Practical Magic: Behavior-based Safety Design for IoT

The information security industry is forceful in its criticism of current IoT security practices, but scant improvement materializes. Few solutions proposed by security experts consider what actually worked to change incentives in other domains – not to mention what is actually feasible in the context of IoT developer workflows. My goal in this talk is to teach you practical magic – how to effect change through behavior-based safety design.

In this talk, we’ll begin with a dive into the incentive problems leading to deficient security mechanisms in IoT devices. The IoT market faces a principal-agent problem, in which an agent (IoT developers) is able to make decisions on behalf of the principals (end users) – but with misaligned incentives between the agent and principal, leading to conflicts of interest. When IoT devices are compromised, user and corporate data is the price paid – but developers of IoT devices and software do not bear this cost.

Next, we’ll explore how behavioral design can help align incentives of the principals (users) and agent (IoT developers). There are lessons from behavior-based safety design employed in other domains, such as healthcare and workplace safety, which can be applied to IoT security. We’ll walk through examples of these behavioral designs, including checklists, reinforcement mechanisms providing immediate feedback, and other behavioral “nudges.”

We’ll conclude with my proposed behavioral designs specifically for the IoT security market, keeping in mind the needs of IoT manufacturers and software developers – which are not met through a data dump of potential vulnerabilities. Finally, I’ll introduce a straightforward, one-page security checklist which presents a concentrated set of requirements for each phase of the development lifecycle – design, build, test – that are digestible by people without security backgrounds.