Log In Sign Up

It was hard to find the words: Using an Autoethnographic Diary Study to Understand the Difficulties of Smart Home Cyber Security Practices

This study considers how well an autoethnographic diary study helps as a method to explore why families might struggle in the application of strong and cohesive cyber security measures within the smart home. Combining two human-computer interaction (HCI) research methods - the relatively unstructured process of autoethnography and the more structured diary study - allowed the first author to reflect on the differences between researchers or experts, and everyday users. Having a physical set of structured diary prompts allowed for a period of 'thinking as writing', enabling reflection upon how having expert knowledge may or may not translate into useful knowledge when dealing with everyday life. This is particularly beneficial in the context of home cyber security use, where first-person narratives have not made up part of the research corpus to date, despite a consistent recognition that users struggle to apply strong cyber security methods in personal contexts. The framing of the autoethnographic diary study contributes a very simple, but extremely powerful, tool for anyone with more knowledge than the average user of any technology, enabling the expert to reflect upon how they themselves have fared when using, understanding and discussing the technology in daily life.


When Googling it doesn't work: The challenge of finding security advice for smart home devices

As users increasingly introduce Internet-connected devices into their ho...

"You Just Assume It Is In There, I Guess": UK Families' Application And Knowledge Of Smart Home Cyber Security

The Internet of Things (IoT) is increasingly present in many family home...

Perspectives of Non-Expert Users on Cyber Security and Privacy: An Analysis of Online Discussions on Twitter

Current research on users` perspectives of cyber security and privacy re...

Cyber security and the Leviathan

Dedicated cyber-security functions are common in commercial businesses, ...

Investigation on Research Ethics and Building a Benchmark

When dealing with leading edge cyber security research, especially when ...

Cyber-Human System for Remote Collaborators

With the increasing ubiquity of technology in our daily lives, the compl...

Knowledge-Base Practicality for Cybersecurity Research Ethics Evaluation

Research ethics in Information and Communications Technology has seen a ...

1. Introduction

Internet of Things (IoT) devices within the home setting are increasingly ubiquitous: 2020 in particular saw a huge growth in the purchases of such devices in the UK, attributed in no small part to the amount of time people were required to stay in their homes as part of public health lockdown measures due to COVID-19 (techUK and GfK, 2021). Home IoT devices111Throughout this paper, “home IoT devices” will be used to mean those devices, and those technologies and services that support them, covered in the UK’s Code of Conduct for Consumer IoT devices (Department for Digital, Culture, Media and Sport, UK Government, 2018). are often left in communal spaces (Chalhoub et al., 2021), and, when set up according to the manufacturer’s instructions, will collect significant amounts of data about every person that is around them, whether or not those people are aware of it — or consent to it (Koshy et al., 2021). Having an understanding of the risks that these devices pose should be a fundamental part of the purchase and use process, however it is not commonly the case that individuals understand these risks or take steps to manage them (Patterson et al., 2021), or that devices are necessarily designed to make security easy to manage (Chalhoub et al., 2020).

Cyber security risks that home IoT devices pose are different to those risks that are posed through browsing the Internet on a computer or smart phone (Omolara et al., 2021); data collected by these devices can be misused in a number of ways, intentionally or otherwise. In addition, the more devices that are connected to a home network, the greater the threat posed to every part of the home through insecure devices, whether specifically targeted or because of more mundane reasons such as unsupported software (Tabassum et al., 2019). Without broad understanding of these risks, users — and in this case study, we will particularly be considering the family unit — can be putting themselves in harm’s way, unnecessarily. And yet, data and security breaches are commonplace in home IoT devices, both as a result of vulnerabilities in software (see, for example, the list in (Srinivas, 2020)), but also because users may have failed to use security settings as intended (Paul, 2020).

This case study draws upon two established research methods within the HCI field: that of the diary study, and also, the practice of autoethnographical research. Cyber security is notorious for its poor uptake amongst users; the difficulty of having a coherent and logical cyber security set up within a home increases with the number of users and devices in the household. Families struggle not only to manage device use appropriately, but also to speak and discuss cyber security in meaningful ways, or even use the same language (Jones et al., 2019). While researchers study home IoT devices in a professional capacity (Williams et al., 2019), many of them also use home IoT devices as a user in a personal capacity. Could an autoethnographic diary study, intentionally applying the research lens to the home life of a researcher, help to pick out the specific issues of engagement with the topic? Can it help to create a sense of empathy surrounding the difficulties that non-expert users might have in their daily device use? And what does that mean for how devices are intended to be used, and — in this case — kept secure? By analysing ourselves as device users during a period of autoethnographic diary study, can we show where, not only as researchers, but also as device manufacturers or even policy makers, we expect too much — or too little — of everyday users?

