect model (Wang et al., 2021), dual-process accounts of misinformation (Ecker et al., 2022; Pennycook & Rand, 2021), and countermeasure taxonomies (López-Borrull & Lopezosa, 2025; Thompson & Guillory, 2025). LLM = large language model.
Figure 2. Integrated Conceptual Model of the Cognitive Attack Lifecycle and Corresponding Countermeasure Layers. Note. Authors’ synthesis integrating the semantic attack framework (Cybenko et al., 2002, 2004; Thompson, 2004), the social engineering effect model (Wang et al., 2021), dual-process accounts of misinformation (Ecker et al., 2022; Pennycook & Rand, 2021), and countermeasure taxonomies (López-Borrull & Lopezosa, 2025; Thompson & Guillory, 2025). LLM = large language model.
Preprints 221623 g002
Figure 3. Layered Defense Architecture for Cognitive Security. Note. Authors’ synthesis of countermeasure families identified in the reviewed literature (Costello et al., 2024; Cybenko et al., 2002; Feuerriegel et al., 2023; López-Borrull & Lopezosa, 2025; Roozenbeek et al., 2022; Romanishyn et al., 2025; Thompson & Guillory, 2025). Layers act on distinct stages of the attack lifecycle shown in Figure 2 and are complements rather than substitutes. AI = artificial intelligence.
Figure 3. Layered Defense Architecture for Cognitive Security. Note. Authors’ synthesis of countermeasure families identified in the reviewed literature (Costello et al., 2024; Cybenko et al., 2002; Feuerriegel et al., 2023; López-Borrull & Lopezosa, 2025; Roozenbeek et al., 2022; Romanishyn et al., 2025; Thompson & Guillory, 2025). Layers act on distinct stages of the attack lifecycle shown in Figure 2 and are complements rather than substitutes. AI = artificial intelligence.
Preprints 221623 g003
Table 1. Key Literature on Cognitive Hacking by Theme, Method, and Contribution.
Table 1. Key Literature on Cognitive Hacking by Theme, Method, and Contribution.
Author(s) Year Theme Method Key Contribution
Cybenko, Giani, & Thompson 2002 Definition and taxonomy Conceptual/case analysis First formal definition of cognitive hacking in IEEE Computer
Thompson 2004 Definition and taxonomy Conceptual/theoretical Placed cognitive hacking in Libicki’s semantic attack framework
Cybenko, Giani, & Thompson 2004 Definition and taxonomy Conceptual Comprehensive taxonomy of attacks and countermeasures
Wang, Sun, & Zhu 2020 Definition and taxonomy Systematic conceptualization Systematic definition of social engineering in cybersecurity
Montañez, Golob, & Xu 2020 Psychological mechanisms Theoretical framework Proposed cybersecurity cognitive psychology subfield
Pennycook & Rand 2021 Psychological mechanisms Narrative review Inattention-based account of fake news belief and sharing
Wang, Zhu, & Sun 2021 Psychological mechanisms Conceptual model Three-entity model of social engineering effect mechanisms
Ecker et al. 2022 Psychological mechanisms Narrative review Drivers of misinformation belief and resistance to correction
Siddiqi, Pak, & Siddiqi 2022 Psychological mechanisms Systematic review Psychology of social engineering; culture as a moderating variable
Roozenbeek et al. 2022 Countermeasures Field/online experiments Scalable psychological inoculation against manipulation techniques
Spitale, Biller-Andorno, & Germani 2023 AI tools and disinformation Online experiment GPT-3 disinformation more compelling than human-written content
Miller 2023 Definition and taxonomy Philosophical analysis Ethical analysis and conceptual boundaries of cognitive warfare
Heiding et al. 2024 AI tools and disinformation Field experiment LLM-automated phishing rivals human expert performance
Romanishyn, Malytska, & Goncharuk 2025 AI tools and disinformation Policy and practice review Policy recommendations for AI-driven democratic resilience
Thompson & Guillory 2025 AI tools and taxonomy Historical/applied Semantic Hacking Project lessons for modern cognitive security
López-Borrull & Lopezosa 2025 AI tools and disinformation Scoping review Dual role of generative AI across 64 peer-reviewed studies
Salvi et al. 2025 AI tools and disinformation Randomized controlled trial Personalized GPT-4 out-persuades human debaters
von Sikorski & Hameleers 2025 AI disinformation Conceptual/review Working definition of AI disinformation; evidence-based appraisal
Note. Overview of principal studies synthesized in this review, ordered chronologically. Compiled by the authors from the sources cited in the corresponding rows.
