Those Who Know Don't, Those Who Don't Know Deploy: Understanding Security Awareness in the Adoption of Industrial IoT

Authors

Verena Schrama, Carlos H. Gañán, Doris Aschenbrenner, Mark de Reuver, Kevin Borgolte, Tobias Fiebig

Publication

Proceedings of the 20th Workshop on the Economics of Information Security (WEIS), December 2020

Abstract

The Internet-of-Things is no longer confined to end-users and private homes. Industrial IoT (IIoT) is supposedto improve industrial processes and make them more efficient.However, IIoT technologies may also pose (significant) securitythreats. Therefore, it is important to understand the balancebetween security awareness and willingness to adopt IIoT amongmanufacturing companies.

In this paper, we explore companies’ willingness to adoptIIoT, their willingness to participate in trainings on IIoT, andcontrast this to their current security awareness. We investigateclasses of companies through latent class analysis based on asurvey of over 130 industrial firms. We collected this samplefrom the Netherlands, as earlier research demonstrated thatthe Netherlands are generally comparable with other westerncountries in terms of technology adoption, while focusing on asingle country reduces other potential noise effects.

We find that the class of companies most susceptible andwillingness to participate in educational awareness programs iscomprised of companies with a high intention to adopt IIoTtechnologies, but with lowest awareness of their security threats,that is, companies that may be impacted the most by insecureIIoT devices. In contrast, the companies of the other class arehighly aware of risks associated with IIoT, but also averseto adopting IIoT for their production processes. Furthermore,we find that smaller companies are more likely to be risk-aware and IIoT averse, while larger companies embrace IIoTwhile being risk unaware. The classes that we identified arerobust to company age, market segment, current informationand communication technology usage, and degree of productionfocus. Our findings highlight the need for policy makers to targettheir security awareness programs on adopting IIoT technologiesto “smarten up” industrial processes to specific company classes,which increases the educational efforts’ efficacies. Otherwise, anapparent information imbalance skews the economic incentivemodel behind IIoT adoption, potentially leading to a future ofdramatic IIoT security incidents.

@inproceedings{weis2020-those-who-know-dont,
  title     = {{Those Who Know Don't, Those Who Don't Know Deploy: Understanding Security Awareness in the Adoption of Industrial IoT}},
  author    = {Schrama, Verena and Gañán, Carlos H. and Aschenbrenner, Doris and de Reuver, Mark and Borgolte, Kevin and Fiebig, Tobias},
  booktitle = {Proceedings of the 20th Workshop on the Economics of Information Security (WEIS)},
  date      = {2020-12},
  editor    = {Christin, Nicolas},
  location  = {Brussels, Belgium},
  url       = {https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final23.pdf}
}