Applying the Lost-Letter Technique to Assess IT Risk Behaviour

E.E.H. Lastdrager, L. Montoya, Pieter H. Hartel, Marianne Junger

Research output: Chapter in Book/Report/Conference proceeding; Conference contribution; Academic; peer-review



Information security policies are used to mitigate threats for which a technical prevention is not feasible. Compliance with information security policies is a notoriously difficult issue. Social sciences could provide tools to empirically study compliance with policies. We use a variation of the lost-letter technique to study IT risk behaviour, using USB keys instead of letters. The observational lost-letter study by Farrington and Knight (1979) was replicated in a university setting by dropping 106 USB keys. Labels on the USB keys were used to vary characteristics of the alleged victim. Observers noted characteristics of people who picked a USB key up and whether the USB key was returned. Results show that USB keys in their original box are stolen more than used ones and that people aged 30 or younger and those who place a found USB key in their pocket are more likely to steal. This suggests that the decision to steal a USB key is taken at the moment of pick up, despite ample opportunity to return it. The lost USB key technique proved to be a feasible method of data collection to measure policy compliance and thus also risk behaviour.
Original language: Undefined
Title of host publication: Proceedings of the 3rd Workshop on Socio-Technical Aspects in Security and Trust
Place of Publication: Piscataway, New Jersey
Number of pages: 8
ISBN (Print): 978-0-7695-5065-7
Publication status: Published - 10 Jun 2013
Event: 3rd Workshop on Socio-Technical Aspects in Security and Trust, STAST 2013 - New Orleans, LA, USA, New Orleans, United States
Duration: 29 Jun 2013 to 29 Jun 2013
Conference number: 3

Publication series

Publisher: IEEE Computer Society


Workshop: 3rd Workshop on Socio-Technical Aspects in Security and Trust, STAST 2013
Country/Territory: United States
City: New Orleans


  • SCS-Cybersecurity
  • EC Grant Agreement nr.: FP7/2007-2013
  • METIS-297444
  • EWI-23424
  • IR-86253
  • EC Grant Agreement nr.: FP7/318003
