Do tech-savvy readers practice what they preach?

While at the Virus Bulletin conference in Dallas last week, Sabina Raluca Datcu and Ioana Jelea of BitDefender gave a presentation entitled “Practise what you preach: a study on tech-savvy readers’ immunity to social engineering techiques.”

In this talk, presenters spoke about a study they conducted – do tech savvy people actually have better security habits than regular ham-and-eggers? The idea is that many people believe “Oh, I would never be a victim because I know all about scams.” But is it accurate?

It’s true that security awareness has increased today, but scammers can still exploit human nature. Having antimalware installed does not prevent sophisticated attackers because the art scamming is a combination of skill and creativity.

To measure this, BitDefender did a survey of 643 tech savvy users defined as people who regularly read and comment on technical articles on the Internet. These are not security professionals but rather people who are tech aware. For example, I regularly read up on stocks and finance and therefore I am stock market aware, but I am not a financial professional.

Anyhow, BitDefender’s study was effectively a collection of qualitative analysis – it’s less about numbers and more about interpretation of data collected. What they found was this – Personal norms help the user (victim) to decide what course of action to take. To put it another way, the way you are in real life is how you behave online.

  • For example, there are people that understand the risks of sharing passwords. You might be setting up a test account somewhere and your co-worker needs access to it. They send you an email saying “Hey, what’s the username and password to that test account?”

What do you do?

Do you say “Ah, it’s probably fine” and then hit reply and send the login information? Many people do. You see the risks but disregard them.

  • Furthermore, many people disbelieve the risks. For example, one respondent in the survey claimed that they have no antivirus on their Mac because it isn’t needed. Mac users never get infected. You don’t have to go very far to see that this belief is rampant among Mac users. It’s usually stated in one form or another:
  • Mac users don’t get viruses.
  • Macs are more secure than PC’s.
  • PC users keep saying that Macs will eventually suffer the same fate as PC’s but it never happens.

And so forth. These statements have some degree of truth to them but the people who say them are taking them to mean more than they should. That is, there is some truth the claim that Macs get fewer malware infections but the risk is not negligible. Not in 2012.

  • BitDefender also found the the more narcissistic the user, the more likely they were to share personal information. If the user was well admired, they would enthusiastically disclose information. This is also unsurprising, people like to talk about themselves. We’ve known this since Dale Carnegie. Social engineers can use this against people.

  • Finally, the lower the level of perceived risk, the more likely users are to break security rules. In our example above of sharing passwords, you might decide to share a username and password combination because you think the odds that someone will intercept that mail and use it for nefarious purposes are small. You might not bother to change your router password because the odds of that are small.

    And so forth.

BitDefender concluded by saying that distance between what people say they would do, and what they would actually do, depends on numerous elements. They combine to affect people’s gullibility factor.

They stated in the Q&A section that more study is needed – larger sample sizes, more in-depth analysis, but I thought that this was a good start.

And that’s what I learned at VB about whether or not tech-savvy users practice what they preach.