Paper Critique 1

Summary

The Internet of Things (IOT) has been constantly growing and expanding throughout the

21st century. There is nearly a “Smart” version or internet connected version of every common

appliance and accessory commonly used in modern day. These devices can make our life much

more convenient and engaging but there is a major trade off that comes with constantly being

connected to the IoT on multiple devices. IoT devices are often exposed to security risks which

can lead to data and information leakage, which could be detrimental to the users of such

devices (Baltzan, Phillips, Lynch, & Blakey, 2008, p. 66). The security threats facing IoT devices

are of concern to both companies and individual consumers using them but has not always

been a top priority for the manufacturers of such products with many products currently on

market lacking basic security features (Johnson, Blythe, Manning, & Wong, 2020, p. 2). This

highlights the multiple sides facing the security issues of IoT devices, the consumer, and the

manufacturer. In “The Impact of IoT Security Labelling on Consumer Product Choices and

Willingness to Pay” the authors set out to measure the consumer side of this issue. Their work

sets a basis for the desire of consumer to have better security in their IoT devices and sets up a

potential model to both appease consumers wants and create incentive for IoT device

manufacturers to improve their security features. While somewhat limited in its model and

methodology, the work still provides a powerful insight for how companies will need to

consider consumer preferences for security in their products moving forward.

Paper Critique 2

The article itself was focused on measuring consumer desire for security in their IoT

devices. The researchers sought to estimate the Willingness to Pay of consumers, or maximum

amount a consumer will pay for a product, for varying levels of security in IoT devices to gauge

the demand of such security. Manufacturers of IoT devices often leave out basic measures of

security or leave them until the final stages of development, the study aimed to test if the

manufacturers perceived assumption that consumers are not willing to pay more for greater

security in their IoT products (Johnson, et al., 2020, p. 3). Along with this goal, they also sought

to test a method, which would not only communicate the perceived security of an IoT device to

the consumer but would create an incentive for the manufacturers to invest in the security for

their devices. (Johnson, et al., 2020, p. 3). Finally, they wanted to estimate the measure to

which consumers perceived varying levels of implied security meant that an IoT device was safe

from hacking (Johnson, et al., 2020, p. 4).

To accomplish these goals, the researchers chose to use and test three different security

labeling systems to inform consumers of the level of security with a product. The labeling

systems were taken from existing and familiar labeling systems used on products for other

issues, such as energy usage and environmental friendliness. A color coded “A” to “G” labeling

system was created where “A” meant the most secure device and was coded in a green shade

and “G” was the least secure coded in a red shade, with the letters in between signifying the

different levels of security (Johnson, et al., 2020, p. 6). A simple “Seal of Approval” label was

used as a test for a binary label. Either a product would have the security seal of approval, or it

would not, but levels above and below what granted the seal of approval would not be

identified. The final labeling system was an “Information Label,” which contained specific icons
Paper Critique 3

representing specific security features such as regular updates, preventing 3 rd party sharing, and

other important security features included in the IoT product (Johnson, et al., 2020, p. 7).

The method used to gather the data to evaluate the points of research was a Discrete

Choice Experiment relying on a random sample survey of 3,000 participants. The survey asked

participants to make purchasing decisions with regards to two of four different types of IoT

devices including Smart TVs, Smart Security Cameras, Smart Watches, and a Smart Thermostat.

Each participant would also randomly have one of the potential labeling systems assigned to

them and would see a random number of products with or without labels in their decision-

making process. Prices on the product varied starting with a base price for “Standard” products

and increases of 10%, 20%, 30% and 40% for “Premium” products with additional features,

including security features (Johnson, et al., 2020, p. 6). Following the purchasing decision

portion of the survey, participants would then be asked to rate the effectiveness of the labeling

system they had been assigned to and to rate state their perceived likelihood that a product

carrying a label could be hacked (Johnson, et al., 2020, p. 8).

The resulting data from the surveys was put into a mixed logit model to measure the

effects of varying factors on the consumers purchasing decisions in terms of a percentage

change in likelihood to purchase (Johnson, et al., 2020, p. 10). The steady found unsurprisingly,

that with all other factors holding equal, consumers would purchase a cheaper product. With

respect to any additional functionality, the study found “that participants were (on average) 12

times more likely to select a device with some sort of premium specification” (Johnson, et al, p.

