This CREST report gives recommendations on the secure adoption and use of smart home products among consumers.

This report details the key findings of work conducted by the Individual Differences in Adoption, Secure Use, and Exploitation of Smart Home Technology project.

The project consisted of three primary work packages (WPs) using smart home-based IoT technology to explore the relationship between individual differences in the adoption and secure use of new technology, and the exploitation of such technologies for nefarious purposes.

The project was delivered by a multi-disciplinary team, which included experts in consumer behaviour and technology adoption, psychology and human factors in the cyber domain, and cyberspace operations.  

The approach of the latter two work packages provided a means to further consider the potential exploitation of connected smart home devices via vulnerabilities that may emerge as a result of people’s choices.

Recommendations arising from this work are provided, with a particular focus on how the secure adoption and use of products and services by all consumers can be facilitated, including potential integration into the product development lifecycle.

 
Key recommendations

Our work shows how the opinions that people hold about technology can carry over to the choices that they make when setting up that technology. Consumers may benefit from increased engagement and education in the early stage of product consideration and use (e.g. during marketing, sales, and initial set-up/registration stages) regarding the relevance and importance of security for different types of smart home devices, particularly those not traditionally viewed as relevant to security. 

For current users of devices, engagement via existing customer relationship management channels may provide a useful route (e.g. Dewnarain, Ramkissoon & Mavondo, 2019). More generally, this research suggests the importance of stressing the dangers to security and privacy from being overly trusting of technology and its applications, as well as highlighting the risks of particular types of use. 

As part of these communications, current adopters and non-adopters of smart home technology would benefit from targeted communications differentially focused on emphasising potential risks and benefits (e.g. Key & Czaplewski, 2017). This would enable current adopters to better understand (and mitigate) security risks and non-adopters to understand the potential benefits that smart home technology may bring to their lives. 

A balanced view of security risks should be encouraged via end-to-end collaboration internally within organisations, with security, product development, and consumer behaviour and marketing professionals all actively engaged to consider the full product lifecycle – from product development to adoption and eventual discontinuance (e.g. Jugend, Ribeiro de Araujo, Pimenta, Gobbo & Hilletofth, 2017). 

To ensure sufficient understanding and buy-in across these groups of the needs and priorities of the other, internal marketing mechanisms may provide a useful structure to communicate and develop a shared internal vision of secure, consumer-focused innovation in relation to smart home devices, which can then be effectively communicated to consumers (e.g. Ballantyne, 2003; Kadic-Maglajlic, Boso & Micevski, 2018). 

Increasing consumers' perceived proficiency with technology, both directly related to security aspects and wider technology interactions, may facilitate greater confidence to both adopt such technologies and to use them securely. Our work also suggests that people could benefit from more support in understanding how their systems are configured and the likely knock-on effects of upgrades and additions. 

The use of community-focused, grassroots networks and organisations to develop and support technology proficiency within the community may increase the likelihood that such approaches can target a diverse range of consumer groups (e.g. Nicholson, Coventry & Briggs, 2019). Explicitly linking such approaches with existing, trusted organisations (e.g. across NGOs, industry, and the public sector) via sponsorship or other activities, may provide further credibility to networks and community technology support spaces, both in offline and online environments. Such approaches should provide support across the product lifecycle.

Reducing perceived vulnerability arising from using technology may increase the adoption of smart home technology but may also contribute to more insecure behaviour as a result if not managed appropriately. An approach that focuses on helping consumers to feel able to effectively manage any potential vulnerabilities that emerge rather than simply influencing perceptions of threat is likely to be preferable, and will also assist in building consumer resilience to emerging security risks as technology develops (e.g. Brass & Sowell, 2020; van Bavel, Rodríguez-Priego, Vila, & Briggs, 2019). Such an approach will likely require flexible and adaptive engagement with the community, or other trusted and accessible, support mechanisms. Such approaches should provide support across the product lifecycle.

Although risk information may increase secure behaviour it may also reduce intentions to use such devices. Therefore, exposure to media information regarding the risks of smart home technologies should be accompanied by protective information that educates consumers on how they can easily manage these to increase secure behaviour without reducing usage or adoption of devices. Such information would likely benefit from the responsive, coordinated, and adaptive approaches typically seen in effective online crisis communications (e.g. Roshan, Warren & Carr, 2016).

Privacy and security work in slightly different ways and this requires more investigation. In the current work, although explicitly priming people to focus on improved security behaviours, it appeared to have an adverse impact on privacy behaviours. On the other hand, implicitly priming people to focus on privacy behaviours was shown to improve both privacy and security behaviours. As such, interventions in the smart home context should be carefully considered regarding the particular behaviour that they are aiming to encourage and the wider impacts that they may have on related behaviours.