This case study details the set up and execution of an autoethnographic diary study, as a means of exploring the usefulness of first-person, reflexive research into poorly understood areas of digital technology use — in this case, cyber security habits and practices in the home — and presents the lessons that have been learned from undertaking it. Although the findings can help academic researchers to consider how to approach not only their topic, but also the users of the particular digital technology, in a more empathetic manner prior to engagement, there are lessons that can also be taken by product designers and also policy makers. All three groups, as experts in their specific topics, can use the structured diary prompts to consider how much of their personal experience is guided by having more knowledge and information than the average user of the product or device. They can also reflect upon the extent to which expert knowledge fails when trying to navigate discussions with family, or friends, or deal with real-life situations. Furthermore, product designers — in this particular case, in the home IoT space, but also more generally — may find analysis of what they themselves, their children, friends or family may, or may not, do or know about their product alters their design approach. Policy makers could even apply this method to understand where users may need more education, more support — or increased regulation or other policy tools to keep them as safe and secure as intended, for example.

This case study starts with a brief review of related work and concepts in Section 2. It goes on to describe the methodology in Section 3, and findings in Section 4. Section 5 discusses the lessons that can be taken from the work, prior to conclusions being drawn in Section 6.

2. Relevant Work and Concepts

The term “autoethnographic diary study” is used here to describe a piece of first-person research exploring the topic in relation to the broader societal and cultural setting, but using the feedback-style recording method of a diary study with multiple participants. It builds upon two research methods: the diary study and autoethnography.

Diary studies are a commonly used method within the HCI and CSCW research communities, as they allow for monitoring of participants’ behavior or experiences over an extended period of time, in the moment, rather than relying on recall of events in interview settings. In recent years, diary studies have been used to understand how adolescents (children aged 13-17) and parents manage online harms

(Wisniewski et al., 2016; McHugh et al., 2017; Agha et al., 2021), how new parents approach baby wearable technology (Wang et al., 2017), how children with autism spectrum disorder use mobile applications (Putnam and Mobasher, 2020) and how social groups approach joint privacy and security use of shared applications and devices (Watson et al., 2020; Chalhoub et al., 2021). Garg and Sengupta (2019) used a diary study, capturing information from parents with children aged 4-17, on their smart phone and speaker use. Through the entries in the study, they found that there were differences in how families used, managed and limited technology use dependent upon their socio-economic and ethnic status.

The diary studies mentioned above ranged in duration from two weeks to two months, allowing for significant data collection to occur from the participants, both in paper format and using online tools, with reminder capabilities built in. Watson et al. (2020) noted that the ability to track responses online was important, as they needed to chase a number of participants with phone calls to ensure they completed the diary. Hong et al. (2020) found that paper allowed for more flexibility in responses — although participants found managing paper diaries with digital artefacts hard to manage. Putnam and Mobasher (2020) found different problems with the diary study method: although the adult participants did not find the method of filling in the diary itself problematic, getting the children involved in the study to participate in a way that generated results to discuss in the diaries proved extremely hard.

The type of personal reflection captured in a journal or diary is core to autoethnographic work, although typically in a much less structured manner than a diary study, capturing any reflections on a specific theme over an extended period of time. Chang (2016) describes autoethnography as autobiographical writing that “combines cultural analysis and interpretation with narrative details”, and so is particularly relevant when considering the wider use of digital technologies within different areas of society. Such works can be challenging to understand, as they typically raise concerns in relation to the independence, objectivity and generalizability of the method (Rapp, 2018). However, the collection of personal thoughts and reflections on a topic for a period of time by a researcher can serve as a lightweight research method that, done well, gives the ability to provide nuanced insights that can outweigh the obvious lack of generalizability (Eschler, 2016). Malinverni and Pares (2016) used autoethnography to determine the importance of how personal values shape their work as researchers, leading to more considered and grounded future research, particularly in the participatory design space. Analyzing personal use of devices can provide additional levels of empathy towards users and research participants to be taken forward in the design process (O’Kane et al., 2014; Cunningham and Jones, 2005); conversely, non-use of devices can also provide insights in that it allows for questioning and re-imagination of use (Lucero, 2018). Reflecting on the use of closely related duoethnography as a research method, a 2019 paper highlights the importance of using personal experience to explore the “interactions between diverse users, devices and data” in intimate settings (Garcia and Cifor, 2019); the family unit being one such example.

3. Methodology

Following the receipt of ethical approval from our institution’s Ethics Committee in August 2020, the first author undertook the research in her own home between 12 August and 31 October 2020. The study mostly focused upon interactions within the first author’s immediate family (two children, aged 6 and 3) and husband, although additional interactions with other family members (such as the first author’s parents and parents-in-law) that stayed in the home in this period were also captured when relevant. The additional awareness that both the first author and also her husband, being a software engineer, had of cyber security as a topic of household importance was considered to be relevant, as subsequent analysis of the topics raised from the study could determine how many were raised precisely because of this additional awareness. Drawing upon the autoethnographic format, the first author completed the diary entries alone, based upon her interactions and experiences with her family.

