A group of researchers have discovered a depressing fact: some computer users will download and run an executable that they can’t be sure isn’t malicious for as little as one cent, and over 40 percent of them will do the same when offered the chance to earn a dollar.
The researchers have conducted the experiment via Amazon’s Mechanical Turk, and they asked users to download and run a program named “Distributed Computing Client” for one hour in exchange for a payment.
The polled users didn’t know what the software actually did, but they were led to believe that they would be participating in a research study on the fictitious “CMU Distributed Computing Project.”
“We reposted the task to Mechanical Turk every week for five weeks,” they explained. “We increased the price each subsequent week to examine how our results changed based on the offering price. Thus, the first week we paid participants $0.01, the second week $0.05, the third week $0.10, the fourth week $0.50, and the fifth week $1.00.” Participants were told that they could not participate more than once.
The application in question was designed to report anonymous statistics: whether participants were executing the application in the experimental (UAC) or the control condition, the OS version they used (and whether it was up to date), and the process list (to see whether they were running AV software or using a virtual machine to run the app). After the experiment ended, participants were also asked to answer a few questions.
What they discovered is that:
- The proportion of participants who executed the program significantly increased with price
- The participants weren’t put off from downloading and running the program by Windows’ User Account Control warnings
- At least 1.8 percent of the 965 total participants took the precaution of using a VM to execute the code
- At least 16.4 percent had a malware infection, and 79.4 percent had security software running and, curiously enough, participants with security software were more likely to also have malware infections.
“Even though around 70% of all our survey participants understood that it was dangerous to run unknown programs downloaded from the Internet, all of them chose to do so once we paid them,” the researchers pointed out.
“This study serves as a clarion call to security researchers and practitioners: security guidance should not only create incentives for compliance with advice and policies, but also explicitly include mechanisms to support users who are prone to trade away security cheaply.”
More details about this fascinating study can be found here.