Security Update Labels: Establishing Economic Incentives for Security Patching of IoT Consumer Products

Philipp Morgner, Christoph Mai, Nicole Koschate-Fischer, F. Freiling, Z. Benenson
Published in: 2020 IEEE Symposium on Security and Privacy (SP), pages 429-446
Publication date: 2019-06-26
DOI: https://doi.org/10.1109/SP40000.2020.00021
Citations: 26

Abstract

With the expansion of the Internet of Things (IoT), the number of security incidents due to insecure and misconfigured IoT devices is increasing. Especially on the consumer market, manufacturers focus on new features and early releases at the expense of a comprehensive security strategy. Hence, experts have started calling for regulation of the IoT consumer market, while policymakers are seeking suitable regulatory approaches. We investigate how manufacturers can be incentivized to increase sustainable security efforts for IoT products. We propose mandatory security update labels that inform consumers during buying decisions about the willingness of the manufacturer to provide security updates in the future. Mandatory means that the labels explicitly state when security updates are not guaranteed. We conducted a user study with more than 1,400 participants to assess the importance of security update labels for the consumer choice by means of a conjoint analysis. The results show that the availability of security updates (until which date the updates are guaranteed) accounts for 8% to 35% impact on overall consumers’ choice, depending on the perceived security risk of the product category. For products with a high perceived security risk, this availability is twice as important as other high-ranked product attributes. Moreover, provisioning time for security updates (how quickly the product will be patched after a vulnerability is discovered) additionally accounts for 7% to 25% impact on consumers’ choices. The proposed labels are intuitively understood by consumers, do not require product assessments by third parties before release, and have a potential to incentivize manufacturers to provide sustainable security support.