The diary study topic looked at how the cyber security of home IoT devices was managed and discussed between parents, children and any other relevant individuals within the home. Using a “feedback” style of diary (Carter and Mankoff, 2005) in order to elicit broad responses to consider these answers, a set of daily diary prompts posed a series of open-ended questions intended for the first author to reflect on the events of each day pertaining to home IoT device use and cyber security. The questions focused on what was said, done, and what emotions events raised, not dissimilar to the type of responses received in (Wisniewski et al., 2016) (for example, “Was the conversation home IoT device use or cyber security related?” “Were there any subjects relating to devices or cyber security of those devices that you avoided talking about today? If so, why?”). The daily diary prompts were printed and kept in a purple folder, along with pens and sufficient additional paper, next to the first author’s bed, in order to serve as a visual reminder to log instances at the end of each day (see Figure 0(a)). Entries were only to be recorded when there was something of relevance to be captured during the day. For the full list of prompts, see Appendix A.

The prompts did not change throughout the period, and daily reflections were collected primarily on paper, not electronically (see Figure 0(b)). This was for two reasons: the type of activities being considered were unlikely to be done routinely, meaning that using an electronic method for the purposes of eliciting immediate responses through reminders would not be beneficial; also, the use of paper allowed space for more reflection through unstructured feedback (Ayobi et al., 2018). The hand-written entries were typed up weekly. Any relevant information that was seen online (for example, social media posts) were treated as additional artefacts: they were collated and saved electronically, printed as necessary and analyzed alongside the typed-up diary entries. In the end, the finished diary comprised of written entries, screenshots of social media, school curricula, scans of text books and e-mails, as well as a list of all home IoT devices (and those devices or digital technologies that interacted with the devices) (see Figure 0(c)).

Once collated, the complete diary was subjected to thematic analysis (Braun and Clarke, 2006) by the first author. Following McDonald et al. (2019), it was determined that thematic analysis should only be performed by the first author to preserve the personal and reflexive nature of the research, with broader discussions around the results taking place between all authors.

(a) Bright folder kept by the bed to prompt
daily reflection

[Placement of folder to prompt reflection]This photograph shows a bright pink folder on a shelf next to the first author’s bed, next to a radio and clock: the folder is placed in between the radio and clock, meaning neither can be used without the author seeing the folder.

(b) The pages of the diary prompts,
incorporating free writing

[Handwritten diary prompts]This photograph shows three days’ diary entries, with handwritten text that covers the backs of two of the sheets of paper, and the third diary entry is one with arrows and other markings around the pre-typed text of the diary prompt sheet.

(c) The full printed diary, with diary entries
and printed artefacts

[The full diary and artefacts]A photograph showing the written pages of the diary entries alongside several other printed sheets making up the remaining artefacts of the study.

Figure 1. The diary study process and sample artefacts

4. Findings

4.1. How well did the feedback diary method work?

4.1.1. Frequency of reporting

The pilot diary study lasted 80 days, significantly longer than many documented diary studies, although shorter than many autoethnographic pieces of work. It generated 30 individual diary entries; in addition to the written diary there were 15 screenshots, two e-mails and the list of devices. Many of the diary entries were between 100-300 words in length, with the longest over 700. Despite placing the diary prompts in a convenient location for writing up, the first author felt very aware of the number of days where there was little to nothing to report, based upon the prompts. Electronically saved information often had to be additionally printed to ensure that the thoughts about them were collected at the end of the day.

4.1.2. What was directly captured in the entries

The first author found the feedback diary method, in particular with its open-ended questions, helpful as a means of being able to consider and reflect freely upon the situations arising during the diary period. The completed diary covered an extensive range of events, from buying new devices, to discussing reported security breaches and dealing with family device problems, to reflections upon the use of specific software on the first author’s smart phone.

Further analysis found that not all of the entries, however, directly contributed to the overall research questions. The entries and artefacts show that two types of cyber security arose in the diary: the “housework”, of cyber security that is directly applicable within the home, typically relating to things like to device setup, and the “wider universe”, reflecting interesting or concerning news stories about cyber security issues that cannot either be directly managed within the home, or that are not directly relevant. In particular, the diary entries allowed the quantification of the time spent considering each type: reading about the cyber security “wider universe” appeared in six entries; “housework” references to researching new devices prior to purchase, installation of those devices, and device management occurred four times in total.

Those entries that did reflect “housework” management of cyber security within the immediate family showed an important element: they were, typically, one-off events. For example, purchasing a new eReader for the first author’s eldest child allowed for discussion with the child about setting strong passwords, setting WiFi access, and discussion about how and when books could be purchased or borrowed; this was recorded at the time of setup, and not subsequently.

Once set up in the home, however, questions of device security did not come up. Repeated use of devices seemed to breed familiarity and a level of comfort around its use. When devices were in situ and just functioned as needed, there was no further consideration about the invisible processes in the background that may need further consideration or management. Diary entries discuss long-used devices only in terms of the habitual nature of their use — both by parents and children, once the device was considered part of the family’s setup. “The kids are only used to streaming services, and so will often ask to watch programmes via the Chromecast, which allows for useful parental control of what they’re watching (as we turn off autoplay). However, this also means that short programs…sees them asking for the next episode almost before the prior one has begun. This is tricky as it can see tired or impatient children grabbing the phone…” — diary entry, 13 September.

