ArticlePDF Available

What is security worth to consumers? Investigating willingness to pay for secure Internet of Things devices

Authors:

Abstract and Figures

Abstract The Internet of Things (IoT) is considered the next technological revolution. IoT devices include once everyday objects that are now internet connected, such as smart locks and smart fridges, but also new types of devices to include home assistants. However, while this increased interconnectivity brings considerable benefits, it can and does increase people’s exposure to crime risk. This is particularly the case as most devices are developed without security in mind. One reason for this is that there is little incentive for manufacturers to make devices secure by design, and the costs of so doing do not encourage it. The principle aim of the current paper was to estimate the extent to which consumers are willing to pay for improved security in internet connected products. The second aim was to examine whether this is conditioned by their exposure to security-related information. Using an experimental design, and a contingent valuation method, we find that people are willing to pay for improved security and that for some devices, this increases if they are exposed to information about security prior to stating their willingness to pay. The implications of our findings for industry and the secure by design agenda are discussed.
This content is subject to copyright. Terms and conditions apply.
Blytheetal. Crime Sci (2020) 9:1
https://doi.org/10.1186/s40163-019-0110-3
RESEARCH
What issecurity worthtoconsumers?
Investigating willingness topay forsecure
Internet ofThings devices
John M. Blythe1, Shane D. Johnson1* and Matthew Manning2
Abstract
The Internet of Things (IoT) is considered the next technological revolution. IoT devices include once everyday
objects that are now internet connected, such as smart locks and smart fridges, but also new types of devices to
include home assistants. However, while this increased interconnectivity brings considerable benefits, it can and does
increase people’s exposure to crime risk. This is particularly the case as most devices are developed without security
in mind. One reason for this is that there is little incentive for manufacturers to make devices secure by design, and
the costs of so doing do not encourage it. The principle aim of the current paper was to estimate the extent to which
consumers are willing to pay for improved security in internet connected products. The second aim was to examine
whether this is conditioned by their exposure to security-related information. Using an experimental design, and a
contingent valuation method, we find that people are willing to pay for improved security and that for some devices,
this increases if they are exposed to information about security prior to stating their willingness to pay. The implica-
tions of our findings for industry and the secure by design agenda are discussed.
Keywords: Internet of Things, Security, Willingness to pay, Priming
© The Author(s) 2020. This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing,
adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and
the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material
in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material
is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the
permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creat iveco
mmons .org/licen ses/by/4.0/. The Creative Commons Public Domain Dedication waiver (http://creat iveco mmons .org/publi cdoma in/
zero/1.0/) applies to the data made available in this article, unless otherwise stated in a credit line to the data.
Introduction
e internet has transformed society, generating new
opportunities for social interaction, business opportuni-
ties, and communication. Recently, manufacturers have
taken advantage of the interconnectivity that the inter-
net facilitates to produce electronic products that can
send and receive data over the internet, and be controlled
remotely. Such devices are collectively known as the
Internet of ings (IoT) and include internet connected
security cameras, thermostats, toys, and even fridges.
Like the internet itself, such devices have the potential
to improve our lives in a variety of ways. For instance,
internet connected security cameras allow us to monitor
our homes remotely, making them more secure. Internet
connected thermostats allow us to control the tempera-
ture of our homes from anywhere on the planet, having
the potential to conserve energy as well as increasing
our comfort. e IoT is increasing in ubiquity and Wrap
(2016) estimate that by 2020, the average UK household
will have around 15 internet connected products.
While this increased interconnectivity brings consid-
erable benefits, it can also increase our exposure to risk
and opportunities for crime. In recent years, academics,
policy makers and industry have taken a growing interest
in the security of the consumer IoT (DCMS 2018). e
primary reason for this is that these devices are typically
shipped with inadequate security features and place the
burden for securing them onto the consumer. In fact,
studies have demonstrated that seven out of the ten most
popular IoT devices have security vulnerabilities (Hewlett
Packard Enterprise 2015) and that there are up to forty-
three behaviours expected of consumers to protect these
IoT devices across their lifecycle (Blythe etal. 2017).
Open Access
Crime Science
*Correspondence: Shane.johnson@ucl.ac.uk
1 Dawes Centre for Future Crime at UCL, University College London,
London, UK
Full list of author information is available at the end of the article
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 2 of 9
Blytheetal. Crime Sci (2020) 9:1
More generally, the concerns noted above are well-
founded as this kind of scenario has played out many
times before. As Pease (1997) points out, market inno-
vations—such as products and services—are generally
introduced without those who manufacture or pro-
vide them giving due consideration to their crime and
security implications (see also, Ekblom 1997). Unfor-
tunately, these vulnerabilities are considered by those
who might exploit them, which can lead to a “crime
harvest”. Examples of crime harvests include vehicle
theft in the 1980s and 1990s (e.g. Laycock 2004) and
mobile phone theft in the 1990s and 2010s (see, White-
head and Farrell 2008). While these vulnerabilities may
subsequently be addressed, victims will have already
suffered the consequences of them before retrofitted
(and possibly partial) solutions are implemented.
In the case of the IoT, reports of misuse have already
begun to emerge. For example, devices without ade-
quate security have been misused to launch attacks
(discussed in more detail below) against major online
services such as Netflix and Twitter (BBC News 2017)
and have the potential to leak information regarding
users’ activities and habits. Furthermore, consumer
safety is at risk as critical household services (such as
heating, home security) can be (and are increasingly)
Internet connected and thus, vulnerable to potential
exploitation. Purchasing devices with greater security
features will reduce consumers susceptibility to online
risk, but there is a cost to manufacturing secure devices
and no existing studies have evaluated empirically
whether consumers are willing to pay for this. Given
the associated costs, and an absence of legislation, at
present manufacturers have little incentive to secure
their products, which perhaps explains why many have
been found to be insecure. Arguably, manufactur-
ers will be less likely to produce secure devices unless
they are required to do so, or they perceive a demand
in the market. In this paper, we investigate the extent
to which consumers care about security by estimating
the extent to which: (i) they are willing to pay for the
security of consumer IoT devices; (ii) their willingness
to pay (WTP) is influenced by the level of improvement
in security offered; and (iii) their WTP is influenced by
exposure to security-related information. e rest of
this paper is organised as follows. In the next section,
we briefly review what is currently known about the
security of the IoT, barriers to improving it, and exist-
ing research on consumers’ WTP for online security.
We then describe the methodology employed to esti-
mate consumer WTP for security in the context of the
IoT and present our findings. We conclude with a dis-
cussion of our results, their implications for the secu-
rity of the IoT, and suggestions for further research.
Crime andthesecurity oftheIoT
Presently, one in ten adults are victims of cybercrime
(Office for National Statistics 2017), a figure that is
expected to rise as more products and services become
Internet connected and criminals exploit the opportuni-
ties afforded by greater connectivity. Indeed, a range of
consumer IoT devices have been shown to have vulner-
abilities including smart toys, which allow attackers to
eavesdrop on children’s conversations (Which? 2017),
smart locks which allow unauthorised access to people’s
homes (Ho etal. 2016), and smart TVs which are open
to the potential spreading of misinformation (Bachy
etal. 2015). Cyber criminals can exploit the vulnerabili-
ties in these (and other) IoT devices to access, damage
and destroy consumer data and hardware, and facilitate
cybercrimes. e potential crimes that may be commit-
ted from consumer IoT are far ranging, with horizon
scanning research with experts identifying crimes includ-
ing blackmail, sex crimes and terrorism, to name a few
(Tzezana 2016; for a systematic review, see Blythe and
Johnson 2019).
Some of these may be crimes of the future but the IoT
is already being exploited for malicious purposes. In
2016, the Mirai malware exploited Internet connected IP
cameras and home routers by targeting devices that used
default login credentials and infected them with the mal-
ware. ese infected devices were then combined to form
a ‘botnet’—a network of compromised devices—and used
to launch Distributed Denial of Service (DDoS) attacks
against online services and other connected devices
(BBC News 2017). In simple terms, DDoS attacks involve
sending more requests to a server than it can cope with,
rendering it inoperable. What made Mirai particularly
interesting is that it was the first known example of con-
sumer IoT devices being used in strategic attacks to cause
disruption to online services. In 2017, “Reaper”, an evo-
lution of Mirai was discovered (TrendMicro 2018). is
version uses known and available exploits to compro-
mise devices instead of guessing their passwords. Whilst
Reaper has not been used in any major attacks, it dem-
onstrates how devices can be exploited by cybercriminals
through the lack of adequate security in consumer IoT
devices, and how quickly these attacks can evolve.
