Not only was stealing a laptop not a crime in this story, students successfully lifting the laptops from University of Twente in the Netherlands could count as university credit. Who says crime doesn't pay?
Okay, for the record, stealing a laptop from your professor — or anyone for that matter — is technically a crime. In this case, it was an experiment set up by PhD student and researcher Trajce Dimkov in the Distributed and Embedded Security Group at the University of Twente. He wanted to help identify holes in security practices.
Thirty laptops were distributed to University staff and were told upfront that students would be on the prowl looking to steal them. The idea was that if they were forewarned staff would go the extra mile to keep them safe.
Well, they tried. And they failed.
It took 60 attempts, but in the end, all thirty laptops were lifted. Some of the thefts were easier than others, but the students weren't afraid to get more elaborate in their schemes. "For instance, some people forgot to lock their door," Dimkov noted. "In other cases, the students were able to think up a cover story that was sufficiently convincing to get a cleaner or caretaker to open the door for them. Other students were able to obtain the laptops by posing as technicians. Some claimed to have left their laptop in their supervisor's office, and that they needed it urgently, to complete an assignment. People tend to make an effort to be helpful, and a good cover story often does the trick."
It all sounds like fun and games, but the purpose of the experiment actually has real implications. And it is not to diss the janitorial staff.
Organizational security is big business as anyone who has had their laptop or wallet stolen from their desk will tell you. That's nothing compared to customer data.
Dimkov was trying to model how human behavior models into a security of an organization — especially when the done in isolation from standard practices in place. The experiment highlighted the negative impact mistakes in human behavior can have on a security system. Dimkov used that information and other variables to create a road map for highlighting security issues within the system — in his case the University.
Remember all those embarrassing documents that landed on Wikileaks after Pfc. Bradley Manning smuggled out on a CD with "Lady Gaga" written on it? Dimkov's modeling as a result of what we'll call "the Great University Laptop Caper," would have probably caught that.
From there it is just a small leap to applying the model in a corporate setting. Dimkov's modeling includes maps and floor plans, security clearances vs. access, people's movement and behavior, security codes and the like. It may seem intuitive, but often companies have had the same security systems in place for years and procedures have not caught up with the times or with the collateral that may be at risk. This could be data or physical equipment.
It's not just traditional corporations at stake. Security modeling could be used for major public events such as the Olympics, or in outdoor spaces in conjunction with satellite maps. Beyond the obvious battlefield implications, the military could likely benefit from operational security overhaul.
According to a statement released by the University of Twente, "Trajce Dimkov will be awarded his PhD."