pith. sign in

arxiv: 1906.11094 · v1 · pith:WC5EG57Unew · submitted 2019-06-26 · 💻 cs.CR

Security Update Labels: Establishing Economic Incentives for Security Patching of IoT Consumer Products

Philipp Morgner , Christoph Mai , Nicole Koschate-Fischer , Felix Freiling , Zinaida Benenson This is my paper

Pith reviewed 2026-05-25 15:30 UTC · model grok-4.3

classification 💻 cs.CR
keywords IoT securitysecurity updatesconsumer choiceconjoint analysislabelseconomic incentivespatchingmandatory disclosure
0
0 comments X

The pith

Mandatory security update labels on IoT devices shift consumer choices by 8 to 35 percent depending on product risk level.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper tests whether forcing manufacturers to state on the box until what date they will provide security updates would change what consumers decide to buy. A conjoint experiment with more than 1400 participants measured how much weight buyers place on the promised update period compared with price, brand, and other features. The results indicate that update availability carries 8 to 35 percent of the decision weight, rising to twice the importance of other top attributes when the product category carries high perceived security risk. Provisioning speed for patches adds a further 7 to 25 percent weight. If these preferences hold in the market, the labels would give manufacturers a direct financial reason to extend support periods without any pre-release third-party inspection of the devices.

Core claim

The availability of security updates accounts for 8% to 35% impact on overall consumers' choice, depending on the perceived security risk of the product category. For products with a high perceived security risk, this availability is twice as important as other high-ranked product attributes. Provisioning time for security updates additionally accounts for 7% to 25% impact on consumers' choices. The proposed labels are intuitively understood by consumers, do not require product assessments by third parties before release, and have a potential to incentivize manufacturers to provide sustainable security support.

What carries the argument

Conjoint choice experiment that isolates the relative importance weights of security-update duration and provisioning time across different IoT product categories.

If this is right

  • Manufacturers gain a direct sales incentive to lengthen the period they commit to issuing security updates.
  • Regulators obtain a labeling scheme that requires no third-party product testing before market entry.
  • Consumer demand would favor devices whose labels promise longer guaranteed support, especially in high-risk categories.
  • The scheme works for any IoT category without needing separate security assessments for each model.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • If the labels change purchases at scale, the stock of long-supported IoT devices in homes would rise over successive product cycles.
  • The same label format could be tested on other connected devices whose security support also ends quickly after purchase.
  • A real deployment would need to check whether the survey weights survive when buyers see the labels next to actual prices and competing products.

Load-bearing premise

The stated preferences measured in the online conjoint survey will match real purchasing behavior once the labels become mandatory on actual store products.

What would settle it

A field study that places the proposed labels on real IoT products for sale and measures whether the resulting market shares deviate from the importance percentages reported in the conjoint results.

Figures

Figures reproduced from arXiv: 1906.11094 by Christoph Mai, Felix Freiling, Nicole Koschate-Fischer, Philipp Morgner, Zinaida Benenson.

Figure 1
Figure 1. Figure 1: In the first stage (Prestudy 1), two suitable product categories were selected. In the second stage (Prestudy 2), we determined the most important product attributes and their levels for each of the two product categories. In the third stage (Conjoint Analysis), we assessed the consumers’ preferences (RQ1), comparing the attributes of the security update label with other important product attributes. Final… view at source ↗
Figure 2
Figure 2. Figure 2: Screenshot of a choice task in the conjoint question [PITH_FULL_IMAGE:figures/full_fig_p017_2.png] view at source ↗
read the original abstract

