Can social influence be exploited to compromise security: An online experimental evaluation

TL;DR

This study experimentally demonstrates that social influence on social media can be exploited to manipulate users into making less secure choices, highlighting the importance of how social signals are presented.

Contribution

It provides empirical evidence that peer influence can be used maliciously to steer users towards suboptimal security decisions, depending on the manner of social signal presentation.

Findings

Social influence can significantly alter security technology choices.

The way social signals are presented affects their persuasive power.

Users can be manipulated into choosing less efficient security options.

Abstract

Social media has enabled users and organizations to obtain information about technology usage like software usage and even security feature usage. However, on the dark side it has also allowed an adversary to potentially exploit the users in a manner to either obtain information from them or influence them towards decisions that might have malicious settings or intents. While there have been substantial efforts into understanding how social influence affects one's likelihood to adopt a security technology, especially its correlation with the number of friends adopting the same technology, in this study we investigate whether peer influence can dictate what users decide over and above their own knowledge. To this end, we manipulate social signal exposure in an online controlled experiment with human participants to investigate whether social influence can be harnessed in a negative way to steer users towards harmful security choices. We analyze this through a controlled game where each participant selects one option when presented with six security technologies with differing utilities, with one choice having the most utility. Over multiple rounds of the game, we observe that social influence as a tool can be quite powerful in manipulating a user's decision towards adoption of security technologies that are less efficient. However, what stands out more in the process is that the manner in which a user receives social signals from its peers decides the extent to which social influence can be successful in changing a user's behavior.