The diaries also helped to reflect on the ability of children to consider security, and what that meant for discussions and learning opportunities. There were four detailed discussions about cyber security with the children — exclusively with the elder child. The younger child was captured in the diary as showing awareness of devices in the home,222In particular the Google Chromecast that facilitated streaming TV shows. but had no concept of the need for security. Some of these events allowed for moments of family discussion and collective reflection: for example, password use being mentioned in a television show allowed for a brief discussion of what a password is. In total, passwords were discussed with children three times and unauthorized purchasing once.

4.1.3. What was indirectly captured in the entries

The diary prompts did not have questions that required the first author to consider aspects of her role and status, both within the domestic setting and also more broadly in terms of gender and economic status within society. Despite this, both aspects were strongly present within the diary entries, and add a further level of nuance to be included in the analysis. Without a clear understanding of the space in which the researcher inhabits, it may be hard to understand where their experience differs from that of an average user.

Of particular note in this case was the economic status that the first author’s family has. The amount spent on new devices and security software in the period led to reflection upon how expensive maintaining appropriate device hygiene can be. The ability to replace those devices that are out of supported software life or use paid-for cyber security software such as password managers may well reflect best practice, but they are options that require sufficient disposable income to make the decision to do so. For many, it could well be a poor decision — or an impossibility — to replace otherwise functional devices, or pay for cyber security services in a world where data breaches are common, but obviously tangible downsides are few.

4.2. How well did the autoethnographic aspect work?

4.2.1. An additional level of knowledge

Using the autoethnographic approach of having only the first author record diary entries was important: in using the reflexive requirement of the study, would it be possible to further deconstruct the reasons why users may typically struggle with managing home IoT device cyber security? The additional level of knowledge held by the first author about requirements and risks associated with device use was clear in a number of entries, giving an idea of privacy and security concerns that might not be considered by those without an interest. Sometimes the entries explored the difficulties of trying to set up devices in ways that are more privacy-preserving and allow for more controlled security: “[The eReader] is defaulted to have WiFi on all the time, with limited restrictions on access to the store. Switching off the WiFi results in it warning you that it will cause problems…” — diary entry, 15 October.

Other reported instances of acting out of a heightened interest in security were triggered by external events: for example, trying to find out more about a vulnerability, reported by a technology news site, in microchips used in her and her husband’s smart phones:333 really felt that there was little we could do… we’d have to rely on our phone’s manufacturer to manage the patching. It unnerved us a bit, in thinking about it, that we found this in specialised press only -–- and certainly not in mainstream news sources. It’s tricky having a little bit of knowledge: it often leaves you in a state of uncomfortable inaction…!” — diary entry, 18 August.

4.2.2. Where knowledge did not help

Having the written diary entry was helpful to contrast and explore the emotions felt when cyber security was working as expected — and when it was proving too complex. Negative sentiments were common throughout the diary, with words like “infuriating”, “uncomfortable”, “frustrated” and “frustrating” occurring three times each (in some 6,600 words of the full diary). Dealing with situations that were unresolvable, or that required significant time, knowledge and investment was hard — even when, as in the first author’s case, there was an interest in having the most appropriate security setup at home.

More positive words were less common — “amazing” occurred once, “benefit” and “excellent” twice each. Interestingly, these more positive records related to the potential use of devices, not aspects associated with security — there were, in fact, no records commenting that a device’s security ostensibly worked. These entries again, help to underline the types of experiences that stick in the mind when using devices as part of life: the first author was inclined to think about security and go out of her way to apply techniques and settings that she knew of, and even then, security activities were framed negatively within the diary.

The diary entries recorded a number of instances where having cyber security knowledge did not actually help resolve the situation at hand. This was particularly the case when trying to help or communicate about cyber security issues with others. Trying to help a relative manage some unusual activity on a computer should have been an opportunity to help them walk through and improve their cyber security knowledge and use. Instead, the relative was so overwhelmed by the situation, and happy once their bank had confirmed no financial loss had occurred as a result of the activity, that they did not listen further. “What struck us [first author and her husband] was the complete lack of understanding, backed up with a defensiveness about cyber security practices…Almost everything we tried – both in terms of explanations of mitigating steps, and practically looking at and reviewing the devices – failed.” — diary entry, 17 August.

