Internet Service Providers’ and Individuals’
Attitudes, Barriers, and Incentives to Secure IoT
Nissy Sombatruang 1, Tristan Caulfield 2, Ingolf Becker 2, Akira Fujita 1, Takahiro Kasama 1, Koji Nakao 1, Daisuke Inoue 1
1 National Institute of Information and Communications Technology
2 University College London
Abstract
Internet Service Providers (ISPs) and individual users of Internet of Things (IoT) play a vital role in securing IoT. However, encouraging them to do so is hard. Our study investigates ISPs’ and individuals’ attitudes towards the security of IoT, the obstacles they face, and their incentives to keep IoT secure, drawing evidence from Japan.

Due to the complex interactions of the stakeholders, we follow an iterative methodology where we present issues and potential solutions to our stakeholders in turn. For ISPs, we survey 27 ISPs in Japan, followed by a workshop with representatives from government and 5 ISPs. Based on the findings from this, we conduct semi-structured interviews with 20 participants followed by a more quantitative survey with 328 participants. We review these results in a second workshop with representatives from government and 7 ISPs. The appreciation of challenges by each party has led to findings that are supported by all stakeholders.

Securing IoT devices is neither users’ nor ISPs’ priority. Individuals are keen on more interventions both from the government as part of regulation and from ISPs in terms of filtering malicious traffic. Participants are willing to pay for enhanced monitoring and filtering. While ISPs do want to help users, there appears to be a lack of effective technology to aid them. ISPs would like to see more public recognition for their efforts, but internally they struggle with executive buy-in and effective means to communicate with their customers. The majority of barriers and incentives are external to ISPs and individuals, demonstrating the complexity of keeping IoT secure and emphasizing the need for relevant stakeholders in the IoT ecosystem to work in tandem.
Copyright is held by the authors.
This is an extended version of our USENIX Security ’23 paper [41].
1 Introduction
The Internet of Things (IoT) brings several benefits to individuals and society. The ability to monitor properties remotely via smart CCTV, adjust heating remotely, and utilise energy more efficiently with a smart meter are just a few examples that are gradually becoming part of many people’s lives. However, the lagging of security and privacy on these IoT devices can expose users and the supporting networks to cybersecurity risks. The 2016 Dyn attack, which caused large-scale disruption to Internet services, is a prime example of the risks that the IoT can pose to both individual users of IoT and ISPs [3]. It provides compelling evidence for the need for both parties to keep IoT secure.
The increasing involvement of ISPs in cleaning up infected home computers [1,4,11,14,22] demonstrates that ISPs are key to securing IoT. Individuals, as the owners and users of IoT devices, also have an important role in securing these devices. However, the attitudes of ISPs and individuals towards the need to secure IoT, and the incentives and obstacles that encourage or discourage them from acting to secure IoT, are still poorly understood.
This study seeks to understand these attitudes, obstacles, and incentives by investigating ISPs and individuals in Japan. Japan is of particular interest due to the country’s fast-growing IoT adoption [29,42] and the government’s ambition to keep the IoT ecosystem secure. This is most notably evident in the National Operation Towards IoT Clean Environment (NOTICE), an ongoing nationwide project to identify and remediate vulnerable and infected IoT devices [33]. Our findings will improve the effectiveness of NOTICE and similar projects elsewhere.
For ISPs, we survey 27 ISPs across Japan followed by two workshops in which 5 and 7 ISPs participated. For individuals, we conduct semi-structured interviews with 20 participants and follow this up with an online survey with 328 participants.
Our findings shed light on the profound complexity of the effort to encourage ISPs and individuals to keep IoT secure. While individuals have some concerns about the security and privacy of IoT devices and ISPs are concerned about their networks hosting infected/vulnerable IoT devices, keeping IoT secure is only a secondary priority for them. Individuals and ISPs also face various barriers that deter them from doing so.
arXiv:2210.02137v1 [cs.CY] 5 Oct 2022
Most of the key incentives are external to ISPs and individuals; hence, the onus of implementing these incentives falls onto other stakeholders in the IoT ecosystem. In the grand scheme of things, these findings suggest that: 1) solutions cannot be unilateral on the part of one stakeholder, 2) good solutions require ISPs, governments, device manufacturers, and individuals to work together, and 3) the other stakeholders must help support and motivate individuals in their role.
In summary, our contributions are as follows:
- We investigate ISPs’ and individuals’ attitudes, barriers, and incentives to secure IoT, being the first to undertake an integrated approach — by examining three aspects from two stakeholders in one study.
- We provide evidence of these attitudes, barriers, and incentives, the latter of which include the misaligned incentives between ISPs and individuals.
- We synthesise lessons learned and propose considerations to encourage ISPs and individuals to secure IoT.
2 Background and related work
Along with its many benefits, the IoT also has disadvantages—one of the most criticised being the risks to security and privacy. Plenty of previous studies have produced evidence of the vulnerabilities found on IoT devices. For example, Liu et al. [28] uncovered security issues in one smart home system which allowed an attacker to compromise a passphrase guarding the communication over the local wireless network. Morgner et al. [32] showed how an attacker can exploit a vulnerability in Zigbee 3.0, a wireless technology used in devices such as door locks, and take over the devices from a distance. Alrawi et al. [2] also evaluated and found vulnerabilities in a long list of IoT devices, which is concerning as some of these devices are popular products in the market.

More frightening than the theoretical attacks is the mounting evidence of real-life attacks on IoT devices. Media reports about the hacking of IoT such as Internet-connected CCTV (e.g. [6,45,46]) and smart home systems [30] are not new today. The most infamous IoT attack to date is the 2016 Dyn attack, in which millions of IoT devices infected by Mirai, an IoT malware, were compromised and used to launch a distributed denial-of-service attack, causing large-scale disruption to Internet services [3,27].

With the IoT market expected to grow exponentially—consumer spending is estimated to be 1.6 trillion US dollars by 2025 [43]—the need to secure IoT devices cannot be ignored.
2.1 The role of ISPs in keeping IoT secure
To understand ISPs’ roles in keeping IoT secure, understanding their roles in mitigating botnets (networks of computers infected by malware) lays the foundation.

In one of the earliest works in this area, Van Eeten et al. [47] analyzed a global set of spam data between 2005–2008 and showed that a small number of ISPs accounted for a significant percentage of unique IP addresses used for sending spam worldwide, demonstrating the ISPs’ unique position as intermediaries in botnet mitigation. Their subsequent work evaluating the role and performance of ISPs in botnet mitigation across 60 countries found that although the ISPs’ performances varied, the ISPs can and do make a difference, especially in identifying, notifying, and quarantining the infected customer [4].

Pijpker and Vranken [37] established a reference model of the ISPs’ roles in the anti-botnet life cycle from prevention to detection, notification, remediation, and recovery. They validated the model with a representative sample of Dutch ISPs and showed that ISPs spent most effort on prevention and notification but less so on other activities [37]. The OECD also reported various initiatives by the ISPs in the fight against botnets in Australia, Germany, Ireland, Japan, Korea, the Netherlands, the UK, and the US [34].
A large part of the role of ISPs in keeping the IoT ecosystem secure is similar to their role in combating botnets; indeed, many botnets comprise IoT devices. A prime example of such an endeavour is the cleanup of Mirai in the Netherlands. Cetin et al. [15] examined the ISPs’ uses of walled gardens on Mirai-infected IoT devices. Traditionally, this practice is used to quarantine and notify customers whose computers were infected by malware and turned into bots. They found that the use of walled gardens remediated 92% of the Mirai infections within 14 days, and outperformed the use of email notification. Their findings provide compelling evidence of the prominent role that ISPs play in keeping IoT secure, particularly in after-the-fact events (i.e., after customers’ IoT devices were infected by malware).

ISPs can also play an important role in preventing the spread of infections from customers’ infected IoT devices hosted in their networks. One approach is for the ISPs to scan for vulnerable IoT devices and isolate them from the Internet before they are compromised [20]. Another approach is for central government agencies to conduct a wide scan for vulnerable or infected IoT devices and ask the ISPs to notify the owners of these vulnerable/infected devices and ask them to take action to remediate. This approach is being undertaken in Japan, under the ongoing five-year NOTICE initiative [33]. In NOTICE, the National Institute of Information and Communications Technology (NICT) identifies vulnerable or compromised IoT devices; participating ISPs are informed and assume the responsibility of identifying and notifying their customers who own the devices. While the effectiveness of this approach is yet to be evaluated, one key lesson learned from the previous Japanese government’s effort to clean up malware and botnets on end users’ computers (under the CCC and ACTIVE initiatives, see Appendix A.1) suggested that participating ISPs in NOTICE are likely to lack the incentives to actively engage and invest in the effort.

The lack of incentives also deters ISPs from keeping IoT secure in general [16]. Therefore, working together with the ISPs to identify their attitudes to securing IoT, the barriers they face, and the incentives that would encourage them to overcome these obstacles is imperative.
2.2 The role of individuals
Individuals who own and use IoT devices are another key stakeholder in keeping IoT secure. In an ideal world, they would configure appropriate security and privacy settings and maintain good security hygiene until these devices reached their end of life. However, the reality is rather different.

The field of human factors in security has long posited that security is a secondary, not primary, task [39,48,49]. Simply put, security tasks such as changing the default password on IoT devices are less important than the primary task: getting the new device up and running. Security and privacy are not the most important factors in IoT device purchase behaviour either: Emami-Naeini et al. [23] showed that they were ranked below features and price.

Individuals also have different levels of experience and skill when it comes to fixing compromised devices. A study of ISP customers asked to identify and remediate compromised devices on their home networks found that, while the participants were motivated, many could not complete all the recommended steps [8]. Relying less on individuals to secure IoT and more on device makers to make IoT devices secure by design is a better solution. A study investigating responsibilities for smart device security and privacy found that users largely viewed the responsibility for security as shared between themselves and device manufacturers [25]. Although progress has been made and governments in some countries (e.g. the UK [19], Australia [24], and Japan [35]) have mandated or recommended that device makers do so, there are still a large number of devices that are not secure [2]. Therefore, individuals still have a role to play in securing the IoT ecosystem.
3 Scope and methodology
In this study, we examine two key stakeholders in the IoT ecosystem: ISPs and individuals. For ISPs, we sought their views on their customers’ IoT devices (hosted in the ISPs’ networks), not the IoT devices used by the ISPs. For individuals, the scope was limited to ordinary users of IoT and in a personal context only (i.e., in the household).

We aimed to answer three research questions:

Q1—What are ISPs’ and individuals’ attitudes towards the security and privacy of IoT?

Attitudes toward the security and privacy of IoT are fundamental to the ISPs’ and individuals’ course of action on securing IoT. Understanding their attitudes is key to why they do or do not keep IoT secure. Specifically in this study, we sought to understand their concerns about IoT, the perceived likelihood that IoT can be compromised, their commitment to keeping IoT secure, and their perception of the contribution made by other stakeholders to secure IoT.

Q2—What are the barriers that prevent ISPs and individuals from keeping IoT secure?

For individuals, we sought to identify the barriers that prevent them from securing or remediating IoT devices. For ISPs, we focused on identifying the barriers that prevent them from investing in and/or committing to keeping IoT devices on their networks secure.

Q3—What are the incentives to encourage ISPs and individuals to keep IoT secure?

Incentives are key to encouraging ISPs and individuals to keep IoT secure. We sought to identify internal and external incentives. We defined internal incentives as those that need to be applied to ISPs and individuals to motivate them to secure IoT. External incentives, on the other hand, are those that need to be applied to other relevant stakeholders (to encourage or make it easier for ISPs and individuals to keep IoT secure).
3.1 Methodology
We divided the research into studies of both ISPs and individuals. Based on the complex interactions between the stakeholders when trying to secure the IoT, we decided to adopt an iterative participatory action research based approach for our research [36]. Participatory action research has been successfully used in studying complex information systems [5,21]. The ISPs study consisted of a survey and two workshops. The individuals study consisted of user interviews and a survey. Each study is discussed in turn. An overview of the relationships between the different studies is shown in Fig. 1. The ISP survey was conducted initially, and the first ISP workshop was held after this to get feedback and clarification about survey findings. Both the survey and workshop then fed into the design of the individuals’ interviews and subsequent survey. Finally, a final ISP workshop was held to discuss the findings from the earlier studies.
3.1.1 ISPs study
Recruitment and demographic of ISPs. We advertised and recruited ISPs through the ICT Information Sharing and Analysis Centre Japan (ICT-ISAC) (footnote 1). ICT-ISAC regularly holds information exchange opportunities among ISPs, and participating ISPs are incentivized to exchange information on the status of security measures, issues, and knowledge of other ISPs. We requested that the ideal representative from the ISPs be in a position that can influence new policies or strategies in their organisation and have a sound understanding of the roles, responsibilities, and abilities of ISPs in keeping the Internet secure.

Figure 1: Overview of the methodology. [Flow diagram; stages shown: ISPs questionnaire (n = 27), 1st ISPs workshop (n = 5), User interviews (n = 20), Individual survey (n = 328), 2nd ISPs workshop (n = 7), Consolidated results. Legend: direct input, partial input.]

Footnote 1: Established in 2016, the centre is responsible for promoting a safe ICT society in Japan. Its members consist of organisations related to ICT, e.g. …
A total of 27 ISPs took part in the survey, 5 in the 1st workshop, and 7 in the 2nd workshop (4 of them also took part in the 1st workshop). Participating ISPs encompassed mixed demographics with varied customer sizes, service coverage, and experiences with previous and current government initiatives to promote safe ICT (Table 6). Representatives from various government bodies were also present, although primarily in an observer role. All ISPs participated voluntarily and no monetary reward was given.
ISP survey
ISP survey. The online (LimeSurvey) survey was designed to collect data about the ISPs’ attitudes, barriers, and incentives to keep IoT secure. It took approximately one hour to complete. We tested the questions with experienced members of the ICT-ISAC before launching the survey to ensure that the questions were sound and the survey’s length was appropriate.

The survey has three parts (shown in Appendix A.4). Part 1 asks about demographic details of the ISPs. Part 2 asks about the attitudes and barriers. Specifically, it asks about concerns about their networks hosting infected/vulnerable IoT devices, the perceived likelihood of their networks being attacked, the roles and responsibilities of ISPs in securing IoT activities (and their current level of commitment to them), the priority that ISPs, security companies, and equipment manufacturers give to keeping the IoT ecosystem secure, and their perception of how other stakeholders have acted to secure IoT.

For barriers, we ask about the barriers which ISPs face internally within their organisation and externally—in terms of law and regulation, and in aiding NOTICE. Part 3 asks about initiatives that ISPs viewed as incentives to motivate them to keep IoT secure in general and in aiding NOTICE.

Footnote 1 (continued): www.ict-isac.jp
We collected quantitative and qualitative data. Quantitative data were responses from rating, ranking, and multiple-choice (single and multiple answers) questions. Qualitative data were from free-text questions. All questions asked for quantitative data, except for those about the barriers in NOTICE.
For quantitative data, we performed statistical tests to determine the statistical significance of the findings. The Shapiro-Wilk test for normality was done first to determine whether the data being analyzed was normally distributed. For rating questions, the mean (µ) was used to describe the central tendency of the responses if data were normally distributed, and the median (X̃) and the mode (Mo) were used if data were not normally distributed [44]. McDonald’s Omega was also used as a measure for internal consistency (footnote 2) and was found to be reliable (ω_min = 0.72). For ranking questions, the Friedman test was used to determine the significance of the ranking scores. For multiple-choice questions, the proportion test was used to determine whether the observed proportions of the selected answer choices were statistically significantly different. To compare responses between multiple sub-groups (mainly ISP sizes), we performed Mann-Whitney U tests. Where necessary, the significance boundaries of the statistical tests were Bonferroni adjusted to account for multiple comparisons.

The small number of qualitative responses from the survey were thematically grouped by two researchers to identify common barriers that ISPs faced in the NOTICE project. This grouping was reviewed by other team members and iteratively refined until consensus was reached. The grouping can be seen in Table 9.
ISP workshops. We held two ISP online workshops (due to COVID-19 travel restrictions) at two different stages in the study (Figure 1). Each of them served a different purpose.

The 1st workshop took place after the ISP survey. The aim was to obtain feedback and clarification about the findings from the survey. Feedback relevant to individuals was also used to inform the design of the individuals’ study. In the workshop, one researcher chaired the session, two took detailed notes and facilitated when required, and one of them presented a summary of key points at the end of the workshop.

The 2nd workshop took place after the individuals’ study. The objectives were to share preliminary findings from the individuals study with ISPs and seek their feedback where relevant. This was run in the same way as the 1st workshop.

Footnote 2: Cronbach’s Alpha does not suit small sample sizes (n < 30).
3.1.2 Individuals study
Recruitment and demographic of participants. We advertised and recruited participants in Japan for both user interviews and the survey through NTT Com Research (footnote 3). Eligible participants had to be living in Japan, be at least 18 years old, and possess at least one IoT device besides a smartphone, tablet, or Wi-Fi router.

A total of 20 participants took part in the user interviews and 328 in the survey. Participants encompassed a mixed demographic: gender, age, and IoT devices they have (Table 5).

User interviews. The interviews aimed to gain a preliminary understanding of individuals’ attitudes, barriers, and incentives to keep IoT secure. Findings from the interviews were primarily used to inform the design of the survey, but some of the findings were also used to interpret the findings from the survey where appropriate.

A one-to-one, semi-structured one-hour online interview took place with each participant. The interview consisted of three parts (see Appendix A.5 for the interview guide). Part 1 asked about the uses of IoT devices and factors affecting the uptake decisions. Part 2 asked about the security and privacy of IoT. This included the extent and the nature of concerns and supporting rationale, priority to keep IoT secure, the security hygiene practice on IoT devices and any problems they encountered, the perceived likelihood of their IoT devices being compromised and the rationale supporting their perception, and their experiences of remediating compromised IoT devices. Part 3 asked about possible initiatives that individuals viewed as incentives to motivate them to keep IoT secure.

Interviews were recorded and manually transcribed. Each participant was then assigned a non-identifiable ID (P1–P20). We followed an established methodology for iterative thematic analysis [10,31]. After familiarising ourselves with the transcripts, two researchers generated initial codes that represented recurring aspects in the data. These codes (and their associated quotations) were discussed and defined with the larger research team, before repeating the coding process on all of the transcripts. After four rounds of this process the codebook was stable: we reached consensus on the meaning of the codes and their occurrences in the transcripts. At this point codes were grouped into themes. This process was supported by a review of prior literature, allowing us to identify recurring themes as well as new, divergent ideas in our data. These resulting themes were used to inform the survey structure and answer options, and the findings are discussed in Sections 5 and 6. The codebook and coding matrix can be seen in Table 10.

Footnote 3: The company provides various data collection services in Japan, including Internet surveys, and has about 2.17 million registered users from all over the country as of March 2021 (https://research.nttcoms.com).
Survey
Survey. The design of the survey is based on the findings from the interviews. It has three parts (see Appendix A.6 for an English translation) and follows the same topics and subjects as the interview. The original survey uses a number of common Likert scales which have been translated into matching English ones.

In examining incentives, we also examined participants’ willingness to pay (WTP) for IoT security services. A contingent valuation (CV) method was used by asking participants to specify the amount they were willing to pay for four IoT security services: traffic monitoring, remote assistance, home visit, and a bundled service including all of these. CV is used widely in economic studies to determine the stated preference of the WTP for a product or service (e.g. [7,18,40]).

We applied the same statistical tests used in the ISP survey (Section 3.1.1) for the rating, ranking, and multiple-choice questions. Cronbach’s alpha was used to determine the internal consistency of rating responses (α_min = 0.94, suggesting that they were reliable).
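As an added illustration (not code from the paper or its authors), the following pure-Python script reproduces on constructed Likert data the shape of the rating-scale analysis described for both surveys: Cronbach’s alpha for internal consistency, the rule of reporting the mean for normally distributed responses and the median and mode otherwise, and pairwise Mann-Whitney U comparisons between sub-groups with a Bonferroni-adjusted significance boundary. The respondent scores and the sub-group totals are constructed; the normality decision is passed in as a flag because Shapiro-Wilk (and McDonald’s omega) are not in the standard library; and the U test uses the large-sample normal approximation without tie correction, which is a simplification of what a statistics package does.

```python
"""Added example (not from the paper): a pure-Python sketch of the
rating-scale analysis described in Section 3.1. All data are constructed."""
import math
import statistics
from itertools import combinations

# Constructed sample: 8 respondents x 4 five-point Likert items
# (rows = respondents, columns = items). Values are illustrative only.
RESPONSES = [
    [5, 4, 5, 4],
    [4, 4, 4, 3],
    [2, 2, 1, 2],
    [5, 5, 5, 5],
    [3, 3, 2, 3],
    [1, 2, 1, 1],
    [4, 5, 4, 4],
    [2, 1, 2, 2],
]

# Constructed sub-group totals (e.g. summed scale scores by ISP size).
GROUPS = {
    "small": [5, 7, 7, 11],
    "medium": [15, 17, 18, 20],
    "large": [12, 14, 16, 19],
}


def cronbach_alpha(rows):
    """Cronbach's alpha: k/(k-1) * (1 - sum(item variances) / var(total score))."""
    k = len(rows[0])
    item_vars = [statistics.variance(col) for col in zip(*rows)]
    total_var = statistics.variance([sum(r) for r in rows])
    return k / (k - 1) * (1 - sum(item_vars) / total_var)


def summarise_rating(values, normally_distributed):
    """The paper's rule: mean for normal data, median and mode otherwise.
    The normality decision (Shapiro-Wilk in the paper) is supplied by the
    caller, e.g. from scipy.stats.shapiro; it is not computed here."""
    if normally_distributed:
        return {"mean": statistics.mean(values)}
    return {"median": statistics.median(values), "mode": statistics.mode(values)}


def _avg_rank(v, pooled):
    """Mid-rank of v within the pooled sample (ties share the average rank)."""
    less = sum(1 for x in pooled if x < v)
    equal = sum(1 for x in pooled if x == v)
    return less + (equal + 1) / 2


def mann_whitney_u(a, b):
    """Two-sided Mann-Whitney U using the normal approximation.
    No continuity or tie correction (a simplification for illustration).
    Returns (U, p)."""
    pooled = list(a) + list(b)
    n1, n2 = len(a), len(b)
    r1 = sum(_avg_rank(v, pooled) for v in a)
    u1 = r1 - n1 * (n1 + 1) / 2
    u = min(u1, n1 * n2 - u1)
    mu = n1 * n2 / 2
    sigma = math.sqrt(n1 * n2 * (n1 + n2 + 1) / 12)
    z = (u - mu) / sigma
    p = math.erfc(abs(z) / math.sqrt(2))
    return u, p


def compare_groups(groups, alpha=0.05):
    """Pairwise U tests across sub-groups; the significance boundary is
    Bonferroni-adjusted by the number of comparisons, as the paper does."""
    pairs = list(combinations(sorted(groups), 2))
    threshold = alpha / len(pairs)
    results = {}
    for g1, g2 in pairs:
        u, p = mann_whitney_u(groups[g1], groups[g2])
        results[(g1, g2)] = {"U": u, "p": p, "significant": p < threshold}
    return results, threshold


if __name__ == "__main__":
    print(f"Cronbach's alpha = {cronbach_alpha(RESPONSES):.3f}")
    print(summarise_rating([r[0] for r in RESPONSES], normally_distributed=False))
    results, thr = compare_groups(GROUPS)
    print(f"Bonferroni-adjusted boundary: {thr:.4f}")
    for pair, r in results.items():
        print(pair, f"U={r['U']:.0f} p={r['p']:.4f} significant={r['significant']}")
```

With the constructed data the small-versus-medium comparison has U = 0 and p of about 0.021, which would pass an unadjusted 0.05 boundary but not the Bonferroni-adjusted 0.05/3; that is exactly the situation the adjustment exists to catch when several sub-group pairs are tested on the same item.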
The online survey took about 20-25 minutes to complete. Prior to its launch, we iterated on the questions with four researchers.
3.2 Ethics consideration
The study was conducted after having been approved by the institutional review board. Permission was granted provided that we informed participants about the study, obtained their consent before data collection, and complied with Japan’s Act on the Protection of Personal Information (APPI). Individual participants gave informed consent to participate in the study, and no personally identifying information was collected. The ISP participants were aware of the time commitments, and the results of this research are provided to the ISPs, which is an incentive for them. Each individual participant received ¥5500 and ¥1000 to participate in the interview and online survey, respectively.
4 Results: ISPs
We begin with the results from the ISPs’ perspective. ISPs with more than 10,000 and fewer than 1 million customers were classed as ‘medium’, with ‘small’ and ‘large’ ISPs on either side of this range. See Table 6 for full ISP demographics.

4.1 Attitudes toward IoT security and privacy

ISPs had varying concerns about the potential impact of IoT security risks, the perceived likelihood that the risks will materialize, and the priority they give to securing the IoT ecosystem.