It’s All about the Benjamins: An Empirical Study on Incentivizing Users to Ignore Security Advice

  • Nicolas Christin
  • Serge Egelman
  • Timothy Vidas
  • Jens Grossklags
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7035)


We examine the cost for an attacker to pay users to execute arbitrary code—potentially malware. We asked users at home to download and run an executable we wrote without being told what it did and without any way of knowing it was harmless. Each week, we increased the payment amount. Our goal was to examine whether users would ignore common security advice—not to run untrusted executables—if there was a direct incentive, and how much this incentive would need to be. We observed that for payments as low as $0.01, 22% of the people who viewed the task ultimately ran our executable. Once increased to $1.00, this proportion increased to 43%. We show that as the price increased, more and more users who understood the risks ultimately ran the code. We conclude that users are generally unopposed to running programs of unknown provenance, so long as their incentives exceed their inconvenience.


Behavioral Economics Online Crime Human Experiments 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
  2. 2.
  3. 3.
  4. 4.
    Acohido, B.: Are there 6.8 million – or 24 million – botted PCs on the Internet? (Last accessed September 16, 2010)
  5. 5.
    Acquisti, A., Grossklags, J.: Privacy and rationality in individual decision making. IEEE Security & Privacy 3(1), 26–33 (2005)CrossRefGoogle Scholar
  6. 6.
    Baker, W., Hutton, A., Hylender, C., Novak, C., Porter, C., Sartin, B., Tippett, P., Valentine, J.: Data breach investigations report. In: Verizon Business Security Solutions (April 2009)Google Scholar
  7. 7.
    Christin, N., Yanagihara, S., Kamataki, K.: Dissecting one click frauds. In: Proceedings of the Conference on Computer and Communications Security (CCS), Chicago, IL, pp. 15–26 (October 2010)Google Scholar
  8. 8.
    Franklin, J., Paxson, V., Perrig, A., Savage, S.: An inquiry into the nature and causes of the wealth of internet miscreants. In: Proceedings of ACM Conference on Computer and Communications Security (CCS), Alexandria, VA, pp. 375–388 (October 2007)Google Scholar
  9. 9.
    Gaechter, S., Fehr, E.: Fairness in the labour market - A survey of experimental results. In: Bolle, F., Lehmann-Waffenschmidt, M. (eds.) Surveys in Experimental Economics, Bargaining, Cooperation and Election Stock Markets. Physica Verlag (2001)Google Scholar
  10. 10.
    Good, N., Dhamija, R., Grossklags, J., Aronovitz, S., Thaw, D., Mulligan, D., Konstan, J.: Stopping spyware at the gate: A user study of privacy, notice and spyware. In: Proceedings of the Symposium on Usable Privacy and Security (SOUPS 2005), Pittsburgh, PA, pp. 43–52 (July 2005)Google Scholar
  11. 11.
    Grossklags, J., Acquisti, A.: When 25 cents is too much: An experiment on willingness-to-sell and willingness-to-protect personal information. In: Proceedings (online) of the Sixth Workshop on Economics of Information Security (WEIS), Pittsburgh, PA (2007)Google Scholar
  12. 12.
    Grossklags, J., Christin, N., Chuang, J.: Secure or insure? A game-theoretic analysis of information security games. In: Proceedings of the 2008 World Wide Web Conference (WWW 2008), Beijing, China, pp. 209–218 (April 2008)Google Scholar
  13. 13.
    Herley, C.: So long, and no thanks for the externalities: The rational rejection of security advice by users. In: Proceedings of the New Security Paradigms Workshop (NSPW), Oxford, UK, pp. 133–144 (September 2009)Google Scholar
  14. 14.
    Herley, C., Florêncio, D.: Nobody sells gold for the price of silver: Dishonesty, uncertainty and the underground economy. In: Proceedings (online) of the Eighth Workshop on Economics of Information Security (WEIS) (June 2009)Google Scholar
  15. 15.
    Horton, J., Rand, D., Zeckhauser, R.: The online laboratory: Conducting experiments in a real labor market. Harvard Kennedy School and NBER working paper (May 2010)Google Scholar