Similarly, the diary entries showed how having knowledge about how to make devices safe did not help when trying to explain why it was necessary to the children, even when they were keen to listen. The concepts were too hard and too abstract. For example, the children were particularly interested in the first author’s new smart phone: “It was hard to find the words to explain why I had replaced it – I wanted them to understand that phones are only expected to have a life of around 3 years, but at the same time….they won’t understand it! Not happy with the words that fell out of my mouth (‘because…it could be dangerous.’). Not that they prodded further – they just loved that the cover wasn’t black… They now don’t care.” — diary entry, 15 October. The smart phone had been replaced as it had reached the end of its supported life: without guaranteed software updates, it could pose a security risk. The complexity of these ideas, coupled with the uncertainty of the risk (it could pose a risk, should there be a particular set of circumstances), made it a conversation too difficult to have.

Similarly, when the elder child asked what the router did, the best the first author and her husband could do was say “well, it’s how the Internet comes into the house”, which “felt useless even as we said it…”. Even if the words were there, the attention span of children for such discussions is extremely limited — the first author concluded this entry in the diary with a feeling of relief at how quickly the child “showed little interest…” — diary entry, 12 September. One of the artefacts collected alongside the diary entries was the elder child’s school curriculum for the year, which detailed the computing skills to be taught during the year. A combination of using a computer (“how to use or navigate with a mouse”) and learning about “the dangers that the Internet can portray” made it clear how ubiquitous computing and the concepts associated with it are not something that the children can hope to learn about at school alongside encountering it at home.

5. Lessons Learned

The autoethnographic diary study method has not previously been used as a way of considering how users of home IoT devices manage cyber security in their homes, and with their families, despite the potential for reflection on day-to-day issues. Although the topic of this study was cyber security, it could be applied to any situation where adoption of understanding of a digital technology is poorer than designers or researchers would hope.

Undertaking a diary study with prompts allowing free-form responses, and the addition of any relevant artefacts, enabled the first author to reflect upon why users find cyber security difficult and unimportant and consider specific reasons for the lack of engagement. The use of a reflexive diary by someone with an expert understanding of what can and should be done to use a digital technology of any kind as intended can be important to show where the process might fail, or to understand those users who are less interested or aware of the steps that might be necessary. Such a method can be powerful in helping not only researchers, but also device designers and policy makers, make recommendations, and base their actions in the mundane of the everyday situation. In particular:

  • The frequency with with topics arise, and the emotions they generate can help to understand how often a non-expert user might consider the issues, and whether they may actively avoid processes or activities that feel uncomfortable or unpleasant.

  • Analysis of how and why a topic arises in the diary entry provides some ability to consider how being an expert affects being a user of a device. In particular, allowing for free writing and the addition of artefacts helps to show how and where topics arise: are they from situations and venues non-expert users would encounter?

  • Analyzing being a user can point out where being an expert does not help. Things remain hard, unexpected, or impossible, even for experts: learning from these experiences is helpful to understand the limits of what users should be expected to endure.

Below, we go into more detail on each of these points.

5.1. The frequency of reports

The inability of the first author to make daily diary entries felt like a concern, when analysis was performed. As recorded, in the 80 days of the study, the first author produced 30 diary entries; a small number compared with similar studies with more participants such as Garg and Sengupta (2019), where the average participant entry rate over an eight-week period was 110, when asked to record information about all types of device use. Furthermore, only six of these entries captured active discussions with the immediate family about cyber security in the context of device use. However, in this respect, the autoethnographic diary method provides the person undertaking the study with a helpful guide as to when and how the topic fits into everyday life. If the individual performing the diary study, who has more interest and specific knowledge than an average user, reports infrequently, this in itself helps to get into the mindset of an average user and stops assuming a level of engagement that may not exist. In this case, for example: if cyber security is only managed at key points of device use, how do you ensure that those brief windows of time are maximized for the best security setup?

5.2. How and why diary entries arise

Deciding to use diary prompts requiring answers written on paper, rather than through an online system, facilitated what has been referred to as “writing as thinking” (Oatley and Djikic, 2008). When there is something to report, having no limitations on the responses allows for a more reflexive experience, a process referred to as “critical subjectivity” in (Garcia and Cifor, 2019), even if some of the entries end up being outside of the topic of interest at the point of analysis. In particular, when considering a concept that is not widely understood by an average user — such as cyber security — the process of writing about instances of dealing with the concept as a more informed researcher helps to understand whether it is reasonable for an average user to consider it too. The majority of diary entries in this case covered wrestling with considerations that came as a result of having researched, and being concerned about, the area for a number of years, and did not spend as much time upon non-specific actions to be taken in the home. If the average user is unlikely to take action, to, for example, limit device use to stop additional data collection, what policy measures might be needed to keep such data safe and used appropriately?

Being able to add in artefacts was another benefit of having a relatively unstructured reporting setup. As previously reported by Hong et al. (2020), keeping artefacts exclusively digitally was not practical for ensuring inclusion and consideration in the wider diary entries, so needed to be printed to ensure this happened. The artefacts were of particular value, however, in bringing the outside world into the home, and reminding the first author of the wider cyber security environment. Again, the chance nature of seeing news items, or social media posts should remind the individual performing the diary study of their particular framing of the world — would an average user see these posts, or regularly read the news sources that the person performing the diary study considers part of their everyday life?