Table 2. Definitional Evolution of Cognitive Hacking in Foundational and Contemporary Scholarship.
Table 2. Definitional Evolution of Cognitive Hacking in Foundational and Contemporary Scholarship.
Source Year Core Definition Offered
Cybenko, Giani, & Thompson 2002 An attack in which hackers manipulate a user’s perception and rely on the user’s changed actions to carry out the attack
Thompson 2004 A class of exploit operating through changed human perception, placed within Libicki’s semantic attack framework
Cybenko, Giani, & Thompson 2004 A computer security exploit directed at the cognitive processes of a human user of an information system
NATO 2021 Cognitive warfare as the weaponization of public opinion to alter how populations think, decide, and act
Miller 2023 Cognitive warfare as the weaponization of disinformation and related epistemic means to degrade adversaries’ rational decision-making short of kinetic conflict
Thompson & Guillory 2025 Attacks not on code or infrastructure but on meaning, targeting how people come to hold the beliefs they do
Note. Definitions are paraphrased from the cited sources. The progression illustrates the concept’s expansion from individual-level computer security exploit to population-level strategic competition.
Table 3. Psychological Triggers Exploited in Cognitive Hacking Attacks.
Table 3. Psychological Triggers Exploited in Cognitive Hacking Attacks.
Psychological Trigger Description Primary Sources
Authority Impersonation of high-ranking officials or trusted institutions to compel compliance Cybenko et al. (2002); Siddiqi et al. (2022)
Urgency Creation of time pressure to bypass deliberative cognition Wang et al. (2021); Montañez et al. (2020)
Fear Visceral threat appeals that activate automatic stress responses Siddiqi et al. (2022)
Social proof Use of multiple pseudonymous accounts to simulate consensus Cybenko et al. (2002); Thompson & Guillory (2025)
Trust and familiarity Exploitation of established relationships or brand recognition Wang et al. (2021)
Curiosity Enticing content that lures targets into clicking or disclosing information Wang et al. (2021)
Novelty and emotion Novel, arousing content that is shared farther and faster than accurate content Vosoughi et al. (2018); Ecker et al. (2022)
Repetition (illusory truth) Repeated exposure that increases perceived accuracy of false claims Ecker et al. (2022); Pennycook & Rand (2021)
Inattention to accuracy Sharing decisions made while attention is directed away from truthfulness Pennycook & Rand (2021)
Intuitive processing style High emotionality and intuitive cognition increase susceptibility to disinformation von Sikorski & Hameleers (2025); van der Linden (2022)
Overconfidence in detection Inflated confidence in one’s ability to recognize manipulated media Köbis et al. (2021)
Cultural susceptibility Variability in attack effectiveness across cultural and demographic groups Siddiqi et al. (2022); Humprecht et al. (2020)
Note. Triggers are analytically distinct but frequently combined within a single attack. Compiled by the authors from the sources cited in the corresponding rows.
Table 4. Digital Tools Used in Cognitive Hacking Operations.
Table 4. Digital Tools Used in Cognitive Hacking Operations.
Tool Category Description Documented Impact Source(s)
Deepfake video AI-synthesized video impersonating real individuals Electoral interference; financial fraud; erosion of institutional trust Mirsky & Lee (2021); Romanishyn et al. (2025)
AI voice cloning Synthetic audio replication of real voices Robocall electoral manipulation; social engineering; poor human detection Barrington et al. (2025); von Sikorski & Hameleers (2025)
Large language models AI-generated persuasive text at scale Disinformation judged more compelling than human-written content; personalized persuasion Spitale et al. (2023); Salvi et al. (2025); Kreps et al. (2022)
LLM-automated phishing Automated generation of targeted deceptive email Human-expert-level click-through at drastically reduced cost Heiding et al. (2024)
Social bots Automated or semi-automated social media accounts Amplification of misinformation; fabricated consensus Thompson & Guillory (2025); Romanishyn et al. (2025)
Microtargeted delivery Audience segmentation for tailored deception Amplified attitudinal effects among targeted groups Dobber et al. (2021)
