Study shows valid hacking victim blame
A recent research project may have taught some participants about the dangers of internet complacency, and it showed the level of ignorance about easy security measures.
A trio of university researchers in the US simulated hacking into study participants’ personal laptops.
They left a message from an “Algerian hacker” with a laughing skull and crossbones, a 10-second countdown timer and the words: “Say goodbye to your computer”.
The hack was not real, but the fact that all of the participants got the message by ignoring web security warnings was.
“A lot of them freaked out - you could hear them audibly make noises from our observation rooms,” said Anthony Vance, assistant professor of Information Systems at Brigham Young University.
“Several rushed in to say something bad had happened.”
The team found that while people say they care about keeping their computers secure, most behave otherwise - in this case, by ploughing through malware warnings without a second glance.
“We see these messages so much that we stop thinking about them,” Vance said.
“In a sense, we don’t even see them anymore, and so we often ignore them and proceed anyway.”
To complete the study, researchers first asked participants how they felt about online security.
Then, in a seemingly unrelated task, participants were told to use their own laptops to log on to a website to categorise pictures of Batman as animated or photographed.
Students were told their image classification project was being used to check the accuracy of a computer algorithm built to do the same task.
As they clicked through, warning signs would randomly pop up indicating malware issues with the site they were accessing.
If they ignored the message enough times, they were ‘hacked’.
“A lot of people don’t realize that they are the weakest link in their computer security,” said Kirwan, assistant professor of Psychology and Neuroscience at BYU.
“The operating systems we use have a lot of built-in security and the way for a hacker to get control of your computer is to get you to do something.”
In another fascinating dimension of the study, an additional experiment used EEG machines to measure brain responses to risk.
Results showed that people say they care about web security but behave as if they do not; they do, however, behave in line with what their brains say.
In other words, people’s brainwaves better predict how risky they are with online security.
Anderson, an associate professor of Information Systems, echoed the need to focus on one’s personal weaknesses as well as software flaws, quoting security expert Bruce Schneier: “Only amateurs attack machines; professionals target people.”