The Psychology of a Cyber Attack: USB Drop Simulation

What is a USB Drop Simulation?

In a simulated USB drop attack, you place a USB stick with tracking software installed in a commonly travelled area of the workplace and see whether employees follow company policy by handing it in, or plug it into their computer.

Plugging an unknown USB into your computer is dangerous for both the company and the individual – and here’s why: attackers regularly target organisations by installing malicious software onto a USB stick and leaving it where someone is likely to pick it up. This may lead to a data breach, loss of data, and malware infection. It’s critical that employees are trained to spot these kinds of attacks and do the right thing by handing the stick in.

This is one of the many cyber-services we provide. In this post, we will discuss the kind of person likely to forego company policy and plug a USB in.

Why might someone take a USB?

Because they are curious about what’s on it. Humans are naturally curious creatures, so it’s only natural that one might wonder what a USB stick contains. But what would be the drive behind this curiosity? They might be interested to see what personal stuff the owner has on there – such as photos. They might also be curious to see if any sensitive data is on there – humans have a natural drive to discover the unknown.

Because they have a personal interest in who it belongs to. Someone might want to find information they can use against the owner if it is someone they dislike, or to see whether the owner has anything to hide. They might also believe it contains information about another company – a rival, for example.

Because they feel like they could get use out of it. USB sticks are relatively inexpensive these days – however, the prospect of getting something for free might motivate someone to take it for themselves.

Personality Traits

By knowing the traits of a person who is likely to pick up and plug in the USB, we can tailor the content on the USB more closely to their personality, and increase the likelihood of them opening what we want them to.

Unconcerned with consequences – this type of person is likely to be more of an extrovert.

Feeling of entitlement to take what they want – they might have a ‘finders keepers’ attitude – this type of person is also more of an extrovert.

The USB might have something they want on it – if this is the reason they picked it up, then this person is more likely to be introverted.

 

What might make a USB stick attractive for someone to pick up?

For someone who wants to use it – it should look new, clean, and unlabelled.

For someone curious about the person who owns it – we can label it ‘personal’ or ‘photos’ or something along those lines.

For someone who has a personal business interest – we could label it ‘finance’, ‘clients’, or ‘confidential’.

For someone generally curious – we can label it something ambiguous or simply leave it blank. Then, the individual might project their own idea of what could be on there, and be driven by curiosity to find out.

By knowing these things, we can effectively pick a type of person to appeal to, and place content on the USB stick to reflect this. Someone is more likely to click on things which appeal to their desires and personality type.

What types of files are people likely to open?

  • Photographs.
  • A journal, diary or log.
  • Financial information.
  • Client information.
  • Passwords.
  • Personal data.

Theory of Curiosity

Curiosity is a form of cognitively induced deprivation that arises from the perception of a gap in knowledge or understanding.

Two forms of curiosity exist:

  • CDT – Curiosity Reduction: A drive state that motivates information seeking related to reducing uncertainty.
  • OAT – Boredom Relief: An optimal arousal state that seeks to satisfy a need for knowledge.

Both could motivate behaviour to find out information. Interest (I type) suggests information is not missing, but there is an opportunity to find something out.

Ignorance (D type) suggests something is missing, and the motivation is to find out something.

By knowing whether a person is curious to satisfy boredom or curious to satisfy a purpose, we can further tailor the appearance and content of the USB to a certain personality type.

Conclusion

To sum it all up, a wide variety of factors go into deciding on a personality type for a targeted attack, and by picking one of these personality types to appeal to, we can increase the likelihood of someone being tempted to pick up and plug in the USB.

 

Sources

Psychology of Curiosity – Loewenstein

Curiosity as a feeling of interest and feeling of deprivation – Litman