Stay smart: helping consumers choose cyber secure smart devices

Authored on
3 years 1 month ago
Complete
Project Type
Evaluation report
Policy Area
Cyber
Partner agencies
Department of Home Affairs
Registration date
Friday, 13 August 2021

‘Smart devices’ are products with extra functionality to connect to the internet (like smart lights, TVs, and watches). Internationally, cyber security labels have been introduced to help consumers choose smart devices that are more cyber secure. BETA collaborated with the Department of Home Affairs to evaluate the effectiveness of cyber security labels in the Australian context, to test how they influence people’s purchasing decisions, and understand how they influence awareness about the risks of insecure smart devices. We found participants in an online ‘shopping scenario’ were more likely to choose a device with a cyber security label than a device without a label. All the three labels we tested influenced participants’ choices, but a ‘graded’ shield label with four levels had the biggest impact.

ADDITIONAL TRIAL INFORMATION

Intervention start and end date:

27 July 2021 to 11 August 2021

Ethics approval:

Macquarie University, 24 June 2021

Experimental design including randomisation:

An online survey experiment combining two research methods: a randomised control trial (RCT) and a discrete choice experiment (DCE). We combined both methods by randomly assigning each participant to see one of the three label types (the RCT), and then asking them to complete a shopping scenario (the DCE) in which they used the label to make purchasing decisions about smart devices.

Intervention(s):

Three different cyber security labels were developed. We tested two ‘expiry’ labels: one was plain text, and another included an icon and a government URL. A third ‘graded’ label incorporated several behavioural insights principles, including blue shield icons (for salience and novelty) and a ‘tick-mark’ (positive and familiar).

Control condition:

No label

Outcome(s):

We had two primary outcomes for this experiment.

Randomised Controlled Trial (RCT) Component

The primary outcome measure for the RCT component was whether, for each choice set, an individual chose to ‘buy’ a device with a cyber security label. We calculated sample proportions from this binary measure.

Discrete Choice Experiment (DCE) component

The primary outcome measure for the DCE component was the device each individual chose to ‘buy’, in each of ten choice sets (each choice set contained three variations on a single device – e.g., watch or TV).

See the pre-analysis plan for secondary outcome measures.

Expected sample size:

Expected 6,000, final sample size was 5,943

Other:

This trial was publicly pre-registered on the AEA registry, record number AEARCTR-008044.