Security Update Labels: Establishing Economic Incentives for Security Patching of IoT Consumer Products

With the expansion of the Internet of Things (IoT), the number of security incidents caused by insecure and misconfigured IoT devices is increasing. Especially on the consumer market, manufacturers focus on new features and early releases at the expense of a comprehensive security strategy. Hence, experts have started calling for regulation of the IoT consumer market, while policymakers are seeking suitable regulatory approaches. We investigate how manufacturers can be incentivized to increase sustainable security efforts for IoT products. We propose mandatory security update labels that inform consumers, at the time of the buying decision, about the willingness of the manufacturer to provide security updates in the future. Mandatory means that the labels must also explicitly state when security updates are not guaranteed. We conducted a user study with more than 1,400 participants to assess the importance of security update labels for consumer choice by means of a conjoint analysis. The results show that the availability of security updates (until which date updates are guaranteed) accounts for 8% to 35% of the impact on consumers' overall choice, depending on the perceived security risk of the product category. For products with a high perceived security risk, this availability is twice as important as other highly ranked product attributes. Moreover, the provisioning time for security updates (how quickly the product will be patched after a vulnerability is discovered) additionally accounts for 7% to 25% of the impact on consumers' choices. The proposed labels are intuitively understood by consumers, do not require product assessments by third parties before release, and have the potential to incentivize manufacturers to provide sustainable security support.
