It's All About The Benjamins: An Empirical Study On Incentivizing Users To Ignore Security Advice

Abstract

We examine the cost for an attacker to pay users to execute arbitrary code, potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice (not to run untrusted executables) if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00 this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

Document Details

Document Type
Technical Report
Publication Date
Feb 01, 2011
Accession Number
ADA542594

Entities

People

  • Jens Grossklags
  • Nicolas Christin
  • Serge Egelman
  • Timothy Vidas

Organizations

  • Carnegie Mellon University

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Anti-Virus Software
  • Commerce
  • Computer Network Security
  • Computer Programming
  • Computer Programs
  • Computer Science
  • Computer Security Software
  • Computers
  • Cybersecurity
  • Distributed Computing
  • Institutional Review Board
  • Malware
  • Motivation
  • Operating Systems
  • Security
  • Virtual Machines
  • Websites

Fields of Study

  • Computer science

Readers

  • Database Systems and Applications
  • Educational Psychology
  • Government Contracting/Procurement

Technology Areas

  • Cyber