**4. Findings**

Through thematic analysis, we identified three key themes in the dataset: (1) IoT awareness, including both industry and perceived public awareness; (2) trust in privacy and trust in security as industry challenges; (3) responses to privacy and security challenges of the IoT. **Table 2** shows how the challenges and the responses map.


**Table 2.**

*Summary of the cybersecurity challenges of the smart home as perceived by the IoT industry, and of the industry's responses to these challenges.*

#### **4.1 Awareness**

#### *4.1.1 IoT awareness: connectedness and the problems IoT can solve*

Businesses tended to provide general definitions of IoT—one in terms of the shape of communication it entails, its abstract structure, that is, IoT stands for "connected to everything everywhere" [3], and another in terms of its material structure, or "bare bones" [7], that is, "a piece of electronic equipment with a radio in it, in a box" [7]. NGO organizations, instead, defined the IoT less in terms of its shape and structure but more in terms of its function:

*For most people it is the smart speaker, it's the home hub, it's the thing that does lots of tasks, which don't really add much – remove much friction from your daily life but they're nice to have. I don't really think they think about the more advanced areas that do actually remove friction. [4]*

In this case, the function of IoT, "not removing much friction" points at consumers' IoT identity coinciding with something superfluous—perhaps a luxury product of a consumeristic society.

The case of IoT being purely functional was made even stronger by this NGO respondent, who explained that a "true" IoT is "the problem that that device or that product is trying to solve" [5]. Also, the respondent elaborated on the idea of IoT as benign primarily represented by its function:

*We're purists as an organisation, we want to see IoT for the real purpose of IoT rather than it being IoT washed if you like, where everyone is just putting a sensor on something or connecting something to call it IoT. I think that's the false IoT. [5]*

In this view, definitions of IoT simply based on structure, shape, network, and connections, do not fully represent the "real" IoT. Furthermore, both business organizations and NGOs point to privacy and security being issues that are intrinsic to IoT's identity.

#### *4.1.2 Perceived public awareness*

Business respondents were in agreement that public awareness of IoT was low: "I'd imagine there's still some people who won't know what IoT stands for" [3]. Also, they thought that while the public may be familiar with services such as Alexa (introduced in 2016 in the UK) they did not connect them with IoT, for example, "lots of people have got Alexa, lots of people have got Google Home, but they don't know that that's actually part of the IoT" [7]. Furthermore, the lack of awareness is also related to the need to have specific knowledge and skillset to be able to grasp IoT identity: "I don't think anybody I know that is not an engineer works for this industry understands what the IoT is or have heard of it" [7].

Regarding awareness of privacy and security issues, a business respondent stated that "I don't think people understand exactly what privacy is and what it means as a consumer." This view was echoed by an NGO respondent:

*You see the stories of murder cases that use a small bit of audio from an Amazon Echo recording or how someone has been able to play a song in someone else's room when they shouldn't have. And they're funny, they're intriguing, they're engaging, but as I mentioned earlier, it's not tangible until it happens to you. [4]*

*How Is the Internet of Things Industry Responding to the Cybersecurity Challenges of the Smart… DOI: http://dx.doi.org/10.5772/intechopen.106012*

The "stories" mentioned by the respondent point to the role of media reports of security incidents in potentially shaping risk perception. However, these may be insufficient for the public to understand the risks more fully. The respondent explained that direct experience of working with IoT gives a more realistic idea of the extent to which security is an intrinsic aspect of IoT's identity:

*there are much more concerning areas to it that I in my job are fully aware of and I would never have a smart home hub in my house, ever, and I wouldn't let my house mate bring his into my house because I just didn't like the idea of that thing being on. [4]*

#### **4.2 Privacy**

A prominent challenge pertaining to the smart home industry was privacy. Industry respondents pinpointed some examples of privacy issues pertaining to the smart home and also provided responses to these challenges.

#### *4.2.1 Privacy challenges perceived by the IoT industry*

In general, the context surrounding privacy issues was defined as a tradeoff between privacy and productivity: "We're in a bit of a catch 22 scenario" [4], explained the NGO respondent representing consumers. Smart home privacy issues were raised in unison across the industry spectrum since there was not a marked distinction between business organizations and NGOs in the kind of privacy issues being recollected.

