Real-World Decision Making: Logging Into Secure vs. Insecure Websites

A novel Two-Alternative Forced Choice experiment was used to evaluate the effects of security indicators on participants’ decision making when identifying potentially risky websites. Participants recruited from Amazon’s Mechanical Turk were instructed to visit a series of secure and insecure websites and to decide, as quickly and as accurately as possible, whether or not it was safe to log in. Hierarchical linear regression models were used to identify the importance of the presence of security indicators, security domain knowledge, and familiarity with the presented websites for correctly differentiating between secure and insecure websites. An analysis of participants’ mouse trajectories was used to assess how websites were searched before a decision was made. The likelihood of logging in was modulated by security domain knowledge and familiarity with websites. The mouse tracking data revealed that spoofed websites with security indicators resulted in less search on the website, especially when the browser chrome indicated extended validation. Taken together, these results suggest that participants are aware of security indicators, but their responses are modulated by multiple factors.
