Opinion

Abstract

The installed base of Internet of Things (IoT) consumer products is steadily increasing, in conjunction with the number of disclosed security vulnerabilities in these devices. In this paper, we share the opinion that strong security measures are necessary but IoT security cannot solely be improved by means of sophisticated technical solutions. From our point of view, economic incentives for the manufacturers have to be established through enabling consumers to reward security. This is currently not the case, as an asymmetric information barrier prevents consumers from assessing the level of security that is provided by IoT products. As a result, consumers are not willing to pay for a comprehensive security design as they cannot distinguish it from insufficient security measures. Learning from regulatory approaches that overcame information asymmetries about other non-functional properties in consumer products, e.g., energy labels to compare the power consumption, we propose security lifetime labels, a mechanism that transforms security into an accessible feature and enables consumers to make informed buying decisions. Focusing on the delivering of security updates as an important aspect of enforcing IoT security, we aim to transform the asymmetric information about the manufacturers' willingness to provide security updates into a label that can be assessed by the consumers.