Exploring foreign interference in research and innovation through the lens of the Human Layer Kill Chain
Professor Vasilis Katos, Chief Technology Officer at Cyber Innovations Ltd. and Professor of Cyber Forensics at Bournemouth University, was among the distinguished speakers at this year’s ESET European Cybersecurity Day. The event brought together thought leaders from the National Cyber Security Centre (NCSC), University College London, and ESET, focusing on the geopolitical and human dimensions of cybersecurity in an increasingly AI-enabled world.
In his presentation, Foreign Interference in Research and Innovation, Professor Katos examined how cyber threat actors exploit the intersection between open knowledge, academic collaboration, and digital trust. Drawing from his recent research on the Human Layer Kill Chain (HLKC) and Sociotechnical Kill Plane frameworks (Katos et al., 2025), he demonstrated how behavioural and psychological factors can be manipulated across complex systems of people and technology.
The Sci-Hub Case: A Human-Layer Perspective
Using the well-known Sci-Hub network as a case study, Professor Katos illustrated how the narrative of “open access to research” evolved into a mechanism for large-scale data compromise over more than a decade.
Between 2011 and 2019, the movement gained traction through social-media activism promoting the idea that “sharing is caring” — an emotionally resonant message that appealed to academics and students worldwide. However, beneath this ethos of openness, credentials from university libraries and research institutions began to be harvested through unauthorised access platforms, often under the guise of supporting free knowledge.
From 2019 onwards, the landscape changed significantly. As public enthusiasm for Sci-Hub declined and legitimate open-access frameworks matured, malicious actors adapted their approach. Technical sophistication increased, shifting the attack pattern from simple credential reuse to targeted phishing campaigns, fake authentication panels, and automated credential harvesting designed to infiltrate institutional repositories and private research folders.
This progression, mapped across the Sociotechnical Kill Plane, demonstrates how a socially engineered narrative transitioned into a technically advanced intrusion campaign. It captures the full arc of the Human Layer Kill Chain (HLKC) — beginning with trust establishment and emotional appeal, and culminating in sustained engagement, action manipulation, and operational cleanup. The case exemplifies how social and technical factors interact dynamically, transforming ideological movements into vectors for cyber exploitation.
Linking Research and Practice
Professor Katos’s talk underscored the importance of understanding cyber incidents not just as technical breaches, but as human-layer manipulations. This perspective underpins the work of Cyber Innovations Ltd., whose flagship programme Cyber First Aid (CFA) translates these research insights into practical, psychologically informed training for organisations. By equipping non-technical staff to recognise, respond to, and recover from human-centred attacks, CFA directly operationalises the HLKC framework in workplace resilience training.
A Shared Mission for Academia and Industry
Speaking after the event, Professor Katos noted that “foreign interference in research increasingly operates through trusted relationships — not just firewalls.” His dual role at Bournemouth University and Cyber Innovations enables a unique bridge between academic theory and applied resilience training, ensuring that cutting-edge research informs real-world practice.
For more information on the Human Layer Kill Chain and Cyber First Aid, visit www.cyberinnovations.co.uk or explore the full preprint Katos et al., 2025 on arXiv.org/abs/2505.24685.
