Abstract
We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice—not to run untrusted executables—if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.
Copyright information
© 2012 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Christin, N., Egelman, S., Vidas, T., Grossklags, J. (2012). It’s All about the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice. In: Danezis, G. (eds) Financial Cryptography and Data Security. FC 2011. Lecture Notes in Computer Science, vol 7035. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-27576-0_2
DOI: https://doi.org/10.1007/978-3-642-27576-0_2
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-27575-3
Online ISBN: 978-3-642-27576-0
eBook Packages: Computer Science (R0)