With the expansion of the Internet of Things (IoT), the number of security incidents due to insecure and misconfigured IoT devices is increasing. Especially on the consumer market, manufacturers focus on new features and early releases at the expense of a comprehensive security strategy. Hence, experts have started calling for regulation of the IoT consumer market, while policymakers are seeking for suitable regulatory approaches. We investigate how manufacturers can be incentivized to increase sustainable security efforts for IoT products. We propose mandatory security update labels that inform consumers during buying decisions about the willingness of the manufacturer to provide security updates in the future. Mandatory means that the labels explicitly state when security updates are not guaranteed. We conducted a user study with more than 1,400 participants to assess the importance of security update labels for the consumer choice by means of a conjoint analysis. The results show that the availability of security updates (until which date the updates are guaranteed) accounts for 8% to 35% impact on overall consumers' choice, depending on the perceived security risk of the product category. For products with a high perceived security risk, this availability is twice as important as other high-ranked product attributes. Moreover, provisioning time for security updates (how quickly the product will be patched after a vulnerability is discovered) additionally accounts for 7% to 25% impact on consumers' choices. The proposed labels are intuitively understood by consumers, do not require product assessments by third parties before release, and have a potential to incentivize manufacturers to provide sustainable security support.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript proposes mandatory security update labels for IoT consumer products to create economic incentives for manufacturers to provide ongoing security support. It reports results from a conjoint analysis with more than 1,400 participants showing that availability of security updates (guaranteed until which date) accounts for 8% to 35% impact on consumer choice depending on perceived security risk of the product category, with this attribute twice as important as others for high-risk categories; provisioning time accounts for an additional 7% to 25% impact. The labels are described as intuitively understood without requiring third-party assessments.

Significance. If the conjoint results are robust, the work supplies large-sample empirical evidence on consumer valuation of security attributes in IoT purchases. This could inform regulatory design by quantifying potential demand shifts from labeling, offering an alternative to direct mandates or third-party certification schemes.

major comments (2)
  1. [Abstract and final paragraph] Abstract and final paragraph: the claim that the labels 'have a potential to incentivize manufacturers' rests on interpreting the conjoint part-worth utilities as evidence of market-level demand shifts. No revealed-preference benchmark, field validation, or bounding of the gap between hypothetical choices and actual purchases under mandatory labeling is provided, leaving the incentive conclusion dependent on an untested external-validity assumption.
  2. [User Study / Results sections] User Study / Results sections: the reported relative-importance percentages (8–35 % and 7–25 %) and the 'twice as important' claim lack accompanying confidence intervals, standard errors, or explicit robustness checks in the visible summary; without these it is difficult to assess whether the category-dependent differences are statistically distinguishable from noise.
minor comments (2)
  1. The abstract omits any mention of the conjoint model specification, attribute levels, or participant screening criteria; adding a concise sentence would improve immediate evaluability.
  2. Tables or figures presenting attribute importances would be clearer if they included error bars or significance indicators for the percentage impacts.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for their constructive comments on our manuscript. We address each major comment below and indicate planned revisions where appropriate.

read point-by-point responses

  1. Referee: [Abstract and final paragraph] Abstract and final paragraph: the claim that the labels 'have a potential to incentivize manufacturers' rests on interpreting the conjoint part-worth utilities as evidence of market-level demand shifts. No revealed-preference benchmark, field validation, or bounding of the gap between hypothetical choices and actual purchases under mandatory labeling is provided, leaving the incentive conclusion dependent on an untested external-validity assumption.

    Authors: We acknowledge that the study relies on stated preferences from conjoint analysis rather than revealed-preference data or field experiments. Conjoint analysis is a standard method for quantifying attribute importance in consumer research and has been applied to policy questions, but we agree that the translation to market-level demand shifts under mandatory labeling rests on an external-validity assumption not directly tested here. In the revised manuscript we will moderate the language in the abstract and conclusion to describe the results as indicating potential influence on consumer choice, and we will add an explicit limitations paragraph discussing the hypothetical-to-actual gap and citing relevant validation literature. revision: yes

  2. Referee: [User Study / Results sections] User Study / Results sections: the reported relative-importance percentages (8–35 % and 7–25 %) and the 'twice as important' claim lack accompanying confidence intervals, standard errors, or explicit robustness checks in the visible summary; without these it is difficult to assess whether the category-dependent differences are statistically distinguishable from noise.

