{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T15:26:20Z","timestamp":1776093980345,"version":"3.50.1"},"publisher-location":"New York, NY, USA","reference-count":65,"publisher":"ACM","license":[{"start":{"date-parts":[[2025,4,25]],"date-time":"2025-04-25T00:00:00Z","timestamp":1745539200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"The Dutch Research Council (NWO)","award":["Grant No. CS.007"],"award-info":[{"award-number":["Grant No. CS.007"]}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2025,4,26]]},"DOI":"10.1145\/3706598.3713719","type":"proceedings-article","created":{"date-parts":[[2025,4,28]],"date-time":"2025-04-28T14:48:11Z","timestamp":1745851691000},"page":"1-19","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":3,"title":["\u201cAll Sorts of Other Reasons to Do It\u201d: Explaining the Persistence of Sub-optimal IoT Security Advice"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0000-0003-0451-4052","authenticated-orcid":false,"given":"Veerle","family":"van Harten","sequence":"first","affiliation":[{"name":"TU Delft, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-4699-3007","authenticated-orcid":false,"given":"Carlos Hernandez","family":"Ganan","sequence":"additional","affiliation":[{"name":"TU Delft, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0338-2812","authenticated-orcid":false,"given":"Michel","family":"van Eeten","sequence":"additional","affiliation":[{"name":"TU Delft, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6667-0440","authenticated-orcid":false,"given":"Simon","family":"Parkin","sequence":"additional","affiliation":[{"name":"TU Delft, Delft, Netherlands"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,4,25]]},"reference":[{"key":"e_1_3_3_3_2_2","doi-asserted-by":"crossref","unstructured":"Rohit Akhilesh Oliver Bills Naveen Chilamkurti and Mohammad Jabed\u00a0Morshed Chowdhury. 2022. Automated penetration testing framework for smart-home-based IoT devices. Future Internet 14 10 (2022) 276.","DOI":"10.3390\/fi14100276"},{"key":"e_1_3_3_3_3_2","doi-asserted-by":"crossref","unstructured":"Audrey Alejandro and Longxuan Zhao. 2024. Multi-method qualitative text and discourse analysis: A methodological framework. Qualitative inquiry 30 6 (2024) 461\u2013473.","DOI":"10.1177\/10778004231184421"},{"key":"e_1_3_3_3_4_2","doi-asserted-by":"crossref","unstructured":"Debi Ashenden and Darren Lawrence. 2016. Security dialogues: Building better relationships between security and business. IEEE Security & Privacy 14 3 (2016) 82\u201387.","DOI":"10.1109\/MSP.2016.57"},{"key":"e_1_3_3_3_5_2","unstructured":"Australian Cyber Security Centre. n. d.. Personal Cyber Security: Advanced Steps. https:\/\/www.cyber.gov.au\/protect-yourself\/resources-protect-yourself\/personal-security-guides\/personal-cyber-security-advanced-steps. [Accessed 11-2023]."},{"key":"e_1_3_3_3_6_2","unstructured":"Bitdefender. 2024. Bitdefender - Global Leader in Cybersecurity Software \u2014 bitdefender.com. https:\/\/www.bitdefender.com\/en-us\/. [Accessed 11-2024]."},{"key":"e_1_3_3_3_7_2","doi-asserted-by":"crossref","unstructured":"John\u00a0M Blythe Nissy Sombatruang and Shane\u00a0D Johnson. 2019. What security features and crime prevention advice is communicated in consumer IoT device manuals and support pages? Journal of Cybersecurity 5 1 (2019) tyz005.","DOI":"10.1093\/cybsec\/tyz005"},{"key":"e_1_3_3_3_8_2","first-page":"493","volume-title":"Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021)","author":"Bouwmeester Brennen","year":"2021","unstructured":"Brennen Bouwmeester, Elsa Rodr\u00edguez, Carlos Ga\u00f1\u00e1n, Michel Van\u00a0Eeten, and Simon Parkin. 2021. \" The Thing Doesn\u2019t Have a Name\": Learning from Emergent { Real-World} Interventions in Smart Home Security. In Seventeenth Symposium on Usable Privacy and Security (SOUPS 2021). USENIX Association, Virtual Conference, 493\u2013512."