Security Update Labels: Establishing Economic Incentives for Security Patching of IoT Consumer Products

by Philipp Morgner, et al.

With the expansion of the Internet of Things (IoT), the number of security incidents due to insecure and misconfigured IoT devices is increasing. Especially on the consumer market, manufacturers focus on new features and early releases at the expense of a comprehensive security strategy. Hence, experts have started calling for regulation of the IoT consumer market, while policymakers are seeking suitable regulatory approaches. We investigate how manufacturers can be incentivized to increase sustainable security efforts for IoT products. We propose mandatory security update labels that inform consumers during buying decisions about the willingness of the manufacturer to provide security updates in the future. Mandatory means that the labels explicitly state when security updates are not guaranteed. We conducted a user study with more than 1,400 participants to assess the importance of security update labels for consumer choice by means of a conjoint analysis. The results show that the availability of security updates (until which date the updates are guaranteed) accounts for 8 depending on the perceived security risk of the product category. For products with a high perceived security risk, this availability is twice as important as other high-ranked product attributes. Moreover, provisioning time for security updates (how quickly the product will be patched after a vulnerability is discovered) additionally accounts for 7 The proposed labels are intuitively understood by consumers, do not require product assessments by third parties before release, and have the potential to incentivize manufacturers to provide sustainable security support.

