Attention and past behavior, not security knowledge, modulate users’ decisions to login to insecure websites

Abstract

Purpose Modern browsers are designed to inform users as to whether it is secure to login to a website, but most users are not aware of this information and even those who are sometimes ignore it. This study aims to assess users’ knowledge of security warnings communicated via browser indicators and the likelihood that their online decision-making adheres to this knowledge. Design/methodology/approach Participants from Amazon’s Mechanical Turk visited a series of secure and insecure websites and decided as quickly and as accurately as possible whether it was safe to login. An online survey was then used to assess their knowledge of information security. Findings Knowledge of information security was not necessarily a good predictor of decisions regarding whether to sign-in to a website. Moreover, these decisions were modulated by attention to security indicators, familiarity of the website and psychosocial stress induced by bonus payments determined by response times and accuracy. Practical implications Even individuals with security knowledge are unable to draw the necessary conclusions about digital risks when browsing the web. Users are being educated through daily use to ignore recommended security indicators. Originality/value This study represents a new way to entice participants into risky behavior by monetizing both speed and accuracy. This approach could be broadly useful as a way to study risky environments without placing participants at risk.