
15.3  Care and handling of research participants  479




                  might influence participant behavior. When this happens, researchers might resort
                  to a bit of misdirection. Deceptive studies ask participants to perform tasks that are
                  described as relating to a particular goal, when the researcher is actually interested in
                  addressing a different question unrelated to the goal presented to the user. Although
                  concealing the true nature of the study does present some concerns regarding the
                  validity of informed consent, this practice is often necessary, particularly in situations
                  where full disclosure might compromise the realism of the study.
                     A study involving security and usability provides an example of the use of
                  deception in HCI research (Schechter et al., 2007). This study had two goals: to determine
                  the influence of security feedback and to see if participants using their own data
                  would behave more or less securely than those who were role-playing using
                  someone else's data. As the researchers were concerned that study participants would not
                  behave naturally if they were told that usability was being studied, participants were told that
                  the purpose of the study was to “help make online banking better” (Schechter et al.,
                  2007). Participants were asked to perform online banking tasks. Some participants
                  were “role-playing”—they were asked to pretend that they were a specific individual
                  with specific goals in mind; others used their own bank accounts. In addition to
                  finding that security indicators were not particularly helpful, this study found that
                  people using their own bank accounts behaved more securely than those who were
                  role-playing (Schechter et al., 2007).
                     Schechter et al. (2007) used deceit as a means of setting up conditions that
                  maximized the realism of the experiment. By presenting users with real online banking
                  tasks, they focused the experiment on how actual users might behave when using
                  online banking on their own. If participants had been told that the experiment was
                  examining their behavior regarding security and privacy, they might have paid extra attention
                  to their behavior in these areas. This use of deception may be useful and valid, but it
                  does have its limits. These limits arise from the established psychological concept of
                  demand characteristics (Orne, 1962), which states that participants in a research study
                  may act in a manner that attempts to validate the hypotheses being tested. In this study,
                  participants may have taken the goal of improving online banking to heart, perhaps
                  acting more insecurely than they otherwise might have (Patrick, 2007a).
                     A notable phishing study provides another example of the complexities of
                  conducting research without full prior disclosure of goals and participant consent.
                  Researchers at Indiana University harvested email addresses from publicly available
                  sources and then conducted a phishing attack that encouraged students to log in to
                  a university server that would verify (but not store) their authentication credentials.
                  Arguing that no real harm would come to participants, and that disclosure and
                  consent would sensitize participants to the goals of the project, and therefore invalidate
                  results, the developers of this study worked closely with the appropriate IRB to
                  carefully design a study protocol that would not require explicit consent. This process
                  required extensive review of relevant regulations and legislation, leading to a novel
                  study design that allowed the research to proceed without compromising on ethical
                  concerns or participant privacy or security (Finn and Jakobsson, 2007a,b; Jagatic
                  et al., 2007; Jakobsson et al., 2008).