This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIRx Med, is properly cited. The complete bibliographic information, a link to the original publication on https://med.jmirx.org/, as well as this copyright and license information must be included.
Cyber defense is reactive and slow. On average, the time-to-remedy is hundreds of times larger than the time-to-compromise. In response, Human Digital Twins (HDTs) offer the capability of running massive simulations across multiple domains on the Metaverse. Simulated results may predict adversaries' behaviors and tactics, leading to more proactive cyber defense strategies. However, current HDTs’ cognitive architectures are underdeveloped for such use.
This paper aims to make a case for extending the current digital cognitive architectures as the first step toward more robust HDTs that are suitable for realistic Metaverse cybersecurity simulations.
This study formally documented 108 psychology constructs and thousands of related paths based on 20 time-tested psychology theories, all of which were packaged as Cybonto—a novel ontology. Then, this study applied 20 network science centrality algorithms in ranking the Cybonto psychology constructs by their influences.
Out of 108 psychology constructs, the top 10 are Behavior, Arousal, Goals, Perception, Self-efficacy, Circumstances, Evaluating, Behavior-Controllability, Knowledge, and Intentional Modality. In this list, only Behaviors, Goals, Perception, Evaluating, and Knowledge are parts of existing digital cognitive architectures. Notably, some of the constructs are not explicitly implemented. Early usability tests demonstrate that Cybonto can also be useful for immediate uses such as manual analysis of hackers’ behaviors and automatic analysis of behavioral cybersecurity knowledge texts.
The results call for specific extensions of current digital cognitive architectures such as explicitly implementing more refined structures of Long-term Memory and Perception, placing a stronger focus on noncognitive yet influential constructs such as Arousal, and creating new capabilities for simulating, reasoning about, and selecting circumstances.
Humans are well recognized as the weakest link in the cybersecurity defense chain [
DTs are computational models of physical systems, including humans. The DT market is rapidly growing at a compound annual rate of 45.4% [
HDTs should coexist with other DTs within the paradigm of agent-based modeling and simulation for cybersecurity. Nonhuman DTs can be components of an Information System (routers, servers, and Internet of Things systems), while HDTs are the system users, system admins, and malicious actors. Agent-based modeling offers cost-effective, rigorous, and risk-free scenario testing that should inspire more proactive cybersecurity defense strategies. The
Zooming out to a broader perspective, the “Metaverse” is a gigantic, persistent, and unified realm of various virtual environments such as DT networks, social networks, digital publishing networks, virtual 3D networks, cyber-physical infrastructures, cloud infrastructures, and blockchains. Lee et al [
The concept of HDTs previously appeared in human-computer interaction studies. In comparison with traditional models, HDTs for the Metaverse have broader scopes with emphasis on both behavioral and cognitive activities. The work of Somers et al [
Such a continuous process of dynamic knowledge acquisition and utilization was described by Zhang et al [
Cognitive frameworks are essential for building HDTs’ cognitive features. ACT-R [
Both SOAR and ACT-R share the same general cognitive cycle and common architectural modules such as perception, short-term memory, declarative learning, declarative long-term memory, procedural long-term memory, procedural learning, action selection, and action. While ACT-R, SOAR, and other cognitive systems rely on the symbolic input or output and rule database, their symbols may contain statistical metadata, and their architectures allow for the integration of deep learning systems.
Ontologies are essential for HDTs’ feedback loop communications, symbolic operations, the building of a knowledge base, and explainability. Ontologies can be manually built from scratch [
Oltramari et al [
Meanwhile, Donalds and Osei-Bryson [
While massive DT projects are underway, digital cognitive twin development pales in comparison, and HDT for cybersecurity is underdeveloped. This paper examined both ACT-R– and SOAR-published research repositories and found no cybersecurity-dedicated track with topics such as cybersecurity, web-based ethical decisions, cyber criminology, or cyberattack or defense simulations. Recommended explorative questions are as follows: (1) What types of HDT (malicious hackers, groups as single HDT, and defenders) should be built? (2) What will HDT for cybersecurity feedback loops look like? (3) How will existing cognitive architectures be extended to best facilitate those feedback loops? (4) What shall we learn from our continuous observation of those HDTs on the Metaverse?
Current cybersecurity-related autonomous agents focus on narrow tasks and are far from the HDTs that can automatically interact with other DTs while building up their own awareness. One reason is that existing cognitive architectures do not provide enough granularity. This leads to further problems with multimodal understanding and meta-cognition. For example, current long-term memory architecture can be further divided into experiences and beliefs. It is possible for two persons sharing a strong belief to have different interpretations of the same data (different experiences). Additionally, processing big chunks of data owing to a lack of granularity may lead to cognitive bottlenecks at system levels. Deciding which chunks of data should be loaded, excluded, or permanently erased from memory remains a challenge.
Finally, we do not have a reference ontology for documenting and sharing behavioral cybersecurity knowledge among humans and DTs. Existing cybersecurity ontologies that have behavioral components are mostly application ontologies with no or weak ontological commitments. Such ontologies will not be fit for use in massive networks of DTs on the Metaverse.
Therefore, this paper aims to make a case for extending the current digital cognitive architectures as the first step toward more robust HDTs that are suitable for realistic Metaverse cybersecurity simulations. This paper proposes the Cybonto Conceptual Framework—a grounded and scoped vision on how interconnected DTs and HDTs on a Metaverse may predict real-world behaviors and tactics of hackers. Specifically, the paper unified 20 most cybersecurity-relevant finalists from a knowledge body of over seventy behavioral psychology theories. The theory-informed knowledge and other cybersecurity constructs were then encoded as the novel Cybonto ontology, which sits at the framework’s core and is the paper’s key contribution.
In total, 50 candidate theories were selected from the behavioral or cognitive psychology body of knowledge with more than 70 theories. Each theory was ranked in accordance with its ability to generate research, relevancy to cybersecurity or criminology, and consistency.
For each theory’s original peer-reviewed paper, the total number of citations and the publication year were extracted and used to calculate the citations per year value. The “Google Scholar Results” value (value A) is the total number of Google Scholar search results of the search query (query A) containing the quoted theory’s name and its founder’s last name. The keyword “cybersecurity” was added to the previous search query to form a new query (query B) and get a new search result value (value B). Value B was divided by value A to form the “CySec Density” metric. “CySec Impressions” is the total number of cybersecurity-relevant papers within the top 10 papers automatically ranked and displayed by Google Scholar after performing query B. Similarly, “Criminology Impressions” is the result of repeating the same steps for calculating “CySec Impressions” but with the “criminology” keyword instead. All values were normalized into a range from 0 to 10. The final ranking score is the average of “Fitted citations per year,” “CySec Impressions,” “Criminology Impressions,” and “CySec Density Fitted.”
Top 25 cybersecurity applicable behavioral theories.
Theory name | Google Scholar results, n | CySec Impressions | CySec Density Fitted | Criminology Impressions | Fitted citations per year | Final score |
Protection Motivation Theory | 10,500 | 10 | 9 | 7 | 0 | 6.5 |
Prospect Theory | 66,200 | 8 | 1 | 6 | 10 | 6.3 |
General Theory of Crime | 13,500 | 9 | 1 | 10 | 1 | 5.3 |
Self-Efficacy Theory | 212,000 | 9 | 0 | 6 | 5 | 5 |
Social Norms Theory | 47,400 | 7 | 9 | 2 | 0 | 4.5 |
Affective Events Theory | 6880 | 10 | 1 | 6 | 0 | 4.3 |
Differential Association Theory | 10,700 | 9 | 1 | 7 | 0 | 4.3 |
Extended Parallel Processing Model | 412 | 7 | 4 | 6 | 0 | 4.3 |
Focus Theory of Normative Conduct | 6220 | 6 | 10 | 1 | 0 | 4.3 |
Containment Theory | 2240 | 9 | 1 | 6 | 0 | 4 |
Theory of Planned Behavior | 85,800 | 9 | 1 | 3 | 3 | 4 |
Social Identity Theory | 66,200 | 7 | 0 | 7 | 1 | 3.8 |
Goal Setting Theory | 51,700 | 6 | 1 | 7 | 1 | 3.8 |
Transtheoretical Model of Behaviour Change | 35,900 | 6 | 0 | 7 | 0 | 3.3 |
Self-Determination Theory | 165,000 | 8 | 0 | 4 | 0 | 3 |
Operant Learning Theory | 40,500 | 7 | 1 | 4 | 0 | 3 |
Social Cognitive Theory | 162,000 | 8 | 0 | 3 | 1 | 3 |
Change Theory | 54,700 | 8 | 0 | 2 | 0 | 2.5 |
Precaution Adoption Process Approach | 2590 | 6 | 1 | 3 | 0 | 2.5 |
Diffusion of Innovations | 96,700 | 4 | 1 | 3 | 2 | 2.5 |
Control Theory | 11,500 | 6 | 1 | 1 | 0 | 2 |
Risk as Feelings Theory | 550 | 5 | 2 | 1 | 0 | 2 |
Social Learning Theory | 145,000 | 2 | 0 | 6 | 0 | 2 |
Norm Activation Theory | 4610 | 5 | 1 | 1 | 1 | 2 |
Technology Acceptance Model | 48,100 | 2 | 3 | 1 | 2 | 2 |
A full table with links to Google Scholar queries, descriptions of Cybonto in RDF store, the Neo4J relational database, theory ranking details, and other documentation is available at Cybonto-1.0 GitHub repository [
Cybonto elected the BFO as its top-level ontology from more than 30 candidates. BFO [
Materialism is the key ontological commitment. It views the world as a collection of materialized objects existing in space and time [
Cybonto chooses MITRE’s ATT&CK framework [
Cybonto chooses MITRE’s Structured Threat Information eXpression (STIX) to describe Asset subclasses and malicious campaigns under Group Activity. STIX subclasses are STIX Tools, STIX Malware, STIX Vulnerability, Cybox, and STIX Campaign [
The use of “Group,” “Asset,” and their subclasses depends on each use case. For example, postarrest investigators may be only interested in Person and Asset classes to answer questions such as “Why did a hacker choose to attack a certain system and not others?” whereas threat intelligence teams may be interested in Person, Asset, Group, and other classes. In other words, usages of classes other than Person are nonconclusive and are subject to inclusion or exclusion per use case.
Cybonto's main hierarchies. BFO: Basic Formal Ontology; MF: Mental Functioning.
Top authority centrality (AC) constructs receive influence from constructs that have the most influence on others. Top betweenness centrality (BC) constructs are the ones that sit on the shortest paths among other constructs. BC constructs can serve either as bridges or gatekeepers of other constructs and processes. Top Eigenvector centrality (EC) constructs are the leaders of their cliques. A clique is a group of constructs in which each member has relationships with the others. In the context of the cognitive digital twin, a clique may represent a strong cognitive or behavioral pattern. Not only are the top EC constructs well connected with their clique members, but they also have relationships with other cliques.
Contribution centrality is EC on inverse-Jaccard weighted values of the input networks. A link between two constructs has the most contribution weight when the neighbors of one end are most different from the neighbors at the other end. Degree centrality (DC) has two submeasures: out-degree and in-degree. Top out-degree centrality constructs have the most out-links (influencing) to others, while top in-degree centrality constructs are influenced by the most important incoming neighbors. The top PageRank constructs have relationships with the most influential neighbors, whether those relationships are incoming or outgoing.
Cybonto "influence" relationships visualized.
The top 10 constructs across 20 network centrality measures are Behavior, Arousal, Goals, Perception, Self-efficacy, Circumstances, Evaluating, Behavior-Controllability, Knowledge, and Intentional Modality.
A comprehensive report with scores, unscaled scores, and statistics across 20 network centrality scores is available at Cybonto-1.0 GitHub repository [
Among the top 9 most influential constructs shown in
Within cognitive architectures, we may consider implementing Goals, Knowledge, Perception, and Evaluating explicitly and with finer granularity. For example, Perception is more than short-lived sensory perception. Alice perceives Bob as a nice guy, and such perception may persist even when Bob is no longer there with Alice. Finer structures mean more symbolic labels or more nodes in the knowledge graph and may lead to improvements such as more diverse rule firing mechanisms and more explainable information decay.
Additionally, we should consider adding Arousal and Intentional Modality. Although Arousal is a noncognitive construct, it is ranked in second place and influences several cognitive constructs within the top 10, such as Evaluating and Intentional Modality. Unfortunately, the current state of research regarding Arousal as a part of a digital cognitive process is almost nonexistent. SOAR-related research results show a few papers studying the effects of general emotions. ACT-R research repository shows just 4 papers studying the effects of Arousal on memory management.
Circumstance is another noncognitive construct with a significant influence on behavioral outcomes. The paper recommends expanding the existing Mental Image module in existing cognitive architectures to include nonphysical environment variables such as urgency, group dynamics, and social sentiments. Finally, the paper recommends a new component—Imagining—to enable the HDT to run its own situational simulations and reason about possible circumstances.
Most influential constructs.
Top constructs and their fitted key scores.
Constructs | Fit PR (a) | Fit EC (b) | Fit BC (c) | Fit DC (d) | Total |
Behavior | 10 | 10 | 10 | 5.333333 | 35.33333 |
Self-efficacy | 2.978651 | 4.09735 | 5.791371 | 10 | 22.86737 |
Arousal | 2.45894 | 6.494922 | 3.033944 | 8 | 19.98781 |
Goals | 2.095989 | 4.048915 | 3.31916 | 6.666667 | 16.13073 |
Prospect | 1.609572 | 2.008954 | 3.335824 | 8.666667 | 15.62102 |
Evaluating | 3.373531 | 5.205153 | 2.811666 | 4 | 15.39035 |
Circumstances | 2.225146 | 2.591971 | 2.975886 | 6.666667 | 14.45967 |
Behavior controllability | 1.079106 | 1.051652 | 2.320296 | 6.666667 | 11.11772 |
Differential associating | 1.938038 | 1.952155 | 4.191495 | 2.666667 | 10.74835 |
Knowledge | 0.971335 | 3.448437 | 0.799434 | 5.333333 | 10.55254 |
Perception | 1.933234 | 2.995944 | 1.233271 | 4 | 10.16245 |
Protection effect | 3.419006 | 0.956777 | 1.811712 | 2 | 8.187495 |
Noetic awareness | 0.800599 | 2.70121 | 0.248913 | 3.333333 | 7.084055 |
Intentional modality | 0.948893 | 1.585625 | 0.357986 | 4 | 6.892503 |
Behavioral schemata | 1.354209 | 4.679314 | 0.091006 | 0.666667 | 6.791195 |
Propositional representations | 0.70164 | 2.70121 | 0.04671 | 3.333333 | 6.782894 |
Satisfaction of needs | 0.381798 | 1.190226 | 1.13073 | 4 | 6.702753 |
Cognitive process | 1.554735 | 2.509832 | 0.514903 | 1.333333 | 5.912803 |
Persistence | 0.647449 | 2.104271 | 0.172818 | 2.666667 | 5.591204 |
(a) Fitted PageRank.
(b) Fitted Eigenvector centrality.
(c) Fitted betweenness centrality.
(d) Fitted degree centrality.
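The centrality definitions and the fitted-score table above can be tied together with an added example, which is not code from the paper or the Cybonto repository: it computes PageRank, betweenness, and degree centrality on a directed "influence" network, fits each measure to a 0 to 10 range, and sums the fitted scores into a total. The edge list is constructed for illustration (only the construct names come from the article), scaling by the maximum value is an assumption about how scores were fitted, and Eigenvector centrality is omitted.

```python
from collections import deque

# Constructed (source, target) "influences" edges. Construct names appear in
# the article; the edges are illustrative only and are NOT Cybonto's triplets.
EDGES = [
    ("Circumstances", "Perception"), ("Perception", "Evaluating"),
    ("Arousal", "Evaluating"), ("Knowledge", "Evaluating"),
    ("Evaluating", "Goals"), ("Evaluating", "Self-efficacy"),
    ("Self-efficacy", "Goals"), ("Goals", "Behavior"),
    ("Self-efficacy", "Behavior"), ("Arousal", "Behavior"),
    ("Behavior", "Circumstances"),
]


def build(edges):
    """Return (nodes, successors, predecessors) for a directed edge list."""
    nodes = sorted({n for edge in edges for n in edge})
    succ = {n: [] for n in nodes}
    pred = {n: [] for n in nodes}
    for src, dst in edges:
        succ[src].append(dst)
        pred[dst].append(src)
    return nodes, succ, pred


def pagerank(nodes, succ, pred, damping=0.85, iters=200):
    """Power-iteration PageRank; mass of nodes with no out-links is spread evenly."""
    n = len(nodes)
    pr = dict.fromkeys(nodes, 1.0 / n)
    for _ in range(iters):
        dangling = sum(pr[v] for v in nodes if not succ[v]) / n
        pr = {v: (1 - damping) / n + damping * (
                  dangling + sum(pr[u] / len(succ[u]) for u in pred[v]))
              for v in nodes}
    return pr


def betweenness(nodes, succ):
    """Brandes' algorithm: unnormalized betweenness on an unweighted digraph."""
    bc = dict.fromkeys(nodes, 0.0)
    for s in nodes:
        order, parents = [], {v: [] for v in nodes}
        sigma = dict.fromkeys(nodes, 0)   # number of shortest paths from s
        dist = dict.fromkeys(nodes, -1)   # -1 marks "not reached yet"
        sigma[s], dist[s] = 1, 0
        queue = deque([s])
        while queue:                      # breadth-first search from s
            v = queue.popleft()
            order.append(v)
            for w in succ[v]:
                if dist[w] < 0:
                    dist[w] = dist[v] + 1
                    queue.append(w)
                if dist[w] == dist[v] + 1:
                    sigma[w] += sigma[v]
                    parents[w].append(v)
        delta = dict.fromkeys(nodes, 0.0)
        while order:                      # accumulate dependencies, farthest first
            w = order.pop()
            for v in parents[w]:
                delta[v] += sigma[v] / sigma[w] * (1 + delta[w])
            if w != s:
                bc[w] += delta[w]
    return bc


def fit(scores):
    """Scale raw scores so the maximum becomes 10 (assumed fitting method)."""
    top = max(scores.values())
    return {k: (10 * v / top if top else 0.0) for k, v in scores.items()}


def rank(edges):
    """Return [(construct, total)] sorted by the sum of fitted PR, BC and DC."""
    nodes, succ, pred = build(edges)
    degree = {v: len(succ[v]) + len(pred[v]) for v in nodes}
    fitted = [fit(pagerank(nodes, succ, pred)), fit(betweenness(nodes, succ)),
              fit(degree)]
    totals = {v: sum(f[v] for f in fitted) for v in nodes}
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for construct, total in rank(EDGES):
        print(f"{construct:15s} {total:6.2f}")
```

On this constructed graph the gatekeeper node on the shortest paths ranks first, while a source-only node with no incoming influence ranks last; the ordering says nothing about Cybonto's real results.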
Out of 108 psychology constructs, the top 10 are Behavior, Arousal, Goals, Perception, Self-efficacy, Circumstances, Evaluating, Behavior-Controllability, Knowledge, and Intentional Modality. In this list, only Behaviors, Goals, Perception, Evaluating, and Knowledge are parts of existing digital cognitive architectures. Notably, some of the constructs are not explicitly implemented. Early usability tests also demonstrate that Cybonto can be useful in other immediate uses such as manual analysis of hackers’ behaviors and automatic analysis of behavioral-cybersecurity knowledge texts.
The main goal of Cybonto is to provide one more reason for pushing current cognitive system designs, which may appear distant to some audiences. Hence, this paper aims to demonstrate that Cybonto can be immediately employed in current cybersecurity-related tasks. Manual analysis of malicious actors’ behaviors is one essential task for cybersecurity intelligence gathering. It is also the first step in designing a virtual human digital twin of a real hacker. The demonstration is as follows.
A small group of cybersecurity professionals working in one of the US Federal Reserve Bank’s branches participated in a Cybonto workshop. Group members had to choose either Snowden’s biography or Pavlovich’s biography as their reading assignment before the workshop. Both Snowden and Pavlovich are notorious cyber actors. In the workshop, participants were taught a simplified version of Cybonto. Notably, most of the members do not have a background in behavioral psychology. A table with columns of Knowledge, Expectation, Attitudes, Behavioral Belief, Normative Belief, Control belief, Intents, Subjective Norms, Perceived Behavioral Control, Actual Behavioral Control, Social Involvements, Social Attachment, and Social Commitment was provided. The goal was to have members establish a basic behavioral profile for each actor by filling values ranging from 0 to 6 in each of the table’s columns.
Members of the group who read Snowden’s biography book (the Snowden group) presented evidence for each column. The strength of evidence would determine the relevant column’s score. Members in the other group (the Pavlovich group) may debate about the Snowden group’s analysis and scoring. In the case of a stalemate, the author would assist with negotiating the scores. The same process was used for establishing Pavlovich’s behavioral profile. The workshop lasted 2 hours and produced results shown in
Overall, this usability test has shown that (1) Cybonto can be friendly to the professionals who do not have a behavioral psychology background; (2) Cybonto is descriptive and can help with pointing out the behavioral differences between two distinct cyber actors; (3) Cybonto is consistent so that consensus in a manual analysis of cyber actors can be reached within a reasonable amount of time.
Behavioral differences between Snowden and Pavlovich. BE: belief; CO: cognitive; Ctrl: control; IN: intentions; SO: social bonds; PE: personality.
Cybonto can also be used in machine learning–assisted domain knowledge analysis. For a demonstration, more than 3000 full texts of behavioral cybersecurity research within the past 5 years were downloaded from Google Scholar. A total of 2380 PDF files were selected and converted to plain text files. Natural language processing techniques were deployed on the text files and produced a concept list. The automatically generated list was then manually inspected and mapped into corresponding Cybonto constructs. A meta-network of related Cybonto’s constructs in each document was generated. Then, analysis was carried out on a unionized meta-network of all document-level meta-networks.
Overall, this simple experiment shows that Cybonto can be used to automatically analyze texts within the intersection of behavioral psychology and cybersecurity. Analyzed results may provide insights such as knowledge gaps and imbalance. Such interdisciplinary capabilities can be beneficial to teams with limited expertise. Future general artificial intelligence agents may also leverage Cybonto for their automatic knowledge analysis and acquisition.
Analysis snapshot of behavioral cybersecurity research papers within the past 5 years.
The novel Cybonto conceptual framework aims to provide general directions on answering the previously mentioned questions regarding the vision of DTs and HDTs for cybersecurity. The framework targets the cognitive process of a malicious actor as an HDT within a DT system. Cognitive space is defined by the behavioral or cognitive component of the Cybonto ontology. The action space is limited by the HDT's set of encoded actions, its ability to improvise new moves, and the other DTs’ interaction interfaces.
The Cybonto conceptual framework was formed upon analysis of the Cybonto ontology.
The Cybonto conceptual framework.
The internal environment (INE) is private to each DT. It contains both cognitive components and noncognitive components. Opposite to the internal environment is the societal environment (SOE) where everything is public. In between, the in-group environment (IGE) connects INE with SOE. All environments follow the Bronfenbrenner Ecological System Theory [
The IGE and the SOE are relative to the malicious HDT. The IGE is equivalent to the Bronfenbrenner Micro and Meso systems. The microsystem is the most influential external environment with members such as family, close friends, school, lovers, and mentors. SOE is equivalent to the Bronfenbrenner Exo, Macro, and Chrono systems. The Cybonto conceptual framework requires four representatives from 4 DT groups. We need one attacker HDT and one defender HDT. Unlike traditional models to which data and feature specifications were explicitly fed, an attacker HDT must collect the data by itself. Group-related data cannot be inferred if the fundamental group structure is not met. Hence, we then need at least two more DTs to present IGE and SOE identities.
An HDT can perform two main types of behaviors: the artifact-creating or -altering behavior and the nonartifact behavior. An artifact can range from a piece of code to a complex noncognitive digital twin. Viewing a piece of malware’s code is a nonartifact behavior, while running the code can be an artifact-altering behavior if the code makes changes to other artifacts. The perceptual layer sits on the border between the internal and external environments (IGE and SOE). Different perceptual layers in combination with different cognitive systems will have different perceptions of the same data streams. Refined perceptions constitute only a small part of a digital cognitive system. The Cybonto ontology details thousands of cognitive paths for processing initial perceptions. The result of a cognitive processing chain will be either a nonartifact behavior or an artifact-creating or -altering behavior. The behaviors (data streams) will be observed by other HDTs, and a new round of feedback loops begins. It is essential to note that a behavior can be kept secret within the in-group environment.
In this framework, (1) HDTs have the complete freedom to interact with other DTs per published protocols, and automatically seek whatever data are made available to them. (2) By releasing their behaviors, HDTs generate new data, which may then be consumed by other HDTs. (3) The cognitive architecture within each HDT determines its cognitive capabilities, which should include awareness and adaptation. (4) Cybonto DT simulation’s objectives should be more about discovering new knowledge (the
The biggest internal threat to validity is the maturation of the Cybonto ontology. The current Cybonto version should be treated as the “alpha release,” and numerous development steps will be needed. First, the mapping of each theory to triplets of (construct, influence, and construct) must be cross-checked by more psychologists. Second, missing and duplicated constructs must be identified by careful vetting and deliberations. Finally, ontology testing steps must be carried out. The risk of biased theory selection should be minimal as more theories will be incorporated over time.
The biggest external threat to validity is the various implementations of Cybonto. Understandably, solution developers should only implement the Cybonto constructs that are needed for solving their practical problems. In other cases, solution developers must add new constructs that were not packaged with Cybonto. Careless addition and removal of constructs may weaken Cybonto’s integrity, leading to faulty performance. Additionally, certain feedback loops must exist for certain psychology or cognitive paths to “fire.” For instance, an HDT may need to gather enough information about a situation from other HDTs and DTs before it can reason about the situation. Hopefully, the proposed Cybonto Conceptual Framework will help with minimizing these external threats to validity.
Booker and Musman [
According to Francia et al [
Thomson et al [
DCTs and HDTs are gaining popularity, but they are not necessarily new concepts. A good body of prior works involves “autonomous agents” with various applications in security and cybersecurity. However, autonomous agents have been designed in specific ways for solving specific problems. HDTs are fundamentally different from autonomous agents. Most HDTs consist of a cognitive system and a noncognitive system, and most cognitive systems can combine cognitive reasoning (symbolic) with deep learning models (subsymbolic). Furthermore, HDTs and DCTs should be able to perform in a much wider set of situations than autonomous agents, as DCTs are parts of HDTs that are in turn a part of the Metaverse strategy. Once massive noncognitive digital twin systems transition to the internet, adding human cognitive digital twins will be the only logical next step.
The vision of letting human digital twins “run free” in connected digital twin worlds (the Metaverse) and observing them is realistic and offers a new paradigm in knowledge mining. The Cybonto conceptual framework demonstrates how such an ecosystem can be leveraged for shaping proactive cybersecurity defense strategies. In the context of studying malicious cybersecurity behaviors, the key is building a digital human cognitive twin that models malicious hackers' cognitive patterns well. Specifically, cognitive reasoning with adequate granularity and a well-designed ontology allows us to observe, understand, and, more importantly, explain the HDTs’ behaviors. Hence, the paper also proposes the Cybonto ontology as a recommendation on how current cognitive systems can be extended.
Notably, medical researchers may take Cybonto core ontology and fit it to their applications such as virtual patients for applied psychology training, automatic behavioral annotations, analysis of electronic health records, and virtual agents for community psychology experiments. Future work may involve further framework development, fine-tuning and expanding the ontology, human cognitive cloning, and building different practical HDTs.
AC: authority centrality
BC: betweenness centrality
BFO: Basic Formal Ontology
DC: degree centrality
DCT: Digital Cognitive Twin
DT: Digital Twin
EC: Eigenvector centrality
HDT: Human Digital Twin
IGE: in-group environment
INE: internal environment
MF: Mental Functioning
SOE: societal environment
STIX: Structured Threat Information eXpression
None declared.