Professional Documents
Culture Documents
IoT Security Paper
IoT Security Paper
IoT Security Paper
Summary
The Internet of Things (IOT) has been constantly growing and expanding throughout the
21st century. There is nearly a “Smart” version or internet connected version of every common
appliance and accessory commonly used in modern day. These devices can make our life much
more convenient and engaging but there is a major trade off that comes with constantly being
connected to the IoT on multiple devices. IoT devices are often exposed to security risks which
can lead to data and information leakage, which could be detrimental to the users of such
devices (Baltzan, Phillips, Lynch, & Blakey, 2008, p. 66). The security threats facing IoT devices
are of concern to both companies and individual consumers using them but has not always
been a top priority for the manufacturers of such products with many products currently on
market lacking basic security features (Johnson, Blythe, Manning, & Wong, 2020, p. 2). This
highlights the multiple sides facing the security issues of IoT devices, the consumer, and the
manufacturer. In “The Impact of IoT Security Labelling on Consumer Product Choices and
Willingness to Pay” the authors set out to measure the consumer side of this issue. Their work
sets a basis for the desire of consumer to have better security in their IoT devices and sets up a
potential model to both appease consumers wants and create incentive for IoT device
manufacturers to improve their security features. While somewhat limited in its model and
methodology, the work still provides a powerful insight for how companies will need to
The article itself was focused on measuring consumer desire for security in their IoT
devices. The researchers sought to estimate the Willingness to Pay of consumers, or maximum
amount a consumer will pay for a product, for varying levels of security in IoT devices to gauge
the demand of such security. Manufacturers of IoT devices often leave out basic measures of
security or leave them until the final stages of development, the study aimed to test if the
manufacturers perceived assumption that consumers are not willing to pay more for greater
security in their IoT products (Johnson, et al., 2020, p. 3). Along with this goal, they also sought
to test a method, which would not only communicate the perceived security of an IoT device to
the consumer but would create an incentive for the manufacturers to invest in the security for
their devices. (Johnson, et al., 2020, p. 3). Finally, they wanted to estimate the measure to
which consumers perceived varying levels of implied security meant that an IoT device was safe
To accomplish these goals, the researchers chose to use and test three different security
labeling systems to inform consumers of the level of security with a product. The labeling
systems were taken from existing and familiar labeling systems used on products for other
issues, such as energy usage and environmental friendliness. A color coded “A” to “G” labeling
system was created where “A” meant the most secure device and was coded in a green shade
and “G” was the least secure coded in a red shade, with the letters in between signifying the
different levels of security (Johnson, et al., 2020, p. 6). A simple “Seal of Approval” label was
used as a test for a binary label. Either a product would have the security seal of approval, or it
would not, but levels above and below what granted the seal of approval would not be
identified. The final labeling system was an “Information Label,” which contained specific icons
Paper Critique 3
representing specific security features such as regular updates, preventing 3 rd party sharing, and
other important security features included in the IoT product (Johnson, et al., 2020, p. 7).
The method used to gather the data to evaluate the points of research was a Discrete
Choice Experiment relying on a random sample survey of 3,000 participants. The survey asked
participants to make purchasing decisions with regards to two of four different types of IoT
devices including Smart TVs, Smart Security Cameras, Smart Watches, and a Smart Thermostat.
Each participant would also randomly have one of the potential labeling systems assigned to
them and would see a random number of products with or without labels in their decision-
making process. Prices on the product varied starting with a base price for “Standard” products
and increases of 10%, 20%, 30% and 40% for “Premium” products with additional features,
including security features (Johnson, et al., 2020, p. 6). Following the purchasing decision
portion of the survey, participants would then be asked to rate the effectiveness of the labeling
system they had been assigned to and to rate state their perceived likelihood that a product
The resulting data from the surveys was put into a mixed logit model to measure the
change in likelihood to purchase (Johnson, et al., 2020, p. 10). The steady found unsurprisingly,
that with all other factors holding equal, consumers would purchase a cheaper product. With
respect to any additional functionality, the study found “that participants were (on average) 12
times more likely to select a device with some sort of premium specification” (Johnson, et al, p.
11). With regards to security specifically, the study found that across all product and label
types, consumers were more likely to purchase a product with a higher security specification.