In response, there has been a recent push by govern-
ments and security experts to motivate manufacturers to
build security into products at the point of manufacture
(DCMS, 2018; Schneier, 2017). In the past, such appeals
(see Karmen 1981)—which speak to issues of corporate
responsibility—have been made in relation to automo-
biles and other products (Whitebread and Farrell 2008)
and have in some cases been successful (e.g. Laycock
2004). However, providing greater security in devices can
be a barrier to market for manufacturers as the incentive
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 3 of 9
Blytheetal. Crime Sci (2020) 9:1
for being first to market is a key motivation, as well as, the
cost-effectiveness of using existing software and delaying
security until the final stages of product development
(Sadler 2017). Furthermore, security is not considered
a market differentiator as consumers do not currently
prioritise security over the functionality and features of
a product, and do not discriminate between good and
bad security at the point of purchase (DCMS 2018). One
reason for this is that existing well-documented IoT risks
such as DDoS attacks impact upon third parties rather
than the owners of IoT devices (Schneier 2017). How-
ever, at present there is little opportunity for consum-
ers to consistently choose the most secure products as
the security of devices is hard to discern based on the
information provided to consumers (Blythe etal. 2019).
Understanding the purchasing behaviour of consumers
may therefore be key to incentivising manufacturers to
take security more seriously.
Interestingly, consumers purchasing of IoT devices is
not consistent with their attitudes and concerns towards
the security and privacy of consumer IoT devices.
Research has shown that 90% of consumers are wor-
ried about how their data is kept secure and the associ-
ated crime risks that may arise from this insecurity (e
Economist Intelligence Unit 2018). Other research sug-
gests that only 9% of consumers trust that their data is
secure in the IoT, but 42% are not willing to disconnect
due to the value afforded by it (Cisco 2017). is gap in
attitude and behaviour is known as the privacy paradox—
that people have concerns about their privacy but do lit-
tle to protect it (Acquisti etal. 2015). Whilst consumers
have a stated preference for greater security and privacy
and such concerns are a well-documented barrier to IoT
adoption (Accenture 2016; Bullguard 2016), at present it
is difficult for consumers to differentiate between prod-
ucts that are more and less secure, and there is a lack of
research on whether consumers are actually willing to
pay for greater security in consumer IoT devices. Absent
consumer demand, as discussed above, there is currently
little to incentivise manufacturers to improve the secu-
rity of the IoT devices they produce. As such, evidence
concerning consumers WTP for improved security in the
context of the IoT is clearly important and may provide
that incentive, either alone or in conjunction with other
market “levers”.
WTP denotes the maximum amount of money a con-
sumer is willing to pay to acquire a product or service
(Kalish and Nelson 1991). WTP is a useful measure as
it can inform future policies, tactical pricing, the devel-
opment of new products (and services) and customer
segmentation. In the security context, WTP allows
researchers to estimate the highest price a consumer
would be willing to pay for a product, service, or in the
current context, greater inbuilt security or security ser-
vices. Such information is useful for understanding what
form or level of (government) intervention is needed
to leverage manufacturers to take security more seri-
ously. Previous research has shown that consumers are
willing to pay to reduce crime in general (Cohen etal.
2004) and to improve online security in particular. For
example, with respect to the latter, Nguyen etal. (2017)
found users were willing to pay between $9 and $11 per
month extra, as well as wait between 8 and 9 additional
minutes, and forgo access to 21–29 per 100 emails, in
exchange for more effective phishing detection that
reduces the amount of spam and phishing emails they
receive. Rowe and Wood (2013) explored whether con-
sumers would pay for greater security provisions afforded
by their Internet Service Provider to reduce their sus-
ceptibility to risks including identity theft and computer
crashes. ey found that on average they were willing
to pay approximately $7.24/month for greater security,
representing a 16% increase on average US Internet bills.
is research suggests that consumers are willing to pay
for greater security, however to our knowledge, this has
not been assessed in the context of IoT devices. As WTP
is a potential barrier to the Secure by Design agenda as it
relates to consumer IoT, this is clearly an important issue.
In comparison to paying for security for comput-
ers, consumers may be less likely to pay for additional
security for once everyday objects such as thermostats
and watches that conventionally were not susceptible
to online risks. Conversely, for IoT products that are
linked to physical security (such as security cameras) or
to safety critical services (such as thermostats), consum-
ers may be willing to pay more. Research has shown that
WTP judgements are context sensitive (Bettman et al.
1988) and therefore, in the current case, may differ by the
class of IoT device concerned. e current study seeks to
explore these issues by assessing WTP across a range of
IoT devices.
Additionally, human behaviour is known to be influ-
enced by environmental cues which can be manipulated
(for example) through “priming”. Priming is considered
a largely unconscious process in which cues (such as
colour, sensations and presence of positive or negative
imagery) influence behaviour (Dolan 2010). In cyber-
security, research has shown that red (warning) and
green (safe) colour primes in Wi-Fi selection leads users
to choose more secure Wi-Fi networks (Turland et al.
2015). Priming individuals to expect phishing emails also
increases their phishing detection (Parsons et al. 2015).
Finally, research indicates that priming can reduce per-
sonal information disclosure (Acquisti etal. 2012; Grazi-
oli 2004), although this finding is not always consistent
(Junger et al. 2017). Understanding the role of priming
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 4 of 9
Blytheetal. Crime Sci (2020) 9:1
at the point of purchase is important as it may lead indi-
viduals to be more willing to pay for more secure devices.
As well as assessing consumer’s WTP, we seek to explore
whether this can be influenced by priming them with a
security-related task.
e research described here was conducted as part of
a larger study aimed at understanding consumer security
and privacy preferences for different IoT products (see
Blythe and Johnson 2018). e aims of the current paper
are to address the following research questions. First, to
what extent are consumers willing to pay for the secu-
rity of different Internet connected products? Second,
is WTP influenced by the percentage improvement in
security afforded and third, is WTP influenced by expo-
sure to security-related information? To test the hypoth-
eses, we use data collected through an online survey that
examined (amongst other things) consumers’ WTP for
improved security in IoT devices.
Method
Design
We examined participant’s WTP for five different con-
sumer IoT products, as follows: a Smart ermostat, a
Wi-Fi Router, a Smart Watch, a Smart TV and a Smart
Security Camera. ese particular types of IoT devices
were selected for the following reasons. First, they are
already commonly purchased. Second, they vary in terms
of the types and sensitivity of data they collect and, if
intercepted, might reveal about a person. And, third,
because they vary in terms of the extent to which they are
connected to actuators that can affect the environment.
To examine people’s willingness to pay for security, we
would ideally analyse their “revealed preferences” using
data on actual sales. However, for scenarios that concern
hypothetical (or future) situations, such as the one exam-
ined here, such data simply do not exist. Consequently,
we employed a stated preference WTP measure, specifi-
cally contingent valuation. is approach is commonly
used in studies of WTP (see, Cohen et al. 2004; Kling
et al. 2012) and involves asking participants what they
would be willing to pay for a particular good or service.
e specific measure used here was adapted from Rowe
et al. (2013), who asked organizations how much they
would be willing to pay to improve the security effec-
tiveness of their Information Technology systems by
10%. We modified the percentage improvement to either
50% or 90%. is allowed us to assess whether percent-
age improvement played a role in consumers’ WTP esti-
mates. We also tailored the security incidents discussed
in the framing of the question to the IoT context in line
with known consequences associated with breaches in
IoT security (Schneier 2017). e cost of the products
used was derived from the average cost of the ten most
commonly sold products across four online UK retailers
and was specific to the IoT product (Smart ermostat
(£180), Wi-Fi Router (£40), Smart Watch (£230), Smart
TV (£500) and Smart Security Camera (£160).
An example instruction given to participants was as
follows:
“If you were buying a Smart Watch which costs
around £230, how much more would you be willing
to pay for a 50% improvement in the security built
into the product, as measured by the number of
incidents (e.g. loss of your personal data, disruption
to the functioning of your product, viruses on your
product) you experience each year? Please answer
numerically in pound sterling (£): _____________”
Finally, participants were either asked to complete the
WTP task before or after they completed another task
(discussed below) that required them to think about
security. In summary, we used a 5 (Type of IoT prod-
uct: Smart ermostat, Wi-Fi Router, Smart Watch,
Smart TV and Smart Security Camera) × 2 (Percentage
improvement in security afforded: 50%, 90%) × 2 (exp o-
sure to security-related task: pre, post) between-subjects
design yielding 20 experimental conditions.
