Internet of Things (IoT) 29 April 2019

The Economics of Trust: Overcoming Obstacles to Better Consumer IoT Security

By Ceren Ünal, Former Regional Policy Manager - Europe

In 2018 the Internet Society launched the Trust by Design campaign, to make sure that security and privacy features are built into Internet of Things (IoT) products. We focused our activities on consumer IoT, a segment particularly vulnerable, despite having the biggest share in the IoT market. We believe trust should come as standard, and so we’ve been working with manufacturers and suppliers to make sure privacy and security are included in the initial design phase all the way through the product lifecycle, as outlined in the OTA IoT Trust Framework. Our work does not stop there, as this goal can only be achieved when consumers drive demand for security and privacy capabilities as a market differentiator and policymakers create a policy environment that strengthens trust and enables innovation.

Consumer IoT devices and services without adequate security pose a wide range of risks, from directly threatening the security, privacy, and safety of their owners to the devices themselves being drawn into botnets that can initiate DDoS attacks against the Internet. As more and more connected devices with weak security are rushed to the market due to competition and cost concerns, missing trust is deeply rooted in economics. To better understand the economic aspects of consumer IoT security, we commissioned an independent study conducted by Plum Consulting that we are pleased to share with you.

“The economics of the security of consumer-grade IoT products and services” looks at the consumer IoT market and the current state of security (or lack thereof) and points out the main economic obstacles to better security. Consumers often do not have enough information to identify products with weak security. This results in investment in security not being seen as a competitive differentiator for manufacturers. Additionally, since the cost of security breaches is borne by the device owner or third parties rather than the manufacturer, there is little incentive for manufacturers to invest in security. Finally, effective security by design requires specialized skills, can slow down the process, and can cost extra. Because of these factors, combined with cognitive biases of consumers, manufacturers tend to prioritize reducing cost and quickly sending IoT products to market.

But everyone, from consumers to policymakers, can take steps to incentivize manufacturers and shift demand in the market for strong IoT security. These vary by cost and difficulty and come with pros and cons of their own. The report provides a taxonomy and comes up with recommendations for the industry and policymakers to improve consumer IoT security, including prioritizing consumer guidance, leveraging public procurement procedures for products with strong security, encouraging responsible vulnerability disclosures, developing a trustmark for secure consumer IoT devices, prosecuting misleading claims on security, and prescribing a general set of security principles. Mandated security requirements through regulation are considered a last resort, and only if all other initiatives fail to improve security in the consumer IoT market.

Improving consumer IoT security calls for action from a diverse group of stakeholders and their actions complement each other. The complex IoT ecosystem is only as strong as its weakest link – and a collaborative approach to security is essential for success. It is only by working together that we can make a more secure consumer IoT. The economics say so, too.

Disclaimer: Viewpoints expressed in this post are those of the author and may or may not reflect official Internet Society positions.
