Computer users can be manipulated into divulging more information than they normally would, simply by the layout of web pages, new research has revealed.
A team at Israel’s Ben-Gurion University of the Negev (BGU) presented its study, Online Disclosure Depends on How You Ask for Information, at the International Conference on Information Systems last week.
They examined the behavior of 2504 users who were asked to provide their country, full name, phone number, and email address as part of the sign-up process for Tel Aviv-based digital bank, Rewire.
Successful tactics included asking for relatively non-sensitive info first and then gradually scaling up the requests to more private details. Similarly, by placing information requests on separate but consecutive web pages, the researchers were also able to elicit more personal data from the participants.
The research garnered impressive results.
“We found that both manipulations independently increased the likelihood of sign-up and conversion,” said Lior Fink, head of the BGU Behavioral Information Technologies (BIT) Lab and a member of the Department of Industrial Management and Engineering.
“The ascending privacy intrusion manipulation increased sign-up by 35% and the multiple-page manipulation increased sign-up by 55%.”
Lead researcher Naama Ilany-Tzur added that regulators and members of the public should be made aware of such tactics, as they may help social engineering attackers to bypass users’ natural caution when divulging personal details online.
However, on a less security-centric note, the BGU student also heralded the research as an important discovery for marketers trying to find the optimal way to capture as much data on individuals as possible.
Ideally, the findings of research like this would be built into security awareness training courses. However, research released this week revealed that just 8% of UK firms carry out regular training in the first place.
The iomart study found that a quarter (28%) of employers offer no cybersecurity training for remote workers, while a further 42% do but only to select employees. Yet even the majority of those that get training are given a short briefing rather than the regular sessions that are required to keep up to date with evolving threats.