Participants
Participants were recruited from the online panel com-
pany “prolific.ac” and awarded £0.95 as reimburse-
ment. ey were eligible to take part if they: (i) were
aged 18 years; and (ii) lived in the UK. 971 UK par-
ticipants (484 female and 485 male) with a mean age of
40years (SD = 16, range 18–85) took part.
In terms of education, 2% had no formal qualifica-
tions, 17% had secondary education (GCSE/O-levels or
similar), 20% had post-secondary education or equiva-
lent (e.g. A levels/High school diploma or similar), 12%
had vocational qualifications or equivalent (e.g. Diploma
or similar), 30% had an undergraduate degree (BA, BSc
etc.), 15% had a master’s degree (MA, MSc etc.) and 4%
had a doctorate (PhD, MD).
Procedure
Before commencement of this study, full ethical approval
was received from the Department for Security and
Crime Science at University College London. All par-
ticipants were recruited to the study via a link listed on
the prolific platform where they were notified that they
would receive a flat rate of £0.95 for participation in the
study. Participants were first provided with information
about the study and asked to provide consent to take
part. ey were then randomly allocated to one of the 20
conditions.
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 5 of 9
Blytheetal. Crime Sci (2020) 9:1
Participants were asked about their WTP for increased
security for one IoT device, either before or after com-
pleting a task concerned with device security. For the
security task, participants were provided with informa-
tion about (existing) consumer labelling schemes they
may be familiar with such as the traffic light system used
for food products, and the energy efficiency labels used
for electronic devices (see Blythe and Johnson 2018).
ey were then informed that we were interested in
developing a similar label for Internet connected prod-
ucts based on what is important to consumers. Par-
ticipants were asked to rank-order 17 attributes (e.g.
whether software updates are automatic or not, the sup-
port period of the device, whether default passwords are
used) in terms of what information they would like such
a label to communicate to them prior to making pur-
chasing decisions. For this and the WTP task, they were
asked to do this for one particular product and were pro-
vided with a short description alongside that item. We
chose not to explain the risks or benefits associated with
each feature so as not to influence participant responses.
e survey concluded with questions concerning par-
ticipants’ demographics (e.g. age, gender) and debriefing
information.
Results
e aggregate mean WTP values are shown in Table1.
e mean values are significantly greater than zero in all
cases. With the exception of Smart TVs, those who were
asked about their WTP before completing the security
rating task reported a lower WTP than those who were
asked about their WTP after completing it. Overall, the
raw mean WTP value was highest for the Smart Watch,
followed by the Smart TV, Security Camera, ermostat
and Wi-Fi Router. In relative terms, however, participants
were willing to pay the most for better security in Wi-Fi
Routers (62.5% of the product price) and Security Cam-
eras (40% of the product price), and the least for Smart
Watches (32% of the product price), ermostats (28%
of the product price) and Smart TVs (14% of the product
price).
Figure 1 shows the mean amount that participants
reported that they would be willing to pay to enjoy a (50%
or 90%) reduction in cybercrime risk for each type of
product as a percentage of the product price. is varies
by product, and prima facie it appears that participants
tended to be willing to pay more to enjoy a greater reduc-
tion in risk.
Prior to statistical analysis, we inspected the data and
found that it was right skewed and hence transformed
all values using a logarithmic transformation. We also
removed outliers (identified as extreme values from box-
plots1) from the dataset. A 2 (50% vs 90% reduction in
risk) × 5 (product type) analysis of variance (ANOVA) of
the log transformed data showed that there was a main
effect of product type (F(4,943) = 52.25 p < 0.001), and a
marginally non-significant main effect associated with
the level of reduction in anticipated risk (F(1,943) = 3.0,
p < 0.10). e interaction failed to reach statistical signifi-
cance (F(4,943) = 1.87, p > 0.10).
However, the above analysis ignores the order in which
participants completed the WTP and rating tasks. Fig-
ure2 takes account of this. A 2 (50% vs 90% reduction
in risk) × 5 (product type) × Order (WTP first vs WTP
second) ANOVA of the log transformed data showed
Table 1 Means (and standard deviations) ofWTP byproduct type andexposure tosecurity task inpounds sterling (£)
a Cost of device
Thermostat (£180)aWi-Fi router (£40)aSmart watch (£230)aSmart TV (£500)aSecurity camera (£160)a
Pre-security task 38.86 (49.44, N = 98) 22.69 (17.73, N = 111) 70.12 (81.61, N = 83) 69.01 (54.99, N = 96) 52.68 (64.69, N = 105)
Post security task 62.07 (81.24, N = 96) 27.98 (19.39, N = 100) 76.24 (91.22, N = 91) 68.37 (62.22, N = 91) 78.22 (74.17, N = 82)
Overall 50.29 (67.83, n = 194) 25.20 (18.68, n = 211) 73.03 (86.45, n = 174) 68.82 (54.99, n = 187) 63.86 (69.81, n = 187)
01020304050607
08
0
Thermostat (£180)
Security Camera (£160)
Wifi Router 40)
Smart Watch (£230)
Smart TV (£500)
Willingness to Pay (% of product price)
90% Reducon in risk 50% Reducon in risk
Fig. 1 Mean amount participants reported that they were willing to
pay for different types of products and different levels of reduction in
risk (cost of device shown in parentheses)
1 Eighteen participants provided WTP values of over £500 (£500–£100).
ese were extreme relative to the overall distribution of WTP values (being
over 10 times the interquartile range above the third quartile of the data) and
for the products for which they were provided. We suspect that these were
typing errors and so excluded them. However, while the inclusion of these
data affected the mean values for some products (Smart TVs and WiFi Rout-
ers) they did not affect the trends or (with the exception of one interaction)
the outcomes of the statistical analyses. Analyses that include the outliers are
reported in Appendix A.
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 6 of 9
Blytheetal. Crime Sci (2020) 9:1
that there were significant main effects of product type
(F(4,933) = 52.93, p < 0.001), the order in which partici-
pants completed the tasks (F(1,933) = 4.37, p < 0.05) and
a non-significant main effect associated with the level
of reduction in anticipated risk (F(1,933) = 2.42, p > 0.1).
Considering the interaction terms, all were non-signif-
icant (ps > 0.1) except for one case. e exception was
the interaction between product type and the order with
which participants completed the tasks (F(4,933) = 2.53,
p < 0.05). us, the amount participants’ reported being
willing to pay was largely influenced by the type of prod-
uct under consideration, the order in which they com-
pleted the WTP and rating tasks, and the interaction
between the two. Pair-wise follow-up tests of the esti-
mated marginal means revealed that the interaction was
largely due to the effect of order on participants’ WTP
for smart security cameras (F(1,933) = 7.85, p < 0.005). In
all other cases, the differences observed were non-signif-
icant (p > 0.1).
Discussion
In this paper we aimed to assess the extent to which
consumers are willing to pay for the security of differ-
ent Internet connected products, whether their WTP is
influenced by the percentage improvement in security
afforded and their exposure to security-related infor-
mation. e current data suggest that participants are
willing to pay more for a secure device but the relative
percentage in risk reduction offered did not significantly
impact on WTP. Furthermore, we found that the simple
presentation of security-related information (in this case
a security task) may act as a nudge to encourage consum-
ers to pay more for secure devices. In other words, the
presence of security information may prime consumers
and consequently influence their purchasing behaviour.
e current study thus supports existing research
that has found that consumers are willing to pay more
for secure services or products (Nguyen et al. 2017;
Rowe and Wood 2013), in this case, internet connected
devices. is suggests that there is an economic incentive
for manufacturers to take this issue more seriously and
to place greater priority on security during the product
development cycle. Furthermore, recent work has dem-
onstrated that the potential crime risks of the consumer
IoT are wide ranging and include crimes such as burgla-
ries, stalking and domestic violence (Blythe and Johnson
2019). us, whilst the current well-publicised security
risks associated with the IoT, such as DDoS attacks, may
represent an externality that does not affect consum-
ers directly, in the near future, crimes facilitated by the
IoT have the potential to do so. Reducing such risks rep-
resents an incentive for consumers to purchase secure
devices over insecure ones and hence for manufacturers
to ship products with better security by design. Moreo-
ver, although the WTP estimates presented in Table1
may not appear particularly large, when expressed rela-
tive to their current cost (Figs.1, 2), they are substantial.
is was particularly evident for WiFi routers for which
participants were prepared to pay an additional 63% for a
secure product. at participants reported that they were
willing to pay the most (in relative terms) for security for
a router is perhaps unsurprising given that routers are
the gateway to the home network and hence a first line of
defence against cyber-attacks. Apropos the other devices,
participants reported being willing to pay the least (in
percentage terms) for the Smart TV. is might be
explained by the fact that the other devices collect more
sensitive or personal data (e.g. the smart watch and secu-
rity camera) and control physical systems (the thermo-
stat) that would be perceived as important to consumers.
