Papers
Topics
Authors
Recent
Search
2000 character limit reached

Intangible Vulnerability: Latent Risks & Uncertainty

Updated 4 July 2026
  • Intangible vulnerability is a multifaceted concept that defines exposures beyond direct physical defects, emphasizing latent risks and context dependency.
  • It spans diverse domains such as software security, cultural heritage preservation, and human-centered economic models with unique measurable impact factors.
  • Its assessment relies on analyzing unseen exploit paths, preservation of heritage through digitization, and socio-technical dynamics to guide resilient practices.

Intangible vulnerability denotes forms of susceptibility whose decisive mechanisms are not exhausted by observable physical deterioration, a single realized exploit path, or a purely technical defect. In recent literature, the term and closely related formulations describe the uncertainty-laden portion of software vulnerability severity, the exposure of intangible cultural artifacts and living heritage to disappearance, the exploitable human-side attack surface in cybersecurity, and the welfare sensitivity of subjective evaluations in intangible-goods environments (Chan, 22 Mar 2025, Grzeszczuk et al., 2024, Ye et al., 28 May 2025, Ben et al., 8 Jun 2026, Papatsaroucha et al., 21 May 2026, Fukuda, 2024). Taken together, these uses suggest a family of concepts centered on latent coupling, incomplete observability, context dependence, and irreversible loss or manipulation before harm is fully specified.

1. Domain-specific meanings and recurring structure

The literature does not present a single unified definition of intangible vulnerability. Instead, the term is instantiated differently across security engineering, cultural heritage preservation, human-centered cybersecurity, and quantum-information models of welfare. The common pattern is that the relevant exposure is mediated by entities, contexts, or states that are not adequately represented by direct exploitability, direct material decay, or direct utility accounting (Chan, 22 Mar 2025, Grzeszczuk et al., 2024, Papatsaroucha et al., 21 May 2026, Fukuda, 2024).

Domain Vulnerable object Primary mechanism
Security bug severity A security bug treated as a set of possible security events Uncertainty, latent coupling, and “known unknowns” operationalized by connectedness
Cultural heritage preservation Living practices, recorded signals, software on legacy media Irreversible loss through decay, obsolescence, loss of context, fragile stewardship, and legal barriers
Intangible Cultural Heritage safeguarding Transmission, documentation, and organization of ICH knowledge Deterioration, disappearance, destruction, and discontinuity of inheritance
Human-centered cybersecurity Cognitive heuristics, affective states, social trust models, and situational contexts Manipulation, error, and socio-technical propagation
Intangible goods economics Experienced welfare or choice probabilities Context-driven perturbations, interference, bias, and nudge sensitivity

A recurring feature is explicit dependence on the operative context. In software severity, the threat model determines which entities count as connected. In preservation, the playback chain, metadata, stewardship model, and rights regime determine whether a digital artifact remains recoverable. In human vulnerability assessment, demographics, training, prior incident experience, socio-cultural conditions, and performance states moderate susceptibility. In the quantum-information formulation, provider, recipient, and their environments are modeled as subsystems in a composite Hilbert-space representation. This suggests that intangible vulnerability is typically relational rather than intrinsic: it inheres in interactions among artifacts, users, infrastructures, and evaluative environments rather than in isolated objects alone.

2. Uncertainty, latent coupling, and software security severity

In software security, intangible vulnerability is articulated most explicitly through the notion of connectedness, introduced as a distinct severity dimension for bugs whose risk is not fully captured by exploitability–impact ratios (Chan, 22 Mar 2025). The paper reframes a security bug not as a single exploit but as a set of possible exploit paths and side effects. Connectedness is then defined as a quantity describing the intensity of a behavior’s connections to other entities, where intensity is qualitatively determined by how many entities are connected and how strong each connection is. The examples are web-centric—HTML elements, attributes, embedded JavaScript, and parser differentials across browsers and libraries—but the broader framing includes systems, components, dependencies and supply-chain links, users and user roles, processes and services, data flows and interfaces, privileges and trust boundaries, third-party integrations, and communication channels.

