{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,25]],"date-time":"2025-09-25T00:15:25Z","timestamp":1758759325880,"version":"3.44.0"},"reference-count":81,"publisher":"Oxford University Press (OUP)","issue":"1","license":[{"start":{"date-parts":[[2025,9,24]],"date-time":"2025-09-24T00:00:00Z","timestamp":1758672000000},"content-version":"vor","delay-in-days":266,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/501100003246","name":"NWO","doi-asserted-by":"publisher","id":[{"id":"10.13039\/501100003246","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025,1,17]]},"abstract":"<jats:title>Abstract<\/jats:title>\n               <jats:p>Existing research offers insights into the properties of security advice and user abilities to implement such advice, but lacks insight into whether this advice is fit for purpose when applied to the diversity of consumer IoT devices. Our study bridges this gap by examining how country-level security advice from the UK, the USA, and the Netherlands relates to the user materials of 40 top-selling IoT devices across five categories, focusing on whether the advice can realistically be followed given the devices\u2019 documented features. Drawing on manuals, videos, and organic search results, we offer a scalable approach for assessing the applicability of security advice across a wide range of IoT devices. Four overlapping pieces of advice regarding password management and firmware updates were identified in the three countries. Our assessment revealed a significant disconnect; no device supported the implementation of all four pieces of advice. At most, the analyzed materials for 36 devices provided sufficient information to apply one or two pieces of advice, primarily concerning updates. This shows that the advice does not merely fall short in isolated cases, but fails systematically to align with device capabilities. Users, typically non-experts, must determine whether expert advice applies to their devices, risking ineffective or harmful practices. This disconnect highlights a broader issue: advice itself lacks the grounding needed to support users in the first place. While framed as broadly applicable, general advice fails to account for the wide variability in device features and support materials. Even when seemingly connected to device features, advice risks leading to pseudo-security improvements rather than the proposed security improvements, placing a burden on users to assess the relevance, implementation, and security effectiveness of the advice. This situation jeopardizes IoT security at scale, and risks undermining user trust in protective measures. We propose that governments and researchers consider the practical constraints and informational contexts users face to ensure that provided security support aligns with the realities of device features and user capabilities.<\/jats:p>","DOI":"10.1093\/cybsec\/tyaf024","type":"journal-article","created":{"date-parts":[[2025,9,24]],"date-time":"2025-09-24T14:17:40Z","timestamp":1758723460000},"source":"Crossref","is-referenced-by-count":0,"title":["Unfit for purpose? Assessing the applicability of country-level IoT security advice"],"prefix":"10.1093","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0451-4052","authenticated-orcid":false,"given":"Veerle","family":"van\u00a0Harten","sequence":"first","affiliation":[{"name":"Technology, Policy, and Management, TU Delft , Jaffalaan 5, 2628 BX Delft ,","place":["The Netherlands"]}]},{"given":"Carlos Hern\u00e1ndez","family":"Ga\u00f1\u00e1n","sequence":"additional","affiliation":[{"name":"Technology, Policy, and Management, TU Delft , Jaffalaan 5, 2628 BX Delft ,","place":["The Netherlands"]}]},{"given":"Michel","family":"van\u00a0Eeten","sequence":"additional","affiliation":[{"name":"Technology, Policy, and Management, TU Delft , Jaffalaan 5, 2628 BX Delft ,","place":["The Netherlands"]}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6667-0440","authenticated-orcid":false,"given":"Simon","family":"Parkin","sequence":"additional","affiliation":[{"name":"Technology, Policy, and Management, TU Delft , Jaffalaan 5, 2628 BX Delft ,","place":["The Netherlands"]}]}],"member":"286","published-online":{"date-parts":[[2025,9,24]]},"reference":[{"key":"2025092410173550400_bib1","doi-asserted-by":"crossref","first-page":"55","DOI":"10.1109\/MSP.2017.3681050","article-title":"152 Simple Steps to Stay Safe Online: Security Advice for Non-Tech-Savvy Users","volume":"15","author":"Reeder","year":"2017","journal-title":"IEEE Secur Priv"},{"key":"2025092410173550400_bib2","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-81111-2_10","article-title":"When Googling it doesn\u2019t work: the challenge of finding security advice for smart home devices","volume-title":"International Symposium on Human Aspects of Information Security and Assurance (HAISA 2021)","author":"Turner","year":"2021"},{"key":"2025092410173550400_bib3","article-title":"Smart Home","author":"Bundesamt f\u00fcr Sicherheit in der Informationstechnik (BSI)","year":".."