Effectiveness of Physical, Social and Digital Mechanisms against Laptop Theft in Open Organizations

Organizations rely on physical, digital and social mechanisms to protect their IT systems. Of all IT systems, laptops are probably the most troublesome to protect, since they are easy to remove and conceal. Once a thief has physical possession of a laptop, it is also difficult to protect the data inside. In this study, we look at the effectiveness of the security mechanisms against laptop theft in two universities. The study considers the physical and social protection of the laptops. We analyze the logs from laptop thefts in both universities and complement the results with penetration tests. The results show that the effectiveness of security mechanisms from the physical domain is limited and depends mostly on the social domain. The study serves as motivation to further investigate how the mechanisms across all three security domains align to protect the IT assets in an organization.
