Why bother with security software?

The Register reports on an experiment by a team from Google, the University of Illinois Urbana-Champaign, and the University of Michigan. They left about 300 USB drives around the Urbana-Champaign campus. An incredible 48 percent of the drives were taken and plugged into a computer – some within minutes of being left.

“The security community has long held the belief that users can be socially engineered into picking up and plugging in seemingly lost USB flash drives they find…”


“Unfortunately, whether driven by altruistic motives or human curiosity, the user unknowingly opens their organization to an internal attack when they connect the drive – a physical Trojan horse.”

In other words, by plugging in these USB drives, people put the security of their network at risk.

I notice that the drives were left around the University of Illinois Urbana-Champaign campus, and not that of the University of Michigan. Looking back now, I wonder if the researchers from there might have preferred to try the experiment at the Michigan campus! More seriously, it would be interesting to know what the result would be of the same experiment carried out in a city center (not a university campus) or a technology park, or even outside the offices of a cyber security company…

If I were a cyber security consultant, I would find this very troubling. What’s the point of getting the message across not to open strange emails, or click on dodgy links, if some witless individual is going to plug in an unknown USB and do the damage in that way? Or, as they say:

“There is still much work needed to understand the dynamics of social engineering, develop technical defenses, and learn how to effectively teach users how to protect themselves.”

You can read the Register article here.