Approaches and Technologies to Support Home Users’ Engagement with Cyber Security

“Approaches and Technologies to Support Home Users’ Engagement with Cyber Security” analyses the way in which UK families engage with cyber security when using home Internet of Things (IoT) devices. By determining the prevalence of devices in the home, how different family members use those devices, and what knowledge of cyber security those individuals have, it aims to expose specific needs in the improvement of device design, marketing or support; more targeted governmental policy, or regulation, where devices are used by both adults and children; and how best to address the need for further education, both for adults and children.


INTRODUCTION
The Internet of Things is increasingly prevalent in everyday life, with estimates suggesting that consumer IoT spending reached $108 billion in 2019 (Kemper, 2019). The promise of the IoT in the home is alluring: optimised utilities usage, monitoring the home when absent, checking in on sick or elderly relatives. Yet, there are a range of issues to be resolved, including methods to achieve interoperability of devices within the house (Basaure et al., 2020), data security risks (Zeng et al., 2017) and the inability of devices to accommodate multiple users (Jang et al., 2017).

SECURITY, PRIVACY AND THE INTERNET OF THINGS
The privacy and security of all people within the home is of key importance when considering home IoT devices. Significant considerations have already been given to the implications of constant data collection, where IoT devices process data in the cloud (Apthorpe et al., 2018), and the patterns that can be extrapolated from it (Tolmie et al., 2016). The perceived convenience of such devices means that individuals exhibit the privacy paradox: despite considering themselves privacy conscious, in practice, users exhibit risky behaviours, in particular sharing a significant amount of personal information where the perceived benefit of using such devices is worthwhile (Williams et al., 2016, 2017). Keeping data that is intended to be private out of the public domain is fundamental, but the security issues arising from the adoption of IoT devices extend beyond this. When surveyed, experts considered there to be a high potential for crime, exploitation, risk to physical safety and a loss of personal control to emanate from IoT devices (Tanczer et al., 2018).
It is unsurprising that adherence to recommended cybersecurity hygiene measures (for example, those found in National Cyber Security Centre (2019)) is poor, when cost and features may be more important than security at point of purchase (Emami-Naeini et al., 2019), and given that individuals have incorrect mental models in relation to how devices work (Abdi et al., 2019). There are few formal legal or regulatory obligations in place around mandatory security requirements: the UK government has put forward a law mandating no default passwords, software update processes and details of vulnerability disclosure procedures (Department for Digital, Culture, Media and Sport, 2020). This follows a wider-ranging Code of Practice for Consumer IoT devices that was not widely taken on board by IoT producers, despite its uncontroversial requirements (Department for Digital, Culture, Media and Sport, 2018). Unsurprisingly, details of cyber security measures are largely absent from home IoT device documentation, making it extremely hard for users to understand all the features of the devices they are buying, and how to ensure such devices are secure (Blythe et al., 2019). It is also unclear how well home IoT devices will adhere to the proposed Age Appropriate Design Code that is currently subject to Parliamentary approval (Information Commissioner's Office, n.d.).

DIGITAL TECHNOLOGIES AND FAMILIES
Research has started to consider the role of multiple users of IoT devices within the home: in particular, the design implications arising from the expectation of any household member being able to access the Internet upon devices designed for one individual (Geeng & Roesner, 2019; Matthews et al., 2016; Tabassum et al., 2020; Watson et al., 2020). In parallel, there has been consideration of how families negotiate digital technology use (Cranor et al., 2014; Moser et al., 2016; Ur et al., 2014; Wisniewski et al., 2017), including how cyber security is controlled (Garitaonandia et al., 2019; Muir & Joinson, 2020). Parents often manage digital technology use within the household through restricting access or facilitating discussion about how the technology works or what it is doing (Livingstone et al., 2017). This works in cases where technology is used to access content or where the device is not designed to be available in the background at all times. Neither aspect is necessarily true of IoT devices in the home. Furthermore, with device interfaces typically absent (Geeng & Roesner, 2019), app-based control introduces risks of inequality of use and access, whether intentional or otherwise, posing significant threats to vulnerable family members (Chatterjee et al., 2018; Markwick et al., 2019).
Limitations in devices (either through restricting software, or as a result of having been "designed for children") often lead to children using alternative technologies (designed for adults) or circumventing controls in other ways (Ghosh et al., 2018; McReynolds et al., 2017). There is a significant balancing act required in the designing of systems to recognize the value of collaborative technologies in a family setting, with the concerns that privacy is essential to facilitate maturation, and also that children are much more likely to encounter a family member or a close friend as a threat than a stranger.
It has been shown that cyber awareness schemes targeted at adults tend to have low impact rates (Bada et al., 2015). This is particularly true of IoT devices. How best to explain the security and privacy risks of a device used by multiple household members remains elusive. Children also need to understand how to use IoT devices safely.
It is important to note that children's ways of learning about privacy and other cybersecurity skills may require significantly different knowledge scaffolding and approaches than adults, using techniques such as storytelling or game-playing (Zhang-Kennedy et al., 2016; Zhao et al., 2019). There may also need to be a cultural shift: amongst groups sharing devices, discussions about the security and privacy preferences of individuals within these groups do not happen (Watson et al., 2020). It is even less likely such discussions will occur within families.

CURRENT WORK AND FUTURE PLANS
Little prior work appears to have been done to understand how the adoption of IoT devices in the home affects both adult and child family members, taking into account differences between individual interaction preferences and abilities, what data the device may collect and knowledge of how to use such devices in a secure manner. Our systematic literature review found that, when IoT devices were researched, privacy arising from the data being collected was considered in depth, whereas other cyber security issues were not. There was no clear understanding of which devices were most commonly used in a typical home, and although men are largely known to be the main purchasers and maintainers of devices (Geeng & Roesner, 2019; Strengers et al., 2019), when parents were being interviewed in relation to their child's or family's use of devices, mothers were disproportionately over-represented in the research. Many papers cited the recognition of a lack of understanding of how digital technologies work as a key concern for parents.
The following work strands arose from the literature review:
• Determining the prevalence of IoT devices used by families in the UK, and understanding how they are used by household members of all ages.
• Critically examining the cyber security issues present in IoT devices typically used by families, and the extent to which different family members pose different risks.
• Investigating what information needs to be provided for secure IoT use in the home, and how, to whom, and when this information is best presented.
Using the work strands as a guide, immediate future work will involve mixed methods approaches to determine, in particular, the ways in which different family members use the most common devices, what they understand about how the devices work, and how cyber security knowledge is brought into, and used within, the family. The research will also aim to understand how well the most commonly used devices adhere to the proposed Age Appropriate Design Code and regulation on smart device cyber security.
It is hoped that the findings of such research may serve to underline specific needs in the improvement of device design, marketing or support; the need for more targeted governmental policy, or regulation, in the case of devices that can reasonably be expected to be used by both adults and children; and how best to address the need for further education, both for adults and children, in terms of the specific types of cyber security risks devices may pose within the household.