5.3. Learning from unexpected and hard things

Even though performed in a period of enhanced social distancing measures as a result of the COVID-19 pandemic, the diary study allowed for reporting not only of interactions with the first author’s nuclear family, but also gave an interesting insight into how the external world encroaches into the home. Giving space to explore the unexpected events in a home setting can prepare researchers, designers and policy makers to think more broadly about the context that they are working in. Prior research has already shown that individuals can find negotiating shared security difficult, even when there is prior agreement as to the importance (Watson et al., 2020), and that bystanders pose a particular set of security questions when considering home IoT devices. However, the lived difficulty of these situations may not be truly understood. To consider two examples from the diary study here: first, the situation where the relative may or may not have had a compromised device with access to the first author’s home network allowed for exploring the difficulties of acting positively in emotive situations. If the victim of a security issue acts defensively, there is little that anyone else can do, even with a perfect knowledge of the theoretical steps to take.

Second, involving young children is hard. We know that adults and children often use different languages to talk about cyber security (Jones et al., 2019), but when the concepts are too complex or too abstract for either the adult to explain or the child to understand, how is that knowledge transfer expected to happen? The diary entries provided space for reflection on how frail the concept of security within the home could be, and that hoping for users to manage this themselves is hard. The artefacts — school curriculum and text books — helped to put the inability to talk about this with the children into context: as much as the first author and her husband could not find the words for the cyber security issues they tried to discuss with their children, so the educational system does not set children up to learn about it in enough depth. It also underlines that even when children have parents who understand the reasons for and means of promoting good cyber security in the home, they will not necessarily find the opportunity for discussion and learning at home. This is particularly important to consider from a policy perspective: home IoT devices are increasingly pervasive, yet it is not reasonable to consider that parents have the correct knowledge or vocabulary to discuss safe and secure use of such devices with their children, yet the risks of such device use is not being taught in schools in the UK in any substantive way (Department for Education, UK Government, 2013).

6. Conclusions

This case study reports upon the use of an autoethnographic diary study examining the ways the first author’s family manage and discuss the cyber security of home IoT devices. Autoethnographic studies and diary studies with multiple participants are relatively common research methods within the HCI field: this case study combined the format of feedback-style diary entries with the reflexive nature of autoethnography. Although autoethnographic work is not generalizable, it was hoped that the reflexivity afforded by such a study might help to further not only understanding why cyber security is poorly understood and managed, but whether the process of performing the diary study could be helpful in understanding where the role of a researcher (or product designer or policy maker, for example), and the role of a user, differs.

The first author found that the diary method, created as it was, to be hand written at the end of every day, allowed for significant opportunities for “thinking as writing”, unpackaging not only the role of the researcher and the role of the user, but also the complexity of emotions and language around the topic. Having the physical diary entries allowed for analysis of not only the words and language used, and the situations that such language was used, but also for the types of entries, and the frequency of events that were recorded.

This was particularly valuable in approaching the topic of cyber security, where, despite a consistent recognition that users struggle to apply strong cyber security methods, first-person narratives can help explain the difficulties that even competent users can have with applying good practices in the real world. These findings help to show, in this instance, where cyber security is, and is not, important in a family setting, which can help to frame considerations for not only future research, but also for manufacturers and policy makers. As such, the autoethnographic diary study, despite its simple premise, could be an effective means of providing an expert individual with the reflexive analysis required to unpick problems where users do not act as hoped, by allowing the space for reflection of what it is reasonable for users to know and do, based on the individual’s own experiences and reactions.

Appendix A Daily Diary Prompts

Prompt questions: home IoT device use and cyber security discussions
How did it arise?
Was the conversation home IoT device use or cyber security related?
How long did it last?
Did everyone participate?
Did the children engage (ask questions, seem to take it in)?
What questions did they ask?
Did they use metaphors/examples? What were they and how did they seem to relate to the topic being discussed?
Have you discussed this before?
Did you ask any questions?
Did you use metaphors/examples from other areas? What were they?
Did this help in furthering the conversation or making a more meaningful interaction?
Did you refer to anything else?
Was it a helpful conversation? What went well? What didn’t?
Were there any conversations on digital technologies or cyber security that you avoided having today? - About what? Why?
Table 1. Daily Diary Prompts