While our data do not allow us to test these hypotheses,
the findings demonstrate the importance of consider-
ing the type of product in empirical work and any policy
interventions.
To some extent, the effect of the security task is sup-
ported by existing work on nudging and cybersecurity
behaviour more generally (Acquisti etal. 2012; Parsons
02040608
01
00
Thermostat (£180)
Security Camera (£160)
Wifi Router (£40)
Smart Watch (£230)
Smart TV (£500)
WtP task completed first
90% Reducon in risk 50% Reducon in risk
02040608
01
00
Thermostat (£180)
Security Camera (£160)
Wifi Router (£40)
Smart Watch (£230)
Smart TV (£500)
WtP task completed second
90% Reducon in risk 50% Reducon in risk
Fig. 2 Mean (prior to log transformation) amount participants
reported that they were willing to pay for different types of products
and different levels of reduction in risk as a function of the order that
they completed tasks (cost of device shown in parentheses)
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 7 of 9
Blytheetal. Crime Sci (2020) 9:1
etal. 2015; Turland etal. 2015). is has shown that the
presentation of information (such as social proof, infor-
mation about consequences) reduces the likelihood a
user will follow the less protective choice, although none
of these have explored consumer purchasing behaviour.
Further research might explore the range of nudging
and behaviour change techniques that can be employed
(Dolan 2010; Michie etal. 2013) to influence consum-
ers IoT purchasing behaviour. As governments are cur-
rently setting their policy agendas around consumer IoT,
there have been a number of calls for a labelling scheme
to inform consumer choice by governments (DCMS
2018), industry (Jamieson 2016) and academics (Blythe
and Johnson 2018). ese echo calls that have previ-
ously been made for electronic goods more generally
from which lessons might be learned (see Armitage and
Pease 2008). e current study has implications for this
agenda as it suggests that priming individuals with secu-
rity information (e.g. using a label) may influence their
purchasing choices. Future research might look at this in
greater depth by priming individuals with different types
of labels or other forms of communication and assess-
ing their effectiveness in nudging consumer purchasing
behaviour.
e current study is, of course, not without its limita-
tions. First is the fact that we used a contingent valuation
approach to estimate WTP to explore consumers stated
preferences. e reason for this is that access to data
about actual purchasing behaviour (i.e. revealed prefer-
ences) are not available. ere are some limitations asso-
ciated with this approach. Research has suggested that
consumers sometimes overestimate their WTP on con-
tingent valuation questions (Loomis et al. 2011) which
may mean that their WTP for security is slightly over-
estimated. Despite this, the current study is the first to
explore WTP for the security of consumer IoT devices.
Future research would benefit from using other methods
to elicit WTP, such as discrete choice experiments, which
allow a more nuanced understanding of how consumers
make trade-offs in their decisions around the attributes
of different products or services that are important to
them (Tinelli 2016).
Studies might also look at consumers’ revealed pref-
erences by assessing the extent to which they actually
purchase more secure devices over less secure ones. At
present, such a study would be difficult since it is hard
to systematically assess device security (see Blythe etal.
2019), and market data are hard to acquire. e former
challenge, however, would be easier to address if devices
were to feature a label that indicated if they were secure
by design (or not).
Additionally, studies might consider what citizens are
willing to pay to reduce the risk of IoT-based crime for
wider society as well as themselves. Cohen etal. (2004)
examined such a question in relation to urban crime
by asking what participants would be willing to pay to
reduce crime by ten percent in their community. Taking a
similar approach in the context of the IoT may provide a
more complete picture of the extent to which customers
would be willing to pay to secure the consumer IoT.
A second limitation concerns our examination of the
effect of different levels of risk reduction on willingness
to pay. We asked participants to say what they would be
willing to pay to enjoy a 50% or 90% reduction in risk,
with the effect of this manipulation being tested using a
between-subjects design. We find a trend whereby par-
ticipants reported that they would be willing to pay more
for greater reductions in risk, but this was not statisti-
cally significant. ere are at least two explanations for
this. First, our study may have been underpowered in
statistical terms, meaning that we were unable to detect
an effect reliably even though one existed. at there
was a clear trend in the data speaks to the plausibility of
this possibility.2 Second, it may be the case that partici-
pants found it difficult to understand what a 50% (or 90%)
increase in security meant as we did not provide details
of the baseline level of risk (as this is unknown). If they
perceived the risk to already be low, then they may be
willing to pay to meaningfully reduce this further (e.g. by
50%), but less inclined to pay still more for further reduc-
tions. Future research might explore this in more detail
using larger samples, using a within-subjects design
(which would increase statistical power), looking at dif-
ferent levels of risk reduction (e.g. 10% versus 90%), or by
providing participants with the baseline level of risk and
examining the effect of varying this on their WTP.
In conclusion, the results of our study suggest that con-
sumers are willing to pay more for secure IoT devices,
but that this is not dependent on the level of risk reduc-
tion offered. Moreover, priming individuals with a secu-
rity task appears to influence their WTP, and represents
a promising approach to affect behaviour change in
consumers. e findings thus have implications for the
Secure by Design agenda for consumer IoT devices and
suggest that manufacturers should take this issue more
seriously.
Authors’ contributions
JB and SDJ designed the study, collected and analysed the data and authored
the article. MM advised on the study design and co-authored the paper. All
authors read and approved the final manuscript.
2 We avoid computing a post hoc power analysis here and note that it would
have been difficult to conduct a power analysis ex ante, as doing so requires
estimates of effect size and standard errors from previous studies, which sim-
ply do not exist.
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 8 of 9
Blytheetal. Crime Sci (2020) 9:1
Funding
This research was supported with funding from the Engineering and Physical
Sciences Research Council (Award EP/N02334X/1) and the Dawes Centre for
Future Crime at UCL.
Availability of data and materials
The data reported in the paper will be made available if the article is
published.
Competing interests
The authors declare that they have no competing interests.
Author details
1 Dawes Centre for Future Crime at UCL, University College London, London,
UK. 2 ANU Centre for Social Research and Methods, The Australian National
University, Canberra, Australia.
Appendix A
ANOVA results withoutliers included
As noted in the main body of the text, we removed 18
data points from the analysis as they were clearly out-
liers. For transparency, Fig. 3 shows the same plot as
Fig.1 but for the data including the outliers. As would be
expected—given the presence of outliers—the mean val-
ues and standard errors increased for some of the devices
(Smart TV and WiFi Router). Below, we also report the
ANOVA results with and without the outliers. As dis-
cussed in the main body of the text, aside from one inter-
action (which was of only minor interest), all trends were
identical to those reported in the main text.
A 2 (50% vs 90% reduction in risk) × 5 (product type)
analysis of variance (ANOVA) of the log transformed
data showed that there was a main effect of product type
(FULL DATA SET: F(4,961) = 42.68, p < 0.001; SUBSET
WITHOUT OUTLIERS: F(4,943) = 52.25 p < 0.001), and
a marginally non-significant main effect associated with
the level of reduction in anticipated risk (FULL DATA
SET: F(1,963) = 3.10, p < 0.10; SUBSET WITHOUT
OUTLIERS: F(1, 943) = 3.0, p < 0.10). e interaction
failed to reach statistical significance (FULL DATA SET:
F(4,963) = 1.73, p > 0.10; SUBSET WITHOUT OUTLI-
ERS: F(4,943) = 1.87, p > 0.10).
