Real-World Decision Making: Logging Into Secure vs. Insecure Websites

A novel Two-Alternative Forced Choice experiment was used to evaluate the effects of security indicators on participants’ decision making when identifying potentially risky websites. Participants recruited from Amazons Mechanical Turk were instructed to visit a series of secure and insecure websites, and decide as quickly and as accurately as possible whether or not it was safe to login. Hierarchical linear regression models were used to identify the importance of the presence of security indicators, security domain knowledge, and familiarity with the presented websites to correctly differentiate between secure and insecure websites. An analysis of participants’ mouse trajectories was used to assess how websites were searched before a decision was made. The likelihood to login was modulated by security domain knowledge and familiarity with websites. The mouse tracking data revealed that spoofed websites with security indicators resulted in less search on the website, especially when the browser chrome indicated extended validation. Taken together, these results suggest that participants are aware of security indicators, but their responses are modulated by multiple factors.