  • (1)
  • Agha et al. (2021) Zainab Agha, Reza Ghaiumy Anaraky, Karla Badillo-Urquiola, Bridget McHugh, and Pamela Wisniewski. 2021. ‘Just-in-Time’ Parenting: A Two-Month Examination of the Bi-directional Influences Between Parental Mediation and Adolescent Online Risk Exposure. In HCI for Cybersecurity, Privacy and Trust, Abbas Moallem (Ed.). Springer International Publishing, Cham, 261–280.
  • Ayobi et al. (2018) Amid Ayobi, Tobias Sonne, Paul Marshall, and Anna L. Cox. 2018. Flexible and Mindful Self-Tracking: Design Implications from Paper Bullet Journals. Association for Computing Machinery, New York, NY, USA, 1–14.
  • Braun and Clarke (2006) Virginia Braun and Victoria Clarke. 2006. Using thematic analysis in psychology. Qualitative Research in Psychology 3, 2 (Jan. 2006), 77–101.
  • Carter and Mankoff (2005) Scott Carter and Jennifer Mankoff. 2005. When Participants Do the Capturing: The Role of Media in Diary Studies. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Portland, Oregon, USA) (CHI ’05). Association for Computing Machinery, New York, NY, USA, 899–908.
  • Chalhoub et al. (2020) George Chalhoub, Ivan Flechais, Norbert Nthala, Ruba Abu-Salma, and Elie Tom. 2020. Factoring User Experience into the Security and Privacy Design of Smart Home Devices: A Case Study. In Extended Abstracts of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI EA ’20). Association for Computing Machinery, New York, NY, USA, 1–9.
  • Chalhoub et al. (2021) George Chalhoub, Martin J Kraemer, Norbert Nthala, and Ivan Flechais. 2021. “It Did Not Give Me an Option to Decline”: A Longitudinal Analysis of the User Experience of Security and Privacy in Smart Home Products. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, New York, NY, USA, Article 555, 16 pages.
  • Chang (2016) Heewon Chang. 2016. Autoethnography as Method (1 ed.). Routledge, New York, NY, USA.
  • Cunningham and Jones (2005) Sally Jo Cunningham and Matt Jones. 2005. Autoethnography: A Tool for Practice and Education. In Proceedings of the 6th ACM SIGCHI New Zealand Chapter’s International Conference on Computer-Human Interaction: Making CHI Natural (Auckland, New Zealand) (CHINZ ’05). Association for Computing Machinery, New York, NY, USA, 1–8.
  • Department for Digital, Culture, Media and Sport, UK Government (2018) Department for Digital, Culture, Media and Sport, UK Government. 2018. Code of Practice for Consumer IoT Security. Technical Report. Department for Digital, Culture, Media and Sport (DCMS), UK Government. 24 pages.
  • Department for Education, UK Government (2013) Department for Education, UK Government. 2013. National curriculum in England: computing programmes of study. Governmental report.
  • Eschler (2016) Jordan Eschler. 2016. A Critical Reflection on Social Media Research Using an Autoethnographic Approach. In Proceedings of the 2016 49th Hawaii International Conference on System Sciences (HICSS ’16). IEEE Computer Society, USA, 1871–1880.
  • Garcia and Cifor (2019) Patricia Garcia and Marika Cifor. 2019. Expanding Our Reflexive Toolbox: Collaborative Possibilities for Examining Socio-Technical Systems Using Duoethnography. Proceedings of the ACM on Human-Computer Interaction 3, CSCW, Article 190 (Nov. 2019), 23 pages.
  • Garg and Sengupta (2019) Radhika Garg and Subhasree Sengupta. 2019. ”When You Can Do It, Why Can’t I?”: Racial and Socioeconomic Differences in Family Technology Use and Non-Use. Proc. ACM Hum.-Comput. Interact. 3, CSCW, Article 63 (Nov. 2019), 22 pages.
  • Hong et al. (2020) Matthew K. Hong, Udaya Lakshmi, Kimberly Do, Sampath Prahalad, Thomas Olson, Rosa I. Arriaga, and Lauren Wilcox. 2020. Using Diaries to Probe the Illness Experiences of Adolescent Patients and Parental Caregivers. Association for Computing Machinery, New York, NY, USA, 1–16.
  • Jones et al. (2019) Simon L. Jones, Emily I.M. Collins, Ana Levordashka, Kate Muir, and Adam Joinson. 2019. What is ‘Cyber Security’? Differential Language of Cyber Security Across the Lifespan. In Extended Abstracts of the 2019 CHI Conference on Human Factors in Computing Systems (Glasgow, Scotland Uk) (CHI EA ’19). Association for Computing Machinery, New York, NY, USA, Article LBW0269, 6 pages.
  • Koshy et al. (2021) Vinay Koshy, Joon Sung Sung Park, Ti-Chung Cheng, and Karrie Karahalios. 2021. “We Just Use What They Give Us”: Understanding Passenger User Perspectives in Smart Homes. In Proceedings of the 2021 CHI Conference on Human Factors in Computing Systems. Association for Computing Machinery, New York, NY, USA, Article 41, 14 pages.
