The Theory Behind CSD | Cyber Innovations Ltd.
Research Foundation

The theory behind Cyber Self Defence

Cyber Self Defence is not built on general guidance or best practice. It is grounded in two original conceptual models developed through academic research: the Human Layer Kill Chain and Human Indicators of Compromise. Together they explain why people behave as they do before, during, and after a cyber incident, and how to design training that makes a measurable difference.

Two original models

01
Human Layer Kill Chain (HLKC)

Maps the attacker's progression through human vulnerabilities, identifying where and how people can intervene at each stage of an attack.

02
Human Indicators of Compromise (HIOCs)

Observable signs in human behaviour that signal a cyber incident is unfolding, extending technical IoC frameworks into the human layer.

03
Sociotechnical Kill Plane (STKP)

Integrates the HLKC with the technical Cyber Kill Chain, creating a unified map of attacks across both human and technical dimensions.


Katos, V., Rosenorn-Lanng, E., et al. (2025). The Human Layer Kill Chain. arXiv preprint.

Why the human layer matters

Over 74% of data breaches involve a human element. Yet most frameworks model only the technical kill chain. The HLKC and HIOCs fill that gap by mapping human behaviour with the same rigour as technical indicators.

How these models inform CSD

Every element of Cyber Self Defence, from the training activities to the Toolkit playbooks, is structured around HLKC stages and HIOC categories, so participants learn to recognise and respond at every point in an attack.

Published and citable

This is not proprietary methodology. The models are published on arXiv (Katos et al., 2025) and available for use in academic, policy, and practice contexts, with a full DOI publication pathway underway.

Model 01

Human Layer Kill Chain

The Human Layer Kill Chain (HLKC) models how attackers progress through the human layer of an organisation, from initial targeting through to exploitation and impact. Unlike purely technical kill chain models, the HLKC maps the psychological and behavioural mechanisms that attackers exploit and that defenders can act upon.

Each stage of the HLKC corresponds to a point where human behaviour determines the outcome of an attack, creating clear intervention points for training, policy, and response design.

  • Maps attacker progression through human, not technical, vulnerabilities
  • Identifies specific intervention points for training and response
  • Grounded in real-world incident analysis and academic literature
  • Published in Katos et al. (2025), arXiv preprint

The Human Layer Kill Chain (HLKC) — Katos et al., 2025.

Model 02

Human Indicators of Compromise

Technical Indicators of Compromise (IoCs) are widely used in cybersecurity to detect that a breach has occurred or is in progress. Human Indicators of Compromise (HIOCs) extend that logic into the human layer: observable behavioural, psychological, and organisational signals that indicate a cyber incident is underway or has already affected an individual or team.

Behavioural indicators

Changes in how an individual acts following a suspected incident, including hesitation, over-reporting, avoidance, or uncharacteristic secrecy around devices and accounts.

Psychological indicators

Stress responses, cognitive overload, and emotional reactions that impair incident reporting or decision-making, including shame, fear of blame, and paralysis.

Communication indicators

Unusual patterns in how people communicate during or after an incident, including over-normalising suspicious events, delayed disclosure, or inconsistent accounts.

Decision-making indicators

Atypical choices made during an incident, such as bypassing normal reporting channels, making unauthorised payments, or dismissing warnings without escalation.

Organisational indicators

Cultural and structural signals that increase human-layer risk, including a blame culture that suppresses reporting, unclear escalation paths, or low psychological safety.

Recovery indicators

Signs that individuals or teams are struggling to return to normal function following an incident, including sustained anxiety, rumination, reduced performance, and social withdrawal.

How HIOCs connect to the HLKC

HIOCs are not independent of the HLKC. Each category of human indicator maps to a specific stage of the Human Layer Kill Chain, enabling responders to identify not only that something has happened but where in the attack progression the human element was compromised. This mapping is built into the CSD Toolkit's playbooks and response guidance.

Model 03

Attack Vectors and the Human Layer

Different malicious campaign types exploit the human layer in different ways and at different stages of the kill chain. Each follows a distinct human-layer pathway, targeting specific vulnerabilities in cognition, trust, and access behaviour.

Human risk intelligence
Malicious campaigns

How modern social-engineering attacks actually unfold, step by step. Most don't start with broken code. They start with a moment of trust.

3 attack types
23 steps mapped

Romance scam
  1. Research dating platforms and identify vulnerable profiles
  2. Analyse emotional vulnerabilities (recent loss, loneliness)
  3. Create attractive fake profiles with stolen or deepfake photos
  4. Initial contact and emotional connection
  5. Build deep emotional dependency
  6. Request financial help with fabricated emergency
  7. Delete profile and online presence

Business email compromise
  1. Gather organisation information and employee data
  2. Profile target executives
  3. Create spoofed email address
  4. Establish legitimacy
  5. Deploy urgency payment request
  6. Execute fund transfer

Ransomware
  1. Identify low-value target or employee
  2. Create malicious email
  3. Create spoofed PDF attachment
  4. Send email
  5. CVE exploitation (Common Vulnerabilities and Exposures)
  6. Malicious executables and persistence
  7. Establish HTTP channel
  8. Deliver ransomware note
  9. Payment negotiation
  10. Crypto payment support

The Sociotechnical Kill Plane — integrating HLKC with the Cyber Kill Chain
Model 04

Sociotechnical Kill Plane

The Sociotechnical Kill Plane (STKP) combines the Human Layer Kill Chain with Lockheed Martin's Cyber Kill Chain to create a unified, two-dimensional model of attacks. The vertical axis maps the technical progression of an attack; the horizontal axis maps the human layer. The intersection reveals the sociotechnical attack surface.

The STKP makes visible what single-dimension models miss: that technical and human attack vectors are not separate pathways, but interact at every stage of a real-world incident.

  • Unifies human and technical kill chains in a single model
  • Reveals the sociotechnical attack surface for any incident type
  • Enables more targeted training, policy, and response design
  • Interactive version available on the Cyber Innovations website
How the models work together

From attack to response: a joined-up framework

The HLKC, HIOCs, and STKP are not separate models to be used independently. They are designed to work together, giving organisations a complete picture of the human attack surface and the tools to act on it at every stage.

01
Map the attack surface

Use the STKP to identify where human and technical vulnerabilities intersect in your organisation's specific threat context.

02
Identify the human layer stages

Use the HLKC to understand which stages of an attack your people are most exposed to, and where intervention will have the most impact.

03
Recognise and respond

Apply HIOCs to detect human-layer compromise in real time and use CSD training and Toolkit resources to respond with confidence.

Publications

Cite the research

These models are published and available for use in academic, policy, and practice contexts. If you use the HLKC, HIOCs, or STKP in your own work, please cite the primary paper below.

Primary Reference

Katos, V., Rosenorn-Lanng, E., et al. (2025). The Human Layer Kill Chain: A Framework for Modelling Human-Layer Cyber Attack Progression. arXiv preprint arXiv:2505.24685.

Available at: https://arxiv.org/pdf/2505.24685

A DOI-assigned journal publication is in progress. In the interim, the arXiv preprint is the citable version.

See the theory in action

Cyber Self Defence is built on these models. Explore how the HLKC and HIOCs translate into practical training, playbooks, and ongoing resilience resources.
