Humans are often considered the weakest link in cybersecurity, but a new study shows they can effectively identify malware with minimal assistance. Researchers from the University of Waterloo’s Cheriton School of Computer Science and the University of Guelph conducted a pioneering experiment, observing how users of varying expertise—novices to experts—handled real-time software download requests in a simulated office environment.
Unlike most malware studies that analyze post-attack reports, this research, led by Professor Daniel Vogel, observed user strategies live. “Our study is the first to watch how novice, intermediate, and expert users respond to malware in real time,” Vogel noted.
In the experiment, 36 participants received messages mimicking a Microsoft Teams-like platform, prompting them to download and install software. They had full freedom to decide whether to install and could research as needed. In the first trial, participants detected malware with 75% accuracy—novices at 68% and experts at 81%.
“Novices sometimes misidentified legitimate software as malware due to minor issues like typos or poor design but overlooked real threats when subtle cues, like high processor usage, were present,” said Brandon Lit, the study’s lead author and a PhD student at Waterloo.
In a follow-up test, participants used an enhanced task manager and received guidance on red flags, such as software accessing numerous files or connecting to foreign servers. This boosted the group’s detection rate to 80%. “A little information brings novices’ performance close to that of experts,” Lit said. “Encouraging critical thinking is key to improving cybersecurity.”
- Press release – University of Waterloo