  • Lucero (2018) Andrés Lucero. 2018. Living Without a Mobile Phone: An Autoethnography. In Proceedings of the 2018 Designing Interactive Systems Conference (Hong Kong, China) (DIS ’18). Association for Computing Machinery, New York, NY, USA, 765–776.
  • Malinverni and Pares (2016) Laura Malinverni and Narcis Pares. 2016. An Autoethnographic Approach to Guide Situated Ethical Decisions in Participatory Design with Teenagers. Interacting with Computers 29, 3 (10 2016), 403–415. arXiv:
  • McDonald et al. (2019) Nora McDonald, Sarita Schoenebeck, and Andrea Forte. 2019. Reliability and Inter-Rater Reliability in Qualitative Research: Norms and Guidelines for CSCW and HCI Practice. Proceedings of the ACM on Human-Computer Interaction 3, CSCW, Article 72 (Nov. 2019), 23 pages.
  • McHugh et al. (2017) Bridget Christine McHugh, Pamela J. Wisniewski, Mary Beth Rosson, Heng Xu, and John M. Carroll. 2017. Most Teens Bounce Back: Using Diary Methods to Examine How Quickly Teens Recover from Episodic Online Risk Exposure. Proc. ACM Hum.-Comput. Interact. 1, CSCW, Article 76 (Dec. 2017), 19 pages.
  • Oatley and Djikic (2008) Keith Oatley and Maja Djikic. 2008. Writing as Thinking. Review of General Psychology 12, 1 (2008), 9–27.
  • O’Kane et al. (2014) Aisling Ann O’Kane, Yvonne Rogers, and Ann E. Blandford. 2014. Gaining Empathy for Non-Routine Mobile Device Use through Autoethnography. In Proceedings of the 2014 SIGCHI Conference on Human Factors in Computing Systems (Toronto, Ontario, Canada) (CHI ’14). Association for Computing Machinery, New York, NY, USA, 987–990.
  • Omolara et al. (2021) Abiodun Esther Omolara, Abdullah Alabdulatif, Oludare Isaac Abiodun, Moatsum Alawida, Abdulatif Alabdulatif, Wafa’ Hamdan Alshoura, and Humaira Arshad. 2021. THE INTERNET OF THINGS SECURITY: A SURVEY ENCOMPASSING UNEXPLORED AREAS AND NEW INSIGHTS. Computers & Security 112, 102494 (2021), 31 pages.
  • Patterson et al. (2021) Lisa Patterson, Sue Chard, Bryan Ng, and Ian Welch. 2021. Internet of Things (IoT) Privacy and Security: A User-Focused Study of Aotearoa New Zealand Home Users. In Proceedings of the 54th Hawaii International Conference on System Sciences (HICSS). Hawaii International Conference on System Sciences (HICSS), Honolulu, HI, USA, 11 pages.
  • Paul (2020) Kari Paul. 2020. Dozens sue Amazon’s Ring after camera hack leads to threats and racial slurs. The Guardian.
  • Putnam and Mobasher (2020) Cynthia Putnam and Bamshad Mobasher. 2020. Children with Autism and Technology Use: A Case Study of the Diary Method. In Extended Abstracts of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI EA ’20). Association for Computing Machinery, New York, NY, USA, 1–8.
  • Rapp (2018) Amon Rapp. 2018. Autoethnography in Human-Computer Interaction: Theory and Practice. In New Directions in Third Wave Human-Computer Interaction. Springer International Publishing, Switzerland.
  • Srinivas (2020) Rudra Srinivas. 2020. 10 IoT Security Incidents That Make You Feel Less Secure. CISO Mag.
  • Tabassum et al. (2019) Madiha Tabassum, Tomasz Kosinski, and Heather Richter Lipford. 2019. ”I don’t own the data”: End User Perceptions of Smart Home Device Data Practices and Risks. In Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019). USENIX Association, Santa Clara, CA, 435–450.
  • techUK and GfK (2021) techUK and GfK. 2021. The State of the Connected Home 2021. Industry Report. techUK.
  • Wang et al. (2017) Junqing Wang, Aisling Ann O’Kane, Nikki Newhouse, Geraint Rhys Sethu-Jones, and Kaya de Barbaro. 2017. Quantified Baby: Parenting and the Use of a Baby Wearable in the Wild. Proc. ACM Hum.-Comput. Interact. 1, CSCW, Article 108 (Dec. 2017), 19 pages.
  • Watson et al. (2020) Hue Watson, Eyitemi Moju-Igbene, Akanksha Kumari, and Sauvik Das. 2020. “We Hold Each Other Accountable”: Unpacking How Social Groups Approach Cybersecurity and Privacy Together. In Proceedings of the 2020 CHI Conference on Human Factors in Computing Systems (Honolulu, HI, USA) (CHI ’20). Association for Computing Machinery, New York, NY, USA, Article 478, 12 pages.
  • Williams et al. (2019) Meredydd Williams, Jason R C Nurse, and Sadie Creese. 2019.

    Smartwatch games: encouraging privacy-protective behaviour in a longitudinal study.

    Computers in Human Behavior 99 (2019), 38–54.
  • Wisniewski et al. (2016) Pamela Wisniewski, Heng Xu, Mary Beth Rosson, Daniel F. Perkins, and John M. Carroll. 2016. Dear Diary: Teens Reflect on Their Weekly Online Risk Experiences. Association for Computing Machinery, New York, NY, USA, 3919–3930.