},{"key":"e_1_3_3_3_9_2","doi-asserted-by":"crossref","unstructured":"Virginia Braun and Victoria Clarke. 2021. One size fits all? What counts as quality practice in (reflexive) thematic analysis? Qualitative research in psychology 18 3 (2021) 328\u2013352.","DOI":"10.1080\/14780887.2020.1769238"},{"key":"e_1_3_3_3_10_2","unstructured":"Bundesamt f\u00fcr Sicherheit in der Informationstechnik (BSI). n. d.. Smart Home. https:\/\/www.bsi.bund.de\/DE\/Themen\/Verbraucherinnen-und-Verbraucher\/Informationen-und-Empfehlungen\/Internet-der-Dinge-Smart-leben\/Smart-Home\/smart-home_node.html. [Accessed 11-2023]."},{"key":"e_1_3_3_3_11_2","doi-asserted-by":"crossref","unstructured":"Paul Cairney and Kathryn Oliver. 2017. Evidence-based policymaking is not like evidence-based medicine so how far should you go to bridge the divide between evidence and policy? Health research policy and systems 15 (2017) 1\u201311.","DOI":"10.1186\/s12961-017-0192-x"},{"key":"e_1_3_3_3_12_2","doi-asserted-by":"crossref","unstructured":"George Chalhoub and Ivan Flechais. 2022. Data protection at a discount: Investigating the ux of data protection from user designer and business leader perspectives. Proceedings of the ACM on Human-computer Interaction 6 CSCW2 (2022) 1\u201336.","DOI":"10.1145\/3555537"},{"key":"e_1_3_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1145\/3411764.3445691"},{"key":"e_1_3_3_3_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/eCrime47957.2019.9037589"},{"key":"e_1_3_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.1145\/3313831.3376214"},{"key":"e_1_3_3_3_16_2","volume-title":"Usability, Psychology, and Security 2008 (UPSEC 08)","author":"Cranor Lorrie\u00a0Faith","year":"2008","unstructured":"Lorrie\u00a0Faith Cranor. 2008. A Framework for Reasoning About the Human in the Loop. In Usability, Psychology, and Security 2008 (UPSEC 08). USENIX Association, San Francisco, CA, 15\u00a0pages. https:\/\/www.usenix.org\/conference\/upsec-08\/framework-reasoning-about-human-loop"},{"key":"e_1_3_3_3_17_2","unstructured":"Cybersecurity & Infrastructure Security Agency. 2021. Securing Internet of Things (IoT). https:\/\/www.cisa.gov\/news-events\/news\/securing-internet-things-iot. [Accessed from CISA News & Events]."},{"key":"e_1_3_3_3_18_2","unstructured":"Cyberwiser. 2018. National Cyber Security Agenda; A cyber secure Netherlands. https:\/\/bit.ly\/3ZgFqPy. [Accessed 12-2024]."},{"key":"e_1_3_3_3_19_2","unstructured":"European Commission. 2021. Commission Delegated Regulation (EU)...\/... of 29.10.2021 supplementing Directive 2014\/53\/EU of the European Parliament and of the Council with regard to the application of the essential requirements referred to in Article 3(3) points (d) (e) and (f) of that Directive. Text with EEA relevance SEC(2021) 382 final SWD(2021) 302 final SWD(2021) 303 final. https:\/\/single-market-economy.ec.europa.eu\/system\/files\/2021-10\/C_2021_7672_F1_COMMISSION_DELEGATED_REGULATION_EN_V10_P1_1428769.PDF Brussels 29.10.2021 C(2021) 7672 final."},{"key":"e_1_3_3_3_20_2","unstructured":"European Parliament. 2024. European Parliament legislative resolution of 12 March 2024 on the proposal for a regulation of the European Parliament and of the Council on horizontal cybersecurity requirements for products with digital elements and amending Regulation (EU) 2019\/1020 (COM(2022)0454 \u2013 C9-0308\/2022 \u2013 2022\/0272(COD)). https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=EP%3AP9_TA%282024%290130 Cyber Resilience Act."},{"key":"e_1_3_3_3_21_2","unstructured":"Federal Trade Commission. n. d.. Careful Connections: Building Security in the Internet of Things. https:\/\/www.ftc.gov\/business-guidance\/resources\/careful-connections-keeping-internet-things-secure. [Accessed 11-2023]."