"CyLab's IoT Security and Privacy Label Effectively Conveys Risk, Study Finds"
In 2020, a team of researchers at Carnegie Mellon University's CyLab revealed a prototype security and privacy "nutrition label," similar to the label placed on a food product to tell consumers how many calories it has. The security and privacy label is intended to raise consumer awareness about the risks associated with purchasing and using Internet of Things (IoT) devices. The label provides information such as what type(s) of data the device collects, with whom the data is shared, why this data is collected, and more.

To find out how actual consumers perceive risk when given this information and how it affects their purchasing behavior, the research team conducted a large-scale study. The study found that people perceived the risk associated with most of the tested attributes accurately. The participants' perceptions were also found to influence their willingness to purchase IoT devices.

Although most of the security and privacy attributes displayed by the label produced accurate risk perceptions, there were some misconceptions. Many of the participants presented with the attribute "Average Time to Patch," which had values of either "one month" or "six months," perceived both values to be high risk, and both lowered their willingness to purchase. According to some participants, a device that needs to be patched must not be secure. These findings suggest that manufacturers need to explain why patching may be necessary, why it takes a certain amount of time to patch a flaw, and why it may not be practical to patch vulnerabilities rapidly.

Findings from the study will help improve the IoT privacy and security label, which can strengthen the safety and security of the IoT ecosystem. This article continues to discuss the goal of CyLab's security and privacy label, as well as findings from the study on how the information presented by the label changes consumers' risk perception and their willingness to purchase IoT devices.
CyLab reports "CyLab's IoT Security and Privacy Label Effectively Conveys Risk, Study Finds"