Internet Service Providers' and Individuals' Attitudes, Barriers, and Incentives to Secure IoT

TL;DR

This study explores the attitudes, barriers, and incentives of ISPs and individuals in Japan regarding IoT security, highlighting the need for coordinated efforts and external support to improve IoT device security.

Contribution

It provides a comprehensive, stakeholder-inclusive analysis of IoT security challenges and incentives, supported by multi-method research involving surveys, workshops, and interviews.

Findings

Individuals desire government regulation and ISP filtering interventions.

Participants are willing to pay for better IoT monitoring and security.

ISPs face technological, organizational, and recognition barriers.

Abstract

Internet Service Providers (ISPs) and individual users of Internet of Things (IoT) play a vital role in securing IoT. However, encouraging them to do so is hard. Our study investigates ISPs' and individuals' attitudes towards the security of IoT, the obstacles they face, and their incentives to keep IoT secure, drawing evidence from Japan. Due to the complex interactions of the stakeholders, we follow an iterative methodology where we present issues and potential solutions to our stakeholders in turn. For ISPs, we survey 27 ISPs in Japan, followed by a workshop with representatives from government and 5 ISPs. Based on the findings from this, we conduct semi-structured interviews with 20 participants followed by a more quantitative survey with 328 participants. We review these results in a second workshop with representatives from government and 7 ISPs. The appreciation of challenges by each party has lead to findings that are supported by all stakeholders. Securing IoT devices is neither users' nor ISPs' priority. Individuals are keen on more interventions both from the government as part of regulation and from ISPs in terms of filtering malicious traffic. Participants are willing to pay for enhanced monitoring and filtering. While ISPs do want to help users, there appears to be a lack of effective technology to aid them. ISPs would like to see more public recognition for their efforts, but internally they struggle with executive buy-in and effective means to communicate with their customers. The majority of barriers and incentives are external to ISPs and individuals, demonstrating the complexity of keeping IoT secure and emphasizing the need for relevant stakeholders in the IoT ecosystem to work in tandem.