This formulation is explicitly about uncertainty. Drawing on the distinction between “known knowns” and “known unknowns,” the paper argues that conventional severity frameworks capture the former more readily than the latter. A single CVSS instantiation forces one set of exploitability and impact values and therefore tends to score one exploit path at a time. Connectedness complements base, temporal, and environmental CVSS metrics by representing the breadth and strength of plausible paths and side effects that have not yet been enumerated. No modified scoring formula, weights, adjacency matrices, graph metrics, or probabilistic formulations are proposed; the contribution is conceptual and qualitative rather than algorithmic.

The motivating example is XSS and its near-miss variants. Input reflected into responses is connected to many entities—HTML contexts, attribute contexts, JavaScript embedding, and parsing artifacts—so even an “XSS that didn’t make it” may remain highly connected. By contrast, a missing referrer policy can under typical assumptions have fewer plausible exploit paths and side effects, although edge cases remain. The paper’s claim is not that every reflected input is already exploitable, but that richer and closer “known unknowns” warrant higher triage priority than a CVSS-like informational label would imply.

The practical workflow is correspondingly judgment-driven. Practitioners are to define the behavior of interest and the threat model; enumerate entities plausibly interacting with the behavior; assess connection strength by closeness of relation and plausibility of exploitation or side effect; and compare bugs by the number and strength of their connections. The paper explicitly acknowledges the subjectivity of connection-strength estimates, the dependence on the threat model, and the fact that connectedness is not a remedy for unknown unknowns. A plausible implication is that connectedness functions as a triage tie-breaker and forward-looking proxy for emergent exploitability rather than as a replacement for existing scoring systems.

3. Cultural heritage, recorded media, and irreversible loss

In cultural heritage preservation, intangible vulnerability refers to the susceptibility of intangible artifacts to irreversible loss under conditions that combine unstable carriers, vanishing execution environments, missing contextual knowledge, fragile stewardship, and restrictive legal regimes (Grzeszczuk et al., 2024). The scope is intentionally broad. It includes not only living practices, representations, expressions, knowledge, and skills in the UNESCO sense, but also recorded signals and software on legacy media such as Atari cassette tapes, BBS systems, VR software, and Flash code. These are treated as intangibles whose cultural value may be under-recognized yet time-sensitive.

The paper repeatedly contrasts two temporalities. Magnetic and VHS-based media have life expectancy “counted in decades,” whereas the Roman Theatre in Volterra, though exposed to the elements, measures its lifespan “in centuries.” This asymmetry underpins the urgency of intangible preservation. For Atari-era media, the paper highlights deteriorating signals stored on magnetic tapes, mechanical damage during normal use, rare or prototype interfaces such as Turbo Soft’s Videocartridge and the Atari 1090 expansion module, and dependence on defunct software stacks such as 1980s BBS systems. Valuable digital work may exist on “a single person’s server” and “disappear forever.” Legal barriers compound the problem: abandoned software remains under intellectual property, there are no legal-deposit requirements for digital artifacts, and there are no right-to-repair obligations for legacy hardware.

The Volterra Roman Theatre provides the contrast case. Its vulnerabilities are tangible—weathering, erosion, trampling, catastrophic risks such as warfare and disasters—but slower. Even so, the paper emphasizes that digitized reconstructions may become “the only remnant” if the original is later destroyed. Preservation is therefore framed as both documentation and resilience engineering.

The mitigation program is multi-layered. For intangible artifacts, the panel’s core message is that “if digitized in time, they can survive.” It recommends digitizing at-risk magnetic and analog video media early; creating “identical copies” and distributing them widely; avoiding “another bucket of bits” by building structured databases with provenance and context; preserving executable environments through emulation and virtualization, as illustrated by a BBS demonstration in DOSBox; engaging retrocomputing and demoscene communities; and pursuing format and media standardization. For tangible sites, it recommends precise scanning, repeated “snapshots” across excavation and decay phases, and digital/3D reconstruction using Unreal Engine 5 with Nanite and dynamic lighting to support analysis, collaboration, and public engagement without further stressing the site.