11). With regards to security specifically, the study found that across all product and label

types, consumers were more likely to purchase a product with a higher security specification.
Paper Critique 4

The likelihood to purchase based off a positive security label was highest for the “Information

Label” system and lowest for the binary “Seal of Approval” system (Johnson, et al, p. 12). These

results were used to calculate an estimated Willingness to Pay for products that carried a

positive security label, which came out showing that consumers would be “willing to pay

between 27 – 63% (mean 40%) of what they were willing to pay for additional functionality”

(Johnson, et al., 2020, p. 13). As well, participants anticipated paying less for products with a

negative or no security label (Johnson, et al., 2020, p. 13). In measuring the perceived safety

implied by the labels, they found that participant perceived those devices with labels implying

the highest level of security still had a 40% chance of being hacked. The participants also

selected the label which had the greatest estimated impact on their decision to purchase, the

“Information Label”, as their most preferred labeling system (Johnson, et al., 2020, p. 15).

Based on these results the article concludes that it is currently difficult for consumers to assess

and differentiate the security levels of their IoT devices and that a labeling system would likely

alleviate this and allow for and incentivize manufacturers to take advantage of the consumers

additional willingness to pay for security in a mutual beneficial exchange. They suggest that

implementing such a labeling system will also help enhance the trust in IoT which is “key to its

adoption “(Johnson, et al., 2020, p. 17).

Critique

The paper and its corresponding research contain a significant amount of valuable

insight into IoT device security, consumer expectations and manufacturer actions. These

insights can provide varying insights into our understanding of management information

systems especially with regards to how consumers preferences for IoT technology products and
Paper Critique 5

devices. Even with the many insights the article can provide, the research is not without its

strengths and weaknesses, many of which the authors themselves point out. Overall, though,

the article is strong and provides a good starting point in management information studies for

research on consumers perceptions and preferences in IoT security in their devices and

potential incentive creating for companies and manufacturers. Whether the researchers

continue to improve upon their existing work or others continue to build upon it with new

research, this paper has certainly laid a strong foundation for the study of these concepts.

The article and its underlying research have an abundance of strengths, which allow us

to take valuable insights from its work. The approach of the problem itself was very well

thought out, as the researchers do not simply set out with the singular goal of measuring

consumer preference for security in IoT devices based on a willingness to pay measure. They

instead look to approach and two additional questions. What type of labeling system would be

most effective at providing information about security levels to the consumer be? How secure

do consumers believe products with such labels to be (Johnson, et al., 2020, p. 5). Approaching

the study in this way provides additional insights over simply how much a consumer is willing to

pay for security by providing a potential preferred method to be implemented and a baseline

understanding of what consumers will perceive of it. This was also in the aim of designing a

system which would help to incentivize manufacturers to put more focus and emphasis on

security in their devices. The study was also very well designed especially the decision to use

and test three different labeling systems based off existing and commonly used labels (Johnson,

et al., 2020, p. 6-7). The implementation and construction of the survey was also done with a

considerable amount of detail and care to ensure the best possible results. Including extreme
Paper Critique 6

detail in the creation of random choice sets for the participant to choose from and anti-bias

training at the beginning of the survey to prevent participants from acting out of the norm

because they were only making hypothetical monetary decisions. Despite these strengths the

article and its underlying research are not without flaws.

Like any well written and legitimate research article, the authors themselves list some of

the potential issues with their work. Despite the extensive effort they put into limiting bias due

to the hypothetical nature of the survey, the authors acknowledged the well-known facet of

research that stated preferences from a hypothetical scenario may differ from actual behaviors.

Often to alleviate this issue researchers will analyze existing real purchasing data to compare

the results, but in the case of this research there is no existing IoT security label system to get

real purchasing data on. The research also did not account for the social and cultural

acceptance and adoption of products. Different cultural or social backgrounds may have

differing perceptions of devices and may be more or less likely to adopt them. The researchers

suggest that this could mediate the impact of the labelling systems on consumer choices

(Johnson, et al., 2020, p. 17). Beyond these limitations pointed out by the researchers

themselves, the work also appeared to be held back in a few other ways. The choice of

products used in the survey was limited to Smart Tv’s, Smart Security Cameras, Smart

Thermostats, and Smart Watches (Johnson, et al., 2020, p. 13). These have varying levels of

personal information, with a Smart Thermostat likely carrying the least of the group. It would

be interesting to see how consumer preferences regarding security labeling for IoT devices

associated with more personal information such as Smart Phones, Smart Tablets, Camera

Portals, and many other devices. As well, while the study aims to test a system that would
Paper Critique 7

incentivize manufacturers to improve and focus on security in their products, this study only

tests the systems impact on consumer choices and consumers view of the systems. Prior

research does show that similar systems do incentivize manufacturers and companies to make

changes to achieve higher labeling status (Kuchler, et al, 2017). As such, this research can likely

take the incentivization of labeling system as an assumption, but it would be beneficial if there

were some ways to analyze and measure a potential impact of the response this would create

for the manufacturers of these IoT devices. While these are some places that the work is

lacking, it’s focus on the consumer preference side of security is certainly an asset to

management information systems.