Both NGO and business respondents referred to a privacy-problematic aspect of smart home devices, that is, data collection being always on: "Alexa, for example, has had a bad rep to the fact she's always listening" [3] and "every single word, every single tone, every single character is being referenced and archived for the evolution of AI for Alexa" [5]. This creates uncertainty and insecurity surrounding data use. The business respondent providing consultancy and design solutions highlighted the central role of trust in the transparency of the smart device in regard to how it collects data and uses it, in other words, its integrity: "Not only the collection of data, what are you going to do with that data? Are you going to do what you're saying? And even if you do what you're saying, what does that mean for me?" [2]. This industry view displays awareness of how key a concern trust in systems' integrity is for successful smart home adoption.

Illegal, malicious data use is also a concern according to a respondent who reported the example of remote control wireless plugs used to control an appliance that was then discovered to be sending data to a server in China. A business respondent outlined the general lack of awareness in regard to the meaning and consequences of privacy breach: "People are not bothered if somebody can see their light going off" [7]. However, the respondent suggested that public attitudes can change when they become aware of the potential impact of a privacy breach:

*It's when people understand what that privacy data that's getting out there means in a different context, and it starts to worry them. […] what happens if somebody breaks into your system and there's a guy there with the crowbar that knows that when the light's turned off you've gone to bed, and then he comes and breaks your back door? [7]*

#### *4.2.2 Responses to privacy challenges*

In order to respond to the privacy challenges of the smart home, business respondents reported experimenting with trials to find out the extent to which data can be collected and used. A business organization respondent providing services and products explained how they were having to be cautious of problems that are raised with the smart home in terms of what data can be shared and that they are experimenting with "workaround" trials to find new ways to protect people's privacy [3]. Specifically, they were working on a safety program involving the practice of obscuring personal data, thereby relying on partial data use: "what we've done is for that particular trial, we would hide parts of their journey so they can't actually be identified" [3].

An NGO respondent representing smart home consumers described two initiatives aimed at protecting privacy: the campaign "Trust by Design for IoT products" to make consumers aware of security risks in products such as IoT baby monitors, and principles and recommendations to make consumer rights, privacy, safety, and security key features of smart home devices; and designing a new standard for "Privacy by Design" in smart home devices and services as part of the ISO PC 317 standard [8], "Consumer protection: privacy by design for consumer goods and services" [54].

A service and product provider business respondent outlined that there are others in the sector, like service providers, who bear responsibility for protecting privacy: "providers, like the voice assistants like Google and Amazon, I think people are quite wary of. […] So, I think they have a certain level of responsibility to reassure people and let people know where that data is going" [3]. The importance of integrity for increasing consumer trust is underlined by the business respondent who argued that it is service providers that have the greatest responsibility toward data integrity:

*They need to do more and at least be open and honest what that data is being used for, because obviously the cases where you see an advert has been personalised for them from what it's heard in the home, then the data is being used for other purposes than what it stated. So, it does need to be more honest. [3]*

NGOs take responsibility for improving industry practices in regard to protecting privacy, while also calling for collaboration with external, noncommercial, and nongovernmental players such as academic institutions and researchers:

*there is certainly better than evil being done with AI. It is up to folks like us as a community, you all with your research, to participate in trying to help create this balance or expose the risk but expose the value of the technology. So that we don't have binary decisions. We want to make adjustments to ensure privacy that don't hinder the ongoing development and capability of things like AI. [5]*

In other words, the NGO respondent clearly declared their own responsibility but also the need to work alongside other players "as a community" to improve industry practices, persuade businesses to be more transparent about data use, and increase consumers' trust.


#### **4.3 Security**

#### *4.3.1 Security challenges perceived by the IoT industry*

Both NGO and business respondents believe there is a general lack of public awareness of smart home security issues. An NGO respondent representing the business community reported not feeling confident that the average person understands the risks associated with the security of IoT devices [5]<sup>3</sup>. A business respondent providing testing and certification also agreed that the public lacks security awareness and that "the consumer doesn't really understand […] how important it is to have a secure device…" [7]. The NGO respondent recollected a famous case of a hack of a smart home device in a Las Vegas casino, one of the most commercially secure areas there can be, which allowed hackers to gain entry into their entire network and download its "high roller" database [5]. The underlying problem here is that the consumer finds themselves in a difficult position when having to gauge which device has more security at the point of making a purchase: "the end user ends up trying to make a decision, 'do I want to buy this for twenty dollars a person or do I want to buy this for fifty dollars a person?'" [5]. A business respondent pointed to a lack of a communication strategy to help the consumer make their choices in regard to the security of devices: "The way of explaining to them [the consumers] how secure a device is, is secure or isn't, there's no real way of demonstrating that by say a cybersecurity mark" [7]. An NGO respondent outlined how this lack of awareness of security issues of smart home devices, coupled with a lack of education on how to make security judgments, creates a "ticking timebomb" situation: "[if] we put a whole bunch of IoT devices out there that are not secure, we're just creating a botnet army for the cyber guys" [5].

