Attention and past behavior, not security knowledge, modulate users’ decisions to login to insecure websites
Abstract
Purpose
Modern browsers are designed to inform users as to whether it is secure to log in to a website, but most users are not aware of this information, and even those who are aware sometimes ignore it. This study aims to assess users’ knowledge of security warnings communicated via browser indicators and the likelihood that their online decision-making adheres to this knowledge.
Design/methodology/approach
Participants from Amazon’s Mechanical Turk visited a series of secure and insecure websites and decided as quickly and as accurately as possible whether it was safe to log in. An online survey was then used to assess their knowledge of information security.
Findings
Knowledge of information security was not necessarily a good predictor of decisions regarding whether to sign in to a website. Moreover, these decisions were modulated by attention to security indicators, familiarity of the website and psychosocial stress induced by bonus payments determined by response times and accuracy.
Practical implications
Even individuals with security knowledge are unable to draw the necessary conclusions about digital risks when browsing the web. Users are being educated through daily use to ignore recommended security indicators.
Originality/value
This study represents a new way to entice participants into risky behavior by monetizing both speed and accuracy. This approach could be broadly useful as a way to study risky environments without placing participants at risk.
Acknowledgements
This research was sponsored by the Army Research Laboratory and was accomplished under cooperative agreement number W911NF-13-2-0045 (ARL Cyber Security CRA). The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Army Research Laboratory or the US Government. The US Government is authorized to reproduce and distribute reprints for government purposes notwithstanding any copyright notation here on. Additional funding was provided by the NSWC Crane. The authors would also like to acknowledge the following people for their assistance: L. Jean Camp, Prashanth Rajivan, Rachel Huss and Tom Denning.
Citation
Kelley, T. and Bertenthal, B.I. (2016), "Attention and past behavior, not security knowledge, modulate users’ decisions to login to insecure websites", Information and Computer Security, Vol. 24 No. 2, pp. 164-176. https://doi.org/10.1108/ICS-01-2016-0002
Publisher
Emerald Group Publishing Limited
Copyright © 2016, Emerald Group Publishing Limited