    Authors: The reported percentages are derived from part-worth utilities in the conjoint model. While the full results section contains the underlying estimates, we agree that the summary presentations would be strengthened by explicit statistical detail. In the revision we will add bootstrapped confidence intervals and standard errors for the relative-importance measures, include these in the key tables and figures, and report additional robustness checks (alternative model specifications and segmentation) to allow evaluation of whether the observed differences across risk categories are statistically distinguishable from noise. revision: yes

Circularity Check

0 steps flagged

No circularity: empirical conjoint outputs are model-fitted quantities from external participant data

full rationale

The paper's central results (8-35% relative importance of security-update availability, 7-25% for provisioning time) are direct outputs of a standard conjoint analysis fitted to stated choices collected from 1400+ survey participants. These quantities are not defined in terms of themselves, not renamed known results, and not justified by self-citation chains. The interpretation step (that labels could create market incentives) is an external inference from the fitted part-worth utilities rather than a mathematical reduction to the paper's own inputs. No load-bearing self-citation or ansatz smuggling appears in the derivation of the reported percentages.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axioms · 0 invented entities

The central claim rests on the domain assumption that conjoint analysis measures stable preferences that translate to market behavior; no free parameters or invented entities are introduced beyond standard conjoint modeling.

axioms (1)
  • domain assumption Conjoint analysis choice data accurately reflect consumers' relative attribute importance in real purchase decisions
    Invoked when the abstract interprets the percentage impacts as evidence that labels will create economic incentives for manufacturers.

pith-pipeline@v0.9.0 · 5822 in / 1290 out tokens · 23890 ms · 2026-05-25T15:30:56.160880+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

143 extracted references · 143 canonical work pages

  1. [1]

    That ‘internet of things’ thing,

    K. Ashton, “That ‘internet of things’ thing,” RFiD Journal, vol. 22, no. 7, pp. 97–114, 2009

    work page 2009

  2. [2]

    Gartner says 8.4 billion connected

    Gartner, “Gartner says 8.4 billion connected ”things” will be in use in 2017, up 31 percent from 2016,” February 2017. [Online]. Available: https://www.gartner.com/newsroom/id/3598917

    work page arXiv 2017

  3. [3]

    End user security and privacy concerns with smart homes,

    E. Zeng, S. Mare, and F. Roesner, “End user security and privacy concerns with smart homes,” in 13th Symposium on Usable Privacy and Security, SOUPS , 2017, pp. 65–80

    work page 2017

  4. [4]

    New security priorities in an increasingly connected world,

    McAfee, “New security priorities in an increasingly connected world,” January 2018

    work page 2018

  5. [5]

    Rethinking access control and authentication for the home internet of things (IoT),

    W. He, M. Golla, R. Padhi, J. Ofek, M. D ¨urmuth, E. Fernandes, and B. Ur, “Rethinking access control and authentication for the home internet of things (IoT),” in 27th USENIX Security Symposium , 2018

    work page 2018

  6. [6]

    Exploring how privacy and security factor into IoT device purchase behavior,

    P. Emami-Naeini, H. Dixon, Y . Agarwal, and L. F. Cranor, “Exploring how privacy and security factor into IoT device purchase behavior,” in Proceedings of the 2019 CHI Conference on Human Factors in Computing Systems, CHI 2019, Glasgow, Scotland, UK , 2019

    work page 2019

  7. [7]

    Understanding the Mirai botnet,

    M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis, D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman, N. Sullivan, K. Thomas, and Y . Zhou, “Understanding the Mirai botnet,” in 26th USENIX Security Symposium , 2017, pp. 1093–1110

    work page 2017

  8. [8]

    Testimony of Bruce Schneier [...] before the U.S. House of Representatives [...] joint hearing entitled ‘Understanding the role of connected devices in recent cyber attacks’,

    B. Schneier, “Testimony of Bruce Schneier [...] before the U.S. House of Representatives [...] joint hearing entitled ‘Understanding the role of connected devices in recent cyber attacks’,” November 2016

    work page 2016

  9. [9]

    S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017,

    M. R. Warner, “S.1691 - Internet of Things (IoT) Cybersecurity Improvement Act of 2017,” August 2017

    work page 2017

  10. [10]

    SB-327 Information privacy: Con- nected devices,

    California Legislative Information, “SB-327 Information privacy: Con- nected devices,” September 2018

    work page 2018

  11. [11]