Read more
  • Agarwal, R., & Prasad, J. (2007). Are individual differences germane to the acceptance of new information technologies? Decision Sciences, 30, 361–391
  • Ali, B., & Awad, A. (2018). Cyber and physical security vulnerability assessment for IoT-based smart homes. Sensors (Switzerland), 18(3) 
  • Ballantyne, D. (2003). A relationship-mediated theory of internal marketing. European Journal of Marketing, 37, 1242–1260
  • Bashir, A., & Mir, A. (2018). Internet of things security issues, threats, attacks and counter measures. International Journal of Computing and Digital Systems, 7(2), 111–120 
  • BBC News (2018). Panorama’s Hacked: Smart Home Secrets. Accessed from https://www.bbc.co.uk/news/av/uk-44117337/security-footage-viewed-by-thousands
  • Beautement, A., Sasse, A., & Wonham, M. (2008). The compliance budget: Managing security behaviour in organisations. Proceedings of the 2008 New Security Paradigms Workshop, California, USA, 22- 25 Sep, 47–48 
  • Blythe, J.M., & Johnson, S.D. (2019). A systematic review of crime facilitated by consumer Internet of Things. Security Journal, doi:10.1057/s41284-019-00211-8
  • Brass, I., & Sowell, J.H. (2020). Adaptive governance for the Internet of Things: Coping with emerging security risks. Regulation & Governance, doi:10.1111/rego.12343 
  • Coughlin, J.F., D’Ambrosio, L.A., Reimer, B., & Pratt, M.R. (2007). Adult perceptions of smart home technologies: Implications for research, policy & market innovations in healthcare. Proceedings of the 29th Annual International Conference of the IEEE Engineering in Medicine and Biology Society, Lyon, France, 22–26 August. 
  • Das, S., Kim, A., Jelen, B., Streiff, J., Camp, L.J., & Huber, L. (2020). Why don’t older adults adopt two-factor authentication. Proceedings of the 2020 SIGCHI Workshop on Designing Interactions for the Ageing Populations - Addressing Global Challenges. Available at: https://ssrn.com/abstract=3577820
  • de Boer, P., van Deursen, A., & van Rompay, T. (2019). Accepting the Internet-of-Things in our homes: The role of user skills. Telematics and Informatics, 36, 147–156 
  • Dewnarain, S., Ramkissoon, H., & Mavondo, F. (2019). Social customer relationship management: An integrated conceptual framework. Journal of Hospitality Marketing & Management, 28, 172–188.
  • Featherman, M.S., & Pavlou, P.A. (2003). Predicting e-services adoption: A perceived risk facets perspective. International Journal of Human-Computer Studies, 59, 451-474
  • Hadlington, L., & Chivers, S. (2018). Segmentation analysis of susceptibility to cybercrime. Exploring individual differences in information security awareness and personality factors. Policing: A Journal of Policy and Practice, 14, 6, 479–492 
  • Heartfield, R., Loukas, G., Budimir, S., Bezemskij, A., Fontaine, J.R.J., Filippoupolitis, A., & Roesch, E. (2018). A taxonomy of cyber-physical threats and impact in the smart home. Computers & Security, 78, 398–428
  • Hubert, M., Blut, M., Brock, C., Zhang, R. W., Koch, V., & Riedl, R. (2019). The influence of acceptance and adoption drivers on smart home usage. European Journal of Marketing, 53, 6, 1073–1098
  • Jugend, D., Ribeiro de Araujo, T., Pimenta, M.L., Gobbo, J.A., & Hilletofth, P. (2017). The role of cross-functional integration in new product development: Differences between incremental and radical innovation projects. Innovation: Organization & Management, 20, 42–60
  • Kadic-Maglajlic, S., Boso, N., & Micevski, M. (2018). How internal marketing drives customer satisfaction in matured and maturing European markets? Journal of Business Research, 86, 291–299.
  • Key, T.M., & Czaplewski, A.J. (2017). Upstream social marketing strategy: An integrated marketing communications approach. Business Horizons, 60, 325–333
  • Kim, K.J., & Shin, D-H. (2015). An acceptance model for smart watches: Implications for the adoption of future wearable technology. Internet Research, 25, 527–541 
  • Lin, C-H., Shih, H-Y., & Sher, P.J. (2007). Integrating technology readiness into technology acceptance: The TRAM model. Psychology & Marketing, 24, 641–657 
  • Mani, Z. & Chouk, I. (2018). Consumer resistance to innovation in services: Challenges and barriers in the Internet of Things era. Journal of Product Innovation Management, 35, 780–807 