},{"key":"2025092410173550400_bib4","article-title":"Personal cyber security: advanced steps","author":"Australian Cyber Security Centre","year":".."},{"key":"2025092410173550400_bib5","article-title":"Dispositivos IoT (Internet de las cosas)","author":"INCIBE - Instituto Nacional de Ciberseguridad","year":"2021"},{"key":"2025092410173550400_bib6","article-title":"Cyber tipp: IoT","author":"National Cyber Security Centre Switzerland","year":".."},{"key":"2025092410173550400_bib7","article-title":"End user security guidelines","author":"Ministry of Internal Affairs and Communications","year":".."},{"key":"2025092410173550400_bib8","article-title":"End user security and privacy concerns with smart homes","author":"Zeng","year":"2017"},{"key":"2025092410173550400_bib9","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-50309-3_26","article-title":"Smart home security and privacy mitigations: consumer perceptions, practices, and challenges","volume-title":"International Conference on Human-Computer Interaction (HCII)","author":"Haney","year":"2020"},{"key":"2025092410173550400_bib10","doi-asserted-by":"crossref","DOI":"10.1109\/SP46215.2023.10179459","article-title":"User perceptions and experiences with smart home updates","volume-title":"2023 IEEE Symposium on Security and Privacy (SP)","author":"Haney","year":"2023"},{"key":"2025092410173550400_bib11","article-title":"A comprehensive quality evaluation of security and privacy advice on the web","volume-title":"29th USENIX Security Symposium","author":"Redmiles","year":"2020"},{"key":"2025092410173550400_bib12","doi-asserted-by":"crossref","first-page":"30","DOI":"10.1145\/3563392","article-title":"Security best practices: a critical analysis using IoT as a case study","volume":"26","author":"Barrera","year":"2023","journal-title":"ACM Trans Priv Secur"},{"key":"2025092410173550400_bib13","article-title":"The Network Readiness Index 2019: towards a future-ready society","author":"Dutta","year":"2019"},{"key":"2025092410173550400_bib14","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1186\/s40327-018-0063-8","article-title":"What is a smart device? A conceptualisation within the paradigm of the internet of things","volume":"6","author":"Silverio-Fern\u00e1ndez","year":"2018","journal-title":"Vis Eng"},{"key":"2025092410173550400_bib15","article-title":"Who\u2019s in control? interactions in multi-user smart homes","volume-title":"CHI Conference on Human Factors in Computing Systems","author":"Geeng","year":"2019"},{"key":"2025092410173550400_bib16","article-title":"\u201dIt\u2019s the Company, the Government, You and I\u201d: user perceptions of responsibility for smart home privacy and security","volume-title":"30th USENIX Security Symposium","author":"Haney","year":"2021"},{"key":"2025092410173550400_bib17","article-title":"\u201c...No one Can Hack My Mind\u201d: comparing expert and non-expert security practices","volume-title":"SOUPS","author":"Ion","year":"2015"},{"key":"2025092410173550400_bib18","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3274469","article-title":"User perceptions of smart home IoT privacy","volume":"2","author":"Zheng","year":"2018","journal-title":"Proc ACM Hum-Comput Interact"},{"key":"2025092410173550400_bib19","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-319-73697-6_15","article-title":"An overview of the usage of default passwords","volume-title":"Digital Forensics and Cyber Crime","author":"Knieriem","year":"2018"},{"key":"2025092410173550400_bib20","doi-asserted-by":"crossref","DOI":"10.1145\/3485832.3485894","article-title":"Obfuscation revealed: leveraging electromagnetic signals for obfuscated malware classification","volume-title":"ACSAC","author":"Pham","year":"2021"},{"key":"2025092410173550400_bib21","article-title":"Superspreaders: quantifying the role of IoT manufacturers in device infections","volume-title":"20th Annual Workshop on the Economics of Information Security (WEIS 2021)","author":"Rodr\u00edguez","year":"2021"},{"key":"2025092410173550400_bib22","first-page":"20","article-title":"An evolutionary study of IoT malware","volume":"8","author":"Wang","year":"2021","journal-title":"IEEE Internet of Things Journal"},{"key":"2025092410173550400_bib23","first-page":"20","article-title":"\u2018Internet of Things\u2019: how abuse is getting smarter","author":"Lopez-Neira","year":"2019","journal-title":"Safe\u2013The