Monday, June 16, 2014

Internet users ignore security advice for 1-5 $ cents

After all the discussions we had in class about internet safety I found the following study by Carnegie Mellon University very surprising about the behavior of internet users and safety. The study included the following:

We examine the cost for an attacker to pay users to execute arbitrary
code—potentially malware. We asked users at home to download and run an exe-
cutable we wrote without being told what it did and without any way of knowing
it was harmless. Each week, we increased the payment amount. Our goal was to
examine whether users would ignore common security advice—not to run un-
trusted executables—if there was a direct incentive, and how much this incentive
would need to be. We observed that for payments as low as $0.01, 22% of the peo-
ple who viewed the task ultimately ran our executable. Once increased to $1.00,
this proportion increased to 43%. We show that as the price increased, more and
more users who understood the risks ultimately ran the code. We conclude that
users are generally unopposed to running programs of unknown provenance, so
long as their incentives exceed their inconvenience

Link:
https://www.andrew.cmu.edu/user/nicolasc/publications/CEVG-FC11.pdf 

Apparently internet users are much less afraid to install all kinds of malware on their computers for very low financial incentives than the average student in our class. This is something very important to keep in mind for coming discussions about internet safety. Discussions should now start about the willingness/ necessity to "protect internet users against themselves"

No comments: