What would you pay for security?
It is often said that people don't place a high enough value on the security of their data, but new research suggests the situation is even worse than anyone expected.
Security researchers at Carnegie Mellon University undertook a study in which they constructed a harmless piece of executable code and mailed people asking them to download and run it. The aim was to see how many would do so, despite years of warnings about the dangers of running unknown and unsolicited code.
The objective of the study was to see how much they would have to offer people as payment before people would run the code. The recipients were not told that they were taking part in an academic study, and the code did nothing other than collect some system stats, run a timer, and periodically report back to the researchers that it was still running.
The results are worrying. 43% of people ran the code when they were offered as little as one dollar in payment. What is most shocking is that one dollar was the top amount offered, and it did not take even that much to get some people to run the code. 36% of people who were offered 50 cents ran it and, incredibly, 22% of those offered a derisory single cent still ran the code. Clearly, in line with basic economic principles, the more money you offer, the more people will be willing to put their data at risk, but even with incredibly small incentives, many computer users will happily ignore the security risks.
Some of the sample were shown a fake Windows alert box before running the program, warning that they were running software from an unknown publisher, but the researchers found this warning made no significant difference. Nor did they find any significant difference by age, gender, or even people's self-assessed degree of computing skills.
Another interesting fact to have emerged from this and similar studies is that people infected by botnet software often had more than one infection on their machines, and despite the impact it has on other users, most users seem reluctant to do anything about clearing infections unless their own machines become unusable.
This tallies with our own experience that people with machines emitting spam will do nothing about it no matter how often they are warned, because it doesn't hurt them personally, but as soon as they wind up on the blacklists and discover they can no longer send or receive email, it becomes the worst problem in the world.
24th June 2014
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.