Determining the likelihood of a person's computer becoming infected to that person's characteristics, user behaviour and choice of computer security measures: This was the challenge taken up by Professor José M. Fernandez and his team when they conducted the first clinical study applied to computer security, a global first.
Installing computer security software, updating applications regularly and making sure not to open emails from unknown senders are just a few examples of ways to reduce the risk of infection by malicious software, or “malware”. However, even the most security-conscious users are open to attack through unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of poor user choices.
“The reality is that successful malware attacks depend on both technological and human factors,” says Professor José Fernandez. “Although there has been significant research on the technical aspects, there has been much less on human behaviour and how it affects malware and defence measures. As a result, no one at the present time can really say how important these factors are. For example, are users who are older and less computer-savvy more open to infection?” It is therefore necessary to take a closer look at the impact that both technological and human factors have on the success or failure of protective mechanisms.
Fanny Lalonde Lévesque and Prof. José M. Fernandez
To answer this type of question, Prof. Fernandez and his team drew inspiration from the clinical trial method to design the first-ever study applied to computer security. In a fashion similar to medical studies that evaluate the effectiveness of a particular treatment, their experiment was aimed at assessing the performance of anti-virus software and the likelihood that participants' computers would become infected with malware. The four-month study involved 50 subjects who agreed to use laptops that were instrumented to monitor possible infections and gather data on user behaviour. “Analyzing the data allowed us not only to identify which users were most at risk, based on their characteristics and behaviour, but also to measure the effectiveness of various protective measures,” says Polytechnique student Fanny Lalonde Lévesque, who is writing her master's thesis on this project.
This pilot study provided some very interesting results on the effectiveness of computer defences and the risk factors for infection. For example, 38% of the users' computers were exposed to malware and 20% were infected, despite the fact that they were all protected by the same anti-virus product, which was updated regularly. With regard to the users themselves, there did not seem to be any significant difference in exposure rates between men and women. In addition, the most technically sophisticated users turned out to be the group most at risk… This result may seem counter-intuitive, as it contradicts the opinion of some computer experts who argue that people should have a kind of “Internet license” before going online. “The results of this study provide some intriguing insights. Are these ‘expert' users at higher risk because of a false sense of security, or because they are naturally curious and therefore more risk-tolerant? Further research is needed to understand the causes of this phenomenon, so that we can better educate and raise awareness among users,” says Professor Fernandez. In the future, this type of study will help provide scientific data to support decision-making on security management, education, regulation and even computer security insurance. A second phase, which will involve hundreds of users over a period of several months, is already being prepared.
The initial results of this experiment were presented at the ACM Conference on Computer and Communications Security (CCS), which took place November in 2013 in Berlin, Germany.
This research was carried out with the financial support of the Natural Sciences and Engineering Research Council of Canada Internetworked Systems Security Network (NSERC ISSNet), Trend Micro and MITACS.