{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,11]],"date-time":"2026-03-11T09:20:46Z","timestamp":1773220846655,"version":"3.50.1"},"reference-count":47,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2021,7,15]],"date-time":"2021-07-15T00:00:00Z","timestamp":1626307200000},"content-version":"vor","delay-in-days":195,"URL":"https:\/\/creativecommons.org\/licenses\/by-nc\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003246","name":"NWO","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2021,7,15]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Internet Service Providers (ISPs) are getting involved in remediating Internet of Things (IoT) infections of end users. This endeavor runs into serious usability problems. Given that it is usually unknown what kind of device is infected, they can only provide users with very generic cleanup advice, trying to cover all device types and remediation paths. Does this advice work? To what extent do users comply with the instructions? And does more compliance lead to higher cleanup rates? This study is the first to shed light on these questions. In partnership with an ISP, we designed a randomized control experiment followed up by a user survey. We randomly assigned 177 consumers affected by malware from the Mirai family to three different groups: (i) notified via a walled garden (quarantine network), (ii) notified via email, and (iii) no immediate notification, i.e. a control group. The notification asks the user to take five steps to remediate the infection. We conducted a phone survey with 95 of these customers based on communication\u2013human information processing theory. We model the impact of the treatment, comprehension, and motivation on the compliance rate of each customer, while controlling for differences in demographics and infected device types. We also estimate the extent to which compliance leads to successful cleanup of the infected IoT devices. While only 24% of notified users perform all five remediation steps, 92% of notified users perform at least one action. Compliance increases the probability of successful cleanup by 32%, while the presence of competing malware reduces it by 54%. We provide an empirical basis to shape ISP best practices in the fight against IoT malware.<\/jats:p>","DOI":"10.1093\/cybsec\/tyab015","type":"journal-article","created":{"date-parts":[[2021,7,15]],"date-time":"2021-07-15T16:25:07Z","timestamp":1626366307000},"source":"Crossref","is-referenced-by-count":14,"title":["User compliance and remediation success after IoT malware notifications"],"prefix":"10.1093","volume":"7","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-4976-4311","authenticated-orcid":false,"given":"Elsa","family":"Rodr\u00edguez","sequence":"first","affiliation":[{"name":"Organisation and Governance, Delft University of Technology, Jaffalaan 5, 2628 BX Delft, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Susanne","family":"Verstegen","sequence":"additional","affiliation":[{"name":"Organisation and Governance, Delft University of Technology, Jaffalaan 5, 2628 BX Delft, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Arman","family":"Noroozian","sequence":"additional","affiliation":[{"name":"Organisation and Governance, Delft University of Technology, Jaffalaan 5, 2628 BX Delft, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Daisuke","family":"Inoue","sequence":"additional","affiliation":[{"name":"National Institute of Information and Communications Technology, 4-2-1, Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Takahiro","family":"Kasama","sequence":"additional","affiliation":[{"name":"National Institute of Information and Communications Technology, 4-2-1, Nukui-Kitamachi, Koganei, Tokyo 184-8795, Japan"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Michel","family":"van\u00a0Eeten","sequence":"additional","affiliation":[{"name":"Organisation and Governance, Delft University of Technology, Jaffalaan 5, 2628 BX Delft, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Carlos H","family":"Ga\u00f1\u00e1n","sequence":"additional","affiliation":[{"name":"Organisation and Governance, Delft University of Technology, Jaffalaan 5, 2628 BX Delft, The Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"286","published-online":{"date-parts":[[2021,7,15]]},"reference":[{"key":"2021071516250219600_bib1","article-title":"IoT devices will outnumber the world's population this year for the first time","author":"Tung","year":"2017"},{"key":"2021071516250219600_bib2","first-page":"1169","article-title":"All things considered: an analysis of IoT devices on home networks","volume-title":"28th USENIX Security Symposium (USENIX Security 19)","author":"Kumar","year":"2019"},{"key":"2021071516250219600_bib3","article-title":"HP news: HP study reveals 70 percent of internet of things devices vulnerable to attack","author":"","year":"2014"},{"key":"2021071516250219600_bib4","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2019.23438","article-title":"Cleaning up the internet of evil things: real-world evidence on ISP and consumer efforts to remove mira","volume-title":"NDSS","author":"Cetin","year":"2019"},{"key":"2021071516250219600_bib5","doi-asserted-by":"crossref","DOI":"10.17487\/rfc6561","article-title":"Recommendations for the remediation of