Wednesday, September 28, 2022

Security by Labeling

By Andreas Kuehn

Communications of the ACM, September 2022, Vol. 65 No. 9, Pages 23-25. DOI: 10.1145/3548762

Empowering consumers to make risk-informed purchasing decisions when buying Internet-of-Things (IoT) devices or using digital services is a principal thrust to advance consumer cybersecurity. Simple yet effective labels convey relevant cybersecurity information to buyers at the point of sale and encourage IoT vendors to up their cybersecurity game as they now can recoup their security investments from risk-aware buyers. These dynamics benefit consumers and the industry alike, resulting in better, more resilient cybersecurity for all.

Consumers are insufficiently aware of risks emanating from IoT and are ill-equipped to manage them. For all the much-heralded benefits of consumer IoT to come true, the industry must ensure all the smart home appliances, connected thermostats, and digital services are secure and can be trusted. The industry has long been criticized for not paying sufficient attention to the cybersecurity of its products. Concerns over security were pushed aside, yielding precedence to shorter time-to-market and higher corporate profits. Less time for testing translates into insecure products in residential homes.

The full cost of insecurity is on display when consumers, industry, and governments must respond to and clean up after cyber incidents. The toll of consumer cybercrime alone adds up to more than 100 billion USD per year globally.[4] The industry, with support from government, must find ways to put IoT security front and center and make the necessary up-front investments that enhance consumer cybersecurity and lower cost to everyone.

Lack of Information Drives Cyber Insecurity

Consumer cybersecurity is suffering from information asymmetry, the skewed appraisal of the quality of a property that Nobel Laureate economist George Akerlof described in his seminal writing "The Market for Lemons: Quality Uncertainty and the Market Mechanism."[1] In the secondhand car market, Akerlof observed, buyers of used cars could not tell good cars from bad ones and thus differentiated the product on price alone, rather than including the quality of the preowned vehicles in their purchase decision-making. Sellers had no incentive to sell higher-quality cars since they could not find buyers willing to pay a higher price. Thus, the information asymmetry between the seller, who knows the quality of the car, and the buyer, who cannot assess the quality of the car, led to a market of lemons, a degraded market of subquality cars, which frequently break down and are in constant need of expensive repairs.

The challenges on the way to consumer IoT cybersecurity labeling are considerable but not insurmountable.

The consumer IoT marketplace faces a similar conundrum. Buyers cannot discern a secure Internet-connected camera from its insecure, cheaper alternative. With no market demand, IoT manufacturers have no incentive to invest in cybersecurity. All that is left is to compete on price, further incenting the reduction of security to save on cost and hindering the much-needed consumer adoption of secure Internet-connected devices and services. Adding transparency by means of a recognized, trusted cybersecurity label can break this vicious cycle, empower buyers to make risk-informed purchases, and allow vendors to reap the rewards of their cybersecurity investments by marketing to security-aware customers. In fact, research shows that a sizable portion of consumers is willing to pay a 30% markup for secure IoT products. ...

