Students at the University of Twente have stolen thirty laptops from various members of the university’s staff. They were not prosecuted for this, so they could just get on with their studies. Indeed, these students even received ECTS credits for these thefts. UT researcher Trajce Dimkov asked the students to steal the machines as part of a scientific experiment. Stealing these laptops turned out to be a pretty simple matter.
Trajce Dimkov will be awarded his PhD at the University of Twente on 23 February. His doctoral research dealt with organizations’ security policies. Under the pretext of conducting a user survey, Dimkov loaned laptops to thirty, randomly selected, university staff members. He then asked students to steal these laptops as part of a scientific experiment. The students made sixty attempts to steal these machines, thirty of which were successful. The study revealed that no matter how good an organization’s security is, its effectiveness (or otherwise) is largely determined by human behaviour. Dimkov notes that “For instance, some people forgot to lock their door. In other cases, the students were able to think up a cover story that was sufficiently convincing to get a cleaner or caretaker to open the door for them. Other students were able to obtain the laptops by posing as technicians. Some claimed to have left their laptop in their supervisor’s office, and that they needed it urgently, to complete an assignment. People tend to make an effort to be helpful, and a good cover story often does the trick.”
The members of staff who had loaned the laptops were asked to make sure that these machines were always chained to their desks. They were also asked to lock the door when leaving their room, and to secure the laptop with a password. The university’s security staff were informed in advance, to make sure that the students involved did not end up in jail.
To prevent such thefts in the future, Dimkov has developed a prototype model (a sort of navigation system) to identify ways in which laptops can be stolen. First, you have to enter data into this model, such as a map, information about members of staff, rules, locks, and security codes. The model uses special algorithms to link these items of data together, then generates scenarios that can be used to identify any “gaps” in the security system. Dimkov notes that “Without the input data, this system is of no use whatsoever to criminals. After all, what use is a navigation system without a map?”
Trajce Dimkov conducted his doctoral research in the Department of Distributed and Embedded Security, at the CTIT research institute. He was supervised by Prof. Pieter Hartel and Dr Wolter Pieters. This research was partly funded by the STW Technology Foundation.
Note to the press
For further details, or an electronic version of the PhD thesis entitled “Alignment of Organizational Security Policies, Theory and Practice”, please contact the Science Information Officer, Kim Bekmann, +31 (0)53 4892131/+31 (0)6 22436275.
