You’re better at spotting malware than you think, new study suggests


When it comes to cybersecurity, humans are often seen as the weakest link, but new research suggests that with a little help, people can do a surprisingly effective job at identifying malware.

In a first-of-its-kind study, researchers from the University of Waterloo’s Cheriton School of Computer Science teamed up with University of Guelph cybersecurity experts to test how users, ranging from tech novices to experts, can respond to real-time legitimate and malicious software download requests in a simulated office setting.

The study, “‘I’m regretting that I hit run’: In-situ Assessment of Potential Malware,” appeared in the proceedings of the 34th USENIX Security Symposium.

“Most existing malware research analyzes ‘after action’ reports, that is, investigations into what went wrong after a successful attack,” said Daniel Vogel, a professor of computer science at Waterloo, and a co-author of the study. “Our study, which featured novice, intermediate and expert users, is the first malware research to observe user strategies in real time.”

Three-dozen participants received messages from fake coworkers in a Microsoft Teams-like environment, prompting them to download and install various programs. Participants had full control over whether to install the software and could research their choices however they liked.

In the initial trial, users identified malware with 75% accuracy. Novice users were right 68% of the time, while expert users achieved 81% accuracy.

“It was interesting how novice users sometimes flagged legitimate software as malware due to a typo or poor interface design yet missed real malware when the clue was unusual system behavior, like high processor usage,” said Brandon Lit, a Ph.D. student in Waterloo’s Cheriton School of Computer Science and the lead author of the study.

In a second round of testing, the researchers provided participants with an enhanced task manager, as well as instructions about what red flags to look for, such as software accessing large numbers of files or network connections to other countries. With that modest support, the group’s malware detection rate increased to 80%.

“Just having a bit of information puts beginner users on par with computer scientists,” Lit said. “Fostering critical thinking is one of the most important things we can do to increase security.”

More information:
Brandon Lit, et al. ‘I’m regretting that I hit run’: In-situ Assessment of Potential Malware. www.usenix.org/system/files/co … r-prepub-678-lit.pdf

Provided by
University of Waterloo


Citation:
You’re better at spotting malware than you think, new study suggests (2025, August 5)
retrieved 5 August 2025
from https://techxplore.com/news/2025-08-youre-malware.html
