Leveraging Human Factors to Stop Dangerous IoT

Note: Presentation times are in Pacific Standard Time (PST).

Tuesday, February 01, 2022 - 12:15 pm12:45 pm

Dr. Sanchari Das, University of Denver


Even the largest enterprise can be subverted with a small device quietly tunneling through the network boundaries. One way to mitigate the damage is to purchase the higher quality IoT devices, to increase security before installation. In this work, we evaluated the purchase of a few devices that appear relatively harmless but create significant risk. Any workplace may have a small crockpot show up in the break room, or an employee with a fitness tracker. These may offer access to all Bluetooth Low Energy (BLE) devices, or real time audio surveillance. Alternative models of the same devices, without the corresponding risk, show the value of careful IoT selection. Yet an employee can not be expected to understand the security risk of IoT devices. To address this understanding and motivation gap, we present a security-enhancing interaction that provides an effective, acceptable, usable framing for non-technical people making IoT purchase decisions. The interface design nudges users to make risk-averse choices by integrating psychological factors in the presentation of the options. Participants using this purchasing interaction consistently avoided low security and high risk IoT products, even paying more than twice ($6.99 versus $17.95) to select a secure smart device over alternatives. We detail how the nudges were designed, and why they are effective. Specifically, our Amazon store wrapper integrated positive framing, risk communication, and the endowment effect in one interaction design. The result is a system that significantly changes human decision-making, incorporating security the default choice. This was a collaboration between Prof. Sanchari Das at the University of Denver with Shakthidhar Gopavaram and Prof. L. Jean Camp at Indiana University Bloomington.

Sanchari Das, University of Denver

Dr. Sanchari Das is an Assistant Professor at the department of Computer Science in the Ritchie School of Engineering and Computer Science at University of Denver. Her research lab - Inclusive Security and Privacy-focused Innovative Research in Information Technology (INSPIRIT) Lab focuses on computer security, privacy, education, human-computer interaction, social computing, accessibility, and sustainability of new-age technologies. She received Ph.D. from Indiana University Bloomington under the supervision of Dr. L. Jean Camp. Her dissertation focused on understanding users' risk mental models to help in secure decision-making for authentication technologies. She has also worked on projects related to social media privacy, privacy policies, the economics of security, IoT device security, electronic waste security, the security of AR/VR/MR devices, and others. Additionally, she is also working as a User Experience Consultant for the secure technologies at Parity Technology and worked as a Global Privacy Adviser at XRSI.org. She completed Masters in Security Informatics from Indiana University Bloomington, Masters in Computer Applications from Jadavpur University, Bachelors in Computer Applications from The Heritage Academy. Previously, She has worked as a Security and Software Engineer for American Express, Infosys Technologies, and HCL Technologies. Her work has been published in several top-tier academic venues, including CHI, FC, SOUPS, etc. She has also presented at several security conferences, including BlackHat, RSA, BSides, Enigma (2019), and others. These works have also received media coverage in CNET, The Register, VentureBeat, PC Magazine, Iron Geek, and other venues.
@conference {277345,
author = {Sanchari Das},
title = {Leveraging Human Factors to Stop Dangerous {IoT}},
year = {2022},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = feb

Presentation Video