Paper Critique 4
The likelihood to purchase based off a positive security label was highest for the “Information
Label” system and lowest for the binary “Seal of Approval” system (Johnson, et al, p. 12). These
results were used to calculate an estimated Willingness to Pay for products that carried a
positive security label, which came out showing that consumers would be “willing to pay
between 27 – 63% (mean 40%) of what they were willing to pay for additional functionality”
(Johnson, et al., 2020, p. 13). As well, participants anticipated paying less for products with a
negative or no security label (Johnson, et al., 2020, p. 13). In measuring the perceived safety
implied by the labels, they found that participant perceived those devices with labels implying
the highest level of security still had a 40% chance of being hacked. The participants also
selected the label which had the greatest estimated impact on their decision to purchase, the
“Information Label”, as their most preferred labeling system (Johnson, et al., 2020, p. 15).
Based on these results the article concludes that it is currently difficult for consumers to assess
and differentiate the security levels of their IoT devices and that a labeling system would likely
alleviate this and allow for and incentivize manufacturers to take advantage of the consumers
additional willingness to pay for security in a mutual beneficial exchange. They suggest that
implementing such a labeling system will also help enhance the trust in IoT which is “key to its
Critique
The paper and its corresponding research contain a significant amount of valuable
insight into IoT device security, consumer expectations and manufacturer actions. These
insights can provide varying insights into our understanding of management information
systems especially with regards to how consumers preferences for IoT technology products and
Paper Critique 5
devices. Even with the many insights the article can provide, the research is not without its
strengths and weaknesses, many of which the authors themselves point out. Overall, though,
the article is strong and provides a good starting point in management information studies for
research on consumers perceptions and preferences in IoT security in their devices and
potential incentive creating for companies and manufacturers. Whether the researchers
continue to improve upon their existing work or others continue to build upon it with new
research, this paper has certainly laid a strong foundation for the study of these concepts.
The article and its underlying research have an abundance of strengths, which allow us
to take valuable insights from its work. The approach of the problem itself was very well
thought out, as the researchers do not simply set out with the singular goal of measuring
consumer preference for security in IoT devices based on a willingness to pay measure. They
instead look to approach and two additional questions. What type of labeling system would be
most effective at providing information about security levels to the consumer be? How secure
do consumers believe products with such labels to be (Johnson, et al., 2020, p. 5). Approaching
the study in this way provides additional insights over simply how much a consumer is willing to
pay for security by providing a potential preferred method to be implemented and a baseline
understanding of what consumers will perceive of it. This was also in the aim of designing a
system which would help to incentivize manufacturers to put more focus and emphasis on
security in their devices. The study was also very well designed especially the decision to use
and test three different labeling systems based off existing and commonly used labels (Johnson,
et al., 2020, p. 6-7). The implementation and construction of the survey was also done with a
considerable amount of detail and care to ensure the best possible results. Including extreme
Paper Critique 6
detail in the creation of random choice sets for the participant to choose from and anti-bias
training at the beginning of the survey to prevent participants from acting out of the norm
because they were only making hypothetical monetary decisions. Despite these strengths the
Like any well written and legitimate research article, the authors themselves list some of
the potential issues with their work. Despite the extensive effort they put into limiting bias due
to the hypothetical nature of the survey, the authors acknowledged the well-known facet of
research that stated preferences from a hypothetical scenario may differ from actual behaviors.