Domestic Abuse Quarterly"},{"key":"2025092410173550400_bib24","article-title":"Code of practice for consumer IoT security\u2014gov.uk","author":"GOV.UK","year":"2018"},{"key":"2025092410173550400_bib25","article-title":"Product Security and Telecommunications Infrastructure Act 2022","author":"Parliament","year":"2022"},{"key":"2025092410173550400_bib26","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.IR.8259","volume-title":"NISTIR 8259 Foundational cybersecurity activities for IoT device manufacturers","author":"Fagan","year":"2020"},{"key":"2025092410173550400_bib27","article-title":"Code of practice: securing the Internet of Things for consumers","author":"Government","year":"2020"},{"key":"2025092410173550400_bib28","article-title":"European Parliament legislative resolution of 12 March 2024 on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019\/1020 (COM(2022)0454\u2013C9-0308\/2022\u20132022\/0272(COD))","author":"European Parliament","year":"2024"},{"key":"2025092410173550400_bib29","article-title":"Cybersecurity Labelling Scheme (CLS)","author":"Cyber Security Agency of Singapore","year":"2020"},{"key":"2025092410173550400_bib30","article-title":"IoT product security conformity assessment scheme policy (provisional translation)","author":"Ministry of Economy, Trade and Industry Commerce and Information Policy Bureau Cybersecurity Division","year":"2024"},{"key":"2025092410173550400_bib31","first-page":"15","article-title":"A framework for reasoning about the human in the loop","author":"Cranor","year":"2008","journal-title":"Proceedings of the 1st Conference on Usability, Psychology, and Security (UPSEC \u201908)"},{"key":"2025092410173550400_bib32","article-title":"Being hacked: understanding victims\u2019 experiences of $\\lbrace$IoT$\\rbrace$ hacking","volume-title":"SOUPS","author":"Rostami","year":"2022"},{"key":"2025092410173550400_bib33","first-page":"8","article-title":"What (if any) behaviour change techniques do government-led cybersecurity awareness campaigns use?","volume":"6","author":"Van\u00a0Steen","year":"2020","journal-title":"J Cybersecur"},{"key":"2025092410173550400_bib34","doi-asserted-by":"crossref","DOI":"10.1109\/PST.2017.00029","article-title":"Privacy is the boring bit: user perceptions and behaviour in the Internet-of-Things","volume-title":"2017 15th Annual Conference on Privacy, Security and Trust (PST)","author":"Williams","year":"2017"},{"key":"2025092410173550400_bib35","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1093\/cybsec\/tyz005","article-title":"What security features and crime prevention advice is communicated in consumer IoT device manuals and support pages?","volume":"5","author":"Blythe","year":"2019","journal-title":"J Cybersecur"},{"key":"2025092410173550400_bib36","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1109\/MIC.2017.3301619","article-title":"To follow or not to follow: a study of user motivations around cybersecurity advice","volume":"22","author":"Fagan","year":"2018","journal-title":"IEEE Internet Computing"},{"key":"2025092410173550400_bib37","doi-asserted-by":"crossref","DOI":"10.1109\/SP.2016.24","article-title":"I think they\u2019re trying to tell me something: advice sources and selection for digital security","volume-title":"IEEE Symposium on Security and Privacy (SP)","author":"Redmiles","year":"2016"},{"key":"2025092410173550400_bib38","article-title":"Dancing pigs or externalities? measuring the rationality of security decisions","volume-title":"ACM Conference on Economics and Computation","author":"Redmiles","year":"2018"},{"key":"2025092410173550400_bib39","article-title":"Exploring how privacy and security factor into IoT device purchase behavior","volume-title":"CHI Conference on Human Factors in Computing Systems","author":"Emami-Naeini","year":"2019"},{"key":"2025092410173550400_bib40","article-title":"More than smart speakers: security and privacy perceptions of smart home personal assistants","volume-title":"SOUPS","author":"Abdi","year":"2019"},{"key":"2025092410173550400_bib41","article-title":"Informal support networks: an investigation into home data security practices","volume-title":"SOUPS","author":"Nthala","year":"2018"},{"key":"2025092410173550400_bib42","article-title":"Breaking! A typology of security and privacy news and how it\u2019s shared","volume-title":"CHI Conference on Human Factors in Computing Systems","author":"Das","year":"2018"},{"key":"2025092410173550400_bib43","article-title":"The effect of social influence on security sensitivity","volume-title":"SOUPS","author":"Das","year":"2014"},{"key":"2025092410173550400_bib44","doi-asserted-by":"crossref","DOI":"10.1145\/1518701.1518816","article-title":"Computer