Practical Magic: Behavior-based Safety Design for IoT

Presented at TROOPERS18 (2018), March 12, 2018, 2:30 p.m. (Unknown duration)

The information security industry is forceful in its criticism of current IoT security practices, but scant improvement materializes. Few solutions proposed by security experts consider what actually worked to change incentives in other domains - not to mention what is actually feasible in the context of IoT developer workflows. My goal in this talk is to teach you practical magic - how to effect change through behavior-based safety design.

In this talk, we'll begin with a dive into the incentive problems leading to deficient security mechanisms in IoT devices. The IoT market faces a principal-agent problem, in which an agent (IoT developers) is able to make decisions on behalf of the principals (end users) - but with misaligned incentives between the agent and principal, leading to conflicts of interest. When IoT devices are compromised, user and corporate data is the price paid - but developers of IoT devices and software do not bear this cost.

Next, we'll explore how behavioral design can help align incentives of the principals (users) and agent (IoT developers). There are lessons from behavior-based safety design employed in other domains, such as healthcare and workplace safety, which can be applied to IoT security. We'll walk through examples of these behavioral designs, including checklists, reinforcement mechanisms providing immediate feedback, and other behavioral "nudges."

We'll conclude with my proposed behavioral designs specifically for the IoT security market, keeping in mind the needs of IoT manufacturers and software developers - which are not met through a data dump of potential vulnerabilities. Finally, I'll introduce a straightforward, one-page security checklist which presents a concentrated set of requirements for each phase of the development lifecycle - design, build, test - that are digestible by people without security backgrounds.
  • Kelly Shortridge
    Kelly Shortridge is currently a Product Manager at SecurityScorecard, the ecosystem risk management platform. In her spare time, she researches applications of behavioral economics and behavioral game theory to information security, on which she's spoken at conferences internationally, including Black Hat, Troopers, and ZeroNights. Previously, Kelly was the Product Manager for cross-platform Detection capabilities at BAE Systems, within the Applied Intelligence division, and also co-founded a mobile monitoring and access control startup called IperLane, where she served as COO for almost two years. Prior to IperLane, Kelly was an investment banking analyst at Teneo Capital, responsible for coverage of the data security, intelligence and analytics sectors, advising clients on M&A and capital raising assignments. Kelly graduated from Vassar College with a B.A. in Economics and was awarded the Leo M. Prince Prize for Academic Achievement. In her spare time, she enjoys practicing Krav Maga, world-building, weight lifting, reading sci-fi novels and playing open-world RPGs.