Often to alleviate this issue researchers will analyze existing real purchasing data to compare
the results, but in the case of this research there is no existing IoT security label system to get
real purchasing data on. The research also did not account for the social and cultural
acceptance and adoption of products. Different cultural or social backgrounds may have
differing perceptions of devices and may be more or less likely to adopt them. The researchers
suggest that this could mediate the impact of the labelling systems on consumer choices
(Johnson, et al., 2020, p. 17). Beyond these limitations pointed out by the researchers
themselves, the work also appeared to be held back in a few other ways. The choice of
products used in the survey was limited to Smart Tv’s, Smart Security Cameras, Smart
Thermostats, and Smart Watches (Johnson, et al., 2020, p. 13). These have varying levels of
personal information, with a Smart Thermostat likely carrying the least of the group. It would
be interesting to see how consumer preferences regarding security labeling for IoT devices
associated with more personal information such as Smart Phones, Smart Tablets, Camera
Portals, and many other devices. As well, while the study aims to test a system that would
Paper Critique 7
incentivize manufacturers to improve and focus on security in their products, this study only
tests the systems impact on consumer choices and consumers view of the systems. Prior
research does show that similar systems do incentivize manufacturers and companies to make
changes to achieve higher labeling status (Kuchler, et al, 2017). As such, this research can likely
take the incentivization of labeling system as an assumption, but it would be beneficial if there
were some ways to analyze and measure a potential impact of the response this would create
for the manufacturers of these IoT devices. While these are some places that the work is
lacking, it’s focus on the consumer preference side of security is certainly an asset to
Often when we think of IoT as it pertains to businesses, we can often think of the
technology and IoT devices, systems, and services that companies use to operate and improve
efficiency. As such, when we think of security, we often may be focused on the large amounts
of company data, which may include customer information, which needs to be secured from
IoT threats. We can’t forget that the link between technology, businesses and customers can
also come in the form of the IoT devices sold directly to the consumers themselves. Just as
companies are responsible for securing customer data in their personal databases, they should
hold a share of responsibility in protecting customers by ensuring the IoT devices they create
are safe and secure. The research in this paper highlights this view of management information
systems. It highlights the lack of investment in security by manufacturers of IoT products and
hopes to correct the assumption by such firms that customers do not have a willingness to pay
for their devices to be more secure (James, 2017). The results, ultimately prove this assumption
to be false, finding that consumers are in fact willing to pay for better more secure products
Paper Critique 8
(Johnson, et al., 2020, p. 17). This leaves open the room for further discussion and research on
the consumer side of IoT security and how IoT device manufacturers need to approach securing
their products, shifting focus away from the often-discussed big data security.
While the article provides good insight, results, and recommendations it is likely only a
steppingstone from any large implication in the realm of management information systems.
While the authors recommend the implementation of the very labeling system that they tested,
it is unlikely for this to happen anytime in the near future. Implementing such a system would
likely require the manufacturers to come together to establish some sort of standard and
implementation system, which on its own would take a considerable amount of time. It does
not appear that currently they feel incentivized to create such a system based on their
assumptions of consumer security preferences (Johnson, et al., 2020, p. 3). The second option
would be for the creation and implementation of such a system by the government, which
would also be a lengthy process with numerous hoops to jump through before being completed
(Boon, Alice, Lichtenstein, & Ellen, 2010). However, if a system were ever to be implemented, it
would provide for an immediate way to improve and build upon this study by allowing
researchers to analyze real purchasing data. Even without a true system to study, the paper
does present the idea of researching consumer preferences for security in their IoT devices and
research can likely be used as a steppingstone for further research into the consumer side of
IoT device security. Some companies may take notice of the work and seek to research the
potential competitive advantage they could create for themselves by focusing on improved
security in their products. While no official labeling system may be created, companies may also
Paper Critique 9
see the advantage of listing their products security measures and information on their product
listings and packaging to influence consumer choices. Another potential expansion of this study
may also be to see how consumer preferences are influenced by company package labeling vs
Despite sound research and solidifying results, it is unlikely that this article is about to
directly lead to the creation of a IoT device security labeling system as the authors
recommended. While thorough the paper still leaves more room for further study but by
providing evidence that the current standard assumption that consumers lack a willingness to
pay for security, it should attract further attention and research towards the topic. It seems
likely that the papers biggest impact will be having opened the door for growth and expansion
References
Baltzan, P., Phillips, A. L., Lynch, K., & Blakey, P. (2008). Business driven information systems. New
York: McGraw-Hill/Irwin.
Boon, C. S., Lichtenstein, A. H., & Wartella, E. A. (Eds.). (2010). Front-of-package nutrition rating
systems
James, M. (2017). Secure by Design: Improving the cyber security of consumer Internet of Things
Johnson, S. D., Blythe, J. M., Manning, M., & Wong, G. T. (2020). The impact of IoT security labelling on
Kuchler, F., Greene, C., Bowman, M., Marshall, K. K., Bovay, J., & Lynch, L. (2017). Federal Nutrition and
Organic Labels Paved the Way for Single-Trait Label Claims. Amber Waves, 1-10.