Those Who Know Don't, Those Who Don't Know Deploy: Understanding Security Awareness in the Adoption of Industrial IoT

PDF Paper Library link to paper

Authors

Verena Schrama, Carlos H. Gañán, Doris Aschenbrenner, Mark de Reuver, Kevin Borgolte, Tobias Fiebig

Publication

Proceedings of the 20th Workshop on the Economics of Information Security (WEIS), December 2020

Abstract

The Internet-of-Things is no longer confined to end-users and private homes. Industrial IoT (IIoT) is supposed to improve industrial processes and make them more efficient. However, IIoT technologies may also pose (significant) security threats. Therefore, it is important to understand the balance between security awareness and willingness to adopt IIoT among manufacturing companies.

In this paper, we explore companies’ willingness to adopt IIoT, their willingness to participate in trainings on IIoT, and contrast this to their current security awareness. We investigate classes of companies through latent class analysis based on a survey of over 130 industrial firms. We collected this sample from the Netherlands, as earlier research demonstrated that the Netherlands are generally comparable with other western countries in terms of technology adoption, while focusing on a single country reduces other potential noise effects.

We find that the class of companies most susceptible and willingness to participate in educational awareness programs is comprised of companies with a high intention to adopt IIoT technologies, but with lowest awareness of their security threats, that is, companies that may be impacted the most by insecure IIoT devices. In contrast, the companies of the other class are highly aware of risks associated with IIoT, but also averse to adopting IIoT for their production processes. Furthermore, we find that smaller companies are more likely to be risk-aware and IIoT averse, while larger companies embrace IIoT while being risk unaware. The classes that we identified are robust to company age, market segment, current information and communication technology usage, and degree of production focus. Our findings highlight the need for policy makers to target their security awareness programs on adopting IIoT technologies to “smarten up” industrial processes to specific company classes, which increases the educational efforts’ efficacies. Otherwise, an apparent information imbalance skews the economic incentive model behind IIoT adoption, potentially leading to a future of dramatic IIoT security incidents.

BibTeX

@inproceedings{weis2020-those-who-know-dont,
  title     = {{Those Who Know Don't, Those Who Don't Know Deploy: Understanding Security Awareness in the Adoption of Industrial IoT}},
  author    = {Schrama, Verena and Gañán, Carlos H. and Aschenbrenner, Doris and de Reuver, Mark and Borgolte, Kevin and Fiebig, Tobias},
  booktitle = {Proceedings of the 20th Workshop on the Economics of Information Security (WEIS)},
  date      = {2020-12},
  editor    = {Christin, Nicolas},
  location  = {Brussels, Belgium},
  url       = {https://weis2020.econinfosec.org/wp-content/uploads/sites/8/2020/06/weis20-final23.pdf}
}