Security vs. convenience? IoT requires another level of thinking about risk

Enlarge / IoT products like Amazon Key come with a whole set of risks that consumers aren’t equipped to assess themselves. (credit: Amazon)

Every time a major Internet-connected-product is released, we keep coming back to the debate over security vs. convenience. The progression of arguments goes something like this:

• One group expresses outrage/skepticism/ridicule of how this product doesn’t need to be connected to the Internet;
• Another group argues how the benefits outweigh the risks and/or how the risks are overblown;
• There will be news stories on both sides of the issue, and the debate soon dies down as people move on to the next thing; and
• Most users are left wondering what to believe.

As a security researcher, I often wonder whether the conveniences offered by these Internet-connected-devices are worth the potential security risks. To meaningfully understand the nuances of this ecosystem, I consciously made these devices a part of my daily life over the past year. One thing immediately stood out to me: there seems to be no proper mechanism to help users understand the ramifications of the risk/reward tradeoffs around these commonly used “personal” Internet-connected-devices, which makes it difficult for users to have any sort of effective understanding of their risks. I pointed out the same in a recent CNN Tech article about Amazon Key, where I also said:

A simple rule of thumb here could be to visualize the best case, average case, and worst case scenarios, see how each of those affect you, and take a call on whether you are equipped to deal with the fall out, and whether the tradeoffs are worth the convenience.

Without knowing a user’s specific needs, this is probably as close as it gets to any sort of “useful advice” any security professional could give. But this is still only a semi-useful platitude, because it doesn’t answer a very important question: