social science experiment

Post on 03-Jan-2016


Social Science Experiment

Jan-Willem Bullee

2 Cyber-crime Science

Background

Effectiveness of authority on compliance

We can get some of the answers from

» Literature (Meta-analysis)

» Attacker stories/interviews

But the answers are inconclusive

» Different context

» Hard to measure human nature

» Difficult to standardize behaviour.


Principles of Persuasion

Authority

» More likely to listen to a police officer

Conformity

» Peer pressure

Commitment

» Say yes to something small first

Reciprocity

» Return the favour

Liking

» People like you and me

Scarcity

» Wanting the ungettable


Literature on Authority

Classical Milgram Shock Experiment

» 66% full compliance

[Mil63] S. Milgram. Behavioral study of obedience. The Journal of Abnormal and Social Psychology, 67(4), 371–378.


Introduction Key Experiment

Get something from an employee

Equal to password or PIN

Intervention

Impersonate


Experimental Setup

Design

Intervention

» Written memo

» Key-chain

» Poster

R1 X O

R2   O


Hypotheses

H0: Intervention and Control comply equally

H0: Authority and Control comply equally

H0: Effect of Authority on compliance


Results

351 rooms targeted

» N=118 (33.6%) populated

Demographics Targets

» Female: 24 (20%) Male: 94 (80%)

» M_age = 34, range (23-63) years

Overall compliance distribution

» 52.5%/47.5%


Results

Intervention distribution

» 60%/40%

H0: Intervention and Control comply equally

» χ²-test

» Hypothesis rejected


Results

Authority distribution

» ≈50/50

H0: Authority and Control comply equally

» χ²-test

» Hypothesis accepted


Results

Effect of authority

» Logistic Regression

» Employees that did not get the intervention are 2.84 times more likely to give their key away

» Authority: No effect

[Diagram: Intervention, Authority, Give Key]
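The analysis named on these Results slides (a χ²-test per hypothesis and an odds ratio for the intervention effect), as an added example that is not part of the original slides. The counts are constructed for illustration and are not the study's data; with a single yes/no predictor, the odds ratio from logistic regression equals the 2×2 cross-product ratio computed here.

```python
import math

def chi2_2x2(a, b, c, d):
    """Pearson chi-square (no continuity correction) for the table
        [[a, b],   group 1: gave key, refused
         [c, d]]   group 2: gave key, refused
    Returns (statistic, p_value) for 1 degree of freedom."""
    n = a + b + c + d
    denom = (a + b) * (c + d) * (a + c) * (b + d)
    if denom == 0:
        raise ValueError("an empty row or column makes the test undefined")
    stat = n * (a * d - b * c) ** 2 / denom
    # With 1 df the chi-square survival function is erfc(sqrt(x / 2)).
    return stat, math.erfc(math.sqrt(stat / 2))

def odds_ratio(a, b, c, d, z=1.96):
    """Odds of giving the key in group 1 relative to group 2,
    with a Woolf (log-scale) 95% confidence interval."""
    if 0 in (a, b, c, d):
        raise ValueError("zero cell: the log-scale interval is undefined")
    ratio = (a * d) / (b * c)
    se = math.sqrt(1 / a + 1 / b + 1 / c + 1 / d)
    log_or = math.log(ratio)
    return ratio, math.exp(log_or - z * se), math.exp(log_or + z * se)

# Constructed counts (gave key, refused); NOT the experiment's data.
NO_INTERVENTION = (40, 20)
INTERVENTION = (25, 35)
AUTHORITY = (31, 29)
NO_AUTHORITY = (30, 30)

def analyse(group1, group2, alpha=0.05):
    """Test H0 'both groups comply equally' and report the effect size."""
    stat, p = chi2_2x2(*group1, *group2)
    ratio, lo, hi = odds_ratio(*group1, *group2)
    return {"chi2": stat, "p": p, "reject_h0": p < alpha,
            "or": ratio, "ci95": (lo, hi)}

if __name__ == "__main__":
    for label, g1, g2 in [
        ("no intervention vs intervention", NO_INTERVENTION, INTERVENTION),
        ("authority vs no authority", AUTHORITY, NO_AUTHORITY),
    ]:
        r = analyse(g1, g2)
        print(f"{label}: chi2={r['chi2']:.2f} p={r['p']:.4f} "
              f"OR={r['or']:.2f} CI95=({r['ci95'][0]:.2f}, {r['ci95'][1]:.2f}) "
              f"reject H0: {r['reject_h0']}")
```

An interval that excludes 1 agrees with a rejected H0; an interval that spans 1 corresponds to the "no effect" outcome.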


Results

Comments:

» “Great test!” “Cool Experiment” “Interesting study”

» “I had doubts” “Having a keychain is important”

» “Suspicious looking box”

» “Guy in suit looked LESS trustworthy”

» “Asked for my ID”

» “Trusted me since I looked friendly”

» “I feel stupid”

» “I didn’t want to give the key, but did it anyway”


Take Home Message

Children, animals, people never react the way you want.

Limited availability in July and August

You are not important for others

…unless you want to break the system

1/3 of employees work on a Wednesday in September

2.84 times higher odds to get key if no intervention


Charging Mobile Phone

What are the security considerations of the users of a public mobile phone charger?

» What is the use rate of the device (per number of people at that location per hour)?

» Why do people use (or not) the system?

» How do the safety perceptions of the current users differ between the former users and the non-users?

You are the researchers!


Crime Prevention

CPTED Framework (Crime Prevention Through Environmental Design)

Activity Support

» Eyes on the street

» Unfortunately: also provides opportunity

» Overall crimes are reduced by increasing activity

[Coz05] Cozens, P. M., Saville, G., & Hillier, D. (2005). Crime prevention through environmental design (CPTED): a review and modern bibliography. Property management, 23(5), 328-356.


Hypotheses

H0: Cabinets in busy and quiet areas are equally used.

H0: Cabinets with surveillance (e.g. service desk) and with no surveillance are equally used.

H0: Cabinets in lunch hours (e.g. lunch) and lecture hours are equally used.


Our Design

Researchers: You (Student)

Target: Fellow Students and Employees

Goal: Observe

» Observe and interview people

Interface: Face 2 Face

Count people and short questionnaire


Method : Our design

2 experimental conditions

» Users of the system / non users of the system

6 locations

» Experimental: Bastille, Hal-B, Horst and Spiegel

» Control: ITC (city center), Ravelijn


Method : Our procedure

Subjects from the experimental building

» Teams of 1 researcher

» One minute count: the people that pass-by

» Approach users of the system

Subjects from the control building

» Teams of 2 researchers

» Interview people walking in the area

More details on the course-site


What to do

Before Tuesday 9 September

» Register in the Doodle

On 10, 17 (and 24) September

» 09:30 - 09:50 Briefing at ZI4047

» Travel to location

» 10:30 - 12:45 Experiment

» 12:45 - 13:30 Break and travel

» 13:30 - 15:45 Experiment part 2


What to do

We have permission to do this only at

» UT: Bastille, Hal-B, Horst, Ravelijn, Spiegel and ITC

Enter your data in SPSS

» Directly after the attack

» Come to me ZI4047

Earn 0.5 (out of 10) bonus points


Ethical issues

Informed consent not possible

Zero risk for the subjects

Approved by facility management

Consistent with data protection (PII form)

Approved by ethical committee, see http://www.utwente.nl/ewi/en/research/ethics_protocol/


Conclusion

Designing research involves:

» Decide what data are needed

» Decide how to collect the data

» Use validated techniques where possible

» Experimental Design, pilot, evaluate and improve

» Training, data gathering


Further Reading

[Cia09] R. B. Cialdini. Influence: The Psychology of Persuasion. Harper Collins, 2009. http://www.harpercollins.com/browseinside/index.aspx?isbn13=9780061241895

[Gre96a] T. Greening. Ask and ye shall receive: a study in 'social engineering'. SIGSAC Rev., 14(2):8-14, Apr 1996. http://doi.acm.org/10.1145/228292.228295

[Hof66] C. Hofling, E. Brotzman, S. Dalrymple, N. Graves, and C. Pierce. An experimental study in Nurse-Physician relationships. J. of Nervous & Mental Disease, 143(2):171-180, Aug 1966.
