The rapid rise in Internet-of-Things (IoT) devices, from smart thermostats and fitness trackers to connected cameras, while providing unprecedented convenience to consumers and profitable subscription-based business models to manufacturers, has also raised critical security and privacy (S&P) concerns. From hacked video feeds and exploitation of sensitive data to revenue loss from service outages due to Distributed Denial of Service (DDoS) attacks, the consequences of poor S&P in IoT devices are experienced both at the individual level and at the collective societal level.
The underlying reasons for the S&P issues in IoT devices are not merely technical; there are socio-technical and economic dimensions associated with them. For instance, large-scale DDoS attacks launched from insecure IoT devices are a classic example of negative externalities, where the consequences of the attack are experienced by a party that is neither the manufacturer nor the consumer. In such a context, manufacturers often lack incentives to improve on the underlying S&P issues, since doing so would increase their development costs and delay their time to market. Although consumers, as device owners, may not be directly targeted by DDoS attacks, they do face indirect consequences from DDoS attacks on governments, banks and other websites. Moreover, they bear the brunt of individual losses to S&P, for example when their IoT devices are hacked or their personal video feeds are exposed. Therefore, consumers have incentives to buy IoT devices with strong S&P features. Recent studies affirm this, and show that consumers not only care about IoT S&P, they are also willing to pay a premium for it – if they are informed about the S&P at the time of purchase.
However, the problem remains that consumers do not have sufficient information – at the time of purchase – to discern IoT devices that have good S&P features from those that do not. While regulations like the Cyber Resilience Act (CRA) in the EU and the US Cyber Trust Mark aim to decrease this information asymmetry, they are not yet in effect. In the absence of official information about an IoT device’s S&P at the time of purchase, consumers might use other signals that directly or indirectly indicate the S&P posture of IoT devices, such as mentions of security concerns in consumer reviews on e-commerce platforms. Since consumers currently depend on such indirect sources to assess S&P, insights into these signals can help design more effective interventions that fit into their current decision-making flow. However, there is currently no empirical analysis of these market signals, which limits our understanding of how much the consumer base already recognises and signals a need for S&P.
This dissertation addresses this gap by analyzing the S&P of consumer IoT devices through a market-based empirical lens that examines how economic incentives, S&P signals, and purchase decisions interact across different stakeholders in real-world e-commerce settings. Specifically, five mature and popular IoT device types are considered: IP cameras, smart printers, smart speakers, smart TVs and smart watches. By examining the interactions between manufacturers, consumers, sellers, and the e-commerce platforms that sell these devices, using actual market data (sales figures, prices, reviews, and product listings), this dissertation provides a unique vantage point on the market signals for IoT S&P and the information asymmetry experienced by consumers. Overall, this dissertation aims to answer the following overarching research question through five research studies: What signals for security and privacy are present in the e-commerce platforms that sell IoT devices?