The paper also foregrounds policy and ethics. It calls for “urgent legislative activities supporting digital cultural heritage,” including sustainable standards for storage formats and media, clearer digitization rights, and attention to privacy. It notes that generative AI can “fill technical gaps” and “create interactive experiences,” but only with explicit curatorial decisions about authenticity and access. A common misconception is that preservation is achieved once content is copied; the panel instead treats context, execution, rights, and stewardship continuity as integral parts of what must be preserved.

4. Intangible Cultural Heritage, knowledge organization, and domain LLMs

A second cultural-heritage usage narrows the focus to Intangible Cultural Heritage (ICH) and defines its vulnerability as exposure to deterioration, disappearance, destruction, and discontinuity of inheritance under modernization and globalization-driven homogenization (Ye et al., 28 May 2025). The paper emphasizes demographic and infrastructural mechanisms: many bearers are elderly and struggle with digital tools, successors are scarce or unevenly distributed, digitization penetration is low in remote areas, advanced tools have high thresholds and costs, and long-term storage, management, and accessibility remain difficult. By 2024, UNESCO’s ICH Lists and Register encompassed 788 entries, with China maintaining the world’s largest inventory.

The technical response is ICH-Qwen, a domain-specific LLM built on the Qwen family to support protection, inheritance, and dissemination. The pipeline comprises multi-source corpus acquisition and preprocessing, rule-based cleansing, granular annotation with tags such as <ICH-TITLE>, <ICH-PLACE>, and <ICH-TERM>, continued pretraining on ICH corpora, and instruction-based fine-tuning with LoRA. The corpus includes five categories—domestic policies and regulations, news, thematic reports, UNESCO documentation and academic resources, and ICH project inventory materials—plus 49,093 ICH-related journal abstracts. Qwen2.5-7B-Chat was selected as the most suitable base among seven state-of-the-art dialog LLMs, while Qwen2-72B-Instruct was used to generate synthetic data that were then manually verified by experts. The experimental stack used LlamaFactory on PyTorch + Transformers, 3×NVIDIA RTX A6000 (48 GB) and 6×Quadro RTX 8000 (45 GB), and a learning rate of 2e-4.

The evaluation protocol used ROUGE-N-F, BLEU-N, and chrF, all normalized to [0,1][0,1], with 100 evaluation samples per task category.

Task ICH-Qwen result Comparative statement
Knowledge Q&A ROUGE-1-F 25.04; ROUGE-2-F 7.58; ROUGE-L-F 20.88; BLEU-4 6.32 Leads in ROUGE-1-F, ROUGE-L-F, and BLEU-4
Context-aware Knowledge Q&A ROUGE-1-F 37.21; ROUGE-2-F 10.48; ROUGE-L-F 27.74; BLEU-4 11.99 Outperforms all baselines across seven metrics
Terminology Interpretation ROUGE-1-F 23.82; ROUGE-2-F 8.63; ROUGE-L-F 18.69; BLEU-1 25.41; BLEU-2 15.82; BLEU-3 11.01; BLEU-4 8.41 Best performance across all metrics

The paper interprets these results as evidence that domain-specific LLMs can mitigate information and archival vulnerability by organizing dispersed textual resources into a structured, queryable, and pedagogically usable knowledge base. The reported gain in context-aware grounding—ROUGE-1-F improving from 25.04 to 37.21 and BLEU-4 from 6.32 to 11.99—supports the claim that explicit contextualization improves reference-faithful narratives. The paper further proposes multilingual and dialectal adaptations, multimodal integration of speech and video, and knowledge-graph construction for item–place–bearer–ritual linkages.

The limitations are equally explicit. ICH is predominantly oral and multimodal, whereas the present system is text-focused. Coverage may be uneven across regions and subdomains. Hallucination risk is acknowledged but not quantified. Most importantly, the authors treat LLMs as complements to, not replacements for, living practice and community-led transmission. This suggests that digital mitigation reduces one class of intangible vulnerability—fragmented knowledge organization—while leaving the social substrate of transmission indispensable.