bots in ISP networks","author":"Livingood","year":"2012"},{"key":"2021071516250219600_bib6","first-page":"1093","article-title":"Understanding the mirai botnet","volume-title":"Proceedings of the 26th USENIX Security Symposium","author":"Antonakakis","year":"2017"},{"key":"2021071516250219600_bib7","doi-asserted-by":"crossref","DOI":"10.1145\/3321408.3326671","article-title":"IoT device fingerprinting for relieving pressure in the access control","volume-title":"Proceedings of the ACM Turing Celebration Conference, China","author":"Song","year":"2019"},{"key":"2021071516250219600_bib8","doi-asserted-by":"crossref","first-page":"80","DOI":"10.1109\/MC.2017.201","article-title":"DDoS in the IoT: Mirai and other botnets","volume":"50","author":"Kolias","year":"2017","journal-title":"Computer"},{"key":"2021071516250219600_bib9","article-title":"Analysis of DDoS-capable IoT malwares","volume-title":"Proceedings of the 2017 Federated Conference on Computer Science and Information Systems, FedCSIS 2017","author":"De\u00a0Donno","year":"2017"},{"key":"2021071516250219600_bib10","doi-asserted-by":"crossref","first-page":"26","DOI":"10.1109\/MC.2018.3011046","article-title":"IoT as a land of opportunity for DDoS hackers","volume":"51","author":"Vlajic","year":"2018","journal-title":"Computer"},{"key":"2021071516250219600_bib11","article-title":"Internet security threat report, volume 24","author":"Symantec","year":"2019"},{"key":"2021071516250219600_bib12","article-title":"New trends in the world of IoT threats","author":"Mikhail\u00a0Kuzin","year":"2018"},{"key":"2021071516250219600_bib13","article-title":"I can't believe mirais: tracking the infamous IoT malware","author":"DeBeck"},{"key":"2021071516250219600_bib14","doi-asserted-by":"crossref","first-page":"16","DOI":"10.1109\/MSP.2015.110","article-title":"Economics of fighting botnets: lessons from a decade of mitigation","volume":"13","author":"Asghari","year":"2015","journal-title":"IEEE Secur Priv"},{"key":"2021071516250219600_bib15","article-title":"Post-mortem of a zombie: conficker cleanup after six years","author":"Asghari","year":"2015","journal-title":"Proceedings of the 24th USENIX Security Symposium (pp. 1-16)"},{"key":"2021071516250219600_bib16","doi-asserted-by":"crossref","first-page":"24","DOI":"10.1109\/EISIC.2016.013","article-title":"The role of internet service providers in botnet mitigation","volume-title":"2016 European Intelligence and Security Informatics Conference (EISIC)","author":"Pijpker","year":"2016"},{"key":"2021071516250219600_bib17","doi-asserted-by":"crossref","DOI":"10.17487\/RFC8520","article-title":"Manufacturer usage description specification","author":"Lear","year":"2019"},{"key":"2021071516250219600_bib18","article-title":"Manufacturer usage description for quarantined access to firmware","author":"Richardson","year":"2019"},{"key":"2021071516250219600_bib19","article-title":"Do malware reports expedite cleanup? An experimental study","volume-title":"Presented as part of the 5th Workshop on Cyber Security Experimentation and Test","author":"Vasek","year":"2012"},{"key":"2021071516250219600_bib20","doi-asserted-by":"crossref","DOI":"10.1145\/2872427.2883039","article-title":"Remedying web hijacking: notification effectiveness and webmaster comprehension","volume-title":"25th International World Wide Web Conference, WWW 2016","author":"Li","year":"2016"},{"key":"2021071516250219600_bib21","doi-asserted-by":"crossref","first-page":"83","DOI":"10.1093\/cybsec\/tyw005","article-title":"Understanding the role of sender reputation in abuse reporting and cleanup","volume":"2","author":"Cetin","year":"2016","journal-title":"J Cybersecurity"},{"key":"2021071516250219600_bib22","doi-asserted-by":"crossref","DOI":"10.1145\/2663716.2663755","article-title":"The matter of Heartbleed","volume-title":"Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC","author":"Durumeric","year":"2014"},{"key":"2021071516250219600_bib23","article-title":"You've got vulnerability: exploring effective vulnerability notifications","volume-title":"USENIX Security Symposium","author":"Li","year":"2016"},{"key":"2021071516250219600_bib24","doi-asserted-by":"crossref","DOI":"10.14722\/ndss.2018.23171","article-title":"Didn't you hear me? Towards more successful web vulnerability notifications","volume-title":"Proceedings of the 25th Annual Symposium on Network and Distributed System Security (NDSS \u201918)","author":"Stock","year":"2018"},{"key":"2021071516250219600_bib25","doi-asserted-by":"crossref","first-page":"326","DOI":"10.1109\/EuroSP.2019.00032","article-title":"Tell me you fixed it: evaluating vulnerability notifications via quarantine networks","volume-title":"2019 IEEE European Symposium on Security and Privacy (EuroS&P)","author":"Cetin","year":"2019"},{"key":"2021071516250219600_bib26","article-title":"Let me out! Evaluating the effectiveness of quarantining compromised users in walled gardens","volume-title":"Fourteenth Symposium on Usable Privacy and Security","author":"Cetin","year":"2018"},{"key":"2021071516250219600_bib27","article-title":"Please continue to hold: an empirical study on user tolerance of security delays","volume-title":"Workshop on the Economics of Information Security (WEIS)","author":"Egelman","year":"2010"},{"key":"2021071516250219600_bib28","article-title":"The