By Dr. Andreas Kuehn and Vaibhav Garg
Originally published in ;login:, an open access digital publication from USENIX.
Some public policy experts have suggested that a cybersecurity label could help buyers make informed purchasing decisions about new IoT devices. One proposal uses New York City’s restaurant sanitation grades as an analogy. Restaurateurs are required to display a letter grade – A, B, or C – based on the inspector’s score. The score changes after an infraction, resulting in a lower letter grade, from which restaurant-goers can infer that an establishment’s hygiene is amiss. Policy makers have argued that a similar label, assigning grades based on the cybersecurity posture of an IoT product, may help buyers make purchasing decisions commensurate with their cyber-risk tolerance. In this article we discuss some of the issues involved in establishing IoT labeling.
The underlying concern is that non-expert buyers may be unable to differentiate IoT products on cybersecurity. This information asymmetry may lead to under-provisioning of cybersecurity by vendors, since consumers will differentiate products on features instead. The potential result is a lemons market for cybersecurity in some IoT markets. The resulting costs become apparent when industry and government respond to incidents, clean up compromised networks and devices, recover business operations, and contain the damage from data breaches. Labels may mitigate this information asymmetry and thereby incentivize upfront cybersecurity investment, shifting cybersecurity to the left, that is, earlier in the product development lifecycle.
Furthermore, these labels may allow vendors to generate additional revenue. Research shows that buyers are willing to pay a 30% premium for cybersecurity in consumer IoT products [3]. Labeling may enable vendors to differentiate their products from less secure alternatives and thereby target customers who are willing to pay for secure and safe IoT products.