http://www.eurekalert.org/pub_releases/2013-12/pm-fcs121613.php
Contact: Annie Touchette
annie.touchette/at/polymtl.ca
514-231-8133
Polytechnique Montréal
Montreal, December 16, 2013 - Installing computer security software,
updating applications regularly and making sure not to open emails from
unknown senders are just a few examples of ways to reduce the risk of
infection by malicious software, or "malware". However, even the most
security-conscious users are open to attack through unknown
vulnerabilities, and even the best security mechanisms can be circumvented
as a result of poor user choices.
"The reality is that successful malware attacks depend on both
technological and human factors," says Professor José Fernandez. "Although
there has been significant research on the technical aspects, there has
been much less on human behaviour and how it affects malware and defence
measures. As a result, no one at the present time can really say how
important these factors are. For example, are users who are older and less
computer-savvy more open to infection?" It is therefore necessary to take
a closer look at the impact that both technological and human factors have
on the success or failure of protective mechanisms.
To answer this type of question, Prof. Fernandez and his team drew
inspiration from the clinical trial method to design the first-ever study
applied to computer security. In a fashion similar to medical studies that
evaluate the effectiveness of a particular treatment, their experiment was
aimed at assessing the performance of anti-virus software and the
likelihood that participants' computers would become infected with
malware. The four-month study involved 50 subjects who agreed to use
laptops that were instrumented to monitor possible infections and gather
data on user behaviour. "Analyzing the data allowed us not only to
identify which users were most at risk, based on their characteristics and
behaviour, but also to measure the effectiveness of various protective
measures," says Polytechnique student Fanny Lalonde Lévesque, who is
writing her master's thesis on this project.
This pilot study provided some very interesting results on the
effectiveness of computer defences and the risk factors for infection. For
example, 38% of the users' computers were exposed to malware and 20% were
infected, despite the fact that they were all protected by the same
anti-virus product, which was updated regularly. With regard to the users
themselves, there did not seem to be any significant difference in
exposure rates between men and women. In addition, the most technically
sophisticated users turned out to be the group most at risk… This result
may seem counter-intuitive, as it contradicts the opinion of some computer
experts who argue that people should have a kind of "Internet license"
before going online. "The results of this study provide some intriguing
insights. Are these 'expert' users at higher risk because of a false sense
of security, or because they are naturally curious and therefore more
risk-tolerant? Further research is needed to understand the causes of this
phenomenon, so that we can better educate and raise awareness among
users," says Professor Fernandez. In the future, this type of study will
help provide scientific data to support decision-making on security
management, education, regulation and even computer security insurance. A
second phase, which will involve hundreds of users over a period of
several months, is already being prepared.
The initial results of this experiment were presented at the ACM
Conference on Computer and Communications Security (CCS), which took place
in November 2013 in Berlin, Germany.
This research was carried out with the financial support of the
Natural Sciences and Engineering Research Council of Canada Internetworked
Systems Security Network (NSERC ISSNet), Trend Micro and MITACS.