    Baseline security recommendations for IoT,

    European Union Agency for Network and Information Security (ENISA), “Baseline security recommendations for IoT,” October 2017

    work page 2017

  12. [12]

    Software vulnerability disclosure in Europe – Technology, policies and legal challenges,

    Centre for European Policy Studies, “Software vulnerability disclosure in Europe – Technology, policies and legal challenges,” June 2018

    work page 2018

  13. [13]

    Why information security is hard – An economic per- spective,

    R. Anderson, “Why information security is hard – An economic per- spective,” in 17th Annual Computer Security Applications Conference (ACSAC 2001), 2001

    work page 2001

  14. [14]

    The economics of information security,

    R. Anderson and T. Moore, “The economics of information security,” Science, vol. 314, no. 5799, pp. 610–613, 2006

    work page 2006

  15. [15]

    Exploring security economics in IoT standardization efforts,

    P. Morgner and Z. Benenson, “Exploring security economics in IoT standardization efforts,” in Proceedings of the NDSS Workshop on Decentralized IoT Security and Standards, DISS’18 , 2018

    work page 2018

  16. [16]

    The market for ‘lemons’: Quality uncertainty and the market mechanism,

    G. A. Akerlof, “The market for ‘lemons’: Quality uncertainty and the market mechanism,” The Quarterly Journal of Economics , vol. 84, no. 3, pp. 488–500, 1970

    work page 1970

  17. [17]

    Thirty years of conjoint analysis: Reflections and prospects,

    P. E. Green, A. M. Krieger, and Y . Wind, “Thirty years of conjoint analysis: Reflections and prospects,” Interfaces, vol. 31, no. 3, pp. 56– 73, 2001

    work page 2001

  18. [18]

    Commercial use of con- joint analysis in Europe: Results and critical reflections,

    D. R. Wittink, M. Vriens, and W. Burhenne, “Commercial use of con- joint analysis in Europe: Results and critical reflections,” International Journal of Research in Marketing , vol. 11, no. 1, pp. 41–52, 1994

    work page 1994

  19. [19]

    Good counsel: Using conjoint analysis to calculate damages,

    S. M. Handmaker, “Good counsel: Using conjoint analysis to calculate damages,” Trial, June 2018

    work page 2018

  20. [20]

    H.R.6 - Energy Independence and Security Act of 2007,

    Library of Congress, “H.R.6 - Energy Independence and Security Act of 2007,” 2007

    work page 2007

  21. [21]

    Directive 2010/30/EU,

    European Parliament and the Council of the European Union, “Directive 2010/30/EU,” May 2010. [Online]. Available: http: //eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32010L0030

    work page 2010

  22. [22]

    Winward, P

    J. Winward, P. Schiellerup, and B. Boardman, Cool labels: The first three years of the European energy label . Energy and Environment Programme, Environmental Change Unit, Univ. of Oxford, 1998

    work page 1998

  23. [23]

    Monitoring of energy efficiency trends of refrigerators, freezers, washing machines and washer-driers sold in the EU,

    P. Waide, “Monitoring of energy efficiency trends of refrigerators, freezers, washing machines and washer-driers sold in the EU,” PW Consulting for ADEME on behalf of the European Commission (SAVE). PW Consulting: Manchester , 2001

    work page 2001

  24. [24]

    The influence of eco-labelling on consumer behaviour – results of a discrete choice analysis for washing machines,

    K. Sammer and R. W ¨ustenhagen, “The influence of eco-labelling on consumer behaviour – results of a discrete choice analysis for washing machines,” Business Strategy and the Environment , vol. 15, no. 3, pp. 185–199, 2006

    work page 2006

  25. [25]

    Lifespan label for electrical products – Study on the effect of lifespan information for electrical products on the purchasing decision,

    Federal Ministry for Environment, Nature Conservation, Construction and Nuclear Safety (Germany), “Lifespan label for electrical products – Study on the effect of lifespan information for electrical products on the purchasing decision,” July 2017

    work page 2017

  26. [26]

    A ‘nutrition label’ for privacy,

    P. G. Kelley, J. Bresee, L. F. Cranor, and R. W. Reeder, “A ‘nutrition label’ for privacy,” in Proceedings of the 5th Symposium on Usable Privacy and Security, SOUPS , 2009

    work page 2009

  27. [27]