help at home: methods and motivations for informal technical support","volume-title":"SIGCHI Conference on Human Factors in Computing Systems","author":"Poole","year":"2009"},{"key":"2025092410173550400_bib45","article-title":"Out of sight, out of mind: UI design and the inhibition of mental models of security","volume-title":"Proceedings of the New Security Paradigms Workshop","author":"Spero","year":"2020"},{"key":"2025092410173550400_bib46","doi-asserted-by":"crossref","DOI":"10.1145\/1719030.1719050","article-title":"So long, and no thanks for the externalities: the rational rejection of security advice by users","volume-title":"Proceedings of the 2009 workshop on New security paradigms workshop","author":"Herley","year":"2009"},{"key":"2025092410173550400_bib47","doi-asserted-by":"crossref","DOI":"10.1145\/2976749.2978307","article-title":"How i learned to be secure: a census-representative survey of security advice sources and behavior","volume-title":"ACM SIGSAC Conference on Computer and Communications Security","author":"Redmiles","year":"2016"},{"key":"2025092410173550400_bib48","doi-asserted-by":"crossref","first-page":"25","DOI":"10.1007\/978-3-642-79868-9_2","article-title":"Diffusion of Innovations: modifications of a model for telecommunications","volume":"17","author":"Rogers","year":"1995","journal-title":"Die diffusion von innovationen in der telekommunikation"},{"key":"2025092410173550400_bib49","article-title":"1 miljoen bezoekers voor Veiliginternetten.nl","author":"ECP","year":"2017"},{"key":"2025092410173550400_bib50","article-title":"\u201dThe Thing Doesn\u2019t Have a Name\u201d: learning from emergent real-world interventions in smart home security","volume-title":"Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021)","author":"Bouwmeester","year":"2021"},{"key":"2025092410173550400_bib51","doi-asserted-by":"crossref","DOI":"10.14236\/ewic\/HCI20DC.14","article-title":"Approaches and technologies to support home users\u2019 engagement with cyber security","volume-title":"33rd International BCS Human Computer Interaction Conference (BCS HCI)","author":"Turner","year":"2020"},{"key":"2025092410173550400_bib52","article-title":"Network Readiness Index 2024 - Benchmarking the Future of the Network Economy","author":"Portulans Institute","year":"2024"},{"key":"2025092410173550400_bib53","article-title":"Security Tip (ST17-001)","author":"CISA","year":"2019"},{"key":"2025092410173550400_bib54","doi-asserted-by":"crossref","first-page":"328","DOI":"10.1080\/14780887.2020.1769238","article-title":"One size fits all? What counts as quality practice in (reflexive) thematic analysis?","volume":"18","author":"Braun","year":"2021","journal-title":"Qual Res Psychol"},{"key":"2025092410173550400_bib55","article-title":"How to safeguard IoT gadgets at home","author":"Get Safe Online","year":"2019"},{"key":"2025092410173550400_bib56","article-title":"Tips","author":"CISA"},{"key":"2025092410173550400_bib57","article-title":"Veelgestelde vragen over slimme apparaten","author":"EZK","year":"2022"},{"key":"2025092410173550400_bib58","article-title":"Hoe moet ik mijn Beveiligingscamera (IP camera) updaten?","author":"EZK","year":"2024"},{"key":"2025092410173550400_bib59","article-title":"Biden\u2013Harris administration announces cybersecurity labeling program for smart devices to protect American consumers","author":"The White House (US)","year":"2023"},{"key":"2025092410173550400_bib60","article-title":"IoT reality: smart devices, dumb defaults","author":"Krebs","year":"2016"},{"key":"2025092410173550400_bib61","article-title":"Consumer IoT security guidance","author":"\u200b\u200b\u200bIoT\u00a0Security\u00a0Foundation","year":"2020"},{"key":"2025092410173550400_bib62","article-title":"Innovation inaction or in action? the role of user experience in the security and privacy design of smart home cameras","volume-title":"Sixteenth Symposium on Usable Privacy and Security (SOUPS 2020)","author":"Chalhoub","year":"2020"},{"key":"2025092410173550400_bib63","article-title":"Towards robust experimental design for user studies in security and privacy","volume-title":"4th LASER Workshop (2016): Learning from Authoritative Security Experiment Results","author":"Krol","year":"2016"},{"key":"2025092410173550400_bib64","volume-title":"Task-centered user interface design","author":"Lewis","year":"1993"},{"key":"2025092410173550400_bib65","article-title":"Digital 2020: Global Digital Overview","author":"Kemp","year":"2020"},{"key":"2025092410173550400_bib66","doi-asserted-by":"crossref","first-page":"1485","DOI":"10.1080\/0144929X.2020.1761450","article-title":"Factors influencing viewing behaviour on search engine results pages: a review of