However, the above analysis ignores the order in
which participants completed the WTP and rating
tasks. A 2 (50% vs 90% reduction in risk) × 5 (product
type) × Order (WTP first vs WTP second) ANOVA of
the log transformed data showed that there were sig-
nificant main effects of product type (FULL DATA SET:
F(4,951) = 42.94, p < 0.001; SUBSET WITHOUT OUT-
LIERS: F(4,933) = 52.93, p < 0.001), the order in which
participants completed the tasks (FULL DATA SET:
F(1,951) = 7.38, p < 0.01; SUBSET WITHOUT OUTLI-
ERS: F(1,933) = 4.37, p < 0.05) and a non-significant main
effect associated with the level of reduction in anticipated
risk (FULL DATA SET: F(1,951) = 2.39, p > 0.1; SUBSET
WITHOUT OUTLIERS: F(1,933) = 2.42, p > 0.1). Con-
sidering the interaction terms, all were non-significant
(ps > 0.1) except for one case for the subset of data that
excluded the outliers. e exception was the interac-
tion between product type and the order with which
participants completed the tasks (FULL DATA SET:
F(4,951) = 1.6, p > 0.1; SUBSET WITHOUT OUTLIERS:
F(4, 933) = 2.53, p < 0.05). us, the amount participants’
reported being willing to pay was largely influenced by
the type of product under consideration, the order in
which they completed the WTP and rating tasks, and
(for the subset of data excluding outliers) the interac-
tion between the two. Pair-wise follow-up tests of the
estimated marginal means revealed that the interaction
was largely due to the effect of order on participants’
WTP for smart security cameras (FULL DATA SET:
F(1,951) = 9.73, p < 0.005; SUBSET WITHOUT OUTLI-
ERS: F(1,933) = 7.85, p < 0.005). As can be seen, despite
the interaction term failing to reach statistical signifi-
cance for the full set of data, the results of the follow-up
tests were identical. In all other cases, the differences
observed were non-significant for both the full set of data
and that which excluded the outliers (p > 0.1).
Received: 22 December 2018 Accepted: 19 December 2019
References
Accenture. (2016). Igniting growth in consumer technology (pp. 1–15).
Acquisti, A., Brandimarte, L., & Loewenstein, G. (2015). Privacy and human
behavior in the age of information. Science, 347(6221), 509–515. https ://
doi.org/10.2139/ssrn.25804 11.
Acquisti, A., John, L. K., & Loewenstein, G. (2012). The impact of relative stand-
ards on the propensity to disclose. Journal of Marketing Research, 49(2),
160–174. https ://doi.org/10.1509/jmr.09.0215.
Armitage, R., & Pease, K. (2008). Predicting and preventing the theft of elec-
tronic products. European Journal on Criminal Policy and Research, 14(1),
11–37.
Bachy, Y., Basse, F., Nicomette, V., Alata, E., Kaaniche, M., Courrege, J. C., &
Lukjanenko, P. (2015). Smart-TV security analysis: practical experiments.
In Proceedings of the 45th annual IEEE/IFIP international conference on
dependable systems and networks smart-TV (pp. 497–504). https ://doi.
org/10.1109/DSN.2015.41.
020406080100 12
01
40
Thermostat (£180)
Security Camera (£160)
Wifi Router 40)
Smart Watch (£230)
Smart TV (£500)
Willingness to Pay (% of product price)
90% Reducon in risk 50% Reducon in risk
Fig. 3 Mean amount participants reported that they were willing to
pay for different types of products and different levels of reduction in
risk (cost of device shown in parentheses)
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
Page 9 of 9
Blytheetal. Crime Sci (2020) 9:1
BBC News. (2017). Mirai botnet: Three admit creating and running attack tool.
Retrieved from http://www.bbc.co.uk/news/techn ology -42342 221.
Bettman, J. R., Luce, M. F., & Payne, J. W. (1988). Constructive consumer choice
processes. Journal of Consumer Research, 25(3), 187–217.
Blythe, J. M., & Johnson, S. D. (2018). The Consumer Security Index for IoT: A
protocol for developing an index to improve consumer decision making
and to incentivize greater security provision in IoT devices. In Proceedings
of the living in the internet of things: Cybersecurity of the IoT conference.
Blythe, J. M., & Johnson, S. D. (2019). A systematic review of crime facilitated
through consumer IoT devices. Journal of Experimental Criminology, 15,
1–29.
Blythe, J. M., Michie, S., Watson, J., & Lefevre, C. E. (2017). Internet of Things in
Healthcare: Identifying key malicious threats, end-user protective and
problematic behaviours. Frontiers in Public Health. https ://doi.org/10.3389/
conf.FPUBH .2017.03.00021 .
Blythe, J. M., Sombatruang, N., & Johnson, S. D. (2019). What security features
and crime prevention advice is communicated in consumer IoT device
manuals and support pages? Journal of Cybersecurity, 5(1), tyz005.
Bullguard. (2016). Despite fast adoption of Internet of Things, a shocking
72 per cent of consumers don’t know how to secure their connected
devices. Retrieved from http://www.bullg uard.com/press /lates t-press
-relea ses/2016/03-17.aspx.
Cisco. (2017). The IoT Value/Trust Paradox.
Cohen, M. A., Rust, R. T., Steen, S., & Tidd, S. T. (2004). Willingness-to-pay for
crime control programs. Criminology, 42(1), 89–110.
DCMS. (2018). Secure by design: Improving the cyber security of consumer Internet
of Things report. Retrieved from https ://asset s.publi shing .servi ce.gov.uk/
gover nment /uploa ds/syste m/uploa ds/attac hment _data/file/68608 9/
Secur e_by_Desig n_Repor t_.pdf.
Dolan, P. (2010). Influencing the financial behaviour of individuals: The
mindspace way. In A. Oliver (Ed.), Behavioural Public Policy (pp. 191–215).
Cambridge: Cambridge University Press. https ://doi.org/10.1017/CBO97
81107 33719 0.009.
Ekblom, P. (1997). Gearing up against crime: A dynamic framework to help
designers keep up with the adaptive criminal in a changing world. Inter-
national Journal of Risk, Security and Crime Prevention., 2(4), 249–265.
Grazioli, S. (2004). Where did they go wrong? An analysis of the failure of
knowledgeable Internet consumers to detect deception over the
internet. Group Decision and Negotiation, 13(2), 149–172. https ://doi.
org/10.1023/B:GRUP.00000 21839 .04093 .5d.
Hewlett Packard Enterprise. (2015). Internet of Things Research Study 2015
Report. Retrieved from http://forti fypro tect.com/HP_IoT_Resea rch_Study
.pdf.
Ho, G., Leung, D., Mishra, P., Hosseini, A., Song, D., & Wagner, D. (2016). Smart
locks: Lessons for securing commodity internet of things devices. In Pro-
ceedings of the 11th ACM on Asia conference on computer and communica-
tions security (pp. 461–472). https ://doi.org/10.1145/28978 45.28978 86.
Jamieson, A. (2016). IoT Security—It’s in the Stars! Retrieved from https ://www.
slide share .net/Andre wRJam ieson /iot-secur ity-its-in-the-stars -169-v2016
05241 355.
Junger, M., Montoya, L., & Overink, F. J. (2017). Priming and warnings are not
effective to prevent social engineering attacks. Computers in Human
Behavior, 66, 75–87. https ://doi.org/10.1016/j.chb.2016.09.012.
Kalish, S., & Nelson, P. (1991). A comparison of ranking, rating and reservation
price measurement in conjoint analysis. Marketing Letters, 2(4), 327–335.
Karmen, A. A. (1981). Auto Theft and Corporate Responsibility. Comtemporary
Crises, 5, 63–81.
Kling, C. L., Phaneuf, D. J., & Zhao, J. (2012). From Exxon to BP: Has some num-
ber become better than no number? Journal of Economic Perspectives, 26,
3–26.
Laycock, G. (2004). The UK car theft index: An example of government lever-
age. In Crime Prevention Studies 17 (pp. 25–44). Cullomptun, Devon: Willan.
Loomis, J. B., González-Cabán, A., & Chami, J. (2011). Testing the roubstness of
contingent valuation estimates of WTP to survey mode and treatment
of protest responses. In The international handook on non-market environ-
mental evaluation (pp. 102–121).
Michie, S., Richardson, M., Johnston, M., Abraham, C., Francis, J., Hardeman, W.,
et al. (2013). The behavior change technique taxonomy (v1) of 93 hierar-
chically clustered techniques: Building an international consensus for the
reporting of behavior change interventions. Annals of Behavioral Medicine,
46(1), 81–95. https ://doi.org/10.1007/s1216 0-013-9486-6.
Nguyen, K. D., Rosoff, H., & John, R. S. (2017). Valuing information security from
a phishing attack. Journal of Cybersecurity, 3(3), 159–171. https ://doi.
org/10.1093/cybse c/tyx00 6.
