Students at the University of Twente stole 30 laptops from university staff across campus. Were they prosecuted? No -- instead, they received extra credit.
As part of a scientific research project, UT researcher Trajce Dimkov requested that the students attempt to steal the devices from campus -- and it seems to have been a very simple task to ask of them.
The researcher's PhD thesis, entitled "Alignment of Organizational Security Policies, Theory and Practice" explored the ways in which security practices can be thwarted by human behaviour and habits, such as forgetting to lock a door or not completing tasks due to the effort involved.
Under the guise of conducting a user survey, Dimkov loaned out the laptops to university staff members that were selected randomly. These members of staff were asked to make sure that the machines were chained to their desks, to secure them with a password, and to lock the door when they left their office.
In anticipation of the student thefts, university security were informed so that the research participants wouldn't find themselves in jail for taking part in the experiment.
The students were then asked to steal the laptops.
In total, sixty documented attempts were made, half of which were successful. Dimkov concluded that no matter how watertight a security system appears to be, its effectiveness is determined by human behaviour. The researcher said:
"Some people forgot to lock their door. In other cases, the students were able to think up a cover story that was sufficiently convincing to get a cleaner or caretaker to open the door for them. Other students were able to obtain the laptops by posing as technicians.
Some claimed to have left their laptop in their supervisor's office, and that they needed it urgently, to complete an assignment. People tend to make an effort to be helpful, and a good cover story often does the trick."
In an attempt to thwart such 'thefts', Dimkov has developed a prototype navigation system which identifies the ways in which such devices can be stolen. Once data is submitted into the system, including data concerning location, rules, security locks and codes, the prototype uses algorithms to generate a number of sequences in order to find any weak spots in security protocol.