},{"key":"e_1_3_3_3_22_2","unstructured":"Fing. Accessed 12-2024. Network scanner at your fingertips - Manage your home network like a pro. https:\/\/www.fing.com\/."},{"key":"e_1_3_3_3_23_2","doi-asserted-by":"crossref","unstructured":"Dinei Flor\u00eancio Cormac Herley and Adam Shostack. 2014. FUD: A plea for intolerance. Commun. ACM 57 6 (2014) 31\u201333.","DOI":"10.1145\/2602323"},{"key":"e_1_3_3_3_24_2","unstructured":"F\u2011Secure. 2024. Connected Home Security for service providers. https:\/\/www.f-secure.com\/en\/partners\/solutions-and-services\/connected-home-security. [Accessed 11-2024]."},{"key":"e_1_3_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.2139\/ssrn.3426871"},{"key":"e_1_3_3_3_26_2","first-page":"411","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Haney Julie","year":"2021","unstructured":"Julie Haney, Yasemin Acar, and Susanne Furman. 2021. \"It\u2019s the Company, the Government, You and I\": User Perceptions of Responsibility for Smart Home Privacy and Security. In 30th USENIX Security Symposium (USENIX Security 21). USENIX Association, Berkeley, CA, USA, 411\u2013428. https:\/\/www.usenix.org\/conference\/usenixsecurity21\/presentation\/haney"},{"key":"e_1_3_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46215.2023.00045"},{"key":"e_1_3_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-50309-3_26"},{"key":"e_1_3_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1145\/1719030.1719050"},{"key":"e_1_3_3_3_30_2","doi-asserted-by":"crossref","unstructured":"Cormac Herley. 2013. More is not the answer. IEEE Security & Privacy 12 1 (2013) 14\u201319.","DOI":"10.1109\/MSP.2013.134"},{"key":"e_1_3_3_3_31_2","unstructured":"INCIBE - Instituto Nacional de Ciberseguridad. n. d.. Dispositivos IoT (Internet de las cosas). https:\/\/www.incibe.es\/ciudadania\/tematicas\/dispositivos-iot. [Accessed 11-2023]."},{"key":"e_1_3_3_3_32_2","unstructured":"I&O Research. 2022. Cybersecurity onderzoek Alert Online 2022. Available online at https:\/\/open.overheid.nl\/documenten\/ronl-f9dabadc3e7b330da895c60b98cf4db8ae54c95d\/pdf."},{"key":"e_1_3_3_3_33_2","doi-asserted-by":"crossref","unstructured":"Christopher\u00a0J Jewell and Lisa\u00a0A Bero. 2008. \u201cDeveloping good taste in evidence\u201d: facilitators of and hindrances to evidence-informed health policymaking in state government. The Milbank Quarterly 86 2 (2008) 177\u2013208.","DOI":"10.1111\/j.1468-0009.2008.00519.x"},{"key":"e_1_3_3_3_34_2","unstructured":"Kaspersky. 2024. Securing Your Smart Home. https:\/\/www.kaspersky.com\/resource-center\/preemptive-safety\/smart-home-security. [Accessed 11-2024]."},{"key":"e_1_3_3_3_35_2","first-page":"5145","volume-title":"Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23)","author":"Kohno Tadayoshi","year":"2023","unstructured":"Tadayoshi Kohno, Yasemin Acar, and Wulf Loh. 2023. Ethical frameworks and computer security trolley problems: Foundations for conversations. In Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, USA, 5145\u20135162."},{"key":"e_1_3_3_3_36_2","first-page":"1487","volume-title":"32nd USENIX Security Symposium (USENIX Security 23)","author":"Kustosch Lorenz","year":"2023","unstructured":"Lorenz Kustosch, Carlos Ga\u00f1\u00e1n, Mattis Van\u2019t\u00a0Schip, Michel Van\u00a0Eeten, and Simon Parkin. 2023. Measuring Up to (Reasonable) Consumer Expectations: Providing an Empirical Basis for Holding { IoT} Manufacturers Legally Responsible. In 32nd USENIX Security Symposium (USENIX Security 23). USENIX Association, Anaheim, CA, USA, 1487\u20131504."},{"key":"e_1_3_3_3_37_2","unstructured":"Ministry of Internal Affairs and Communications. n. d.. End User Security Guidelines. https:\/\/www.soumu.go.jp\/main_sosiki\/cybersecurity\/kokumin\/enduser\/enduser_security01_13.html. [Accessed 11-2023]."