A Lemon by Any Other Label

Vaibhav Garg

Comcast Cable, Philadelphia, PA, U.S.A.

Keywords:

IoT, Security, Labeling, Energy Star, Economics.

Abstract:

Apparent under-investment in IoT security is often explained by the lack of consumer demand engendered by

information asymmetries. One proposed solution is to create IoT security labels as a market signal of differen-

tiation. Such labeling may be binary, graded, or descriptive. Each label type can be further differentiated based

Security is rated as the most important factor that

drives consumer purchasing decisions in IoT (Ipsos

Public Affairs, 2019). IoT security is not just a tech-

nical issue, but also one of economics (Anderson and

Moore, 2006). If consumers are unable to distinguish

between secure and insecure products, they will be

unwilling to pay a premium for security and merely

differentiate products on price. Manufacturers in re-

sponse would have no incentive to invest in IoT secu-

rity, thus creating a market of security lemons (Smith,

as the distributed denial of service (DDoS) attack

on Dyn, where attackers leveraged poorly designed

internet-connected cameras.

Any effort to create IoT security labels incurs

three distinct challenges. First, it necessitates defin-

ing a security assessment that any proposed label sat-

isfies (Fagan et al., 2020; C2, 2019; DCMS, 2019).

Second, it requires determining the kind of label that

will usable for non-expert consumers (Harris Interac-

tive, 2019; Knowledge, 2019; Johnson et al., 2020).

of this paper. For example, researchers have noted

that consumers are willing to pay a 30% premium for

security, and as such there is an incentive for manu-

facturers to invest in certification and labeling (Ipsos

Public Affairs, 2019). These considerations are be-

yond the scope of this paper.

We begin in Section 2 by reviewing the current

efforts to define ‘security’. Section 3 presents an

overview of labeling and associated efforts in other

risk domains. In Section 4 we present examples of

Proponents of a security label for IoT reference the

success of Energy Star labels for energy consump-

tion (King and Gallagher, 2020). However unlike

energy, there is no unit for security. Thus, any ef-

fort to create an IoT security label must begin with

a definition of ‘security’. The oft repeated assertion

to follow ‘best practices’ can be less than promis-

ing, as many such efforts fail to address basic secu-

558

Garg, V.

rity practices that will prevent brute forced attacks

such as Mirai (Dingman et al., 2018). The average

manufacturer is then left to differentiate between nu-

merous distinct best practices, recommendations, and

guidelines across industry, government, as well as

academic sources (Bellman and van Oorschot, 2020).

The Department of Digital, Culture, Media, &

Sport (DCMS) analyzed over 100 documents across

50 organizations and mapped them across 13 distinct

guidelines, to create a Code of Practice for consumer

8259A (Fagan et al., 2020), which defines a set of six

high level baseline capabilities that should be satisfied

by a plurality IoT devices (or their controller/hubs).

NIST notes that not all baseline requirement may be

applicable to all IoT devices. Thus, in practice a de-

vice may be able to satisfy only a portion of the six

capabilities and still adhere to the spirit of NIST’s

expectation. Furthermore, NIST’s capabilities relate

specifically to the device itself.

In contrast, the Council to Secure the Digi-

making software open source, as well as non-security

related requirements, such as protection from harass-

ment (Ditigal Standard, 2020). Choosing the right

IoT guidance is critical to ensuring good security out-

comes (Momenzadeh et al., 2020).

To facilitate this discussion, researchers investi-

gated the meaning of ‘best practice’ in IoT secu-

rity (Bellman and van Oorschot, 2020). They note

that most of the guidance, more than 90%, does not

relate to actual practices but is outcome-based. Si-

manufacturers must define security as well as differ-

entiate between security level 1 and security level 1+.

Is C2 better than NIST simply because it has a longer

list of recommendations? Is the Digital Standard even

better merely because it is more onerous?

Choosing the wrong set of requirements to sat-

isfy can fail to provide security (Dingman et al.,

2018). This may exacerbated by vulnerabilities intro-

duced in implementation. Furthermore, manufactur-

ers must have some confidence in the lifetime of both

requirements and labels. For example, manufacturers

who spent resources investing in Mozilla’s Trustable

Technology Mark will be disappointed that this label

no longer exists (Trustable Technology Mark, 2020).