5. Human systems as an attack surface

In cybersecurity, intangible vulnerability is increasingly used to designate the exploitable properties of the human system rather than the software stack. The HVE framework defines it as cognitive heuristics, affective states, social trust models, and situational contexts that create pathways for manipulation and error independent of software or hardware flaws (Ben et al., 8 Jun 2026). Attackers exploit these patterns because they are fast, generalizable, composable, context-sensitive, and under-defended. The framework explicitly grounds this claim in dual-process theory, prospect theory, social influence frameworks, and visceral state models. In this formulation, an intangible vulnerability is not a label for a person but a structured description of the human-side exploit chain in a specific interaction: what cognitive mechanism was activated, by whom, in what trust scenario, through which channel, and with what grooming depth.

Operationally, the framework introduces HVE records for attack patterns, HWE records for victim-side susceptibility factors, HVSS for severity scoring, and HVPs for intervention bundles. HVE identifiers take the form HVE-YYYY-<FAMILY>-NNNN; the concrete example HVE-2026-AUTH-0042 encodes year, family, and sequence number. Core machine-readable fields include Family, Persona Archetype, Social Engineering Tactics, Grooming Depth, Exposure Channel, Indicators & Evidence, Associated Patch Pack, Response Playbook, and references. HVSS is defined as a contextual 0–10 composite:

HVSS=10clip ⁣(0,1,θBB+θCC),\text{HVSS} = 10 \cdot \operatorname{clip}\!\left(0,\, 1,\, \theta_B \cdot B + \theta_C \cdot C \right),

with

B=wII+wXX+wGG+wEE,C=wSS+wMM+wVVwRR.B = w_I I + w_X X + w_G G + w_E E,\qquad C = w_S S + w_M M + w_V V - w_R R.

The framework also emits a Spell Intensity flag, with illustrative thresholds subject to calibration: Low for HVSS <4.0< 4.0, Medium for 4.0HVSS<7.04.0 \le \text{HVSS} < 7.0, and High for HVSS 7.0\ge 7.0.

The broader assessment literature portrays this human-side attack surface as multidimensional and socio-technical rather than reducible to susceptibility to phishing alone (Papatsaroucha et al., 21 May 2026). The taxonomy spans psychological dimensions such as personality traits, emotions, conformity, credulity, moral disengagement, and attitudes; cognitive dimensions such as awareness, digital literacy, trust and technology perceptions, risk/protection appraisal, and human–AI cognitive interaction; behavioral dimensions including risk-taking, policy non-compliance, careless verification, online self-disclosure, and browsing habits; performance states such as fatigue, time pressure, multitasking, and interruptions; and contextual moderators such as demographics, training, incident experience, and socio-cultural conditions. The review followed PRISMA over 2017–2025, identified 4,036 records, screened 2,501 titles and abstracts, evaluated 330 full texts, and included 52 studies plus 2 honorable mentions; it classified 26 models, 17 methods, and 11 instruments. Most work targeted unintentional threats, with roughly 62% of studies in that category, roughly 30% on intentional threats, and roughly 8% covering both.

The methods are correspondingly heterogeneous. They include self-report instruments such as HAIS-Q, SeBIS, StP-II, CSEC, ODPS, and BCISQ; experimental and simulation frameworks such as SDVA, Bayesian multi-armed-bandit phishing testing, RPA-powered phishing simulation, and SPEL; continuous telemetry and anomaly-detection systems such as UEBA/UBA, PIDE, LSTM–CNN, session autoencoders, DNNs, decision trees, and random forests; hybrid context-aware frameworks such as contextual ISA and smartphone ISA; and socio-technical architecture models such as HoS-ML and HoS-ADL. The review’s principal finding is fragmentation: human vulnerability assessment remains more dynamic than before, but still behavior-centric, insufficiently standardized, weak on socio-cultural moderators, and limited in explicit propagation modeling across individuals and systems.

Two controversies recur. First, the literature resists stigmatizing “weakness” as a personal defect; both HVE and the SLR treat vulnerability as patterned susceptibility embedded in context. Second, operationalization raises governance problems: tiered access is proposed for HWE and full HVPs to limit dual use, while continuous monitoring and AI-driven profiling trigger privacy, explainability, and consent constraints.

