A recent survey presented at the 32nd USENIX Security Symposium examines the vulnerability that home smart devices are to cyberattacks and how U.S. consumers are willing to pay extra for those same smart devices to have labels specifying they are secure from those same cyberattacks. This survey was led by Duke University and holds the potential to help both scientists and the public better understand the risks associated with smart devices and steps that can be taken to address them. While the White House announced a plan in July 2023 for companies to voluntarily label their smart products based on specific cybersecurity requirements, some companies might not want to participate.
“Device manufacturers that do not care about security and privacy might decide not to disclose at all,” said Dr. Pardis Emami-Naeini, who is assistant professor of computer science at Duke, and lead author of the survey. “That’s not what we want.”
For the survey, the researchers conducted a two-phase online study with 180 participants who were asked to decide between two discounted smart speakers based on the level of security each product’s label provided. The offers were a $15 coupon for a smart speaker with automatic security updates or a $35 coupon for a smart speaker with zero security updates. In the end, the participants indicated they favored the $15 coupon for the smart speaker with automatic security updates, meaning they were prepared to spend $20 more, or 57%, for devices whose labels indicated safeguards against potential cyberattacks.
Additionally, the participants were also asked to decide whether they preferred a device with a label specifying the potential security risks and no label at all, and the researchers found the participants preferred the devices with no label.
“Consumers are willing to pay significant premiums to have security and privacy labels,” said Dr. Emami-Naeini. “However, consumers aren’t as skeptical as we might hope when information is withheld from them.”
Dr. Pardis Emami-Naeini, who is assistant professor of computer science at Duke, and lead author of the survey. (Credit: Duke University)
The respondents noted that the lack of information from having no labels gave them the assumption that the product’s riskiness was acceptable, and possibly even the same level of risk, as similar models currently available.
This is where Dr. Emami-Naeini notes that companies could take advantage of these assumptions by not labeling products with valuable information that they’d rather keep from the consumers, which the study highlights come from the voluntary aspect of labeling products.
“We recommend having a mandatory security and privacy label,” said Dr. Emami-Naeini.
What new discoveries will researchers make about smart devices and their proper labels in the coming years and decades? Only time will tell, and this is why we science!
As always, keep doing science & keep looking up!
Sources: 32nd USENIX Security Symposium, EurekAlert!, The White House, Duke Today