Thus, choosing the wrong ‘security guideline’ may

impose costs on both the manufacturers and down

3 LABEL DESIGN

Section 2 notes the difficulty in defining security. As-

suming that the manufacturers, along with appropri-

ate stakeholders, are able to coalesce around a specific

ing order of design complexity. In addition, new tech-

nical solutions also allow for Smart Labels (Emami-

Naeini et al., 2020). These combine a traditional label

with a QR code that can be used to find additional in-

formation via an online resource. This section details

the properties of these different label types as well

as their benefits and inherent limitations. However,

given that most consumers do not find QR codes to

be usable we do not cover Smart Labels as a separate

category in this paper (Harris Interactive, 2019).

security label for their study. Instead they employed

Secure by Design which has been designed for phys-

ical security rather than cybersecurity (Police Crime

Prevention Initiatives, 2020). Participants may have

had prior awareness of that label, a limitation that may

confound their findings. Prior research in Web Assur-

ance Seals notes that consumer behavior is informed

by familiarity and awareness (Odom et al., 2002). De-

spite that Johnson et al. noted that while binary la-

bels were effective, they may be less so compared to

rity Foundation offers a targeted trustmark which uses

a lock icon to indicate security (IoT Security Founda-

tion, 2020). Additionally, multiple governments are

creating voluntary labeling programs that employ a

binary certification label. For example, Finland’s vol-

untary IoT security indicator, Tietoturvamerkki, also

employs a lock icon (National Cyber Security Cen-

ter, 2019). Australian government has similarly pro-

posed a trustmark based on IoT Alliance Trust Frame-

work (IoT Alliance Australia, 2020).

home hubs (Cyber Security Agency of Singapore,

2020). In United States, the Cyber Solarium Com-

mission’s report similarly advances the need for an

Energy Star-like label for IoT security (King and Gal-

lagher, 2020). However, developing an Energy Star

style label for IoT security not only requires one to de-

termine the definition of ‘security’ but also be able to

differentiate between distinct levels of security. Sec-

tion 2 notes the difficultly in determining the former;

the latter can only be less tractable.

surance as well as usability. UL, however, has pro-

posed a commercial offering that also uses a five

dimensional security label based on precious met-

als (UL, 2020).

Johnson et al. studied the effectiveness of a UK

Energy Star style label for IoT security to inform

and other competing consumer interests such as func-

tionality. Their study covered four different products

estingly, participants expected to pay less for a device

with Grade G label than one without any label.

None of these proposals, academic or otherwise,

have demonstrated external validity, i.e. there is no

way to ascertain that the highest level of security of-

fered by one of these labeling schemes exposes the

device to less risk, compared to similar guarantees

from the lowest level label. In fact, establishing a de-

terminant of external validity in itself is a non-trivial

issue. For example, it may be possible to correlate

able. Similarly, deployment context is important. A

vice that is simply exposed to the Internet.

Thus, developing a graded schema for IoT secu-

rity labels is constrained by all of the challenges of a

560

binary label with the added requirement to differenti-

ate between different levels of security. Furthermore,

research indicates that some label types, i.e. towards

the middle or the lower end of the security spectrum,

may either be ignored or, worse, penalized by the con-

sumer. Consequently, while Energy Star styled labels

have found much traction in policy discussions, few

real solutions exist, with the exception of UL.

the perceived risk of the IoT device.

Emami-Naeini et al. designed a descriptive

IoT label with both security and privacy informa-

tion (Emami-Naeini et al., 2020). Their label had two

layers with a shorter label on the first layer and more

details on the second layer. The security information

on layer one consists of: 1) firmware version, 2) up-

date date, 3) whether the security updates are auto-

matic, 4) how long the security dates will be available,

and 5) information about access control. They also

vacy), 4) data (privacy), and 5) connectivity (infor-

mation) (Shen and Vervier, 2019). System, in this con-

text, consists of information about certificates, secure

boot, firmware/software update methods, passwords,

and authentication. Communication constitutes infor-

label style uses two additional design elements com-

pared to prior efforts. The first style uses common

Section 3 notes the distinct types of labels as well as

the associated limitations of each structure. Label de-

sign goes beyond just the structure and must address

rity experts employ one of five mental models: 1)

physical, 2) medical, 3) criminal, 4) warfare, and 5)

market (Camp, 2009). Physical and criminal men-

tal models are employed through the use of a lock

symbol to indicate the presence of https. However,

this may have an unintended consequence: That non-

expert consumers may assume the presence of secu-

rity guarantees that are not, in fact, present. For exam-

ple, the use of a lock icon in HTTPS has been known

to confuse non-experts, who mistakenly conflate con-

nection security with website security (Wu and Zap-

pala, 2018). Similarly, for IoT security, a binary la-

bel like a lock icon may be misintepreted as a sign

prior use of lock icons to indicate connection security,

its use in IoT security might similarly confuse users

who may assume that the IoT device merely provides

the same and no greater security guarantees. Thus,

lock-based IoT labels may potentially incur either un-

derestimation or overestimation of risk by non-expert

consumers.

