A research project its leaders call the first “clinical” study of computer network security has concluded that technically sophisticated end-users are more likely to suffer security problems than those who are less technically sophisticated. More importantly, it concluded that the greatest risk comes not from level of knowledge, but from the willingness to visit any of nine categories of high-risk web site, the number of sites visited, and the number of applications a particular end user installs.
The counter-intuitive result contradicts the assumptions of many IT and security professionals, who argue that most security issues arise from users who choose simplistic passwords or make other choices that leave them vulnerable because of their own ignorance about which sites to visit or which security rules to disregard, according to researchers at Montreal Polytechnique University.
A raft of earlier studies pinned much of the blame for security problems on the behavior of end-users who choose overly simplistic passwords, take secure documents out of secure systems to share with colleagues, connect to insecure systems without taking extra security precautions, and commit other failures.
A few have found that even datacenter and security specialists are often surprisingly ignorant of the source of security problems plaguing their own companies, or their role in creating security flaws.
Few studies have connected specific behaviors with resultant breaches of security, however, according to Jose Fernandez, assistant professor of computer engineering who led the research team that conducted a four-month study of end-user behavior using, essentially, keyloggers.
The study involved 50 users who agreed to use laptops set up to monitor their behavior, the sites they visited, security procedures they followed, and any malware infections or other security breaches.
The data showed that 38 percent of the laptops were exposed to malware and 20 percent were infected, even though all the machines had been prepared with identical security measures, and updated on identical schedules.
“Analyzing the data allowed us not only to identify which users were most at risk, based on their characteristics and behavior, but also to measure the effectiveness of various protective measures,” according to Fanny Lalonde Lévesque, the graduate student basing her master’s thesis on the study.
Statistical analysis of the characteristics of each user and each malware infection showed no link between increased risk and gender, age, or employment status. The type of browser also had nothing to do with how likely a user was to be infected.
Users with higher levels of expertise were infected more often than the others.
Level of expertise was not, in itself, a risk factor. The three things that did seem to cause more malware infections were the total number of applications a user installed, total number of web sites they visited, and type of sites they visited.
The more applications users installed, and the more sites they visited, the more often they were infected, according to the paper, which was published in the Proceedings of the 2013 ACM Conference on Computer and Communications Security in Dec. 2013.
Installing more apps and visiting more web sites increases the chances of exposure through simple volume, Lévesque said. The third risk factor – the type of web site visited – showed the highest chance of infection came from visiting sites in nine specific categories: streaming media/MP3, infrastructure sites, software download, sports, computers/Internet, gambling, pornography, illegal/questionable [porn, gambling, etc.], and translators or cached sites.
The results are promising and incriminating, but not definitive, partly because of the small size of the initial sample, Fernandez said in a statement announcing the study.
A second phase will expand the scope to track hundreds of users over the course of months.