Cognitive security is the interception between cognitive science and artificial intelligence techniques used to protect institutions against cyberattacks. much attention has been paid to proactive cybersecurity solutions, acceptable cybersecurity practices, and cybersecurity hygiene strategies for mitigating cyberattacks. In this context, the use of cognitive science techniques has grown significantly. In general, cognitive science is being used to understand the behavior of adversaries to minimize the impact of cyberattacks.
Cybersecurity attacks have been relevant since the appearance of the first computers. However, their evolution due to the level of techniques and tools has converted them into the world’s main risk. The World Economic Forum 
has classified cyberattack as one of the top ten worldwide risks. Its impact is considered more significant than a food crisis due to its scope in modern society and its probability of occurrence. Reactive solutions focus mainly on attack alleviation processes, while proactive solutions could predict possible cyberattacks and generate self-protection systems. This scenario has motivated companies and researchers in the cybersecurity field to look for alternatives for replacing reactive solutions with proactive ones. One approach used by specialized firms and researchers is to establish anomaly detection processes that discover possible attack patterns and identify attackers’ behaviors. In the last three years (2019–2021), several contributions to anomaly detection have been developed in different domains such as SCADA systems, smart grids, smart cities, critical infrastructures, and Cyber-Physical Systems (CPS) 
The anomaly detection process requires identifying features or components that differ from typical behaviors 
. In the initial phase of this anomaly detection process, modeling cybersecurity expert knowledge and cognitive processes are relevant for building better proactive solutions. However, the large volume of data generated by the different interconnected devices in the digital world makes the identification process more challenging to implement 
. Several alternatives have been defined for supporting analysts’ cognitive processes (i.e., augmented cognition) by using computational models that simulate the cognitive processes performed by cybersecurity experts. The identification of security risk patterns based on the analysts’ cognitive processes can be approached through the Observe–Orient–Decide–Act model (OODA) or the Monitor–Analyze–Plan–Execute model (MAPE-K) 
Researchers have proposed the automation and support of the cognitive processes defined in the OODA and MAPE-K models through different machine learning techniques 
. In the same research line, it
found that several works from 2019 to 2021 used convolution networks, K-means, or deep learning for detecting phishing, ransomware, and even attacks against smart grids 
Researchers have identified that the possible actions or strategies of adversaries can be studied using game theory models with incomplete information based on Stackelberg’s proposals 
. This approach could support identifying a possible future attack and the possible strategies used by the adversary. In this way, cybersecurity research’s central objective is to expand security analysts’ cognitive capacity through data analysis, machine learning techniques, and game theory in cybersecurity 
2. Adversarial and User Analysis
In cyberattack scenarios, a competitive advantage by the adversary could exist in the first instance. Table 1
shows the adversary has valuable information such as personal user information, type of operating system, and user applications. Additionally, the adversary has information about the types of security vulnerabilities that can be exploited. The adversary has been trained in several cybersecurity areas, such as ethical hacking, vulnerability analysis, and reverse engineering. In this context, a user has a clear disadvantage, and from the perspective of game theory, rw
are faced with a game scenario with incomplete information from the user’s side. The user does not know information related to the adversary, such as the type of cyberattack it could perform, which techniques will be used to execute the attack, and which kind of resources are available. Establishing an optimal defense/security attack strategy requires more information from a user perspective 
Table 1. Comparative of resources adversarial versus user.
||Office or Home Desktop
||No information related to the adversaries
||Tactics, Techniques, and Procedures (TTP)
|Perimetral security (Firewall, IPS, IDS)|
are used for modeling user response time. Simmons et al. 
propose the characterization of cyberattacks based on five major classifiers: attack vector, operational impact, attack target, defense, and informational impact. The adversary’s characterization is based on two aspects: Risk adverseness and Experience level. Venkatesan et al. 
propose that the modeling of the adversary behavior considers at least the following aspects:
|Security Event Management (SIEM)|
|No or low information related to adversaries.||Adversaries could use VPN or deep network to hide their information and maintain anonymity.
||Offensive approaches (hacking, vulnerability scans, deep network)
MITRE ATT&CK defines 245 techniques of attacks, distributed in 14 categories.
Lateral Movement Frameworks
Remote access trojans
|Data from Social networks (Facebook, Instagram, twitter)
Data from personal or enterprise blogs or web pages.
Data for deep network.
Alternatively, another drawback for the user is the stimulus that affects his/her decision criteria. For example, the COVID-19 pandemic has created a scenario where adversaries interact with web pages with drug procurement for the virus or access to free entertainment platforms 
. In this context, the response time window in which the user must decide between clicking or abstaining from clicking is critical. For gathering information related to the adversary, pattern recognition techniques are used 
. Meanwhile, decision-making models based on Bayesian networks 
and diffusion models
At this point, incorporating cognitive sciences can improve the development of proactive cybersecurity solutions.
3. Cognitive Sciences
Research on cognitive sciences applied to cybersecurity acknowledges the importance of the human factor in cybersecurity; this is particularly relevant with the challenges generated by the growth of technologies such as cloud, mobile, IoT, and social networks [20,21]
. Cognitive science could enhance the processes of perception, comprehension, and projection used by cybersecurity analysts to detect cyberattacks and establish future defense actions 
4. Cognitive Process
Currently, information is increasing fast, and the availability of processing data surpasses human capacities. According to 
, cognitive architectures and models have primarily been developed using Artificial Intelligence to serve as decision aids to human users. Analyzing the rational cognitive process can allow the design of the computational level of cognitive prediction. Cassenti et al. 
mention that by using technology based on adaptive aids, the user’s cognitive state can be obtained and difficulties detected at any stage of cognition. Additionally, Cassenti mentions that one missing element in technology models concerns the human learning process, providing feedback that allows technology to adapt to the user and accomplish goals. According to Cameron 
, cognitive strategies are mental processes developed by humans to regulate the thought processes inside the mind to achieve goals or solve problems (See, Figure 1
Figure 1. Relation between Information, Technology aids, and Cognitive Processes.
5. Cognitive Security
Cognitive security is the ability to generate cognition for efficient decision-making in real-time by modeling human thought processes to detect cybersecurity attacks and develop defense strategies. Specifically, it responds to the need to build situational awareness of cybersecurity related to the environment of technology systems and the insights about itself. In addition, cognitive security allows programmers to develop defense actions by analyzing structured or unstructured information using cognitive sciences approaches, for instance, by incorporating Artificial Intelligence techniques such as data mining, machine learning, natural language processing, human-computer interaction, data analytics, big data, stochastic processes, and game theory. These emulate the human thought process for generating continuous learning, decision making, and security analysis 
65. Prisma Methodology
The PRISMA methodology is divided into four stages: identification, screening, eligibility analysis, and inclusion 
. The identification stage includes the development of the following phases: study selection, inclusion and exclusion criteria, manual search, and duplicate removal. The screening stage consists of choosing papers according to relevant titles and abstracts. Next, the eligibility analysis stage includes the process of reading the full texts that accomplished the screening criteria. Finally, the inclusion stage consists of the relevant data extraction from full pape