The Internet is a lucrative medium for criminals targeting Internet users. Most common Internet attacks require some form of user interaction such as clicking on an exploit link. Hence, the problem at hand is not only a technical one, but it also has a strong human aspect. Although the security community has proposed many technical solutions to common attacks, the behavior of users when they face current threats, and the way they evaluate the security implications of their actions remain largely unexplored. In this paper we describe an online experiment platform we built for testing the behavior of users when they are confronted with prevalent, concrete attack scenarios such as reflected cross-site scripting, session fixation, and file sharing scams. We conducted experiments with 164 Internet users with diverse backgrounds. Our findings suggest that many non-technical users can exhibit performance comparable to security experts at averting relatively simple threats that they are frequently exposed to in everyday life. They can do so solely by following their intuition, without actually perceiving the severity of the threat. However, when facing more sophisticated attacks, these non-technical users often rely on misleading cues such as the "size" and "length" of artifacts (e.g., URLs), and hence, fail to protect themselves. We also show that trick banners that are common in file sharing websites and shortened URLs have high success rates of deceiving non-technical users, thus posing a severe security risk.
and is available at :
