Close Menu
    An experiment deployed over the summer showed that many still plug in unknown USB sticks in Luxembourg, proving curiosity remains a major driver of avoidable cyber risk.
    Luxembourg

    When curiosity kills your computer: Luxembourgers still plug in mystery USBs

    A social experiment by cybersecurity association Club de la Sécurité des Systèmes d’Information Luxembourg (CLUSIL) has revealed that despite years of awareness campaigns, many people in Luxembourg still plug in unknown USB drives, potentially exposing themselves and their employers to serious cyber risks.

    Over the summer, the organisation scattered 240 USB sticks in public places across the country – train stations, parks, business hubs, even near schools – to observe how often passersby would pick them up and open them.

    Of the 240 keys, 39 were accessed representing a 16% engagement rate, nearly identical to results from similar international studies.

    USBs placed near schools had a 31% access rate, suggesting that younger individuals may be more willing to take the risk out of curiosity.

    USBs placed near schools had a 31% access rate, report shows © Photo credit: CLUSIL

    Some drives were explored within 30 minutes, while others remained untouched for more than four months. Eight were opened on the same day they were dropped.

    Also read:Esch programme offers 2-year path to cybersecurity jobs

    The experiment also generated memorable anecdotes: at least one cybersecurity professional was “caught” by the test. An organisation triggered an emergency internal response within 45 minutes of finding multiple suspicious keys, isolating and storing them before calling a community emergency response team.

    CLUSIL stressed that the project was carried out ethically: the devices contained no malware, only harmless files and a tracking mechanism that simply logged access through a benign web request. The emergency teams were informed in advance, and the project’s estimated environmental impact – about 27 kg of CO₂ – was also factored into the planning.

    At an event at the Luxembourg House of Cybersecurity on Monday, CLUSIL presented its full findings, concluding that human behaviour, not technology, remains the weakest link.

    “Preventing even a single incident through awareness can protect thousands of sensitive records,” the organisers noted in their press release.

    Also read:A day in the life of the head of cyber offence at Ferrero

    Add A Comment

    Comments are closed.