Social Science Experiment • Jan-Willem Bullee
Background
• Effectiveness of authority on compliance
• We can get some of the answers from
  • Literature (Meta-analysis)
  • Attacker stories/interviews
• But the answers are inconclusive
  • Different context
  • Hard to measure human nature
  • Difficult to standardize behaviour
Cyber-crime Science
Principles of Persuasion
• Authority
  • More likely to listen to a police officer
• Conformity
  • Peer pressure
• Commitment
  • Say yes to something small first
• Reciprocity
  • Return the favour
• Liking
  • People like you and me
• Scarcity
  • Wanting the ungettable
Literature on Authority
• Classical Milgram Shock Experiment
• 66% full compliance
[Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4), 371–378.
Introduction: Key Experiment
• Get something from an employee
• Equal to password or PIN
• Intervention
• Impersonate
Experimental Setup
• Design
• Intervention
  • Written memo
  • Key-chain
  • Poster
Hypotheses
• H0: Intervention and Control comply equally
• H0: Authority and Control comply equally
• H0: Effect of Authority on compliance
Results
• 351 rooms targeted
  • N = 118 (33.6%) populated
• Demographics Targets
  • Female: 24 (20%), Male: 94 (80%)
  • M_age = 34, range (23-63) years
• Overall compliance distribution
  • 52.5%/47.5%
Results
• Intervention distribution
  • 60%/40%
• H0: Intervention and Control comply equally
  • χ²-test
  • Hypothesis rejected
Results
• Authority distribution
  • ≈50/50
• H0: Authority and Control comply equally
  • χ²-test
  • Hypothesis accepted
Results
• Effect of authority
  • Logistic Regression
  • Employees that did not get the intervention are 2.84 times more likely to give their key away
  • Authority: No effect
[Figure labels: Give Key, Intervention, Authority]
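Added example, not part of the original slides: how a χ²-test and an odds ratio such as the ones reported above are computed from a 2×2 table of group (control or intervention) against outcome (complied or refused). The counts are constructed and are not the study's data; the function name `analyse_2x2` is hypothetical. With a single yes/no predictor, logistic regression yields the same odds ratio as this cross-product.

```python
import math

def analyse_2x2(ctrl_yes, ctrl_no, intv_yes, intv_no):
    """Chi-square test (1 df) and odds ratio for a 2x2 compliance table.

    Rows: control group, intervention group. Columns: complied, refused.
    """
    a, b, c, d = ctrl_yes, ctrl_no, intv_yes, intv_no
    n = a + b + c + d
    margins = (a + b) * (c + d) * (a + c) * (b + d)
    if margins == 0:
        raise ValueError("an empty row or column: the test is undefined")

    # Pearson chi-square statistic, no continuity correction.
    chi2 = n * (a * d - b * c) ** 2 / margins
    # With 1 df, chi2 is a squared standard normal, so the upper-tail
    # probability is erfc(sqrt(chi2 / 2)).
    p_value = math.erfc(math.sqrt(chi2 / 2))

    # Odds of complying without the intervention relative to with it.
    # A zero cell makes the ratio 0 or infinite; the Haldane-Anscombe
    # correction (add 0.5 to every cell) keeps it finite.
    if 0 in (a, b, c, d):
        a, b, c, d = (x + 0.5 for x in (a, b, c, d))
    odds_ratio = (a * d) / (b * c)
    # Wald 95% confidence interval, computed on the log-odds scale.
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    log_or = math.log(odds_ratio)
    ci = (math.exp(log_or - 1.96 * se), math.exp(log_or + 1.96 * se))
    return {"chi2": chi2, "p": p_value, "odds_ratio": odds_ratio, "ci95": ci}

# Constructed counts (not the study's data): 50 control, 60 intervention.
SAMPLE = analyse_2x2(ctrl_yes=30, ctrl_no=20, intv_yes=20, intv_no=40)

if __name__ == "__main__":
    lo, hi = SAMPLE["ci95"]
    print(f"chi2 = {SAMPLE['chi2']:.2f}, p = {SAMPLE['p']:.4f}")
    print(f"odds ratio = {SAMPLE['odds_ratio']:.2f}, 95% CI {lo:.2f} to {hi:.2f}")
```

A confidence interval that excludes 1 agrees with rejecting H0 at the 5% level; an interval that contains 1 corresponds to the "no effect" outcome.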
Results
• Comments:
  • “Great test!” “Cool Experiment” “Interesting study”
  • “I had doubts” “Having a keychain is important”
  • “Suspicious looking box”
  • “Guy in suit looked LESS trustworthy”
  • “Asked for my ID”
  • “Trusted me since I looked friendly”
  • “I feel stupid”
  • “I didn’t want to give the key, but did it anyway”
Take Home Message
• Children, animals, people never react the way you want.
• Limited availability in July and August
• You are not important for others
  • …unless you want to break the system
• 1/3 of employees work on a Wednesday in September
• 2.84 times higher odds to get key if no intervention
Charging Mobile Phone
• What are the security considerations of the users of a public mobile phone charger?
  • What is the use rate of the device (per number of people at that location per hour)?
  • Why do people use (or not) the system?
  • How do the safety perceptions of the current users differ between the former users and the non-users?
• You are the researchers!
Crime Prevention
• CPTED Framework (Crime Prevention Through Environmental Design)
• Activity Support
  • Eyes on the street
  • Unfortunately: also provides opportunity
  • Overall crimes are reduced by increasing activity
[Coz05] Cozens, P. M., Saville, G., & Hillier, D. (2005). Crime prevention through environmental design (CPTED): a review and modern bibliography. Property Management, 23(5), 328-356.
Hypotheses
• H0: Cabinets in busy and quiet areas are equally used.
• H0: Cabinets with surveillance (e.g. service desk) and with no surveillance are equally used.
• H0: Cabinets in lunch hours (e.g. lunch) and lecture hours are equally used.
Our Design
• Researchers: You (Student)
• Target: Fellow Students and Employees
• Goal: Observe
  • Observe and interview people
• Interface: Face 2 Face
  • Count people and short questionnaire
Method: Our design
• 2 experimental conditions
  • Users of the system / non users of the system
• 6 locations
  • Experimental: Bastille, Hal-B, Horst and Spiegel
  • Control: ITC (city center), Ravelijn
Method: Our procedure
• Subjects from the experimental building
  • Teams of 1 researcher
  • One minute count: the people that pass by
  • Approach users of the system
• Subjects from the control building
  • Teams of 2 researchers
  • Interview people walking in the area
• More details on the course-site
What to do
• Before Tuesday 9 September
  • Register in the Doodle
• On 10, 17 (and 24) September
  • 09:30 - 09:50 Briefing at ZI4047
  • Travel to location
  • 10:30 - 12:45 Experiment
  • 12:45 - 13:30 Break and travel
  • 13:30 - 15:45 Experiment part 2
What to do
• We have permission to do this only at
  • UT: Bastille, Hal-B, Horst, Ravelijn, Spiegel and ITC
• Enter your data in SPSS
  • Directly after the attack
  • Come to me ZI4047
• Earn 0.5 (out of 10) bonus points
Ethical issues
• Informed consent not possible
• Zero risk for the subjects
• Approved by facility management
• Consistent with data protection (PII form)
• Approved by ethical committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/
Conclusion
• Designing research involves:
  • Decide what data are needed
  • Decide how to collect the data
  • Use validated techniques where possible
  • Experimental Design, pilot, evaluate and improve
  • Training, data gathering
Further Reading
[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895
[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295
[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in Nurse-Physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.