Furthermore, as with privacy, there may be a gap in regard to understanding the impact of security breaches of smart home devices. As a business respondent put it: "some people just don't even care. I know a number of people that have these cameras at home and they say they don't care… But I would hazard a guess that they would care if they were to find that their camera was livestreaming on the internet and they could see it themselves" [7].

Another key problem for both NGO and business respondents is the lack of regulation. For one NGO respondent, security standards are difficult to implement because of a lack of focus and fragmentation of the government's efforts and responsibility, for example, "security, for example, it's fragmented across government […] it's with the National Security Secretariat, it's with DCMS, it's with Cabinet Office" [4]. For a business respondent, there was a sense that existing regulatory efforts are not sufficient, since they rely on voluntary compliance. This business respondent stated that businesses are slow to take action: "But the biggest problem I've noticed when I speak to customers is that cyber security is not yet mandated in products and because of that, people will not pay for that work to be done" [7].

An NGO-specific security concern is liability for the consumer, for example, "I don't know about the UK but in the United States… If the hack goes through your network, known or unknown to you, you have a level of legal liability" [5].

<sup>3</sup> This reference number refers to the interview reference code used to preserve the businesses' anonymity in **Table 1**.

From a business perspective, however, security may not be a priority, as this business respondent stated: "When I speak to customers [product makers] their idea of security is, well, it's something we want and something we're thinking about, but it's not a priority" [7]. Furthermore, there is a sense in the industry that security is not a priority because it lacks a sufficient market incentive: "Whether [cybersecurity] it's a marketing point I'm not really sure. And I would even be not as sure to go towards a no."

#### *4.3.2 Responses to security challenges*

Responses to security challenges differ between NGO and business respondents. An NGO respondent representing the business community stressed the importance of security being a default setting of devices that prevents security issues rather than reacts to them: "we want to see secure by design IoT devices out there rather than people thinking about security as an afterthought when it comes to just getting the product to market" [5]. Another NGO respondent representing consumers stated that standards and guidelines developed by companies with the support of consumer organizations can provide transparency of how IoT products should be developed [8]. As for a consumer-centered approach, a respondent stressed the need for security labeling that could help consumers to understand what kind of levels of privacy, security, and trust they could have in that product [5] and help them to make more informed choices. Also, in response to the challenge of fragmented regulation and lack of regulation enforcement, an NGO respondent stated that enforcement needs to be made clear for consumers: "regulation should be designed with consumers at the heart… [and] clear guidance needs to be set out on how policy and regulation will be enforced, and the measures need to be clear" [8].

Business respondents, on the other hand, reported working on specific technical security solutions such as blockchains in security and quantum key distribution and were "confident that the smart home will be protected through the use of these security technologies" [3]. Another business respondent providing consultancy and design solutions also stressed the need for external review and independent testing of devices to ensure security:

*we would provide information about how secure we believe their product is, and then they would take that information and through some kind of dialogue work out some kind of solution on what they want to do to make the actual product more secure. [2]*

NGO respondents representing consumers stressed that, ultimately, the responsibility for ensuring the security of smart home devices lay with the government:

*I think it's really up to the government to think more broadly about how you change the discourse around security, about preparing for things that go wrong, rather than just reacting to them. [4]*

That smart home security is seen as the government's responsibility is significant because it is unlike privacy, where responsibility seems to be down to the user to consent to data collection and use: "it really shouldn't necessarily be solely down to the consumer to become security-savvy, to have to be the one that protects their device. The device should have some adequate level of protection to the consumer from the get-go" [5] stated the respondent representing the business community.


Another NGO respondent representing consumers stressed that such responsibility toward ensuring the security of smart home devices is transnational:

*The responsibility for ensuring that consumers' rights are protected online, and autonomy and personal freedom are upheld, cannot be managed by one country alone. It requires international collaboration across governments, international organisations and businesses. [8]*

For this respondent, given the cross-border nature of data flows and the size of technology companies that are major market leaders in the development of smart home devices, national efforts should link to international approaches.
