Researchers Terrify College Students, Prove Important Point About Internet Security

Sure, being an academic probably involves a fair bit of drudgery, from faculty meetings to sifting through miles-long spreadsheets of data. But there must also be plenty of upsides, from pursuing research you find interesting to, say, terrorizing undergrad study participants by having fake hacking notices appear on their laptops. That’s what a team from BYU did to better understand how people react to online security warnings. And guess what? Generally, they ignore them.

For the study, published in the Journal of the Association for Information Systems, the researchers asked a group of undergrads a bunch of questions to assess how seriously they rated the threat of internet security breaches, and also had them participate in a game that reveals levels of risk-seeking behavior while hooked up to an EEG machine that recorded their brain waves.

Then they sent the students into a room with their own laptops to play what they were told was a simple game. They’d log onto a website and be presented with a series of images of Batman, and for each one they’d have to indicate with a mouse click, as quickly as possible, whether it was a photo or an animated image of the Caped Crusader.

The real purpose of the task, though, was to see how the students responded to security warnings — “This is probably not the site you are looking for!” and so on — that began popping up. As with real security warnings, students could choose to either back out and not go to the site in question (which would earn them a penalty on the image-sorting task), or ignore the warning and “proceed anyway.”

Halfway through the task, participants were also presented with this scary screen:

After this jarring screen appeared, the students were able to finish the task. Once the researchers sorted through all the data they’d collected from both the pre-task evaluations and the image-sorting task itself, they discovered that up until the scary haxor screen, there was no correlation between how concerned people said they were about internet security and to what extent they ignored the warnings (the unwelcome visit from Guy Fawkes, not surprisingly, seemed to shock people into a state of heightened vigilance). There was, however, a correlation between brain-wave activity indicating risk averseness and people’s internet-security behavior — the more risk averse people were, the less likely they were to ignore the security warnings. In other words, a brain scan provided a more accurate prediction of how vigilant people would be when it came to online security than did simply asking them.

Perhaps most important, the undergrads were legitimately spooked. “A lot of them freaked out — you could hear them audibly make noises from our observation rooms,” said Anthony Vance, assistant professor of information systems, in the study’s press release. “Several rushed in to say something bad had happened.”

Science: making the internet a safer place and simultaneously entertaining its denizens with tales of freaked-out college students.