Simultaneously, Johnson et al. note that partici-

pants recommended a more ‘cyber’ centric label as

opposed to one that targeted physical security (John-

the successful adoption of binary labels is driven pri-

marily by consumer awareness. Thus, BSI’s approach

to simply extend their well known KiteMark logo for

residential IoT security may be a more effective ap-

proach to change consumer behavior (BSI, 2018).

The use of icons to indicate security is not lim-

ited to binary labels. For example, the UL’s IoT secu-

rity label employs a ‘shield’ icon in addition to their

precious metals-based rating (UL, 2020). A shield as

an indicator of IoT security has also been proposed

In addition to the icon, graded labels also have

to pick the framing of their rating. As noted previ-

ously, the UL chose a rating based on precious metals.

This employs a market-based mental model, i.e. as

the professed security of the device goes up, so does

its value, as indicated by the more expensive precious

metals (UL, 2020). Even the least secure product then

has some inherent value.

In contrast, Johnson et al. use a A-G grade based

rating (Johnson et al., 2020). This is not grounded

in any mental model or metaphor that the consumer

can reference. However, the grades are combined

with color codes from green to red, for A-G, respec-

tively. Thus, green is the ‘best’ choice while red is

the worst. This is again grounded in the notion of

physical safety, where we often correlate green with

the label should only display the most relevant infor-

mation that is relevant to a non-expert consumer. The

label proposed by DCMS, for example, only conveys

two pieces of information (DCMS, 2019): 1) whether

important security features are included and 2) the du-

ration of time for which the manufacturer will pro-

vide security updates. Johnson et al. extends this to

two additional properties: 1) whether the device can

connect directly to the Internet and 2) whether the in-

formation collected by the device is shared with third

consensus on what are the must-have pieces of infor-

mation that should be communicated to a non-expert

to inform their device purchase based on security.

Even when researchers agree, e.g. duration of

availability of security updates, this information can

be presented using different language, such as dura-

tion of availability of security patches. A security

update aligns more closely with the market mental

model, whereas a security patch indicates a medical

mental model. Furthermore, lifetime must be defined

can be combined with other risk indicators. For ex-

ample, Shen et al. use colors to indicate the risk level

of the specific information item (Shen and Vervier,

2019). The use of colors leverages affect heuris-

tic (Garg and Camp, 2013); red is typically associated

with ‘bad’ in a western context. These colors can then

562

provide a shortcut for consumers to assess the risk of

a device. But these shortcuts may not be appropriate

for all information. Shen et al. label the ability of a

device’s Internet connection with a yellow color indi-

cating ‘caution’ (Shen and Vervier, 2019). Yet, given

that these labels are being generated for Internet con-

nected devices, the presence of such connectivity can

not reasonably be expected to be a cause for caution.

Aside from affect, other heuristics may also in-

form the effectiveness of a label design. For example,

5 IMPLICATIONS FOR IoT

IoT security labels have been proposed as one solu-

tion to the security information asymmetry between

manufacturers and consumers, to thereby avoid a mar-

ket of security lemons. Well designed labels may help

make consumers choose products with a security ex-

lenges. First, there has to be commonly accepted def-

inition of ‘security’. Second, stakeholders must de-

termine the type of label that is appropriate for the

context. Third, designers must identify the security

information that should inform consumer behaviors

as well as a presentation that makes it usable for non-

expert consumers.

There is preponderance of security best practices,

baselines, and standards in IoT (Copper Horse, 2018;

Fagan et al., 2020; C2, 2019). This creates multi-

will be a direct as well as an indirect opportunity cost

to designing a product against a specific definition of

security. If these definitions do not persist over an

acceptable time frame, it will result in loss for the

manufacturer. An example of this is the conclusion

of Mozilla’s Trustable Technology Mark. Manufac-

turers may have designed products to show compli-

ance against TTM’s specification (Trustable Technol-

ogy Mark, 2020). However, they will no longer be

able to use that to communicate security to their cus-

tomers.

One solution may be for sector-specific trade

groups to define baselines for individual products or

even the sector itself. This may be particularly effec-

tive in mature sectors with long standing trade groups.

They can bring to bear the combined expertise of the

same deployment context will likely make it challeng-

ing for consumers to compare them.

There are multiple extant examples of IoT security

certifications from sector specific trade groups. For

example, the trade association for the wireless com-

munications industry in United States, i.e. CTIA, has

ing labels. In fact, of the multiple IoT security labels

described in Section 3, none are based on a broader

nary labels are more usable for consumers. Blythe et

al. note that consumers would prefer security specific

labels (Blythe and Johnson, 2018). This approach

has, for example, been adopted by Tietoturvamerkki.