    Standardizing privacy notices: An online study of the nutrition label approach,

    P. G. Kelley, L. Cesca, J. Bresee, and L. F. Cranor, “Standardizing privacy notices: An online study of the nutrition label approach,” in Proceedings of the 28th International Conference on Human Factors in Computing Systems, CHI 2010 , 2010, pp. 1573–1582

    work page 2010

  28. [28]

    The effect of online privacy information on purchasing behavior: An experimental study,

    J. Y . Tsai, S. Egelman, L. F. Cranor, and A. Acquisti, “The effect of online privacy information on purchasing behavior: An experimental study,” Information Systems Research , vol. 22, no. 2, pp. 254–268, 2011

    work page 2011

  29. [29]

    Selling a single item with negative externalities,

    T. Chattopadhyay, N. Feamster, M. V . X. Ferreira, D. Y . Huang, and S. M. Weinberg, “Selling a single item with negative externalities,” in The World Wide Web Conference (WWW’19) . New York, NY , USA: ACM, 2019, pp. 196–206

    work page 2019

  30. [30]

    Market share constraints and the loss function in choice-based conjoint analysis,

    T. J. Gilbride, P. J. Lenk, and J. D. Brazell, “Market share constraints and the loss function in choice-based conjoint analysis,” Marketing Science, vol. 27, no. 6, pp. 995–1011, 2008

    work page 2008

  31. [31]

    Which conjoint method should I use,

    B. Orme, “Which conjoint method should I use,” Sawtooth Software Research Paper Series, 2014

    work page 2014

  32. [32]

    An approach to improve the predictive power of choice-based conjoint analysis,

    S. V oleti, V . Srinivasan, and P. Ghosh, “An approach to improve the predictive power of choice-based conjoint analysis,” International Journal of Research in Marketing , vol. 34, no. 2, pp. 325 – 335, 2017

    work page 2017

  33. [33]

    Using conjoint analysis to assess women’s preferences for miscarriage management,

    M. Ryan and J. Hughes, “Using conjoint analysis to assess women’s preferences for miscarriage management,” Health Economics , vol. 6, no. 3, pp. 261–273, 1997

    work page 1997

  34. [34]

    The Apple vs. Samsung ‘Patent trial of the century,’ Conjoint analysis, and Sawtooth Software,

    Sawtooth Software, Inc., “The Apple vs. Samsung ‘Patent trial of the century,’ Conjoint analysis, and Sawtooth Software,” 2012

    work page 2012

  35. [35]

    Do consumers care about ethics? Willingness to pay for fair-trade coffee,

    P. de Pelsmacker, L. Driesen, and G. Rayp, “Do consumers care about ethics? Willingness to pay for fair-trade coffee,” The Journal of Consumer Affairs , vol. 39, no. 2, pp. 363–385, 2005

    work page 2005

  36. [36]

    Testing consumer perception of nutrient content claims using conjoint analy- sis,

    A. Drewnowski, H. Moskowitz, M. Reisner, and B. Krieger, “Testing consumer perception of nutrient content claims using conjoint analy- sis,” Public Health Nutrition , vol. 13, no. 5, p. 688–694, 2010

    work page 2010

  37. [37]

    Colour me in – an empirical study on consumer responses to the traffic light signposting system in nutrition labelling,

    S. Hieke and P. Wilczynski, “Colour me in – an empirical study on consumer responses to the traffic light signposting system in nutrition labelling,” Public Health Nutrition , vol. 15, no. 5, p. 773–782, 2012

    work page 2012

  38. [38]

    The influence of eco-labelling on consumer behaviour–results of a discrete choice analysis for washing machines,

    K. Sammer and R. W ¨ustenhagen, “The influence of eco-labelling on consumer behaviour–results of a discrete choice analysis for washing machines,” Business Strategy and the Environment , vol. 15, no. 3, pp. 185–199, 2006

    work page 2006

  39. [39]

