Team for Research in
Ubiquitous Secure Technology

It's All About the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice
Nicolas Christin, Serge Egelman, Timothy Vidas, Jens Grossklags

Citation
Nicolas Christin, Serge Egelman, Timothy Vidas, Jens Grossklags. "It's All About the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice". Proceedings Financial Crypto 2011, February, 2011.

Abstract
We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice—not to run untrusted executables—if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.

Electronic downloads


Internal. This publication has been marked by the author for TRUST-only distribution, so electronic downloads are not available without logging in.
Citation formats  
  • HTML
    Nicolas Christin, Serge Egelman, Timothy Vidas, Jens
    Grossklags. <a
    href="http://www.truststc.org/pubs/785.html"
    >It's All About the Benjamins: An Empirical Study on
    Incentivizing Users to Ignore Security Advice</a>,
    Proceedings Financial Crypto 2011, February, 2011.
  • Plain text
    Nicolas Christin, Serge Egelman, Timothy Vidas, Jens
    Grossklags. "It's All About the Benjamins: An Empirical
    Study on Incentivizing Users to Ignore Security
    Advice". Proceedings Financial Crypto 2011, February,
    2011.
  • BibTeX
    @inproceedings{ChristinEgelmanVidasGrossklags11_ItsAllAboutBenjaminsEmpiricalStudyOnIncentivizingUsers,
        author = {Nicolas Christin and Serge Egelman and Timothy
                  Vidas and Jens Grossklags},
        title = {It's All About the Benjamins: An Empirical Study
                  on Incentivizing Users to Ignore Security Advice},
        booktitle = {Proceedings Financial Crypto 2011},
        month = {February},
        year = {2011},
        abstract = {We examine the cost for an attacker to pay users
                  to execute arbitrary code—potentially malware. We
                  asked users at home to download and run an
                  executable we wrote without being told what it did
                  and without any way of knowing it was harmless.
                  Each week, we increased the payment amount. Our
                  goal was to examine whether users would ignore
                  common security advice—not to run untrusted
                  executables—if there was a direct incentive, and
                  how much this incentive would need to be. We
                  observed that for payments as low as $0.01, 22% of
                  the people who viewed the task ultimately ran our
                  executable. Once increased to $1.00, this
                  proportion increased to 43%. We show that as the
                  price increased, more and more users who
                  understood the risks ultimately ran the code. We
                  conclude that users are generally unopposed to
                  running programs of unknown provenance, so long as
                  their incentives exceed their inconvenience.},
        URL = {http://www.truststc.org/pubs/785.html}
    }
    

Posted by Nicolas Christin on 1 Oct 2011.

Notice: This material is presented to ensure timely dissemination of scholarly and technical work. Copyright and all rights therein are retained by authors or by other copyright holders. All persons copying this information are expected to adhere to the terms and constraints invoked by each author's copyright.