It's All about the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice

We examine the cost for an attacker to pay users to execute arbitrary code--potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice--not to run untrusted executables--if there was a direct incentive, and how large this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.
