I. Defining Vulnerability

Cybersecurity Vulnerabilities

Cybersecurity refers to the system of practices, technologies, and policies used to protect data, devices, and users against threats, risks, vulnerabilities, and other cyber harms. A cybersecurity “vulnerability” is a weakness or gap that can be exploited; a cybersecurity “threat” refers to malicious actors attempting to gain unauthorized access by exploiting a vulnerability; and a “risk” is the potential loss or damage that results from a threat exploiting a vulnerability. A threat may be due to malware or to the “human factor” (the general understanding that people will make mistakes).1 According to a 2025 Verizon report, 60 percent of all security breaches include some sort of human error (such as weak passwords, privilege misuse, or social engineering).2 Threats or risks may also be due to social engineering (tricking someone into revealing information), phishing attempts (fake emails or messages that contain malware), or viruses.

For the purposes of this report, human vulnerabilities in the context of cybersecurity should be more precisely defined as a subcategory of cybersecurity vulnerabilities that is not limited to technical systems or networks. These human-centered weaknesses (beyond being prone to mistakes or errors) are often the very entry points that are exploited. Accordingly, this report will highlight this subcategory when referring to the phrase “cybersecurity vulnerabilities,” but will retain the two different phrases (“human vulnerabilities” and “cybersecurity vulnerabilities”) to clearly articulate the bridge being built in this report between digital divide and cybersecurity policy.

Human Vulnerabilities

Although there are disciplines that study the impact of technology on people, or how someone who is vulnerable may be susceptible to certain risks, the definition of vulnerability used here is grounded in feminist and feminist legal theories.3 This choice is intentional: Feminist approaches treat vulnerability not as personal weakness but as a universal and structurally produced condition. By adopting this lens, the analysis shifts from individual blame and instead focuses on how systems create and perpetuate unequal exposures to harm. The result is a more critical examination of the vulnerabilities digital users face, and keener insights into how they might be addressed and eventually eliminated.

Martha Fineman, a leading scholar on critical legal and feminist legal theories and philosophies, describes vulnerability as both universal and situational.4 Essentially, everyone is vulnerable in some way, but their particular vulnerability hinges on the specific circumstances they face. This perspective shifts the concept of vulnerability away from a given status or identity. Fineman’s definition instead emphasizes the relationship between individuals and the state, which she believes has a responsibility to protect those rendered vulnerable by specific conditions. This report agrees with Fineman: There is a particular role that the government should play for those who are made vulnerable in digital circumstances.

The digital circumstances most relevant to this report are related to digital access, digital literacy, and digital skills. “Digital access” refers simply to access to the internet and other digital tools or systems. For some communities, access is limited not just by infrastructure, but by affordability, language, or cultural barriers. For example, if an artificial intelligence (AI) tool that individuals must use in order to access government-administered services does not provide translation services in the language they are comfortable speaking, those individuals cannot be said to have access to that system, even if they have internet access.

Digital access, skills, and literacy are components of what is commonly referred to as the digital divide. In the late 1990s, the digital divide was used to describe the digital “haves and have-nots.”5 This understanding of the digital divide guided policy efforts that persist to this day. In 1999, the National Telecommunications and Information Administration published Falling Through the Net, a report that defined the digital divide and provided data on the levels of access in the United States.6 Today, despite so many lacking the ability to adequately use technology (that is, those lacking literacy and skills), the term “digital divide” is still primarily used to refer to broadband access.7 When this report uses the term, it is referring not just to access, but to digital skills and literacy as well. All three dimensions of the digital divide are framed here as human vulnerabilities, as they increase the risk of exposure to cybersecurity threats. Further, each dimension represents a distinct but interconnected barrier that can increase an individual’s exposure to digital risk.

Digital literacy and skills are often used interchangeably, but there is an important distinction. “Digital literacy” refers to one’s ability to effectively understand, navigate, and evaluate digital outputs. Outputs can be anything from the text of a website to an AI-generated image. As the American Library Association notes, digital literacy includes not just the ability to evaluate digital tools but also critical thinking and the ability to use, interpret, and locate information.8

Relatedly, “digital skills” refer to the practical abilities one has to effectively engage with and use digital tools and systems. To differentiate between literacy and skills, consider a hypothetical student named Amy. Amy is a postdoctoral fellow living in affordable but poorly connected student housing. Her underground unit offers only spotty internet, forcing her to spend time at a café across the street to reliably access the internet. Last week, Amy connected to what she thought was the café’s Wi-Fi hotspot. After entering the usual password, she was taken to a screen she did not recognize. It claimed she was “logged in,” so she closed the screen. Unbeknownst to her, Amy had connected to a malicious hotspot with the same name as the café network. Her data was quickly intercepted.

In this scenario, as illustrated in Figure 1 below, digital literacy might have helped her recognize something was amiss. International research indicates that individuals with stronger digital literacy tend to be more aware of security risks and engage in proactive behaviors to mitigate them.9 However, recognizing a risk does not automatically translate into action: Amy needed both digital literacy and skills. Digital skills would have enabled her to proactively investigate the network, adjust her security settings, and even install additional protections on her computer.

Thus, lacking sufficient digital literacy or skills, Amy became vulnerable to cybersecurity risks. In fact, her vulnerability began due to her lack of access: She would not have gone to the café if she had had a reliable connection in her home.

