The economics of the security of consumer-grade IoT products and services

Adding connectivity to physical devices can significantly enhance their usefulness: for instance, it can allow remote operation or monitoring of the device, improve user convenience, or increase energy efficiency. As a result, the number of connected devices has grown extremely rapidly.

This growth has been accompanied by increasing concerns about cybersecurity and privacy, and nowhere is this more true than in the consumer IoT segment. This segment – consisting of connected devices intended for personal or residential use, such as smart TVs, connected appliances, and home automation devices – accounts for an estimated 63% of the total installed base of connected devices, and is growing quickly.

However, security is often lacking in consumer IoT devices: an analysis of 10 of the most common types of consumer devices – including smart TVs, home thermostats, and connected power outlets, door locks and home alarms – found that 70% contained serious vulnerabilities.

There are a number of technical factors that make consumer IoT devices and services vulnerable to attack. Ultimately, however, weak IoT security has its roots in economic factors rather than technical ones. These include asymmetric information, misaligned incentives and externalities. These factors mean that both manufacturers and consumers are likely to under-invest in effective security measures.

To improve the state of security of consumer IoT devices and services, action will need to be taken to address and compensate for these factors. This report discusses the economic factors and suggests a set of potential actions for market stakeholders to take to address the factors and drive improvements in device security.