  The Honey Stick Project - Measuring risk decisions

What would make you take action?

Tuesday, April 6th 2010 @ 7:35 AM

If you've read any of my pieces on the Honey Stick Project, you may recall that this is an experiment to see how vulnerable people are to risks on the Internet by dropping USB drives in various public locations. If the devices get picked up, my data shows that over 65% of them get plugged into computers and used in a way that I can detect, which suggests that people are putting their computers and networks at risk of getting infected with dangerous viruses that can steal vast amounts of sensitive data. If this conclusion is correct, then we need to get people to take action on educating staff about risks that technology safeguards can't adequately address.

What I would like to do is find a way to get people who find these devices to take positive action toward increasing security awareness education in their organizations. Ideally, if they could let their IT managers know that their organization is vulnerable, and that they could obtain data about how their organization has performed in this experiment, I think there's a good chance the IT managers would use the data to illustrate the need for awareness to their management. But this is often a sensitive topic for people, and there is always the chance the whole idea would just scare people so much that they would not take any action for fear of the repercussions on their reputation and jobs. So, I'm looking for good ideas that could help all of us in getting managers to see the data for their organizations, and take action on education and awareness.

My first idea is to have a minor warning upon opening files on the Honey Stick devices that this is just a demonstration to let people know they could have been putting their systems at risk by opening the files. Then, the message would let them know that if they feel this is an important issue, they should take the device and drop it near or in their IT managers' offices. This way, the original finder can remain anonymous, and it leaves an opportunity for others to find and use the device before turning it in. When the IT manager finally gets the device and examines it, I am hoping they will get the message that there's a good chance their staff has used it, putting their systems at risk; and they can get data about its usage by contacting me.

What do you think about this approach? Remember that these devices have no programs or active content on them. It's just simple HTML code with an image URL that lets me log the IP address of the system where the device was opened. So, there is no risk to an organization's systems from these devices.
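A check an IT manager could run on a found drive before opening anything on it, as an added example that is not code from the original post or the Honey Stick Project: it lists every reference in the drive's HTML files that a browser would fetch automatically from another host, which is the mechanism described above. The sample page, the `tracker.example` URL and all function names are constructed for illustration.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlparse

# (tag, attribute) pairs a browser fetches on render, with no click needed.
AUTO_FETCH = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("embed", "src"),
    ("link", "href"), ("object", "data"), ("body", "background"),
    ("audio", "src"), ("video", "src"), ("video", "poster"), ("source", "src"),
}

class RemoteRefFinder(HTMLParser):
    """Collects (tag, attribute, url) for each auto-loaded reference to a host."""
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value or (tag, name) not in AUTO_FETCH:
                continue
            url = value.strip()
            try:
                # Non-empty netloc: the URL names a host (relative paths have none).
                remote = bool(urlparse(url).netloc)
            except ValueError:
                remote = True  # malformed URL: report it rather than hide it
            if remote:
                self.hits.append((tag, name, url))

def find_remote_refs(html_text):
    finder = RemoteRefFinder()
    finder.feed(html_text)
    finder.close()
    return finder.hits

def scan_tree(root):
    """Map each .htm/.html file under root to its remote references."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in (".htm", ".html"):
            hits = find_remote_refs(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: one local image, one remote 1x1 image, one ordinary link.
SAMPLE = ('<html><body><h1>Read me</h1><img src="logo.png" alt="logo">'
          '<img src="http://tracker.example/pixel.gif?id=stick-042" width="1">'
          '<a href="http://www.example.com/">more</a></body></html>')
```

Parsing the files this way makes no network request, unlike opening them in a browser.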

What content would you put on the devices that would entice people to take action, and get the data to the people who know there is a problem, but have not had the data to justify taking action on educating their staff? What would make you take positive action?

Or do you not think this is something worth worrying about? Please send me your comments, or add a comment on this blog.



Scott Wright

The Streetwise Security Coach

Phone: 1-613-693-0997
Email: scott@streetwise-security-zone.com
Scott Wright on LinkedIn 


Copyright 2012. Security Perspectives Inc. All Rights Reserved.