I can’t bribe my preschooler with a penny anymore, but, sadly, a consortium of Carnegie Mellon University, NIST and Penn State University found that 22% of respondents through Amazon’s Mechanical Turk were willing to run a dodgy unknown executable in return for a penny. Fifty-eight percent would do it for 50 cents, and 64 percent would do it for a dollar.
I’ve been telling people for 17 years not to take executable files from strangers. I know the percentage of people who will bend down to pick up a penny off the ground when they see one is less than 22%, so this saddens me. Perhaps the news isn’t quite all bad.
Ironically, the results also yielded some insight into users’ behavior that seems to be somewhat security conscious. Those running antivirus and fully patched machines, for example, were more willing to download the executable thinking the security software would protect their computers.
This tells me people see value in running antivirus software and installing security patches. But it also tells me they greatly overestimate the ability of those things to protect you against running random dodgy executable files, and perhaps that explains the success of certain botnets such as Zeus. People do the bare minimum, think doing the bare minimum makes them invincible, and are thus willing to run stuff that gets them infected.
I struggle sometimes to get people to do the minimum, but if there’s one thing I don’t like, it’s a false sense of security.
I find this quote worrying:
“Even though around 70 percent of all our survey participants understood that it was dangerous to run unknown programs downloaded from the Internet, all of them chose to do so once we paid them,” the researchers said.
Our information security awareness training doesn’t seem to be working very well.