Office for National Statistics. (2017). Crime survey for England and Wales. Lon-
don: Office for National Statistics.
Parsons, K., McCormac, A., Pattinson, M., Butavicius, M., & Jerram, C. (2015).
The design of phishing studies: Challenges for researchers. Computers &
Security. https ://doi.org/10.1016/j.cose.2015.02.008.
Pease, K. (1997). Crime reduction. In M. Maguire, et al. (Eds.), The oxford hand-
book of criminology (2nd ed.). Oxford: Clarendon Press.
Rowe, B., Pokryshevskiy, I. D., Link, A. N., & Reeves, D. S. (2013). Economic analy-
sis of an inadequate cyber security technical infrastructure. Gaithersburg:
National Institute of Standards and Technology.
Rowe, B., & Wood, D. (2013). Are home internet users willing to pay ISPs for
improvements in cyber security? In B. Rowe (Ed.), Economics of informa-
tion security and privacy III (pp. 193–212). New York, NY: Springer.
Sadler, M. (2017). Securing our connected world. Retrieved from https ://dcmsb
log.uk/2017/10/secur ing-conne cted-world /.
Schneier, B. (2017). Click here to kill everyone. Retrieved from http://nymag
.com/selec tall/2017/01/the-inter net-of-thing s-dange rous-futur e-bruce
-schne ier.html.
The Economist Intelligence Unit. (2018). What the Internet of Things means for
consumer privacy.
Tinelli, M. (2016). Applying discrete choice experiments in social care research.
Methods Review, 16, 12.
TrendMicro. (2018). New rapidly-growing IoT Botnet—REAPER.
Turland, J., Coventry, L., Jeske, D., Briggs, P., & van Moorsel, A. (2015). Nudging
towards security: Developing an application for wireless network selec-
tion for android phones. In Proceedings of the 2015 British HCI conference
onBritish HCI’15 (pp. 193–201). New York, New York, USA: ACM Press.
https ://doi.org/10.1145/27834 46.27835 88.
Tzezana, R. (2016). Scenarios for crime and terrorist attacks using the internet
of things. European Journal of Futures Research, 4(1), 18. https ://doi.
org/10.1007/s4030 9-016-0107-z.
Which? (2017). Safety alert: see how easy it is for almost anyone to hack
your child’s connected toys. Retrieved from https ://www.which .co.uk/
news/2017/11/safet y-alert -see-how-easy-it-is-for-almos t-anyon e-to-
hack-your-child s-conne cted-toys/.
Whitehead, S., & Farrell, G. (2008). Anticipating Mobile Phone ‘Smart
Wallet’Crime: Policing and Corporate Social Responsibility. Policing: A
Journal of Policy and Practice, 2(2), 210–217.
Wrap (2016). Smart Devices and Secure Data Eradication. Last accessed Nov
2019. http://www.wrap.org.uk/sites /files /wrap/Data%20Era dicat ion%20
rep ort%20Def ra.pdf.
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in pub-
lished maps and institutional affiliations.
Content courtesy of Springer Nature, terms of use apply. Rights reserved.
1.
2.
3.
4.
5.
6.
Terms and Conditions
Springer Nature journal content, brought to you courtesy of Springer Nature Customer Service Center GmbH (“Springer Nature”).
Springer Nature supports a reasonable amount of sharing of research papers by authors, subscribers and authorised users (“Users”), for small-
scale personal, non-commercial use provided that all copyright, trade and service marks and other proprietary notices are maintained. By
accessing, sharing, receiving or otherwise using the Springer Nature journal content you agree to these terms of use (“Terms”). For these
purposes, Springer Nature considers academic use (by researchers and students) to be non-commercial.
These Terms are supplementary and will apply in addition to any applicable website terms and conditions, a relevant site licence or a personal
subscription. These Terms will prevail over any conflict or ambiguity with regards to the relevant terms, a site licence or a personal subscription
(to the extent of the conflict or ambiguity only). For Creative Commons-licensed articles, the terms of the Creative Commons license used will
apply.
We collect and use personal data to provide access to the Springer Nature journal content. We may also use these personal data internally within
ResearchGate and Springer Nature and as agreed share it, in an anonymised way, for purposes of tracking, analysis and reporting. We will not
otherwise disclose your personal data outside the ResearchGate or the Springer Nature group of companies unless we have your permission as
detailed in the Privacy Policy.
While Users may use the Springer Nature journal content for small scale, personal non-commercial use, it is important to note that Users may
not:
use such content for the purpose of providing other users with access on a regular or large scale basis or as a means to circumvent access
control;
use such content where to do so would be considered a criminal or statutory offence in any jurisdiction, or gives rise to civil liability, or is
otherwise unlawful;
falsely or misleadingly imply or suggest endorsement, approval , sponsorship, or association unless explicitly agreed to by Springer Nature in
writing;
use bots or other automated methods to access the content or redirect messages
override any security feature or exclusionary protocol; or
share the content in order to create substitute for Springer Nature products or services or a systematic database of Springer Nature journal
content.
In line with the restriction against commercial use, Springer Nature does not permit the creation of a product or service that creates revenue,
royalties, rent or income from our content or its inclusion as part of a paid for service or for other commercial gain. Springer Nature journal
content cannot be used for inter-library loans and librarians may not upload Springer Nature journal content on a large scale into their, or any
other, institutional repository.
These terms of use are reviewed regularly and may be amended at any time. Springer Nature is not obligated to publish any information or
content on this website and may remove it or features or functionality at our sole discretion, at any time with or without notice. Springer Nature
may revoke this licence to you at any time and remove access to any copies of the Springer Nature journal content which have been saved.
To the fullest extent permitted by law, Springer Nature makes no warranties, representations or guarantees to Users, either express or implied
with respect to the Springer nature journal content and all parties disclaim and waive any implied warranties or warranties imposed by law,
including merchantability or fitness for any particular purpose.
Please note that these rights do not automatically extend to content, data or other material published by Springer Nature that may be licensed
from third parties.
If you would like to use or distribute our Springer Nature journal content to a wider audience or on a regular basis or in any other manner not
expressly permitted by these Terms, please contact Springer Nature at
onlineservice@springernature.com
... In are therefore also willing to pay more to obtain it. This finding is line with previous literature demonstrating an increased willingness to pay for a higher provided security in technologies (Tsai et al., 2011;Blythe et al., 2020;Johnson et al., 2020). ...
... Besides, Blythe et al. (2020) argued that the provision of security information primes consumers and nudges them to pay additionally, thereby influencing their purchasing behaviour. ...
Thesis
Full-text available
Emerging AI technologies are leading to major security and privacy concerns among consumers which often decrease trust in and increase anxiety of AI products. Since trust and anxiety influence technology acceptance, security concerns that are associated with low trust and high anxiety of AI can inhibit extensive AI adoption. To ascertain whether those concerns can be reduced by conveying security, this study investigates how two differently designed AI security labels impact consumers’ trust, anxiety, and attributed value in relation to the corresponding AI products. A graphical (traffic light like) and a text-based (ticked boxes) AI security label with three varying security levels (low, intermediate, high) were manipulated in different phases to measure trust, anxiety, and attributed value for two commonly used AI products. A high security label led to significantly higher trust and lower anxiety whereas a low security label led to significantly lower trust and higher anxiety in participants compared to when no label was applied on the AI product. As expected, trust significantly increased and anxiety significantly decreased with rising security levels (from low to intermediate and from intermediate to high) of the label, while attributed value also significantly increased with higher security. AI security labels therefore effectively communicate the level of security to consumers, supporting them to distinguish secure products from those who are less or not secure. Widespread application of such labels could potentially stimulate higher security practices that increase trust in AI and encourage adoption thereof. Keywords: AI security labels, AI anxiety, trust, data privacy, technology acceptance
... The most explored relationships within the IoT are between privacy concerns, perceived IoT benefits, and the intention to use IoT, as evidenced by multiple studies (e.g., Attié and Meyer-Waarden, 2022;Belanger et al., 2021;Ha et al., 2021;Harkin et al., 2022;Kim et al., 2022;Mani and Chouk, 2019;Marakhimov and Joo, 2017;Menard and Bott, 2020;Philip et al., 2023;Roe et al., 2022;Winter, 2014;Zhu et al., 2023). Fewer studies investigated consumer actual purchase behavior and use (Attié and Meyer-Waarden, 2022), willingness to pay for secure IoT (Blythe et al., 2020), or habit formation in IoT use (Wagner et al., 2020). ...
