Study: “Non-Techies” Can Thwart Common Attacks, Fall Prey to Shortened URLs & Fake Banners

by Steve.Kovsky on January 21, 2012

A recent study by an international team of researchers finds that highly technical approaches to protecting against cyberattacks and malware can’t succeed without also addressing “the human element” — in other words, teaching non-technical users to avoid common pitfalls and improve their ability to detect social engineering ploys.

The study, “Insights into User Behavior in Dealing with Internet Attacks,” was conducted by experts at Northeastern University in Boston, Bilkent University in Ankara, Turkey, and Institute Eurecom in Sophia Antipolis, France. After conducting experiments with 164 Internet users with diverse backgrounds, the team concluded that “many non-technical users can exhibit performance comparable to security experts” when it comes to averting relatively simple threats. However, more sophisticated exploits — or those that are easily concealed from non-experts or which come cloaked in social engineering ploys — are likely to trip up uninformed Internet users.

In their conclusions, the researchers wrote the following:

Our findings suggest that many non-technical users can exhibit performance comparable to security experts at averting relatively simple threats that they are frequently exposed to in everyday life. They can do so solely by following their intuition, without actually perceiving the severity of the threat. However, when facing more sophisticated attacks, these non-technical users often rely on misleading cues such as the “size” and “length” of artifacts (e.g., URLs), and hence, fail to protect themselves.

We also show that trick banners that are common in file sharing websites and shortened URLs have high success rates of deceiving non-technical users, thus posing a severe security risk.

For full details, download a copy (PDF) of the study.

2 comments

Karl February 9, 2012 at 12:28 am

Interesting research. But it is NorthEASTERN, not Northwestern.

Steve.Kovsky February 10, 2012 at 7:48 pm

Thanks, Karl! My apologies to the fine folks at NorthEASTERN! — Steve
