Key Takeaways
✓ SoK: A Framework for Unifying At-Risk User Research (SoK stands for Systematization of Knowledge) is a peer-reviewed research framework, published at IEEE S&P 2022 by researchers from the University of Maryland and Google, that unifies how the security, privacy, and HCI communities study at-risk users.
✓ The framework identifies 10 contextual risk factors across three categories (societal factors, relationships, and personal circumstances) that amplify digital-safety threats to vulnerable populations.
✓ At-risk users include activists under government surveillance, domestic violence survivors, children online, LGBTQ+ individuals in repressive regions, journalists, sex workers, people with disabilities, and immigrants.
✓ SoK maps protective practices (social strategies, distancing behaviors, and technical solutions) adopted by at-risk populations and documents the barriers that prevent these populations from using them effectively.
✓ Risk and compliance professionals can apply SoK’s contextual risk factor model to strengthen data protection impact assessments, inclusive security design, and regulatory compliance programs.
✓ The framework was built on a meta-analysis of 95 peer-reviewed papers from top security and HCI conferences (IEEE S&P, USENIX Security, CHI, SOUPS, NDSS, PETS).
What Is SoK and Why Does At-Risk User Research Need a Unifying Framework?
Anyone can face digital security and privacy threats. But certain people face those threats at far higher rates and suffer disproportionate harm when attacks occur. These are at-risk users: people whose digital-safety risks are amplified or augmented by who they are, what they do, where they live, or who they are with.
Activists under government surveillance. Domestic violence survivors whose abusers control their devices. Children exposed to predatory content. LGBTQ+ individuals in countries where their identity is criminalized.
Journalists protecting confidential sources. Immigrants navigating systems that track their movements. These populations experience overlapping, compounding digital-safety risks that standard security tools and threat models were never designed to address.
The problem is that research on these populations has been fragmented. Individual studies examine specific groups in isolation, using different methods, definitions, and threat models. Until recently, no unifying structure existed to synthesize findings across populations, identify common risk patterns, or guide technology design decisions.
SoK: A Framework for Unifying At-Risk User Research fills that gap. Published at the IEEE Symposium on Security and Privacy (S&P) 2022 by researchers from the University of Maryland and Google, the framework is built on a systematic meta-analysis of 95 peer-reviewed papers.
The result is a structured model that identifies 10 contextual risk factors, catalogs protective practices, and documents the barriers that prevent at-risk users from protecting themselves.
This guide breaks down the SoK framework, explains each contextual risk factor, maps the protective practices and barriers the research identified, and shows how risk management and compliance professionals can apply these concepts in practice.
Before diving in, ground yourself in foundational risk assessment methodology with our step-by-step guide to risk assessment.
The 10 Contextual Risk Factors: How SoK Categorizes At-Risk Populations
The core contribution of SoK is the identification of 10 contextual risk factors organized into three categories. These factors do not describe specific populations. They describe conditions that amplify digital-safety risks. A single individual can experience multiple overlapping factors, and the interaction between factors often creates risks that no single factor would produce alone.
This intersectional approach, grounded in Crenshaw’s framework of intersectionality, recognizes that risk is not additive but multiplicative. A woman in a repressive region who is also a journalist faces compounded threats that exceed the sum of each individual risk factor.
Category 1: Societal Factors
These risk factors are driven by the broader social, political, and cultural environment in which at-risk users operate.
| Risk Factor | Definition | Example Populations | Digital-Safety Impact |
| --- | --- | --- | --- |
| Marginalization | Belonging to a group that is stigmatized, discriminated against, or excluded from mainstream protections | LGBTQ+ individuals, racial minorities, people with disabilities, immigrants, sex workers | Reluctance to participate online; self-censorship; targeted harassment; coercion through threat of identity exposure |
| Oppression | Living under political, legal, or social systems that actively suppress rights, freedoms, or identity expression | Activists in authoritarian regimes, political dissidents, religious minorities in repressive states | Government surveillance; device seizure; content censorship; physical danger triggered by digital activity |
| Access Disparities | Lacking equitable access to technology, digital literacy, connectivity, or security resources | Low-income populations, rural communities, older adults, people in developing regions | Reliance on shared devices; inability to implement security measures; dependence on insecure public networks |
| Restrictive Social Norms | Informal cultural rules that constrain behavior and create mismatches between technology assumptions and lived experience | Women in conservative societies, gender non-conforming individuals, caste-affected communities | Technology designed around Western/mainstream norms fails to account for cultural constraints; social consequences of digital activity amplified by community policing |
Category 2: Relationship Factors
These risk factors stem from the at-risk user’s direct relationships, especially relationships where power imbalances create digital-safety vulnerabilities.
| Risk Factor | Definition | Example Populations | Digital-Safety Impact |
| --- | --- | --- | --- |
| Relationship with Attacker | The at-risk user has a personal relationship with someone who poses a direct digital-safety threat | Intimate partner violence (IPV) survivors, stalking victims, children in abusive households | Attacker has physical access to devices and accounts; coercive control through technology; difficulty separating digital identities |
| Reliance on a Third Party | The at-risk user depends on another person or entity to manage their digital life, creating a power imbalance | Children relying on parents, elderly adults relying on caregivers, people with cognitive disabilities relying on guardians | Third party may make digital-safety decisions that prioritize convenience over protection; monitoring tools can become instruments of control |
| Sensitive Resource Access | The at-risk user controls access to high-value information, systems, or assets that attract targeted attacks | Journalists protecting sources, government employees with classified access, healthcare workers handling patient data, researchers with sensitive datasets | Targeted spear-phishing; social engineering; state-sponsored intrusion attempts; elevated consequences of a breach |
Category 3: Personal Circumstances
These risk factors are driven by individual characteristics and life circumstances that affect digital-safety exposure.
| Risk Factor | Definition | Example Populations | Digital-Safety Impact |
| --- | --- | --- | --- |
| Prominence | The at-risk user is publicly visible, well-known, or has attributes that attract focused targeting | Content creators, public figures, outspoken advocates, celebrities | Increased attack surface from public exposure; stalking; doxxing; parasocial relationship exploitation; harassment campaigns |
| Socioeconomic Constraints | Financial or material limitations that restrict the at-risk user’s ability to invest in digital safety | Low-income individuals, unhoused populations, workers in precarious employment, people with felony conviction histories | Cannot afford paid security tools; reliance on free/ad-supported services with weaker privacy protections; limited options to replace compromised devices |
| Stigmatized Information | The at-risk user possesses personal information that, if exposed, would cause significant social, legal, or physical harm | People living with HIV, undocumented immigrants, whistleblowers, individuals with mental health conditions, people with non-conforming sexual identities | Blackmail and coercion; involuntary outing; employment and housing discrimination; legal prosecution in jurisdictions that criminalize identity or status |
Understanding these risk factors is essential to building security and privacy systems that work beyond the “average user” assumption.
Your enterprise risk management framework should account for how organizational technology decisions affect at-risk populations, especially in customer-facing systems, HR platforms, and data governance.
Protective Practices: How At-Risk Users Defend Themselves
SoK catalogs the technical and non-technical practices that at-risk populations adopt to protect themselves. These practices fall into three broad categories.
| Practice Category | Description | Examples from the Research |
| --- | --- | --- |
| Social Strategies | Relying on trusted relationships and community networks to manage digital-safety threats | Sharing account credentials with trusted allies (IPV survivors); seeking advice from security-literate friends; using community-based warning systems; creating collective response networks to counter harassment |
| Distancing Behaviors | Reducing digital footprint or withdrawing from online spaces to limit exposure | Deleting social media accounts; using pseudonyms; limiting personal information shared online; avoiding specific platforms known to host harassment; self-censoring political or identity-related expression |
| Technical Solutions | Adopting tools and configurations designed to enhance security, privacy, or safety | Using encrypted messaging (Signal, WhatsApp); enabling two-factor authentication; using VPNs and Tor; adjusting platform privacy settings; using password managers; installing anti-stalkerware tools |
A critical finding from SoK: most at-risk users adopt protective practices only after experiencing a serious safety incident, not proactively. This reactive pattern means that by the time protection is in place, harm has already occurred.
Building proactive risk identification into organizational security programs, informed by these protective practice categories, can close that gap. See our Key Risk Indicators complete guide to learn how KRIs provide early warning before incidents escalate.
Barriers to Protection: Why At-Risk Users Remain Exposed
SoK identifies persistent barriers that prevent at-risk users from adopting or maintaining protective practices, even when those practices exist.
| Barrier | How the Barrier Operates | Populations Most Affected |
| --- | --- | --- |
| Lack of Knowledge | At-risk users are unaware of available security tools or do not understand how to configure them correctly | Older adults, children, low-income populations, people in developing regions, communities with limited digital literacy |
| Usability Gaps | Security tools require technical expertise that at-risk users do not possess; interfaces assume a “power user” who does not match the at-risk population | People with disabilities, elderly users, non-English speakers, users with low technical confidence |
| Cost Barriers | Effective security tools require paid subscriptions, newer devices, or reliable internet access that at-risk users cannot afford | Low-income individuals, unhoused populations, people in developing regions, people with felony conviction histories re-entering society |
| Loss of Utility | Adopting protective measures reduces the functionality, convenience, or social participation that the at-risk user depends on | IPV survivors who lose contact with support networks when deleting accounts; activists who lose organizing platforms when abandoning social media; immigrants who lose access to community information channels |
| Attacker Adaptation | Attackers with direct access (intimate partners, state actors) can observe and circumvent protective measures as they are deployed | IPV survivors whose abusers check devices; activists whose governments deploy counter-surveillance; children whose online predators adjust tactics to evade parental controls |
| Institutional Distrust | At-risk users do not trust the institutions (platforms, government, law enforcement) that provide or recommend security tools | Undocumented immigrants; communities with histories of over-policing; LGBTQ+ individuals in jurisdictions with anti-queer laws; whistleblowers |
These barriers are not individual failures. They are systemic gaps in how security and privacy tools are designed, distributed, and supported.
Technology organizations, policymakers, and risk managers all have a role in closing these gaps. Our operational risk management guide covers the control design principles that can reduce barrier exposure in organizational systems.
Applying SoK to Enterprise Risk Management and Compliance
SoK was designed as an academic research framework, but the concepts translate directly to enterprise risk management, data governance, and regulatory compliance. Organizations building or deploying technology that serves diverse populations must consider how their systems affect at-risk users.
Data Protection Impact Assessments (DPIAs)
GDPR and emerging US state privacy laws require impact assessments before processing personal data that presents high risk to individuals.
SoK’s 10 contextual risk factors provide a structured checklist to identify which user populations face amplified risk from your data processing activities.
Map each risk factor against your system’s user base to determine where standard privacy protections may be insufficient.
Inclusive Security Design
Security features designed around the “average user” often fail at-risk populations. SoK’s barrier analysis (usability gaps, cost barriers, loss of utility) provides a framework to evaluate and redesign security features so they work across diverse user contexts. This is especially relevant when designing authentication, reporting mechanisms, content moderation, and account recovery flows. Align security design with your risk appetite statement to define the acceptable residual risk to at-risk user populations.
Regulatory Compliance and AI Governance
The EU AI Act, Colorado AI Act, and related legislation specifically address algorithmic discrimination against vulnerable populations. SoK’s risk factor model helps identify which AI outputs disproportionately affect at-risk users, informing bias testing requirements and fairness audits.
Organizations building responsible AI frameworks should integrate at-risk user considerations into their model governance and testing protocols.
Third-Party Risk Management
When evaluating vendors that handle data from at-risk populations (healthcare platforms, educational tools, social services technology), SoK’s framework provides assessment criteria beyond standard security questionnaires.
Ask vendors how their systems account for marginalization, access disparities, relationship-with-attacker scenarios, and stigmatized information exposure. Our third-party risk management framework guide covers the vendor assessment methodology to build this into your TPRM program.
The Four Pillars of At-Risk User Research: Safety, Consent, Privacy, and Ethics
Conducting research with at-risk populations demands heightened ethical rigor. A companion study, SoK: Safer Digital-Safety Research Involving At-Risk Users (2024), analyzed 196 academic papers and identified 14 research risks and 36 safety practices. The original SoK framework embeds four non-negotiable pillars that govern every research interaction with at-risk users.
| Pillar | What Is Required | Why Standard Protocols Fall Short |
| --- | --- | --- |
| Safety | Physical and psychological safety of participants throughout the research process; researcher safety when studying adversarial contexts; secure data handling that prevents participant identification | Standard IRB protocols may not account for the specific threat models facing at-risk populations (e.g., a government adversary with access to telecommunications infrastructure) |
| Informed Consent | Participants fully understand the study purpose, data collection methods, risks of participation, and their right to withdraw at any point without consequence | At-risk users may face coercion (from abusers, authorities, or community members) that undermines voluntary consent; consent processes must account for power dynamics and potential surveillance |
| Privacy | Personal information is never shared without explicit permission; data is stored with encryption and access controls matching the threat model; de-identification methods account for small population sizes where re-identification risk is elevated | Standard anonymization techniques may be insufficient when the at-risk population is small or the adversary has significant prior knowledge; pseudonymization can fail when contextual details are unique |
| Ethics | Compliance with applicable laws, institutional review board requirements, and professional codes of conduct; equitable treatment of participants; avoidance of extractive research that takes from communities without giving back | Traditional ethical review processes often lack domain expertise on the specific risks facing at-risk populations; researchers need specialized training to conduct studies responsibly |
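The Privacy row's warning about small populations can be checked mechanically before a dataset is shared. The following is an added example, not code from the SoK paper or from this article: it computes the k-anonymity of a constructed, already pseudonymised participant dataset over a chosen set of quasi-identifiers, lists the participants whose combination of contextual details is unique, and shows that generalizing some columns does not rescue a participant whose role alone is unique in the sample. All records, field names and the `k_required` threshold are assumptions made for illustration.

```python
"""Re-identification check for a small-population study dataset (added example)."""
from collections import Counter

# Constructed records: every participant already carries an opaque pseudonym.
# The other fields are the contextual details a study might retain for analysis.
RECORDS = [
    {"id": "P01", "role": "journalist", "region": "north", "age_band": "30-39", "lang": "en"},
    {"id": "P02", "role": "journalist", "region": "north", "age_band": "30-39", "lang": "en"},
    {"id": "P03", "role": "journalist", "region": "north", "age_band": "40-49", "lang": "en"},
    {"id": "P04", "role": "activist", "region": "south", "age_band": "20-29", "lang": "es"},
    {"id": "P05", "role": "activist", "region": "south", "age_band": "20-29", "lang": "es"},
    {"id": "P06", "role": "activist", "region": "south", "age_band": "20-29", "lang": "es"},
    {"id": "P07", "role": "sex worker", "region": "north", "age_band": "20-29", "lang": "en"},
]

# Attributes an adversary with prior knowledge of the community could plausibly know.
QUASI_IDS = ("role", "region", "age_band", "lang")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Size of the smallest equivalence class; k == 1 means someone is uniquely identifiable."""
    return min(equivalence_classes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """Pseudonyms of participants whose quasi-identifier combination appears only once."""
    classes = equivalence_classes(records, quasi_ids)
    return [r["id"] for r in records if classes[tuple(r[q] for q in quasi_ids)] == 1]


def check_release(records, quasi_ids, k_required=3):
    """Release decision: the dataset passes only if every class has at least k_required members.

    k_required is an assumed policy threshold; a real protocol sets it from the threat model.
    """
    k = k_anonymity(records, quasi_ids)
    return {"k": k, "singled_out": singled_out(records, quasi_ids), "releasable": k >= k_required}


if __name__ == "__main__":
    # Full detail: P03 (only journalist aged 40-49) and P07 (only sex worker) are unique.
    print(check_release(RECORDS, QUASI_IDS))
    # Generalizing age away helps P03 but not P07: the role itself is unique in this sample.
    print(check_release(RECORDS, ("role", "region", "lang")))
    # Only suppressing the role column (or P07's record) brings the dataset to k = 3.
    print(check_release(RECORDS, ("region", "lang")))
```

The point for research governance is that "pseudonymised" is not a release criterion on its own; the check has to be rerun against the quasi-identifiers the specific adversary is assumed to know.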
Organizations conducting user research, customer research, or employee surveys involving at-risk populations should integrate these four pillars into their research governance. Align your research protocols with your compliance risk assessment framework to ensure ethical and legal requirements are met.
90-Day Roadmap: Integrating At-Risk User Considerations into Your Risk Program
| Phase | Timeline | Key Activities | Deliverables |
| --- | --- | --- | --- |
| Phase 1: Assess | Days 1–30 | Map organizational systems and products against SoK’s 10 contextual risk factors; identify which at-risk populations interact with your technology; review existing DPIAs and security design against barrier analysis | At-risk user impact mapping; gap analysis report; executive briefing |
| Phase 2: Design | Days 31–60 | Update data protection impact assessments to include at-risk user considerations; revise security design guidelines to address usability, cost, and utility barriers; develop at-risk-user-informed vendor assessment criteria; update AI bias testing to cover marginalized population impacts | Updated DPIA templates; revised security design standards; vendor assessment addendum; AI fairness testing protocol |
| Phase 3: Embed | Days 61–90 | Train product, security, and compliance teams on at-risk user risk factors; pilot revised processes on one high-impact product or vendor; establish KRIs to monitor at-risk user outcomes; deliver board-level report on organizational exposure to at-risk user risks | Training completion records; pilot assessment reports; KRI dashboard; board risk briefing |
After Day 90, shift to continuous improvement. Review at-risk user impact assessments annually, update threat models as research evolves, and feed lessons learned into your risk management lifecycle.
Common Pitfalls When Addressing At-Risk User Risks
| Pitfall | Root Cause | How to Avoid |
| --- | --- | --- |
| Treating at-risk users as a single category | Organizations lump all “vulnerable populations” into one bucket without distinguishing between contextual risk factors | Use SoK’s 10-factor model to differentiate populations by their specific risk profiles; design protections that address the actual risk factors present |
| Designing security around the average user | Product teams build security features assuming a technically literate, English-speaking, well-resourced user | Conduct usability testing with diverse populations; apply SoK’s barrier analysis (usability gaps, cost barriers, institutional distrust) to evaluate security feature design |
| Ignoring intersectionality | Risk assessments evaluate risk factors in isolation rather than considering how multiple factors combine to amplify harm | Apply SoK’s intersectional approach: assess how marginalization + relationship with attacker + socioeconomic constraints (as an example) create compounded risk profiles |
| Reactive posture only | Organizations address at-risk user risks only after incidents or regulatory penalties occur | Proactively integrate at-risk user risk factors into DPIAs, security design reviews, and vendor assessments before products launch or contracts are signed |
| Extractive research practices | Organizations conduct user research that extracts data from at-risk populations without providing benefit or protection in return | Follow SoK’s four pillars (safety, consent, privacy, ethics); design research protocols that give back to communities and protect participant welfare |
| Assuming technology alone solves the problem | Organizations deploy security tools without addressing the social, economic, and institutional barriers that prevent at-risk users from adopting them | Pair technical solutions with education, community engagement, and policy advocacy; design tools that account for the full barrier landscape SoK identifies |
Our risk mitigation in project management guide covers the response strategy selection logic (avoid, transfer, mitigate, accept, escalate) that applies to at-risk user risk treatment decisions.
Forward Look: Where At-Risk User Research Is Heading
AI and algorithmic harm. As AI systems increasingly make decisions affecting employment, housing, credit, and criminal justice, at-risk users face amplified exposure to algorithmic discrimination. SoK’s risk factor model will become essential to AI fairness auditing and bias impact assessments under emerging legislation like the EU AI Act and Colorado’s AI Act.
Expanding beyond Western populations. SoK’s authors acknowledge that the research base skews heavily toward Western, specifically U.S., populations. Future research is expanding to non-Western contexts where different combinations of risk factors (oppression, restrictive social norms, access disparities) create threat models that current frameworks do not fully capture.
Safer research methodologies. The companion 2024 SoK paper on safer research practices analyzed 196 papers to identify 14 research risks and 36 safety practices. This work is building standardized protocols that will make at-risk user research more consistent, ethical, and reproducible across the security and HCI communities.
Regulatory integration. Privacy regulations (GDPR, state-level US privacy laws) and accessibility mandates (ADA, EAA) are converging with at-risk user research to create compliance obligations that explicitly require consideration of vulnerable populations in technology design and deployment. Stay current with our ISO 27001 risk assessment guide to understand how information security controls intersect with at-risk user protection.
Start Building At-Risk User Protections Into Your Risk Program
SoK demonstrates that digital-safety risk is not distributed equally. People who face marginalization, oppression, abusive relationships, socioeconomic constraints, or public prominence experience threat landscapes that mainstream security tools do not address.
Risk management professionals, compliance leaders, product teams, and security architects all have a role to play. Map your systems against SoK’s 10 contextual risk factors. Identify where your protections fall short. Redesign with at-risk users in mind. Then monitor, iterate, and improve.
The organizations that build inclusive digital safety now will earn the trust of their most vulnerable users and lead the industry as regulatory expectations catch up.
References
1. Warford, N. et al. “SoK: A Framework for Unifying At-Risk User Research.” IEEE S&P 2022
2. Warford, N. et al. SoK Paper (arXiv preprint, updated Nov 2025)
3. Bellini, R. et al. “SoK: Safer Digital-Safety Research Involving At-Risk Users.” IEEE S&P 2024
4. Google Research — SoK: A Framework for Unifying At-Risk User Research
5. PRISM — Center for Privacy and Security for Marginalized and Vulnerable Populations
7. NIST AI Risk Management Framework (AI RMF 1.0)
8. ISO/IEC 42001:2023 — AI Management System
9. EU Artificial Intelligence Act
11. IIA Three Lines Model (2020)
12. New America — Why Weakening Encryption Hurts Women and Gender Minorities
13. Digital Frontiers Institute — Cybersecurity and Privacy in an Inclusive Digital Economy

Chris Ekai is a Risk Management expert with over 10 years of experience in the field. He has a Master’s (MSc) degree in Risk Management from the University of Portsmouth and is a CPA and Finance professional. He currently works as a Content Manager at Risk Publishing, writing about Enterprise Risk Management, Business Continuity Management and Project Management.
