Approaches to Support Families' Engagement with Cyber Security for Home IoT Devices

This thesis records research carried out to explore how families in the UK understand and manage the cyber security of Internet of Things (IoT) devices they use in their homes (home IoT devices), using a variety of research methods. It initially engaged parents and children to understand what they think when discussing the cyber security threats and risks that home IoT devices pose and what they do to mitigate the issues they are concerned about. The findings of those discussions then led to a review of the advice individuals may encounter when searching for answers about cyber security online. These discussions also precipitated a period of autoethnography, a reflexive piece of research that allowed the researcher to consider the extent to which cyber security actually occurs in daily life in a family context. These initial pieces of research provided a picture of families --- both adults and children --- keen to use home IoT devices but not really understanding either how they work or how to learn about and manage the threats and risks that the devices pose in the home. The thesis uses the Transtheoretical Method of Behaviour Change (TTM) as a theoretical base for reflecting upon the place of participant families on the cycle of adoption of cyber security for their home IoT devices. Using this model, it was possible to understand that participant families were, on the whole, at the very first stage of the cycle --- precontemplation, and that the information that they might rely upon is insufficiently robust to support knowledge gathering and raise awareness. Hurdles at home around finding the opportunity to discuss cyber security, or even having the appropriate vocabulary, could also hinder efforts to understand the topic better. To move further along the TTM cycle, training and education would be required to increase their levels of awareness.

To work with families to understand what interventions families may need to increase their awareness of cyber security measures for home IoT devices, a piece of user-centred design work was undertaken to create a serious game. Serious games have been successfully used in organisational and educational settings to teach and explore cyber security concepts before, but not with families at home. The game represented an opportunity to provide participants' families with information on cyber security as it pertains to home IoT devices. This allowed participant families to receive information and possibly move around the TTM cycle at least to the step beyond precontemplation: contemplation. This was evidenced in discussions during and after gameplay about wanting to make changes to their home cyber security setup. In some cases, it was hoped that participants could move further around the cycle to take action, having been motivated by the knowledge provided in the game.

When playing the game, families were given the opportunity to learn about the type of cyber security concerns that could arise in relation to home IoT devices and asked if they would make any modifications to the cyber security measures they use at home in the week following the game. Significantly, more of the gameplay participants did take action to change their cyber security setup in the week following gameplay than a control group that had not had the opportunity to play the game. Almost all participant families discussed their cyber security setup at home during the period of gameplay, and several also reported continuing this discussion in the week following the game, evidencing that the game raised sufficient awareness within the participant families to be able to have conversations about the topic. This suggested that the game could stand as a tool for awareness raising by itself; however, the process of gameplay exposed several other areas where interventions outside the family unit should be made.

This thesis makes several novel contributions, both in terms of the methods used and the findings arising from them. It provides evidence on the level of knowledge within families in the UK about the home IoT devices that they use, how they use them, and their level of comfort with their cyber security setup. Through discussions with participant families and analysis of survey results, the reliance on the Internet for the gathering of knowledge in relation to home IoT device cyber security questions or concerns is made clear. By subsequently analysing the appropriateness of available cyber security information for Internet users, the thesis highlights the lack of visibility of sources to provide targeted and robust guidance. There was also a complete lack of awareness from all participants as to the official governmental agency in the UK from which to gain cyber security guidance. Engaging with participant families over the period of the research consistently highlighted the ease with which cyber security and online safety are conflated in training and education provided at school and thus brought into discussions at home. It is also the case that there is an overwhelmingly strong focus on financial ends rather than identity-driven ones: the value of devices (in terms of replacement) and financial loss are what families worry about, not data loss or possible physical threats emanating from home IoT device use.

The use of an autoethnographic diary study provided a means to use reflexive research to explore issues around lack of awareness, conflation of online safety and cyber security, and the difficulty of finding available information online. It further uncovered difficulties that families may have in describing cyber security issues and requirements, simply because the terminology is too complicated, the actions are too complex (or boring), or the end result does not obviously make a difference. Finally, the use of user-centred design with participant families to develop a serious board game, to build awareness, as evidenced in discussion about home IoT device cyber security measures is novel. Analysis of the participant families' interaction with and actions arising from gameplay show that given training and education, families will use this knowledge to facilitate discussion on the subject, but they may need guidance to ensure that they are discussing topics appropriately. It also showed that, being motivated to take action as a result of gaining knowledge from gameplay, families may attempt to make changes to their cyber security setup for home IoT devices, with varying levels of success and appropriate use. Single-action measures (such as setting up a guest network) are the most popular, although perhaps not the most effective, in terms of managing common cyber security problems. Repetitive actions (such as turning devices off when not in use) seem to quickly fall out of favour, despite being relatively effective and inexpensive, financially at least, to implement. All of these aspects allow for a range of recommendations for improvements to help families have safe home IoT devices.