“Cheap fakes” Low-technology manipulation: out-of-context clips, misleading captions Highly prevalent; outnumber AI-generated fakes in documented electoral disinformation Weikmann & Lecheler (2023); Thompson & Guillory (2025)
Synthetic identities Fabricated digital personas for influence operations Fake review amplification; coordinated inauthentic behavior Romanishyn et al. (2025)
Note. LLM = large language model. Categories are ordered from high-synthesis to low-technology tools. Compiled by the authors from the sources cited in the corresponding rows.
Table 5. Recent Empirical Evidence on Human Susceptibility to AI-Generated and Manipulated Content, 2020–2025.
Table 5. Recent Empirical Evidence on Human Susceptibility to AI-Generated and Manipulated Content, 2020–2025.
Study Design Key Finding
Vaccari & Chadwick (2020) Online experiment (United Kingdom) Political deepfakes rarely deceive outright but heighten uncertainty and reduce trust in news encountered on social media
Dobber et al. (2021) Online experiment (Netherlands) A microtargeted political deepfake worsened attitudes toward the depicted politician, with effects amplified in the targeted group
Köbis et al. (2021) Incentivized online experiment Participants could not reliably detect deepfake videos, showed a bias toward guessing “authentic,” and were overconfident; awareness raising did not improve accuracy
Kreps et al. (2022) Three online experiments (United States) Readers found AI-generated news stories broadly credible, and partisans rated congenial synthetic content as more believable
Groh et al. (2022) Two large online experiments Ordinary observers matched a leading detection model’s accuracy; machine-informed crowds outperformed either humans or the model alone
Spitale et al. (2023) Online experiment (697 participants) GPT-3-generated disinformation was more compelling than human-written disinformation, and participants could not distinguish synthetic from organic tweets
Heiding et al. (2024) Field-style phishing experiment LLM-automated phishing achieved click-through rates comparable to human-expert messages at a fraction of the cost
Barari et al. (2025) Two preregistered experiments (N ≈ 7,500) Political deepfake videos were as credible as textual fake media, but no more so, qualifying claims of a unique deepfake threat
Barrington et al. (2025) Perceptual listening experiments Listeners were poorly equipped to distinguish AI-cloned voices from authentic recordings
Salvi et al. (2025) Preregistered randomized controlled trial (900 participants) GPT-4 with access to minimal personal information out-persuaded human debaters in a majority of matched contests
Note. Studies are ordered chronologically. LLM = large language model. Compiled by the authors from the sources cited in the corresponding rows.
Table 6. Countermeasure Categories for Cognitive Hacking: Comparative Overview.
Table 6. Countermeasure Categories for Cognitive Hacking: Comparative Overview.
Countermeasure Type Specific Mechanisms Target Implementation Difficulty Primary Source(s)
Technical: Authentication and provenance Source authentication; watermarking; content credentials Prevent impersonation and untraceable synthetic content Moderate Cybenko et al. (2002); Feuerriegel et al. (2023)
Technical: Collaborative filtering Trust scoring; credibility weighting of information sources Reduce reach of unverified claims Moderate Cybenko et al. (2002); Thompson & Guillory (2025)
Technical: Linguistic and forensic analysis Authorship detection; bot identification; deepfake forensics Identify coordinated inauthentic behavior and synthetic media High Mirsky & Lee (2021); Thompson & Guillory (2025)
Technical: AI-assisted fact-checking Real-time anomaly detection; machine-informed crowds Automated identification of disinformation High López-Borrull & Lopezosa (2025); Groh et al. (2022)
Psychological: Prebunking and inoculation Preemptive exposure to weakened manipulation techniques Improve individual resilience before exposure Low to moderate Roozenbeek et al. (2022); van der Linden (2022)
Psychological: Attention and correction Accuracy prompts; tailored AI debunking dialogues Improve sharing decisions; reduce entrenched false beliefs Low to moderate Pennycook & Rand (2021); Costello et al. (2024)
Psychological: Digital literacy Education in recognizing triggers and manipulated media Build population-level resistance Low cost; high scale needed Siddiqi et al. (2022); Montañez et al. (2020)