  16. 16.
    Jakobsson, M.: Experimenting on Mechanical Turk: 5 How Tos (July 2009),
  17. 17.
    Kahneman, D., Tversky, A.: Choices, values and frames. Cambridge University Press, Cambridge (2000)zbMATHGoogle Scholar
  18. 18.
    Kanich, C., Kreibich, C., Levchenko, K., Enright, B., Voelker, G., Paxson, V., Savage, S.: Spamalytics: An empirical analysis of spam marketing conversion. In: Proceedings of the Conference on Computer and Communications Security (CCS), Alexandria, VA, pp. 3–14 (October 2008)Google Scholar
  19. 19.
    Kittur, A., Chi, E., Suh, B.: Crowdsourcing User Studies with Mechanical Turk. In: Proceedings of the ACM Conference on Human Factors in Computing Systems (CHI 2008), Florence, Italy, pp. 453–456 (2008)Google Scholar
  20. 20.
    Kucera, K., Plaisent, M., Bernard, P., Maguiraga, L.: An empirical investigation of the prevalence of spyware in internet shareware and freeware distributions. Journal of Enterprise Information Management 18(6), 697–708 (2005)CrossRefGoogle Scholar
  21. 21.
    Matwyshyn, A.: Penetrating the zombie collective: Spam as an international security issue. SCRIPT-ed 4 (2006)Google Scholar
  22. 22.
    Moore, T., Clayton, R., Anderson, R.: The economics of online crime. Journal of Economic Perspectives 23(3), 3–20 (2009)CrossRefGoogle Scholar
  23. 23.
    Moore, T., Edelman, B.: Measuring the Perpetrators and Funders of Typosquatting. In: Sion, R. (ed.) FC 2010. LNCS, vol. 6052, pp. 175–191. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  24. 24.
    Namestnikov, Y.: The economics of botnets. In: Analysis on Viruslist. com, Kapersky Lab (2009)Google Scholar
  25. 25.
    Peltzman, S.: The effects of automobile safety regulation. Journal of Political Economy 83(4), 677–726 (1975)CrossRefGoogle Scholar
  26. 26.
    Reeder, R., Arshad, F.: SOUPS 2005. IEEE Security & Privacy 3(5), 47–50 (2005)CrossRefGoogle Scholar
  27. 27.
    Ross, J., Zaldivar, A., Irani, L., Tomlinson, B.: Who are the Turkers? Worker Demographics in Amazon Mechanical Turk. Technical Report SocialCode-2009-01, University of California, Irvine (2009)Google Scholar
  28. 28.
    Rutkowska, J.: Red pill.. or how to detect VMM using (almost) one CPU instruction (November 2004),
  29. 29.
    Saroiu, S., Gribble, S., Levy, H.: Measurement and analysis of spyware in a university environment. In: Proceedings of the 1st USENIX Symposium on Networked Systems Design & Implementation (NSDI 2004), San Francisco, CA, pp. 141–153 (2004)Google Scholar
  30. 30.
    Stone-Gross, B., Cova, M., Cavallaro, L., Gilbert, B., Szydlowski, M., Kemmerer, R., Kruegel, C., Vigna, G.: Your botnet is my botnet: Analysis of a botnet takeover. In: Proceedings of the Conference on Computer and Communications Security (CCS), Chicago, IL, pp. 635–647 (October 2009)Google Scholar
  31. 31.
    Symantec Corp. Symantec global internet security threat report trends for 2009 (April 2010)Google Scholar
  32. 32.
    Thomas, R., Martin, J.: The underground economy: Priceless. Login 31(6), 7–16 (2006)Google Scholar
  33. 33.
    United Nations Statistics Division. Composition of macro geographical (continental) regions, geographical sub-regions, and selected economic and other groupings (April 2010),
  34. 34.
    Wilson, C.: Botnets, cybercrime, and cyberterrorism: Vulnerabilities and policy issues for congress. In: Library of Congress Washington DC Congressional Research Service (January 2008)Google Scholar
  35. 35.
    Zeltser, L.: So long script kiddies. Information Security Magazine (2007)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Nicolas Christin
    • 1
  • Serge Egelman
    • 2
  • Timothy Vidas
    • 3
  • Jens Grossklags
    • 4
  1. 1.INI/CyLabCarnegie Mellon UniversityUSA
  2. 2.National Institute of Standards and TechnologyUSA
  3. 3.ECE/CyLabCarnegie Mellon UniversityUSA
  4. 4.ISTPennsylvania State UniversityUSA

Personalised recommendations