Applying the Lost-Letter Technique to Assess IT Risk Behaviour

Information security policies are used to mitigate threats for which a technical prevention is not feasible. Compliance with information security policies is a notoriously difficult issue. Social sciences could provide tools to empirically study compliance with policies. We use a variation of the lost-letter technique to study IT risk behaviour, using USB keys instead of letters. The observational lost-letter study by Farrington and Knight (1979) was replicated in a university setting by dropping 106 USB keys. Labels on the USB keys were used to vary characteristics of the alleged victim. Observers noted characteristics of people who picked a USB key up and whether the USB key was returned. Results show that USB keys in their original box are stolen more than used ones and that people aged 30 or younger and those who place a found USB key in their pocket are more likely to steal. This suggests that the decision to steal a USB key is taken at the moment of pick up, despite ample opportunity to return it. The lost USB key technique proved to be a feasible method of data collection to measure policy compliance and thus also risk behaviour.

[1]  D. Fessler Return of the lost letter: Experimental framing does not enhance altruism in an everyday context , 2009 .

[2]  Hossein Saiedian,et al.  Security Threats and Mitigating Risk for USB Devices , 2010, IEEE Technology and Society Magazine.

[3]  C B MERRITT,et al.  The pecuniary honesty of the public at large. , 1948, Journal of abnormal psychology.

[4]  Steven E. Stern,et al.  The lost e-mail method: Milgram’s lost-letter technique in the age of the Internet , 1997 .

[5]  Two non-reactive field experiments on stealing from a 'lost' letter. , 1979, The British journal of social and clinical psychology.

[6]  Brad J. Bushman,et al.  You've got mail: Using e-mail to examine the effect of prejudiced attitudes on discrimination against Arabs , 2004 .

[7]  O. Tykocinski,et al.  The Lost E‐Mail Technique: Use of an Implicit Measure to Assess Discriminatory Attitudes Toward Two Minority Groups in Israel , 2009 .

[8]  B. J. Knight,et al.  Stealing From a "Lost" Letter , 1980 .

[9]  T. Gabor,et al.  Probing the public's honesty: a field experiment using the lost letter technique , 1989 .

[10]  Leon Mann,et al.  THE LOST-LETTER TECHNIQUE: A TOOL OF SOCIAL RESEARCH , 1965 .

[11]  Jeroen Vaes,et al.  The lost e-mail: prosocial reactions induced by uniquely human emotions. , 2002, The British journal of social psychology.

[12]  Antonio S Silva,et al.  Lost Letter Measure of Variation in Altruistic Behaviour in 20 Neighbourhoods , 2012, PloS one.

[13]  K. Deaux Anonymous Altruism: Extending the Lost Letter Technique , 1974 .

[14]  B. Rienzi,et al.  Assessing Attitudes toward Gay Marriage among Selected Christian Groups Using the Lost-Letter Technique , 2000, Psychological reports.

[15]  Gordon B. Forbes,et al.  Regional differences in willingness to help strangers: A field experiment with a new unobtrusive measure☆☆☆ , 1972 .

[16]  M. Felson,et al.  Crime and Everyday Life , 1998 .

[17]  Hubert Klüpfel,et al.  The simulation of crowd dynamics at very large events — Calibration, empirical data, and validation , 2007 .

[18]  Ali Ahmed Muslim Discrimination: Evidence From Two Lost-Letter Experiments , 2010 .

[19]  M. Felson,et al.  Opportunity Makes the Thief Practical theory for crime prevention , 1998 .

[20]  H. Akaike,et al.  Information Theory and an Extension of the Maximum Likelihood Principle , 1973 .

[21]  Robert Forsythe,et al.  A VALIDATION OF THE LOST-LETTER TECHNIQUE , 1970 .

[22]  Gordon B. Forbes,et al.  Willingness to Help Strangers as a Function of Liberal, Conservative or Catholic Church Membership: A Field Study with the Lost-Letter Technique , 1971 .

[23]  K. R. Hardy,et al.  Assessing Prejudice toward Negroes at Three Universities Using the Lost-Letter Technique , 1971 .

[24]  F. S. Bridges,et al.  Extensions of the Lost Letter Technique to Divisive Issues of Creationism, Darwinism, Sex Education, and Gay and Lesbian Affiliations , 2002, Psychological reports.

[25]  S. Kennison,et al.  Measuring Gender Differences in Attitudes Using the Lost-Letter Technique , 2010 .