eye-tracking research","volume":"40","author":"Lewandowski","year":"2021","journal-title":"Behav Inf Technol"},{"key":"2025092410173550400_bib67","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1145\/3359174","article-title":"Reliability and inter-rater reliability in qualitative research: Norms and guidelines for CSCW and HCI practice","volume":"3","author":"McDonald","year":"2019","journal-title":"Proc ACM Human-Computer Interaction"},{"key":"2025092410173550400_bib68","article-title":"Literature review on connected devices within enterprise networks","author":"Ipsos MORI","year":"2021"},{"key":"2025092410173550400_bib69","doi-asserted-by":"crossref","DOI":"10.1145\/1837110.1837125","article-title":"Folk models of home computer security","volume-title":"SOUPS","author":"Wash","year":"2010"},{"key":"2025092410173550400_bib70","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-030-79318-0_6","article-title":"Work in progress: towards usable updates for smart home devices","volume-title":"Socio-Technical Aspects in Security and Trust","author":"Haney","year":"2021"},{"key":"2025092410173550400_bib71","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-031-05457-0_10","article-title":"When choice is (not) an option: nudging and techno-regulation approaches to behavioural cybersecurity","volume-title":"Augmented Cognition","author":"van\u00a0Steen","year":"2022"},{"key":"2025092410173550400_bib72","volume-title":"Tiny habits: The small changes that change everything","author":"Fogg","year":"2019"},{"key":"2025092410173550400_bib73","first-page":"12","article-title":"Learning from behavioural changes that fail","volume":"26","author":"Osman","year":"2020","journal-title":"Trends Cogn Sci"},{"key":"2025092410173550400_bib74","doi-asserted-by":"crossref","DOI":"10.1109\/eCrime47957.2019.9037589","article-title":"Identifying unintended harms of cybersecurity countermeasures","volume-title":"2019 APWG Symposium on Electronic Crime Research (eCrime)","author":"Chua","year":"2019"},{"key":"2025092410173550400_bib75","article-title":"Exploring authentication for $\\lbrace$security-sensitive$\\rbrace$ tasks on smart home voice assistants","volume-title":"Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021)","author":"Ponticello","year":"2021"},{"key":"2025092410173550400_bib76","doi-asserted-by":"crossref","DOI":"10.1109\/SP46215.2023.10179459","article-title":"User perceptions and experiences with smart home updates","volume-title":"2023 IEEE Symposium on Security and Privacy (SP)","author":"Haney","year":"2023"},{"key":"2025092410173550400_bib77","article-title":"Questions and answers: strengthening cybersecurity of wireless devices and products","author":"European Commission","year":"2021"},{"key":"2025092410173550400_bib78","article-title":"Code of practice for consumer IoT security","author":"UK Department of Digital, Culture, Media and Sport","year":"2018"},{"key":"2025092410173550400_bib79","doi-asserted-by":"crossref","DOI":"10.1145\/3531073.3531089","article-title":"\u201cSecure Settings Are Quick and Easy!\u201d \u2013 motivating end-users to choose secure smart home configurations","volume-title":"International Conference on Advanced Visual Interfaces","author":"Prange","year":"2022"},{"key":"2025092410173550400_bib80","doi-asserted-by":"crossref","DOI":"10.1007\/978-3-642-13226-1_13","article-title":"Behavior wizard: a method for matching target behaviors with solutions","volume-title":"International Conference on Persuasive Technology","author":"Fogg","year":"2010"},{"key":"2025092410173550400_bib81","doi-asserted-by":"crossref","DOI":"10.6028\/NIST.IR.8259","volume-title":"Foundational cybersecurity activities for IoT device manufacturers","author":"Fagan","year":"2020"}],"container-title":["Journal of Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf024\/64372423\/tyaf024.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"syndication"},{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article-pdf\/11\/1\/tyaf024\/64372423\/tyaf024.pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,24]],"date-time":"2025-09-24T14:17:53Z","timestamp":1758723473000},"score":1,"resource":{"primary":{"URL":"https:\/\/academic.oup.com\/cybersecurity\/article\/doi\/10.1093\/cybsec\/tyaf024\/8262872"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"references-count":81,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2025,1,17]]}},"URL":"https:\/\/doi.org\/10.1093\/cybsec\/tyaf024","relation":{},"ISSN":["2057-2085","2057-2093"],"issn-type":[{"value":"2057-2085","type":"print"},{"value":"2057-2093","type":"electronic"}],"subject":[],"published-other":{"date-parts":[[2025]]},"published":{"date-parts":[[2025]]},"article-number":"tyaf024"}}