  • Marikyan, D., Papagiannidis, S., & Alamanos, E. (2019). A systematic review of the smart home literature: A user perspective. Technological Forecasting and Social Change, 138, 139–154
  • McGuire, M. & Dowling, S, (2013). Cyber crime: A review of the evidence. Home Office research report 75. Available: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/248621/horr75-chap2.pdf
  • NCSC (2019). Smart devices in the home. Accessed from https://www.ncsc.gov.uk/guidance/smart-devices-in-the-home.
  • Nicholson, J., Coventry, L., & Briggs, P. (2019). “If it’s important, it will be a headline”: Cybersecurity information seeking in older adults. Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, 349, 1–11
  • Nikou, S. (2019). Factors driving the adoption of smart home technology: An empirical assessment. Telematics and Informatics, 45, DOI: 10.1016/j.tele.2019.101283
  • Patton, J. H., Stanford, M. S., & Barratt, E. S. (1995). Factor structure of the Barratt impulsiveness scale. Journal of Clinical Psychology, 51, 768–774
  • Park, C., Kim, Y., & Jeong, M. (2018). Influencing factors on risk perception of IoT-based home energy management services. Telematics and Informatics, 35, 2355–2365 
  • Ratchford, M., & Barnhart, M. (2012). Development and validation of the technology adoption propensity (TAP) index. Journal of Business Research, 65, 1209–1215
  • Roshan, M., Warren, M., & Carr, R. (2016). Understanding the use of social media by organisations for crisis communication. Computers in Human Behavior, 63, 350–361
  • Shin, J., Park, Y., & Lee, D. (2018). Who will be smart home users? An analysis of adoption and diffusion of smart homes. Technological Forecasting & Social Change, 134, 246–253
  • Siponen, M., & Vance, A. (2010). Neutralization: New insights into the problem of employee information systems security policy violations. MIS Quarterly, 34, 3, 487–502
  • Sovacool, B.K., & Furszyfer Del Rio, D.D. (2020). Smart home technologies in Europe: A critical review of concepts, benefits, risks and policies. Renewable and Sustainable Energy Reviews, 120, 109663.
  • Statista (2018a). Size of the IoT market worldwide from 2016 to 2020. Cited from https://www.statista.com/statistics/764051/iot-market-size-worldwide/
  • Statista (2018b). Control and connectivity smart home household penetration rate in the United Kingdom (UK) from 2016 to 2022. Cited from https://www.statista.com/statistics/483847/home-automation-smart-home-household-penetration-digital-market-outlook-uk/
  • van Bavel, R., Rodríguez-Priego, N., Vila, J., & Briggs, P. (2019). Using protection motivation theory in the design of nudges to improve online security behavior. International Journal of Human-Computer Studies, 123, 29–39
  • van Schaik, P., Jansen, J., Onibokun, J., Camp, J., & Kusev, P. (2018). Security and privacy in online social networking: Risk perceptions and precautionary behaviour. Computers in Human Behavior, 78, 283–297 
  • van Schaik, P., Jeske, D., Onibokun, J., Coventry, L., Jansen, J., & Kusev, P. (2017). Risk perceptions of cyber-security and precautionary behaviour. Computers in Human Behavior, 75, 547–559
  • Wahlberg, A.A.F., & Sjoberg, L. (2000). Risk perception and the media. Journal of Risk Research, 3, 31–50 
  • Weber, E.U., Blais, A.-R., & Betz, N. (2002). A domain-specific risk-attitude scale: Measuring risk perceptions and risk behaviors. Journal of Behavioral Decision Making, 15, 263–290
  • Williams, E.J., Hinds, J., & Joinson, A.N. (2018). Exploring susceptibility to phishing in the workplace. International Journal of Human-Computer Studies, 120, 1–13 
  • Williams, E.J., & Joinson, A.N. (2020). Developing a measure of information seeking about phishing. Journal of Cybersecurity, 6, tyaa001.
  • Wilson, C., Hargreaves, T., & Hauxwell-Baldwin, R. (2017). Benefits and risks of smart home technologies. Energy Policy, 103, 72–83
  • Wünderlich, N., Wangenheim, F., & Bitner, M. (2013). High tech and high touch: A framework for understanding user attitudes and behaviors related to smart interactive services. Journal of Service Research, 16, 3–20 
  • Yang, H., Lee, H., & Zo, J. (2017). User acceptance of smart home services: An extension of the Theory of Planned Behavior. Industrial Management & Data Systems, 117, 68–89