UCL Department of Science, Technology, Engineering and Public Policy

Establishing IoT Reputation Systems: Sociotechnical Challenges to Securing Transnational IoT Value Networks

About the project

Keeping pace with emerging IoT vulnerabilities requires concerted efforts across the value network to identify, characterize, and report how threats emerge, providing accurate and timely information about who is and isn’t doing their part to create a safe and secure IoT.


Ongoing development of the Internet of Things (IoT) promises revolutionary socioeconomic innovations across diverse domains: healthcare, public transport, energy management, infrastructure, and home automation, to name but a few. Despite substantive adoption of IoT technologies by consumers and critical infrastructures, effective security and safeguards are not de facto priorities in the global IoT value network. Securing the IoT as a complex system-of-systems, comprising not just IoT devices themselves, but the connectivity and supporting cloud infrastructure, is a distinctly sociotechnical problem that must address interdependent technical, economic, and policy challenges. Interdependencies include innovation life cycles that focus on minimal viable products with equally minimal security safeguards, the challenges of developing common IoT security standards, and, most importantly here, coordinating the domestic and transnational information-sharing institutions necessary to mitigate emerging vulnerabilities and threats.

The broad objective of this project is to model and develop an IoT security governance regime that can effectively monitor and characterise the efficacy and tractability of operational IoT security practices. Working with partners in industry and standards development, a key focus of this project is exploring what it means for actors in the IoT value network to have a reputation for consistent and effective IoT security practices, and to then develop systematic models and standards that can make those expectations a reality. The overarching sociotechnical questions driving this project are:

  1. What are the incentives and barriers to effectively monitoring and characterising IoT device behaviours necessary to systematically distinguish effective IoT security practices from those practices that have led to vulnerabilities and compromises?
  2. How should evidence of these challenges and barriers be collected and communicated to industry, standards, and policy stakeholders critical to systematically identifying and remediating emerging IoT threats and vulnerabilities?

Building on notions of planned adaptation (Sowell, 2019) and adaptive regulatory governance design (Brass & Sowell, 2020), this work develops a model of the incentives and reputation mechanisms that, based on industry feedback and contributions, can be tractably deployed to close the gaps between identifying and mitigating emerging threats in the IoT.