},{"key":"e_1_3_3_3_38_2","unstructured":"T. Mitchell. 2021. How Do You Communicate Uncertainty and Promote Public Health\u2014During COVID-19 and Beyond? https:\/\/hsph.harvard.edu\/exec-ed\/news\/how-do-you-communicate-uncertainty-and-promote-public-health-during-covid-19-and-beyond\/. [Accessed 11-2024]."},{"key":"e_1_3_3_3_39_2","volume-title":"Top tips for staying secure online","author":"Centre National Cyber Security","unstructured":"National Cyber Security Centre. n. d.. Top tips for staying secure online. (NCSC). https:\/\/www.ncsc.gov.uk\/collection\/top-tips-for-staying-secure-online\/install-the-latest-software-and-app-updates [Accessed 07-2024]."},{"key":"e_1_3_3_3_40_2","unstructured":"National Cyber Security Centre Switzerland. n. d.. Cyber Tipp: IoT. https:\/\/www.ncsc.admin.ch\/ncsc\/de\/home\/aktuell\/im-fokus\/2023\/cybertipp-iot.html [Accessed 11-2023]."},{"key":"e_1_3_3_3_41_2","first-page":"283","volume-title":"Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023)","author":"Neil Lorenzo","year":"2023","unstructured":"Lorenzo Neil, Harshini\u00a0Sri Ramulu, Yasemin Acar, and Bradley Reaves. 2023. Who Comes Up with this Stuff? Interviewing Authors to Understand How They Produce Security Advice. In Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023). USENIX Association, Anaheim, CA, 283\u2013299. https:\/\/www.usenix.org\/conference\/soups2023\/presentation\/neil"},{"key":"e_1_3_3_3_42_2","doi-asserted-by":"crossref","unstructured":"Kathryn Oliver and Paul Cairney. 2019. The dos and don\u2019ts of influencing policy: a systematic review of advice to academics. Palgrave Communications 5 1 (2019) 1\u201311.","DOI":"10.1057\/s41599-019-0232-y"},{"key":"e_1_3_3_3_43_2","unstructured":"Rikke \u00d8rngreen and Karin\u00a0Tweddell Levinsen. 2017. Workshops as a research methodology. Electronic Journal of E-learning 15 1 (2017) 70\u201381."},{"key":"e_1_3_3_3_44_2","doi-asserted-by":"publisher","DOI":"10.14722\/usec.2019.23024"},{"key":"#cr-split#-e_1_3_3_3_45_2.1","unstructured":"European Parliament and Council of\u00a0the European\u00a0Union. 2022. NIS 2 Directive (Directive"},{"key":"#cr-split#-e_1_3_3_3_45_2.2","unstructured":"(EU) 2022\/2555). https:\/\/eur-lex.europa.eu\/eli\/dir\/2022\/2555. [Accessed 12-2024]."},{"key":"e_1_3_3_3_46_2","doi-asserted-by":"publisher","DOI":"10.1145\/3025453.3025673"},{"key":"e_1_3_3_3_47_2","doi-asserted-by":"publisher","DOI":"10.5555\/3489212.3489218"},{"key":"e_1_3_3_3_48_2","doi-asserted-by":"crossref","unstructured":"Robert\u00a0W Reeder Iulia Ion and Sunny Consolvo. 2017. 152 simple steps to stay safe online: Security advice for non-tech-savvy users. IEEE Security & Privacy 15 5 (2017) 55\u201364.","DOI":"10.1109\/MSP.2017.3681050"},{"key":"e_1_3_3_3_49_2","unstructured":"Elvira Rodr\u00edguez Arman Noroozian Michel van Eeten and Carlos\u00a0Hernandez Ga\u00f1\u00e1n. 2021. Superspreaders: Quantifying the Role of IoT Manufacturers in Device Infections. Presented at the Annual Workshop on the Economics of Information Security (WEIS)."},{"key":"e_1_3_3_3_50_2","volume-title":"Proceedings of the 32nd USENIX Security Symposium","author":"Sombatruang Nissy","year":"2023","unstructured":"Nissy Sombatruang, Tristan Caulfield, Ingolf Becker, Akira Fujita, Takahiro Kasama, Koji Nakao, and Daisuke Inoue. 2023. Internet Service Providers\u2019 and Individuals\u2019 Attitudes, Barriers, and Incentives to Secure IoT. In Proceedings of the 32nd USENIX Security Symposium. USENIX Association, Anaheim, CA, USA, 19\u00a0pages."},{"key":"e_1_3_3_3_51_2","doi-asserted-by":"publisher","DOI":"10.1145\/3290605.3300314"},{"key":"e_1_3_3_3_52_2","doi-asserted-by":"crossref","unstructured":"Geordie Stewart and David Lacey. 