Article
Full-text available
Purpose This study aims to analyze and synthesize literature on consumer privacy-related behavior and intelligent device-to-device interactions within the Internet of Things (IoT). Design/methodology/approach We conducted a systematic review using Elsevier’s Scopus database, focusing on studies published in English from 2000 to 2023. The review targeted articles within selected social sciences and business disciplines, specifically concerning consumer behavior in IoT contexts. Findings We categorized the privacy literature into three thematic clusters: legislation and policy, business implications and consumer behavior. Within the consumer behavior cluster, our analysis indicates a shift from general Internet and e-commerce privacy concerns prior to 2016, toward issues related to advertising and policy between 2017 and 2018, and increasingly toward pronounced concerns in technological systems, particularly IoT, from 2019 onwards. We identify eight distinct areas of privacy concern within IoT and propose a framework that links antecedents and privacy concerns to subsequent attitudes and behaviors. This framework highlights varying patterns of information disclosure and bridges theoretical constructs with empirical research in IoT privacy. Originality/value Originality lies in enhancing the Antecedents-Privacy Concerns-Outcomes (APCO) macro-model by integrating diverse theoretical perspectives on technological and individual-specific antecedents, alongside privacy concerns and beliefs. This comprehensive integration enriches the framework, enabling it to predict and categorize consumer behavior in IoT environments more effectively. The revised model provides a robust tool for understanding privacy-related behavior within the IoT, significantly enriching its theoretical relevance and practical applicability.
... To gain entrance into the victim's home, a burglar may choose to use sophisticated technology rather than a crude tool such as a crowbar, depending on the level of protection that is there. As sensors collect and transmit data from every location where humans can be found, the need for privacy becomes increasingly apparent [9]. Customer perceptions of security vulnerabilities are not only real; they are also present in many of today's smart gadgets [10]. ...
Article
Full-text available
A network of connected things that can communicate and exchange data is known as the Internet of Things, or IoT. The number of these connected devices will be 38.6 billion in 2025 and devices are collecting data continuously from your location, contacts, calendar events, smart homes, health devices, etc. Several security and privacy challenges arise due to its heterogeneity and use. The identification of the challenges and issues is important for better security and privacy. The research will focus on the current issues and challenges with an available solution for a smart home context. An IoT Smart Gateway concept has been introduced for dealing with the most common issues and challenges by using a pre-train machine learning model at the smart gateway, which deals with consumers and resource policies separately.
... Research show that many consumers seek out products and services that endorses one's safety, confidence, wellbeing and security (Solomon, 2019). Research show that security is significant to predict people's choice in consumption (Blythe et al., 2020). According to Flavian et al. (2009), the perception of security leads to purchase intention as consumers view this value as guaranteeing integrity, authentication, and respectable transactions. ...
Article
Full-text available
Consumer purchase intention towards luxury brands is influenced by various factors, both internal and external. The purpose of this study is to examine the values that drive consumers to purchase luxury brands during COVID-19. The study seeks to achieve four main objectives by examining four universal values, namely openness to change, conservation, self-enhancement, and self-transcendence, and their impact on purchase intention. We collected primary data from upper-middle-class youth and young adults through a questionnaire. Previous research shows that aspirational youth, including GenZ and millennials, are the primary consumers of luxury brands today. To analyze the data, we used Statistical Package for Social Sciences (SPSS) – version 25 and Analysis of Moment Structure (AMOS) – version 23. The results demonstrate that self-direction, stimulation, hedonism, achievement, conformity restraint, universalism, benevolence, and preservation have significant relationships with purchase intention. However, no significant relationship was observed between power attainment, security, and purchase intention.
... To gain entrance into the victim's home, a burglar may choose to use sophisticated technology rather than a crude tool such as a crowbar, depending on the level of protection that is there. As sensors collect and transmit data from every location where humans can be found, the need for privacy becomes increasingly apparent [9]. Customer perceptions of security vulnerabilities are not only real; they are also present in many of today's smart gadgets [10]. ...
Article
Full-text available
A network of connected things that can communicate and exchange data is known as the Internet of Things, or IoT. The number of these connected devices will be 38.6 billion in 2025 and devices are collecting data continuously from your location, contacts, calendar events, smart homes, health devices, etc. Several security and privacy challenges arise due to its heterogeneity and use. The identification of the challenges and issues is important for better security and privacy. The research will focus on the current issues and challenges with an available solution for a smart home context. An IoT Smart Gateway concept has been introduced for dealing with the most common issues and challenges by using a pre-train machine learning model at the smart gateway, which deals with consumers and resource policies separately.
... They used a contingent valuation open question to estimate the New Yorkers willingness to support investments in making subway infrastructure more resilient and Discrete Choice Experiments (DCE) with scenarios described in terms of the percentage of their transportation system being operative several days/weeks after a highly disruptive extreme weather event. Based on a contingent valuation survey, Blythe et al. [14] have estimated the WTP of UK consumers for the security of different Internet connected products and tested the influence of the percentage improvement in security proposed. Finally, Brozović et al. [5] and Price et al. [15] worked on the resilience of the water distribution network. ...
... Kelly (2011) finds support for the existence of compensating wage differentials based on empirical tests for a relationship between wages and high crime-risk jobs in Miami from 1979 to 1980 in comparison to lower crime-risk cities. Notably, this study did not investigate citizens' willingness to pay for lower crime rates. Recently, Blythe et al. (2020) finds, using an experimental design and a contingent valuation method, that people are willing to pay for improved security systems and lower crime. There are inadequate studies that quantify how much households are affected by crime rates in cities in terms of monetary values: i.e., how much individuals are willing to pay for a unit reduction in crime rates, or how much individuals are willing to accept for a unit increase in crime rates. ...
Article
Full-text available
This study investigates the impact of urban crime rates—property and violent—on wages and rents and estimates the net implicit monetary value of crime rates for living in metropolitan areas, using the American Community Survey 2019 data for cities in North Carolina. A seemingly unrelated regression estimation finds that the crime rates are capitalized into both wages and rents, and suggests crime rates affect wages positively and rents negatively. This investigation estimates a negative value of $51.80 per month—the average net marginal implicit price—for living in cities with high city crime rates. This negative value suggests that households are being compensated for living in cities with high crime rates.
Chapter
Cyber security developers and threat-attackers have always had a reactive relationship. Developers spend time building secure defences only for attackers to exploit new vulnerabilities. Academic and practice literature revealed that human error and motivation plays a major role in the success of a cyber defence strategy and whilst technology and process have their place, implementation and management can significantly affect results. Organisations learn from experience protecting against human error with process and shadow IT with policy. Threat-actors also learn; sharing vulnerability information with others and developing new attack methods with their peers. COVID-19s’ isolation countermeasures may have shifted the balance of power towards the attackers. As cyberattack disruption moves from virtual to the physical world, countries must consider and weigh the benefits of international collaboration against potential exploitation by a more advanced collaborative partner. To address identified gaps, website analysis and in-depth interviews were conducted. I interviewed thirty staff in small and medium-sized Australian organisations to gain an understanding of their perspectives on cyber security and several of the findings may be relevant to future ways of working. No standards exist for cyber security products and configuration by unskilled consumers could increase the quantity of insecure devices available for threat actors to use for disruption and control. As COVID-19 created an environment where rapid innovation became a necessity, the ability to absorb intelligence and adopt more diversity in design and implementation becomes a necessary consideration for those who want to succeed. Creating pathways for cultures, genders and ages to collaborate, could help improve cyber defences for all.
Article
Full-text available
Článek se věnuje legislativnímu návrhu Evropské Komise na horizontální právní regulaci požadavků na kybernetickou bezpečnost produktů s digitálními prvky, označovanému jako „akt o kybernetické odolnosti“. Po nastínění hlavních principů navrhované regulace a jejích důvodů a cílů je pozornost věnována vztahu k existující unijní legislativě a oblasti působnosti. V další části je pak představeno věcné jádro návrhu, konkrétně vymezení základních pojmů a předmětu právní úpravy, dále požadavky stanovené pro uvádění a dodávání produktů s digitálními prvky na trh a představení principů posuzování shody. Další část je věnována představení hlavních povinností výrobců a ostatních hospodářských subjektů a základním pravidlům dozoru nad trhem a vymáhání. Poslední část se věnuje nastínění některých potenciálně problematických dopadů návrhu nové regulace jako podnětu k diskuzi.