Often when we think of IoT as it pertains to businesses, we can often think of the

technology and IoT devices, systems, and services that companies use to operate and improve

efficiency. As such, when we think of security, we often may be focused on the large amounts

of company data, which may include customer information, which needs to be secured from

IoT threats. We can’t forget that the link between technology, businesses and customers can

also come in the form of the IoT devices sold directly to the consumers themselves. Just as

companies are responsible for securing customer data in their personal databases, they should

hold a share of responsibility in protecting customers by ensuring the IoT devices they create

are safe and secure. The research in this paper highlights this view of management information

systems. It highlights the lack of investment in security by manufacturers of IoT products and

hopes to correct the assumption by such firms that customers do not have a willingness to pay

for their devices to be more secure (James, 2017). The results, ultimately prove this assumption

to be false, finding that consumers are in fact willing to pay for better more secure products
Paper Critique 8

(Johnson, et al., 2020, p. 17). This leaves open the room for further discussion and research on

the consumer side of IoT security and how IoT device manufacturers need to approach securing

their products, shifting focus away from the often-discussed big data security.

While the article provides good insight, results, and recommendations it is likely only a

steppingstone from any large implication in the realm of management information systems.

While the authors recommend the implementation of the very labeling system that they tested,

it is unlikely for this to happen anytime in the near future. Implementing such a system would

likely require the manufacturers to come together to establish some sort of standard and

implementation system, which on its own would take a considerable amount of time. It does

not appear that currently they feel incentivized to create such a system based on their

assumptions of consumer security preferences (Johnson, et al., 2020, p. 3). The second option

would be for the creation and implementation of such a system by the government, which

would also be a lengthy process with numerous hoops to jump through before being completed

(Boon, Alice, Lichtenstein, & Ellen, 2010). However, if a system were ever to be implemented, it

would provide for an immediate way to improve and build upon this study by allowing

researchers to analyze real purchasing data. Even without a true system to study, the paper

does present the idea of researching consumer preferences for security in their IoT devices and

provides a template methodology to be used in future research. As originally stated, this

research can likely be used as a steppingstone for further research into the consumer side of

IoT device security. Some companies may take notice of the work and seek to research the

potential competitive advantage they could create for themselves by focusing on improved

security in their products. While no official labeling system may be created, companies may also
Paper Critique 9

see the advantage of listing their products security measures and information on their product

listings and packaging to influence consumer choices. Another potential expansion of this study

may also be to see how consumer preferences are influenced by company package labeling vs

and official standard labeling system.

Despite sound research and solidifying results, it is unlikely that this article is about to

directly lead to the creation of a IoT device security labeling system as the authors

recommended. While thorough the paper still leaves more room for further study but by

providing evidence that the current standard assumption that consumers lack a willingness to

pay for security, it should attract further attention and research towards the topic. It seems

likely that the papers biggest impact will be having opened the door for growth and expansion

in researching the consumer preferences of IoT device security.

Paper Critique 10

References

Baltzan, P., Phillips, A. L., Lynch, K., & Blakey, P. (2008). Business driven information systems. New

York: McGraw-Hill/Irwin.

Boon, C. S., Lichtenstein, A. H., & Wartella, E. A. (Eds.). (2010). Front-of-package nutrition rating

systems

and symbols: Phase I report. National Academies Press.

James, M. (2017). Secure by Design: Improving the cyber security of consumer Internet of Things

Report. Department for Digital, Culture Media & Sport: London, UK.

Johnson, S. D., Blythe, J. M., Manning, M., & Wong, G. T. (2020). The impact of IoT security labelling on

consumer product choice and willingness to pay. PloS one, 15(1), e0227800.

Kuchler, F., Greene, C., Bowman, M., Marshall, K. K., Bovay, J., & Lynch, L. (2017). Federal Nutrition and

Organic Labels Paved the Way for Single-Trait Label Claims. Amber Waves, 1-10.