Applying the Lost-Letter Technique to Assess IT Risk Behaviour

Research output: Chapter in Book/Report/Conference proceedingConference contributionAcademicpeer-review

2 Citations (Scopus)

Abstract

Information security policies are used to mitigate threats for which a technical prevention is not feasible. Compliance with information security policies is a notoriously difficult issue. Social sciences could provide tools to empirically study compliance with policies. We use a variation of the lost-letter technique to study IT risk behaviour, using USB keys instead of letters. The observational lost-letter study by Farrington and Knight (1979) was replicated in a university setting by dropping 106 USB keys. Labels on the USB keys were used to vary characteristics of the alleged victim. Observers noted characteristics of people who picked a USB key up and whether the USB key was returned. Results show that USB keys in their original box are stolen more than used ones and that people aged 30 or younger and those who place a found USB key in their pocket are more likely to steal. This suggests that the decision to steal a USB key is taken at the moment of pick up, despite ample opportunity to return it. The lost USB key technique proved to be a feasible method of data collection to measure policy compliance and thus also risk behaviour.
Original languageUndefined
Title of host publicationProceedings of the 3rd Workshop on Socio-Technical Aspects in Security and Trust
Place of PublicationPiscataway, New Jersey
PublisherIEEE Computer Society
Pages2-9
Number of pages8
ISBN (Print)978-0-7695-5065-7
DOIs
Publication statusPublished - 10 Jun 2013

Publication series

Name
PublisherIEEE Computer Society

Keywords

  • SCS-Cybersecurity
  • EC Grant Agreement nr.: FP7/2007-2013
  • METIS-297444
  • EWI-23424
  • IR-86253
  • EC Grant Agreement nr.: FP7/318003

Cite this