6. Welfare susceptibility, quantum-information formalization, and cross-domain implications

A mathematically explicit usage appears in work on bias and nudges for intangible goods. There, Intangible Vulnerability is defined as the sensitivity of experienced welfare or choice probabilities to small, context-driven perturbations in the intangible goods environment (Fukuda, 2024). Providers, recipients, and their environments are represented by density operators on Hilbert spaces; evaluations are represented by POVMs. Customer satisfaction is modeled through

Smerit(x;p())=p()log ⁣(xp()+1),S_{\text{merit}}(x; p(\uparrow)) = p(\uparrow)\log\!\left(\frac{x}{p(\uparrow)} + 1\right),

with subjectivity entering through p()p(\uparrow) and p()=1p()p(\downarrow)=1-p(\uparrow). Decision utility uses a classical weight, whereas experienced utility includes an interference term depending on amplitudes and relative phases. Bias is the divergence between decision and experienced utility, formalized as internality,

Λ=SmeritdecSmeritexp.\Lambda = S_{\text{merit}}^{dec} - S_{\text{merit}}^{exp}.

Within this framework, nudges are modeled as CPTP maps on states, deformations of measurements, or both. The paper defines a basic vulnerability metric as

HVSS=10clip ⁣(0,1,θBB+θCC),\text{HVSS} = 10 \cdot \operatorname{clip}\!\left(0,\, 1,\, \theta_B \cdot B + \theta_C \cdot C \right),0

with elasticity

HVSS=10clip ⁣(0,1,θBB+θCC),\text{HVSS} = 10 \cdot \operatorname{clip}\!\left(0,\, 1,\, \theta_B \cdot B + \theta_C \cdot C \right),1

where HVSS=10clip ⁣(0,1,θBB+θCC),\text{HVSS} = 10 \cdot \operatorname{clip}\!\left(0,\, 1,\, \theta_B \cdot B + \theta_C \cdot C \right),2 parameterizes nudge strength or bias magnitude. Gross social surplus is

HVSS=10clip ⁣(0,1,θBB+θCC),\text{HVSS} = 10 \cdot \operatorname{clip}\!\left(0,\, 1,\, \theta_B \cdot B + \theta_C \cdot C \right),3

Because HVSS=10clip ⁣(0,1,θBB+θCC),\text{HVSS} = 10 \cdot \operatorname{clip}\!\left(0,\, 1,\, \theta_B \cdot B + \theta_C \cdot C \right),4 depends on interference and environment coupling, small contextual shifts can produce large welfare effects. The paper’s central claim is that customized nudges can reduce internality, raise repeat rates, and under feasible phase alignment even make gross social surplus larger than in standard economics.

Taken together, these bodies of work suggest that intangible vulnerability is best understood as a problem of latent state, contextual dependence, and incomplete observability rather than of direct defect alone. In software security, the latent object is the space of plausible exploit paths and side effects. In heritage preservation, it is the dependence of meaning and executability on carriers, metadata, hardware, rights, and communities. In human-centered cybersecurity, it is the interaction among cognition, affect, behavior, channel, and organizational context. In quantum-information welfare models, it is the sensitivity of subjective valuation to environmental perturbation and measurement design (Chan, 22 Mar 2025, Grzeszczuk et al., 2024, Ben et al., 8 Jun 2026, Papatsaroucha et al., 21 May 2026).

The limitations are equally cross-cutting. Connectedness does not solve unknown unknowns and has no formal scoring function. Digitization does not by itself preserve context, authenticity, or lawful access. Domain LLMs remain modality-limited and require human verification. Human vulnerability scoring requires calibration, ethical gating, and anti-stigmatization safeguards. Quantum-like models may be underdetermined and raise autonomy and fairness concerns. A plausible implication is that the chief analytical value of intangible vulnerability lies not in collapsing these domains into one metric, but in forcing assessment frameworks to represent uncertainty, latent relations, context dependence, and socio-technical coupling as first-class objects of analysis rather than as residuals left outside the model.

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Intangible Vulnerability.