[Figure 1: Bad path, specific to Amy. Credit: Alex Briñas/New America]

Moving Away from Simplistic Labels

When discussing these vulnerabilities, it is important to move beyond surface-level labels and consider how structural conditions shape individual experiences. It may be easy to say that Amy was “vulnerable” simply because she lacked digital access. More accurately, she was rendered vulnerable because of her situation, which is a critical distinction from labeling her as inherently or permanently vulnerable. Vulnerability is context dependent.

In an early comment on digital divide policy, digital librarian Steve Cisler cautioned against labeling people as digital haves or have-nots because it creates overly simplistic binary categories.10 At any given moment, one could be rendered vulnerable and become a digital have-not due to a specific situation, like a sudden lack of internet access or the inability to navigate a specific system, highlighting the fluidity of vulnerability. The label matters less than understanding the conditions that produced the vulnerability.

This critique of oversimplified labels highlights the importance of understanding feminist theories of vulnerabilities, such as Florencia Luna’s concept of layered vulnerability. Luna argued that vulnerabilities should not be thought of as static traits but as layers that accumulate in specific contexts.11 This layered approach ultimately enables a more nuanced analysis.

Here, each situation that renders someone vulnerable adds a new layer that compounds risk or increases exposure. In Amy’s case, her situation became more precarious not just because she lacked digital access (which could be considered her first layer of vulnerability), but because she also lacked digital literacy and skills (the second and third layers). Thus, affixing the label of “vulnerable” to someone without access, literacy, or skills is not as useful as understanding vulnerability as a universal, context-dependent layered concept. It should be further noted how language is limiting in this situation: While it does make sense, here, to identify Amy as vulnerable due to her lack of access, skills, and literacy, policymakers should explore the hows and the whys of her specific vulnerabilities (in other words, the situation and the context), which can lead to more sophisticated, diverse solutions to addressing them.

Instead of saying, “Amy is digitally vulnerable. She needs X,” policymakers should explore how Amy is vulnerable and try to understand what she needs to address each layer of vulnerability, because “X” alone may not be adequate. If “X” were reliable internet connectivity (either in or outside her home), Amy would have digital access—but she still might lack digital literacy and skills to identify malicious or suspicious activity. In this case, “X”—internet connectivity—would only postpone her exposure to digital risk, not eliminate it. The push for understanding layers of vulnerability is important for this more thorough analysis.

Citations
  1. See Mark Evans et al., “Human Behaviour as an Aspect of Cybersecurity Assurance,” Security and Communication Networks 9, no. 17 (October 20, 2016): 4667–79, source; Maher Alsharif, Shailendra Mishra, and Mohammed AlShehri, “Impact of Human Vulnerabilities on Cybersecurity,” Computer Systems Science and Engineering 40, no. 3 (September 24, 2022): 1153–66, source. Similar to the human factor is the concept of an insider threat, defined as “the potential for an insider to use their authorized access or understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, or facilities.” “Defining Insider Threats,” Cybersecurity and Infrastructure Security Agency, source. An insider threat, if the insider makes a mistake, could be considered the “human factor.”
  2. Verizon Data Breach Investigations team, 2025 Data Breach Investigations Report (Verizon Business, 2025), source.
  3. See Daniella DiPaola and Ryan Calo, “Socio-Digital Vulnerability,” SSRN, January 17, 2024, source; Margret Hoehe and Florence Thibaut, “Going Digital: How Technology Use May Influence Human Brains and Behavior,” Dialogues in Clinical Neuroscience 22, no. 2 (2022): 93–97, source; “Behavioral Indicators in Cybersecurity: A Comprehensive Guide,” SearchInform, source. The susceptibility one has to certain risks is described in many disciplines, but this report references the discussion on vulnerability in the 2016 RAND cybersecurity framework. Igor Mikolic-Torreira, et al., A Framework for Exploring Cybersecurity Policy Options (RAND Corporation, 2016), source.
  4. Martha Fineman, “The Vulnerable Subject: Anchoring Equality in the Human Condition,” Yale Journal of Law & Feminism 20, no. 1 (November 12, 2008): 1–23, source.
  5. Benjamin Remillard, “Access Alone Isn’t Enough,” in Designing for Care, ed. Jerod Quinn, Martha Burtis, and Surita Jhangiani (Pressbooks, 2022).
  6. National Telecommunications and Information Administration (NTIA), Falling Through the Net: Defining the Digital Divide (NTIA, July 1999), source.
  7. See “What Is the Digital Divide?,” Institute of Electrical and Electronics Engineers, source; “Closing the Digital Divide for the Millions of Americans Without Broadband Posted,” WatchBlog, General Accountability Office, February 1, 2023, source; Nicky Lauricella Coolberth, “The ‘Digital Divide’ Is About Access to Devices and the Internet—But It’s Also About Access to Skills,” National Skills Coalition, September 15, 2021, source.
  8. “Digital Literacy,” American Library Association, source.
  9. See Musaddag Elrayah and Saima Jamil, “Impact of Digital Literacy and Online Privacy Concerns on Cybersecurity Behaviour: The Moderating Role of Cybersecurity Awareness,” Cyber Criminology 17, no. 2 (November 8, 2023): 166–87, source.
  10. Steve Cisler, “Subtract the Digital Divide,” San Jose Mercury News, January 15, 2000, archived at source.
  11. Florencia Luna, “Elucidating the Concept of Vulnerability: Layers Not Labels,” Feminist Approaches to Bioethics 2, no. 1 (Spring 2009): 121–39, source.
