'They're all about pushing the products and shiny things rather than fundamental security' Mapping Socio-technical Challenges in Securing the Smart Home

TL;DR

This paper explores the socio-technical challenges in securing smart home IoT devices, highlighting barriers faced by vendors and discussing policy implications to improve usability and security.

Contribution

It identifies technical, legal, and organizational barriers to making IoT security usable for end-users and discusses policy recommendations based on expert interviews.

Findings

Technical, legal, and organizational barriers identified

Expert interviews reveal key challenges in IoT security support

Policy implications discussed for improving IoT security

Abstract

Insecure connected devices can cause serious threats not just to smart home owners, but also the underlying infrastructural network as well. There has been increasing academic and regulatory interest in addressing cybersecurity risks from both the standpoint of Internet of Things (IoT) vendors and that of end-users. In addition to the current data protection and network security legal frameworks, for example, the UK government has initiated the 'Secure by Design' campaign. While there has been work on how organisations and individuals manage their own cybersecurity risks, it remains unclear to what extent IoT vendors are supporting end-users to perform day-to-day management of such risks in a usable way, and what is stopping the vendors from improving such support. We interviewed 13 experts in the field of IoT and identified three main categories of barriers to making IoT products usably secure: technical, legal and organisational. In this paper we further discuss the policymaking implications of these findings and make some recommendations.