2012. Death by a thousand facts: Criticising the technocratic approach to information security awareness. Information Management & Computer Security 20 1 (2012) 29\u201338.","DOI":"10.1108\/09685221211219182"},{"key":"e_1_3_3_3_53_2","unstructured":"The White House (US). 2023. Biden\u2013Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers. https:\/\/www.whitehouse.gov\/briefing-room\/statements-releases\/2023\/07\/18\/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers\/. [Accessed 08-2024]."},{"key":"e_1_3_3_3_54_2","unstructured":"UK Parliament. 2021. Product Security and Telecommunications Infrastructure Bill. https:\/\/bills.parliament.uk\/bills\/3069 [Accessed 11-2023]."},{"key":"e_1_3_3_3_55_2","unstructured":"Ministerie van Economische Zaken\u00a0en Klimaat. n. d.. Doe je updates. https:\/\/veiliginternetten.nl\/doejeupdates\/. [Accessed 11-2023]."},{"key":"e_1_3_3_3_56_2","unstructured":"Veerle van Harten Carlos\u00a0Hern\u00e1ndez Ga\u00f1\u00e1n Michel van Eeten and Simon Parkin. 2023. Easier Said Than Done: The Failure of Top-Level Cybersecurity Advice for Consumer IoT Devices. arxiv:https:\/\/arXiv.org\/abs\/2310.00942\u00a0[cs.CR]"},{"key":"e_1_3_3_3_57_2","doi-asserted-by":"publisher","unstructured":"Veerle van Harten and Michel van Eeten. 2023. Cybersecurity Workshop Smart Devices. 10.5281\/zenodo.14872940PowerPoint presentation.","DOI":"10.5281\/zenodo.14872940"},{"key":"e_1_3_3_3_58_2","doi-asserted-by":"crossref","unstructured":"Tommy Van\u00a0Steen Emma Norris Kirsty Atha and Adam Joinson. 2020. What (if any) behaviour change techniques do government-led cybersecurity awareness campaigns use? Journal of Cybersecurity 6 1 (2020) tyaa019.","DOI":"10.1093\/cybsec\/tyaa019"},{"key":"e_1_3_3_3_59_2","doi-asserted-by":"publisher","DOI":"10.1145\/2556288.2557275"},{"key":"e_1_3_3_3_60_2","first-page":"7031","volume-title":"Proceedings of the 33rd USENIX Security Symposium","author":"Vetrivel Swaathi","year":"2024","unstructured":"Swaathi Vetrivel, Brennen Bouwmeester, Michel van Eeten, and Carlos\u00a0H Ga\u00f1\u00e1n. 2024. { IoT} Market Dynamics: An Analysis of Device Sales, Security and Privacy Signals, and their Interactions. In Proceedings of the 33rd USENIX Security Symposium. USENIX Association, Philadelphia, PA, USA, 7031\u20137048."},{"key":"e_1_3_3_3_61_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSE-SEIP52600.2021.00011"},{"key":"e_1_3_3_3_62_2","doi-asserted-by":"crossref","unstructured":"Charles Weir Ingolf Becker and Lynne Blair. 2023. Incorporating software security: using developer workshops to engage product managers. Empirical Software Engineering 28 2 (2023) 21.","DOI":"10.1007\/s10664-022-10252-0"},{"key":"e_1_3_3_3_63_2","doi-asserted-by":"publisher","DOI":"10.1145\/3498891.3501257"},{"key":"e_1_3_3_3_64_2","doi-asserted-by":"publisher","DOI":"10.1145\/3613904.3642771"},{"key":"e_1_3_3_3_65_2","unstructured":"Yokohama National\u00a0University (YNU). 2024. am I infected? https:\/\/amii.ynu.codes\/. [Accessed 12-2024]."}],"event":{"name":"CHI 2025: CHI Conference on Human Factors in Computing Systems","location":"Yokohama Japan","acronym":"CHI '25","sponsor":["SIGCHI ACM Special Interest Group on Computer-Human Interaction"]},"container-title":["Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3706598.3713719","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3706598.3713719","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,7,4]],"date-time":"2025-07-04T05:31:33Z","timestamp":1751607093000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3706598.3713719"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,25]]},"references-count":65,"alternative-id":["10.1145\/3706598.3713719","10.1145\/3706598"],"URL":"https:\/\/doi.org\/10.1145\/3706598.3713719","relation":{},"subject":[],"published":{"date-parts":[[2025,4,25]]},"assertion":[{"value":"2025-04-25","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}