Author:
Bullee Jan-Willem, Montoya Lorena, Junger Marianne, Hartel Pieter
Abstract
Purpose
When security managers choose to deploy a smart lock activation system, the number of units needed and their locations need to be established. This study aims to present the results of a penetration test involving smart locks in the context of building security. The authors investigated how the amount of effort an employee has to invest in complying with a security policy (i.e. walking from the office to the smart key activator) influences vulnerability. In particular, the attractiveness of a no-effort alternative (i.e. someone else walking from your office to the key activators to perform a task on your behalf) was evaluated. The contribution of this study is to show how experimental psychology can be used to determine the cost-benefit analysis (CBA) of physical building security measures.
Design/methodology/approach
Twenty-seven different “offenders” visited the offices of 116 employees. Using a script, each offender introduced a problem, provided a solution and asked the employee to hand over their office key.
Findings
A total of 58.6 per cent of the employees handed over their keys to a stranger; no difference was found between female and male employees. The likelihood of handing over the keys for employees close to a key activator was similar to that of those who were further away.
Research limitations/implications
The results suggest that installing additional key activators is not conducive to reducing the building’s security vulnerability associated with the handing over of keys to strangers.
Originality/value
No research seems to have investigated the distribution of smart key activators in the context of a physical penetration test. This research highlights the need to raise awareness of social engineering and of the vulnerabilities introduced via smart locks (and other smart systems).
Subject
Finance, General Business, Management and Accounting
Cited by
2 articles.