Institutional: Cross-functional governance Coordinated pre- and post-attack organizational response Organizational resilience Moderate Romanishyn et al. (2025)
Regulatory: AI content governance Synthetic media rules; platform accountability Systemic disinformation reduction Very high Romanishyn et al. (2025); von Sikorski & Hameleers (2025)
Note. Implementation difficulty reflects the qualitative assessments of the cited sources rather than a standardized metric. Compiled by the authors from the sources cited in the corresponding rows.
Table 7. Theoretical Frameworks Underpinning Cognitive Hacking Research.
Table 7. Theoretical Frameworks Underpinning Cognitive Hacking Research.
Framework Origin Core Claim Principal Scholars
Semantic attack framework Libicki (1994); Cybenko et al. (2002, 2004) Attacks on meaning, not data, constitute a distinct and undertheorized category of security threat Libicki; Cybenko; Giani; Thompson
Cybersecurity cognitive psychology Montañez et al. (2020) Cognitive psychology principles must be adapted to explain how attackers exploit human decision-making Montañez; Golob; Xu
Social engineering effect model Wang et al. (2021) Three core entities, effect mechanism, human vulnerability, and attack method, explain social engineering success Wang; Zhu; Sun
Dual-process account of misinformation Pennycook & Rand (2021); Ecker et al. (2022) Failures of analytic attention, amplified by repetition and emotion, drive belief in and sharing of falsehoods Pennycook; Rand; Ecker; Lewandowsky
Inoculation theory van der Linden (2022); Roozenbeek et al. (2022) Preemptive exposure to weakened manipulation techniques confers scalable psychological resistance van der Linden; Roozenbeek; Lewandowsky
Cognitive warfare framework NATO (2021); Miller (2023); Thompson & Guillory (2025) Manipulation of cognition at scale is a strategic security domain distinct from traditional information operations NATO; Miller; Thompson; Guillory
Note. Frameworks are listed in approximate order of historical emergence. Compiled by the authors from the sources cited in the corresponding rows.
Table 8. Identified Research Gaps and Recommended Future Directions.
Table 8. Identified Research Gaps and Recommended Future Directions.
Research Gap Thematic Area Recommended Direction Relevant Source(s)
Absence of a unified theoretical model integrating semantic and psychological analysis Theoretical framework Development of an interdisciplinary lifecycle model of cognitive attack from content creation to behavioral impact Cybenko et al. (2002); Montañez et al. (2020)
Scarcity of longitudinal countermeasure effectiveness studies Methodology Longitudinal field studies tracking defensive efficacy, including inoculation decay, as attack strategies evolve Roozenbeek et al. (2022); Thompson & Guillory (2025)
Limited cross-cultural research on cognitive vulnerability Psychological mechanisms Systematic cross-cultural surveys and experiments across diverse populations and media systems Siddiqi et al. (2022); Humprecht et al. (2020)
Mixed evidence on the real-world marginal impact of AI-generated disinformation AI tools Preregistered field studies linking exposure to synthetic content with downstream attitudes and behavior Barari et al. (2025); Simon et al. (2023); Feuerriegel et al. (2023)
Overemphasis on AI-generated disinformation relative to cheap fakes AI tools Balanced empirical research on low-technology manipulation alongside generative AI threats Weikmann & Lecheler (2023); Thompson & Guillory (2025)
Underdeveloped institutional governance frameworks for AI content Countermeasures Policy research on AI content regulation, provenance standards, and platform accountability mechanisms Romanishyn et al. (2025); von Sikorski & Hameleers (2025)
Insufficient integration of psychological profiling in organizational security protocols Countermeasures Applied research on human factors integration, including insider-threat cost models, in organizational security strategy Montañez et al. (2020); Thompson (2004); Wang et al. (2021)
Note. Gaps are ordered from theoretical to applied. Compiled by the authors from the sources cited in the corresponding rows.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.
Prerpints.org logo

Preprints.org is a free preprint server supported by MDPI in Basel, Switzerland.

Subscribe

© 2026 MDPI (Basel, Switzerland) unless otherwise stated

Accessibility

Disclaimer

Terms of Use

Privacy Policy

Privacy Settings