240 red USB sticks, “lost” throughout the country, have all too often been used without taking any precautions. Ten years of awareness-raising have done nothing to change this, says Clusil. (Photo: Shutterstock)

An experiment carried out in Luxembourg this summer shows that, despite ten years of awareness-raising and widely documented cyber-risks, a significant proportion of the population still pick up USB keys they come across by chance and plug them into their computers. An investigation based on facts observed by Clusil, one that caught out at least one expert and one organisation.

Drop 240 USB sticks in public places and observe how many are picked up and then opened. This was the simple but revealing experiment carried out this summer in Luxembourg. All were carefully prepared, without any malware, and contained only innocuous files and a technical mechanism for identifying whether a single document, disclaimer.html, had been consulted. The keys were deposited in a variety of areas, from railway stations and bus stops to parks, business districts and the outskirts of schools.

The stated aim was to measure real human behaviour when faced with an object that is commonplace but carries documented risks, and to provide factual elements for raising awareness. The results show that 16% of the keys were opened, a figure in line with an American study cited in the report which, in 2015, noted a 17% return rate for keys left in similar public spaces. Despite ten years of media coverage of cyber attacks and increased overall maturity, the human behaviour observed remains surprisingly stable.

Clusil, an acronym for Club de la sécurité de l’information - Luxembourg, is an association founded in 1996 that brings together professionals from private companies, government departments, financial institutions, the academic sector and research. Its official mission is to promote information security in Luxembourg by facilitating peer-to-peer exchange, disseminating best practice and contributing to national awareness. The association regularly organises conferences, working groups and publications that have become benchmarks in Luxembourg’s cyber community.

This is the context in which the USB project is taking place. Clusil conducts occasional experiments aimed at gaining a better understanding of the concrete risks to which citizens and organisations are exposed. The keys used for the 2025 study did not contain any threats; their sole purpose was to measure behaviour. The experiment thus provides factual data on how individuals react to an unknown medium, and on how certain organisations interpret and manage the material discovery of a potentially suspect object.

Near schools, more used than elsewhere

The study also highlights disparities depending on where the keys are deposited. Those placed near schools were collected and then consulted much more often, with a rate of 31%. The report highlights this difference, but offers no proven explanation. Any interpretation of the role of age, curiosity or awareness must therefore be regarded as an inference. All that is known is that, in practice, keys located near schools produced more measurable activity.

The experiment also revealed highly variable timescales between a key being deposited and it being opened. Some were consulted within 30 minutes, others after 133 days. This implies that consultation is not always the result of an impulsive gesture. A key can be picked up, put aside and then opened much later. However, the tracking mechanism does not reveal whether certain keys were connected without the HTML file being opened, or whether they were analysed offline or in an isolated environment. These grey areas are limitations explicitly identified by the authors of the project.

One of the highlights documented concerns the reaction of a Luxembourg organisation that discovered several identical keys on its site. In less than 45 minutes, it called an emergency meeting, issued an internal communication, isolated the media in a secure environment, copied their contents onto a dedicated disk and placed the whole set in a safe. The managers then contacted Clusil after discovering an unusual file. The report presents this reaction as a factual sequence, revealing the level of alert that organisations are now faced with as soon as a potentially suspicious item of material appears. The project was not intended to test companies, but the episode shows the operational, and even anxiety-provoking, significance of an object found within a professional perimeter.
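The handling sequence described above (isolate the medium, copy its contents to a dedicated disk, keep a record of what was on it) as an added example, not Clusil's or the organisation's own tooling: a bash script for a Linux analysis host that mounts a found stick with no execution rights and produces a hashed inventory. The device path, mount point, output file and sample file names are assumptions.

```bash
#!/bin/bash
# Added example (not from the report): examine a found USB stick on an
# isolated analysis host instead of a workstation. Assumes Linux with GNU
# coreutils, a known device node such as /dev/sdb1 (hypothetical), and the
# rights needed to run mount.

# Mount options for an untrusted medium: read-only, nothing executable,
# no device nodes, no setuid, and no access-time writes that alter the key.
safe_mount_opts() {
    echo "ro,noexec,nodev,nosuid,noatime"
}

# Mount the device under a dedicated directory using those options.
mount_found_media() {
    local dev="$1" mnt="$2"
    mkdir -p "$mnt"
    mount -o "$(safe_mount_opts)" "$dev" "$mnt"
}

# Write a SHA-256 manifest of every file on the medium (the record that
# goes with the copy placed on a dedicated disk); returns the file count.
inventory_media() {
    local mnt="$1" out="$2"
    : > "$out"
    find "$mnt" -type f -print0 | sort -z | while IFS= read -r -d '' f; do
        sha256sum "$f" >> "$out"
    done
    wc -l < "$out" | tr -d ' '
}

# Count files with a given extension, e.g. html: the report's bait file
# was disclaimer.html, and such files are what a curious finder opens.
count_by_ext() {
    find "$1" -type f -name "*.$2" | wc -l | tr -d ' '
}

# Usage: found-usb.sh /dev/sdX1 /mnt/found inventory.txt
if [ $# -eq 3 ]; then
    mount_found_media "$1" "$2"
    inventory_media "$2" "$3"
    echo "html files: $(count_by_ext "$2" html)"
    umount "$2"
fi
```

The manifest and the counts are produced without executing or rendering anything on the key, which is the point of the isolated-environment step.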

The document also reports on individual feedback, including that of a student who wrote to Clusil after finding a key near a café in Belval. He asked what should be done with it, even though he had already consulted its contents. Another example comes from an SOC analyst who found a key outside his home: he sent a photo to his manager and then opened the key before even knowing what to do with it.

An SOC analyst, i.e. a member of a security operations centre responsible for constantly monitoring an organisation’s IT activity, is precisely one of those profiles whose role consists of spotting anomalies, interpreting alerts and reacting quickly when an incident is suspected. The fact that a specialist used to exercising this vigilance can also open a key found by chance shows the extent to which the transition from technical knowledge to perfectly prudent behaviour remains difficult, even for the best trained. These concrete cases show that knowledge of the risk does not always prevent people from acting on it. The report does not draw any general conclusions about individual motivations, but indicates that curiosity remains the most likely hypothesis, based on the comparative studies cited.

Another aspect explored concerns the environmental impact of the experiment. Clusil estimates that around 70 grams of CO2 are emitted to manufacture one key, plus 20 grams for transport and packaging, giving a total of around 27 kilograms for the whole project. These figures are reproduced unchanged from the report. No comparison with the potential environmental cost of an incident avoided is offered; any such extrapolation would be a matter of inference.

On reading the document, the strongest conclusion is that, despite a decade of advances in cybersecurity, public communication and high-profile incidents, human behaviour in relation to unknown media has not changed significantly. This is explicitly stated in the report. The exact causes are not assessed in the study and therefore cannot be attributed to psychological or generational factors without going beyond the facts. What is measured, and only that, is the persistence of the gesture: picking up a found object, plugging it in, and opening at least one file. As long as this reflex remains common, attacks using USB devices will remain possible, even if the experiment conducted here did not involve any.

The survey based on this project shows that vulnerability is not strictly technological. It resides in a simple interaction between an individual and a seemingly innocuous object. There is nothing in the results to suggest that this behaviour is disappearing. For organisations, this confirms the importance of maintaining policies for controlling external media, incorporating this risk into crisis management plans and raising awareness. For the general public, this study provides a factual benchmark: in 2025, as ten years ago, a USB key found in the street is still a credible risk vector. The act of plugging it in is neither rare nor marginal. Clusil’s experiment shows this, with figures to back it up.