Article
Full-text available
Through the enhanced connectivity of physical devices, the Internet of Things (IoT) brings improved efficiency to the lives of consumers when on-the-go and in the home. However, it also introduces new potential security threats and risks. These include threats that range from the direct hacking of devices that could undermine the security, privacy and safety of its users, to the enslaving of IoT devices to commit cybercrime at scale, such as Denial of Service attacks. The IoT is recognized as being widely insecure, in large part, due to the lack of security features built into devices. Additionally, consumers do not always actively use security features when available. More disconcerting is that we lack market surveillance on whether manufacturers ship products with good security features or how the importance of user-controlled security features is explained to IoT users. Our study seeks to address this gap. To do this, we compiled a database of 270 consumer IoT devices produced by 220 different manufacturers on sale at the time of the study. The user manuals and associated support pages for these devices were then analysed to provide a ‘consumer eye’ view of the security features they provide and the cyber hygiene advice that is communicated to users. The security features identified were then mapped to the UK Government’s Secure by Design Code of Practice for IoT devices to examine the extent to which devices currently on the market appear to conform to it. Our findings suggest that manufacturers provide too little publicly available information about the security features of their devices, which makes market surveillance challenging and provides consumers with little information about the security of devices prior to their purchase. On average, there was discussion of around four security features, with account management and software updates being the most frequently mentioned. Advice to consumers on cyber hygiene was rarely provided. Finally, we found a lack of standardization in the communication of security-related information for IoT devices among our sample. We argue for government intervention in this space to provide assurances around device security, whether this is provided in a centralized or decentralized manner.
Conference Paper
Full-text available
Consumer IoT devices often lack adequate in-built security, giving rise to newer forms of threats and crime risks. Security should be designed into devices but at present there is little incentive for manufacturers to do so consistently. Additionally, consumers are not given simple information at the point of purchase, in user manuals or other materials to help them assess the security of devices. Consumers are therefore not afforded the opportunity to understand the level of security devices offer. Consumer rating indices (e.g. food traffic light labels) can provide this opportunity to aid consumer choice. This research aims to co-develop a consumer security index (CSI), with consumers and security experts, to aid consumer decision making and incentivise greater security provision in the manufacture of IoT devices. In this paper, we focus on the methodology for the development of the index. Through a focus group with IoT security experts, Study 1 will identify security features that consumer IoT devices should provide. Study 2 will employ an online survey to identify consumer preferences concerning the disclosure of security and privacy features that devices provide, and focus groups will help to co-design the CSI by discussing the information value, appeal and likely engagement of a security index label. To better understand the current situation, Study 3 will develop a matrix of different classes of IoT devices manually coded according to the CSI for a sample of devices. Study 4 will explore the use of natural language processing to extract data from device user manuals to identify what information is communicated about the security features, as well as, what crime prevention messaging is provided by manufacturers. The project will use a formal methodology to develop a CSI that is co-designed with experts and consumers. The ultimate aims are to encourage the use of the index to help inform consumer choice, and to lever market action so that IoT devices are shipped with security features in-built.
Article
Full-text available
The extent to which users take precautionary actions against cyber risks is conditional upon how they perceive the value of information security relative to other important personal goals. In most cyber security contexts, users are faced with trade-offs between information security and other important attributes that they desire to maximize. We examined this issue by eliciting the “security premiums” that users were willing to sacrifice to protect their information security in a phishing context. We also examined the effect of usage contexts on value of information security using an experimental design. Respondents from Amazon Mechanical Turk were randomized into one of three conditions in which the context of a phishing attack was varied. Respondents were asked to make trade-offs between pairs of attributes including security, cost, latency, and productivity, from which we could quantify security premiums. Results indicated that half of the respondents were willing to pay a premium between 9and9 and 11 per month, willing to wait between 8 and 9 additional minutes, and willing to forgo their access to 21–29 valid pieces of information, to obtain a more effective phishing filter that reduces the number of false negatives from 24 to 6 per month. Interestingly, the value of information security was sensitive to the usage context, such that social media invoked greater security premiums in terms of productivity than email and web surfing. We also found that vulnerability and perceived net benefit significantly correlated with security premiums in terms of monthly cost. These results offer valuable insights for the design of more usable information security systems.
Article
Full-text available
The Internet of Things is a paradigm in which everyday items are connected to the internet and share information with other devices. This new paradigm is rapidly becoming a reality in the developed world, and while it holds an immensely positive potential, it also means that criminals and terrorists would be able to influence the physical world from the comfort of their homes. We can expect that hackers, ransomwares, viruses, spywares and many of the other woes of the internet today will migrate to the internet of things as well. In this research we used General Morphological Analysis and brought together fifty experts on an online platform to develop novel scenarios about the crimes and terrorist acts of the future. The experts developed 21 scenarios, which were then ranked according to their plausibility. We provide a brief description of every scenario, and focus particularly on the four most plausible ones: blackmailing by connecting to smart homes, gaining insider information from wearable devices and using it for financial gains, assaulting a smart city through the internet, and performing sex crimes via connected items in the smart home.
Article
Full-text available
This paper is a first, exploratory, attempt at providing some background, and a framework, to help designers more systematically incorporate crime prevention in their remit. The scope includes design of technological items, environments, systems and services. With all these products this is design against misappropriation, damage and misuse in the furtherance of crime; and design of products explicitly intended for the urtherance of prevention. The intention is to stimulate designers, commissioners of design and those like criminologists who conduct research that informs design in two ways: 1) shifting perspective from user to misuser to aid the day-to-day process of incorporating the preventive function in specific design tasks; and 2) in the more strategic process of helping crime prevention evolve as fast as crime in a world of adaptable criminals and changing opportunities, many of which stem from the permeation of society by IT. This involves setting up the infrastructure to speed up the feeding of information on crime and prevention to designers, and to promote the durability of preventive techniques. For the one certain thing in prevention is the obsolescence, sooner or later, of any individual measure.
Conference Paper
We examine the security of home smart locks: cyber-physical devices that replace traditional door locks with deadbolts that can be electronically controlled by mobile devices or the lock manufacturer's remote servers. We present two categories of attacks against smart locks and analyze the security of five commercially-available locks with respect to these attacks. Our security analysis reveals that flaws in the design, implementation, and interaction models of existing locks can be exploited by several classes of adversaries, allowing them to learn private information about users and gain unauthorized home access. To guide future development of smart locks and similar Internet of Things devices, we propose several defenses that mitigate the attacks we present. One of these defenses is a novel approach to securely and usably communicate a user's intended actions to smart locks, which we prototype and evaluate. Ultimately, our work takes a first step towards illuminating security challenges in the system design and novel functionality introduced by emerging IoT systems.
Article
How can individuals best be encouraged to take more responsibility for their well-being and their environment or to behave more ethically in their business transactions? Across the world, governments are showing a growing interest in using behavioural economic research to inform the design of nudges which, some suggest, might encourage citizens to adopt beneficial patterns of behaviour. In this fascinating collection, leading academic economists, psychologists and philosophers reflect on how behavioural economic findings can be used to help inform the design of policy initiatives in the areas of health, education, the environment, personal finances and worker remuneration. Each chapter is accompanied by a shorter 'response' that provides critical commentary and an alternative perspective. This accessible book will interest academic researchers, graduate students and policy-makers across a range of disciplinary perspectives.
Article
Consumer choices concerning the selection, consumption, and disposal of products and services can often be difficult and are important to the consumer, to marketers, and to policy makers. As a result, the study of consumer decision processes has been a focal interest in consumer behavior for over 30 years (e.g., Bettman, 1979; Hansen, 1972; Howard & Sheth, 1969; Nicosia, 1966). One can infer from recent trends in the nature and structure of the marketplace that the importance of understanding consumer decision making is likely to continue. Rapid technological change, for instance, has led to multitudes of new products and decreased product lifetimes. In addition, new communications media, such as the World Wide Web, have made enormous amounts of information on options potentially available (Alba et al., 1997). Further, consumers are often asked to make difficult value tradeoffs, such as price versus safety in purchasing an automobile, environmental protection versus convenience in a variety of goods, and quality of life versus longevity in complex health care decisions. How do consumers cope with the decisions they must make, some of which involve difficult tradeoffs and uncertainties? One approach to studying consumer decisions has been to assume a rational decision maker with well-defined preferences that do not depend on particular descriptions of the options or on the specific methods used to elicit those preferences. Each option in a choice set is assumed to have a utility, or subjective value, that depends only on the option.