However, given that the effectiveness of binary labels

is driven by awareness, any new security specific la-

bels may need to be complemented by public educa-

tion campaigns. Additionally, there is need to under-

stand whether consumer mental models align with the

symbols currently being used to communicate secu-

the approach adopted by BSI. In this case security be-

consumers with low levels of technical literacy. Fur-

thermore, this approach may be more effective where

lack of security does not impact the customer them-

selves. Anecdotal evidence posits that reframing se-

curity as quality has led to software developers paying

more attention to the former. Unfortunately, there is

but one study that examines the impact of binary IoT

security labels.

Beyond binary labels, graded and descriptive la-

bels result in additional complexity. For graded la-

bels, devices at the middle or bottom of the grade

scale may be ignored or penalized by consumers. Fur-

thermore, given the difficulty of defining security, it is

than AES128. Regardless there should be clear dis-

tinctions between the different security levels, so that

the average consumer can understand the differences.

From a design perspective it may be better to have

fewer levels to make the distinctions clearer.

For the descriptive labels discussed in this paper,

effectiveness is correlated with the perceived risk of

the device. As these label types are more information-

rich there is a temptation to add more design ele-

ments, such as color and icons. However, a simpler

derstanding and behaviors may vary based on demo-

graphic factors, technical literacy, and prior risk expe-

rience. Thus, as labels increase in complexity, design

becomes more challenging.

Even when communicating limited elements, it

is important to consider the usability as well as the

whether the specific element is meaningful. One

often-argued factor is the lifetime of software patches.

However, it is unclear what happens if a company that

advertised a long patch lifetime goes out of business.

sion was the latest version at the time of manufactur-

ing.

Overall, there are many factors to be considered

when designing an IoT security label. There are few

studies that have studied these labels in detail and only

one that we could find that compares multiple labels.

Thus, the path to an effective label design remains un-

clear.

6 CONCLUSION

This paper surveys the current research in IoT secu-

rity labels. Overall, there is only one study that com-

pares different types of labels. This indicates the need

Finally, the descriptive labels may not be effective for

low risk devices (or those that are perceived as such).

Thus, the use of descriptive labels should be limited

to high risk devices.

significantly across risk - a car is not a camera, and

as such different types of labels may be needed for

distinct classes of devices.

Information asymmetry between IoT device man-

ufacturers and consumers threatens to create a mar-

ket of security lemons. One solution is IoT security

labeling. However, poor designs will simply result

in a lemons market of security labels. Once poorly

designed labels have been deployed they may harm

consumer confidence in security labeling for the long

I would like to thank Mark Walker of CableLabs and

Prof. Eric Jardine from Virginia Tech for reviewing

early drafts of the paper. The author, however, is

solely responsible for any errors in this paper.

REFERENCES

Anderson, R. and Moore, T. (2006). The economics of in-

564

Andrews, J. C., Burton, S., and Kees, J. (2011). Is sim-

Bellman, C. and van Oorschot, P. C. (2020). Best practices

Blythe, J. and Johnson, S. (2018). Rapid evidence assess-

BSI (2018). BSI launches kitemark for Internet of Things

C2 (2019). The C2 consensus on iot device security baseline

Copper Horse (2018). Mapping security & privacy in the

CTIA (2020). Cybersecurity certification program for IoT

Cyber Security Agency of Singapore (2020). Cybersecurity

DCMS (2019). Mandating security requirements for con-

Emami-Naeini, P., Agarwal, Y., Cranor, L. F., and Hib-

Fagan, M., Megas, K. N., Scarfone, K., and Smith, M.

Garg, V. and Camp, J. (2013). Heuristics and biases: impli-

IoT Security Foundation (2020). Best practice user mark

Ipsos Public Affairs (2019). Product security: IoT and other

Jameison, A. (2016). IoT security: It’s in the

Johnson, S. D., Blythe, J. M., Manning, M., and Wong, G.

King, A. and Gallagher, R. M. (2020). Cyberspace solarium

Morgner, P., Mai, C., Koschate-Fischer, N., Freiling, F., and

National Cyber Security Center (2019). Tietoturvamerkki.

Odom, M. D., Kumar, A., and Saunders, L. (2002). Web

Shen, Y. and Vervier, P.-A. (2019). IoT security and pri-

Smith, M. W. (2019). Information asymmetry meets data

UL (2020). IoT security rating level. https://ims.ul.com/