Security by Expectation
Establishing an Empirical Understanding of Reasonable User Expectations in the Internet of Things
L.F. Kustosch (TU Delft - Technology, Policy and Management)
M.J.G. van Eeten – Promotor (TU Delft - Technology, Policy and Management)
C. Hernandez Ganan – Promotor (TU Delft - Technology, Policy and Management)
S.E. Parkin – Copromotor (TU Delft - Technology, Policy and Management)
Abstract
The rapid expansion of the Internet of Things (IoT) has increasingly computerized physical objects and tools. Products such as household appliances, cars, industrial machinery, and medical devices are now equipped with sensors, software, and network connections that enable new forms of automation and data exchange. While these developments promise convenience and efficiency, they also introduce new risks. Weak security controls, insufficient privacy safeguards, and inadequate post-market support have repeatedly led to breaches, surveillance incidents, and large-scale cyberattacks. As IoT systems proliferate, the consequences of these vulnerabilities extend beyond individual users or companies to critical infrastructures and society as a whole.
The growing security challenges of the IoT reflect a structural imbalance in the market. Consumers typically lack the information or technical capacity to evaluate or influence a product’s security, while manufacturers face little incentive to prioritize it over features or cost efficiency. To address this, governments, particularly within the European Union, are increasingly introducing legislation that codifies how security should be built, maintained, and enforced across the IoT ecosystem. Key among these initiatives are the Cyber Resilience Act (CRA) and the revised Product Liability Directive (PLD), which place explicit emphasis on the expectations of users as a benchmark for determining compliance and responsibility.
The concept of reasonable user expectations has therefore become central to the regulation of IoT products. It provides a flexible legal standard to assess what users can justifiably anticipate regarding the safety and security of their devices. However, despite its prominence in emerging laws, there is no agreed-upon method for determining what these expectations actually are. Courts may consider factors such as prevailing industry practices or product marketing, but empirical evidence of what users themselves expect in practice has been scarce. This creates uncertainty for regulators and manufacturers alike, who must interpret and act on these expectations long before any case law emerges. Against this backdrop, the overarching research question guiding this work is: What are users’ expectations regarding preventive and reactive security measures of IoT devices?
To answer this research question, this dissertation investigates user expectations at different stages of the IoT device lifecycle: when security or privacy incidents occur, how they are prevented over the device's lifespan, and when devices are used in organizational environments. The studies link these expectations to the broader regulatory concepts of product liability and product conformity, providing evidence that can inform both policy and industry practice.