The document discusses using Amazon Mechanical Turk (MTurk) for security and privacy research. It describes some examples of previous studies that used MTurk, such as analyzing phishing susceptibility and malware installation rates. The document also notes some challenges of using MTurk, such as ensuring incentive alignment, validity of results given participant demographics and habits, and potential ethical issues.

1. Alan Nochenson
IST 501
10/9/2012

2.  Launched in 2005
 Allows requestors to post Human Interface
Tasks (HITs) which are completed by people
for a small prices

4.  Security: “The state of being free from
danger or threat.”
 Privacy: “The state or condition of being free
from being observed or disturbed by other
people.”
 Behavioral economics: concerned with
decision-making and rationality

5.  E.g. Grossklags UPSEC ‘08
 Recruited participants in from a university into a
lab study
 Had them play an economic game (weakest link)
in a security context
 Compared actual behavior to predicted behavior
and found a number of differences
 Small scale, time-consuming to organize

6.  Online surveys and simple task-based surveys
 Facebook privacy desired settings (Liu et al.)
 Targeted ad taglines (Leon et al.)
 Comparing privacy policy designs (Kelley et al.)

7.  More involved uses
 Phishing susceptibility (Sheng et al.)
 Malware installations (Christin et al., Kanich et al.)

8.  Study by Christin et al. aimed to see how
much you need to pay people to install an
unknown application

9.  70% of participants that ran the program
realized the danger

10.  Follow up by Kanich et al.
 Investigated what vulnerabilities were active on
computers of people that downloaded the
program
 Found that it costs about $50 to infect 1000 hosts
(taking into account payment and vulnerability
rates)

11.  Incentives (payment)
 Validity
 Demographics
 Habitual participants
 Online effects (Horton et al., Paolacci et al.)
 Attrition
 Cheating
 Ethics/legality