importance of being earnest","volume-title":"Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)","author":"Egelman","year":"2013"},{"key":"2021071516250219600_bib29","doi-asserted-by":"crossref","DOI":"10.1145\/2702123.2702442","article-title":"Improving SSL warnings: comprehension and adherence","volume-title":"Conference on Human Factors in Computing Systems, Proceedings","author":"Felt","year":"2015"},{"key":"2021071516250219600_bib30","first-page":"257","article-title":"Alice in warningland: a large-scale field study of browser security warning effectiveness","volume-title":"Presented as part of the 22nd USENIX Security Symposium (USENIX Security 13)","author":"Akhawe","year":"2013"},{"key":"2021071516250219600_bib31","doi-asserted-by":"crossref","DOI":"10.1109\/CRISIS.2012.6378951","article-title":"Don't work. Can't work? Why it's time to rethink security warnings","volume-title":"7th International Conference on Risks and Security of Internet and Systems, CRiSIS 2012","author":"Krol","year":"2012"},{"key":"2021071516250219600_bib32","doi-asserted-by":"crossref","first-page":"18","DOI":"10.1109\/MSP.2010.198","article-title":"Bridging the gap in computer security warnings: a mental model approach","volume":"9","author":"Bravo-Lillo","year":"2011","journal-title":"IEEE Secur Priv"},{"key":"2021071516250219600_bib33","doi-asserted-by":"crossref","first-page":"33","DOI":"10.1111\/1467-8721.ep10772712","article-title":"Warning! sign and label effectiveness","volume":"5","author":"Wogalter","year":"1996","journal-title":"Curr Dir Psychol Sci"},{"key":"2021071516250219600_bib34","first-page":"59","article-title":"Why do they do what they do?: a study of what motivates users to (not) follow computer security advice","volume-title":"Twelfth Symposium on Usable Privacy and Security (SOUPS 2016)","author":"Fagan","year":"2016"},{"key":"2021071516250219600_bib35","doi-asserted-by":"crossref","first-page":"920","DOI":"10.1109\/SP.2019.00059","article-title":"\u201cShould I worry?\u201d A cross-cultural examination of account security incident response","volume-title":"2019 IEEE Symposium on Security and Privacy (SP)","author":"Redmiles","year":"2019"},{"key":"2021071516250219600_bib36","doi-asserted-by":"crossref","DOI":"10.1145\/2556288.2557275","article-title":"Betrayed by updates: how negative experiences affect future security","volume-title":"Conference on Human Factors in Computing Systems, Proceedings","author":"Vaniea","year":"2014"},{"key":"2021071516250219600_bib37","doi-asserted-by":"crossref","first-page":"309","DOI":"10.1080\/13669870110062712","article-title":"A communication\u2013human information processing (C\u2013HIP) approach to warning effectiveness in the workplace","volume":"4","author":"Conzola","year":"2001","journal-title":"J Risk Res"},{"key":"2021071516250219600_bib38","doi-asserted-by":"crossref","first-page":"53","DOI":"10.1016\/j.ijhcs.2005.04.013","article-title":"The role of moderating factors in user technology acceptance","volume":"64","author":"Sun","year":"2006","journal-title":"Int J Hum Comput Stud"},{"key":"2021071516250219600_bib39","article-title":"Shodan","author":"Shodan","year":"2019"},{"key":"2021071516250219600_bib40","article-title":"Drone\/botnet-drone report","author":"Shadowserver","year":"2019"},{"key":"2021071516250219600_bib41","article-title":"GCA\u2014global cyber alliance\u2014working to eradicate cyber risk","author":"GCA","year":"2019"},{"key":"2021071516250219600_bib42","article-title":"IoTPOT: analysing the rise of IoT compromises","volume-title":"9th USENIX Workshop on Offensive Technologies (WOOT '15)","author":"Pa","year":"2015"},{"key":"2021071516250219600_bib43","article-title":"Mirai: malware wiki","author":"Malware Wiki","year":"2019"},{"key":"2021071516250219600_bib44","article-title":"The menlo report: ethical principles guiding information and communication technology research","author":"Dittrich","year":"2012"},{"key":"2021071516250219600_bib45","article-title":"Domoticz downloads","author":"Domoticz","year":"2019"},{"key":"2021071516250219600_bib46","doi-asserted-by":"crossref","first-page":"54","DOI":"10.1037\/1082-989X.11.1.54","article-title":"A better lemon squeezer? Maximum-likelihood regression with beta-distributed dependent variables","volume":"11","author":"Smithson","year":"2006","journal-title":"Psychol Methods"},{"key":"2021071516250219600_bib47","doi-asserted-by":"crossref","first-page":"1","DOI":"10.18637\/jss.v034.i02","article-title":"Beta regression in R","volume":"34","author":"Cribari-Neto","year":"2010","journal-title":"J Stat Softw"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab015\/39047609\/tyab015.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"http:\/\/academic.oup.com\/cybersecurity\/article-pdf\/7\/1\/tyab015\/39047609\/tyab015.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,7,15]],"date-time":"2021-07-15T16:26:07Z","timestamp":1626366367000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyab015\/6321977"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2021,1,1]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2021,7,15]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyab015","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2021,1,1]]},"published":{"date-parts":[[2021,1,1]]},"article-number":"tyab015"}}