When nudging is not enough to entrench security best practices in IoT

November 9, 2017

Posted by: Zenobia Hegde

Yiru Zhong of Beecham Research

Richard Thaler’s win of the Nobel Economic Prize last month for his behavioural economics theory reminds us of the important role of psychology in everyday decision making. He states that individuals make decisions not solely based on hard evidence but on a combination of evidence and “irrational” inputs. This theory and his pop-culture book on Nudge theory have been applied successfully in several public policies; the creation of Nudge Units around the world reflects the widespread belief in the theory’s efficacy to influence an outcome, says Yiru Zhong, principal analyst at Beecham Research.

However, this has limited applicability to embedding security and privacy by design practices in IoT deployments. This is because, unlike other nudge outcomes such as a ban on public smoking or the opt-in nature of organ donations, the shape of a desired outcome for security and privacy protection in IoT systems is ever shifting. There is no such thing as the optimal security and privacy posture at a single point in time; the journey to get there differs from organisation to organisation, and most importantly, there are such vast differences in the value placed on security and privacy among individuals that stronger-arm tactics are required.

This week, ARM released Platform Security Architecture as open source to address the challenges of adding security features at a scale that befits the needs of the IoT vision of “more than a trillion devices”. This is only one of several similar pieces of news in the last 2 months. In August, the US Senate proposed a bill, the “IoT Cybersecurity Improvement Act 2017”, to ensure that government entities only purchase internet connected devices that meet a baseline security standard. In September, the EU proposed a regulation to create a Cybersecurity Certification Framework to certify ICT products in the union.

In early October, the IIC showcased several joint projects at the IoT Solutions World Congress to demonstrate the positive cases in which operations can continue as usual even after implementing the IIC’s security recommendations from its Industrial Internet Security Framework. These recommendations and frameworks are only a few of the recent ones. The upcoming General Data Protection Regulation (GDPR) looms over enterprises, which must prepare for compliance on both data protection and privacy by 25th May 2018.

This can be considered the most strong-arm of all regulation; penalties for non-compliance are much higher, at up to €20 million or 4% of global annual revenue. In comparison, the maximum penalty in the UK currently is £500,000 (€563,950), and TalkTalk’s breach only incurred a £400,000 (€451,160) fine.

The disparity in the types of top-down tactics used to encourage security and privacy best practices reflects the range of perceived value of security. Spending on security is often considered as something to be tolerated, an expense to be made at times begrudgingly, or something to be done because of heightened fear. Already, enterprises face a shifting landscape of external and internal security risks and have a finite budget to build their arsenal of tools and skills to mitigate those risks as best they can.

With IoT deployments, many enterprises have started experiments without involving security professionals to provide the framework necessary to ensure those deployments are also secure. Check Point reported last week that another strain of IoT botnet (IoTroop) has been discovered and has infected an estimated 1 million organisations. They also worried that IoTroop will have an even more widespread impact than the Mirai-infected botnets that brought down Dyn and subsequently cloud infrastructure provider AWS, among others.

Despite the reliance on fear to push security products, the more sustainable approach is to spread the positive case for security investment, particularly in IoT deployments. Beecham Research, together with our event partner Internet of Business, is conducting a survey to gauge enterprise user attitudes towards security and privacy in their IoT systems, particularly to uncover perceptions of business value in security investments. We would love it if you would participate in this survey, and in return we would be happy to share with you a summary of the findings.

The author of this blog is Yiru Zhong, principal analyst at Beecham Research