    How certification systems fail: Lessons from the Ware report,

    S. J. Murdoch, M. Bond, and R. Anderson, “How certification systems fail: Lessons from the Ware report,” IEEE Security & Privacy , vol. 10, no. 6, pp. 40–44, 2012

    work page 2012

  40. [40]

    Standardisation and certi- fication of the ‘Internet of Things’,

    ´E. Leverett, R. Clayton, and R. Anderson, “Standardisation and certi- fication of the ‘Internet of Things’,” 2017, 16th Annual Workshop on the Economics of Information Security, WEIS 2017

    work page 2017

  41. [41]

    Ideal based cyber security technical metrics for control systems,

    W. Boyer and M. McQueen, “Ideal based cyber security technical metrics for control systems,” in Critical Information Infrastructures Security. Springer Berlin Heidelberg, 2008, pp. 246–260

    work page 2008

  42. [42]

    Using the vulnerability information of computer systems to improve the network security,

    Y . Lai and P. Hsia, “Using the vulnerability information of computer systems to improve the network security,” Computer Communications, vol. 30, no. 9, pp. 2032–2047, 2007

    work page 2032

  43. [43]

    A complete guide to the common vulnerability scoring system version 2.0 (2007),

    P. Mell, K. Scarfone, and S. Romanosky, “A complete guide to the common vulnerability scoring system version 2.0 (2007),” 2007

    work page 2007

  44. [44]

    Estimating a system’s mean time-to- compromise,

    D. J. Leversage and E. J. Byres, “Estimating a system’s mean time-to- compromise,” IEEE Security Privacy , vol. 6, no. 1, pp. 52–60, 2008

    work page 2008

  45. [45]

    Measuring, analyzing and predicting security vulnerabilities in software systems,

    O. H. Alhazmi, Y . K. Malaiya, and I. Ray, “Measuring, analyzing and predicting security vulnerabilities in software systems,” Computers & Security, vol. 26, no. 3, pp. 219–228, 2007

    work page 2007

  46. [46]

    Jones and O

    C. Jones and O. Bonsignour, The Economics of Software Quality . Pearson Education, 2011

    work page 2011

  47. [47]

    Energy and water use labeling for consumer products under the Energy Policy and Conservation Act (“Energy Labeling Rule

    Federal Trade Commission, “Energy and water use labeling for consumer products under the Energy Policy and Conservation Act (“Energy Labeling Rule”),” 2018. [Online]. Available: https://www. ftc.gov/enforcement/rules/rulemaking-regulatory-reform-proceedings/ energy-water-use-labeling-consumer

    work page 2018

  48. [48]

    ISO/IEC 29147:2014 – Information technology – Security techniques – Vulnerability disclo- sure,

    International Organization for Standardization, “ISO/IEC 29147:2014 – Information technology – Security techniques – Vulnerability disclo- sure,” February 2014

    work page 2014

  49. [49]

    ISO/IEC 30111:2013 – Information technology – Security techniques – Vulnerability handling processes,

    ——, “ISO/IEC 30111:2013 – Information technology – Security techniques – Vulnerability handling processes,” November 2013

    work page 2013

  50. [50]

    Regu- lation (EU) 2016/679,

    European Parliament and the Council of the European Union, “Regu- lation (EU) 2016/679,” April 2016. 14

    work page 2016

  51. [51]

    Betrayed by updates: How negative experiences affect future security,

    K. Vaniea, E. J. Rader, and R. Wash, “Betrayed by updates: How negative experiences affect future security,” in CHI Conference on Human Factors in Computing Systems, CHI’14 , 2014, pp. 2671–2674

    work page 2014

  52. [52]

    Tales of software updates: The process of updating software,

    K. Vaniea and Y . Rashidi, “Tales of software updates: The process of updating software,” in Proceedings of the 2016 CHI Conference on Human Factors in Computing Systems , 2016, pp. 3215–3226

    work page 2016

  53. [53]

    Do or do not, there is no try: User engagement may not improve security outcomes,

    A. Forget, S. Pearman, J. Thomas, A. Acquisti, N. Christin, L. F. Cranor, S. Egelman, M. Harbach, and R. Telang, “Do or do not, there is no try: User engagement may not improve security outcomes,” in 12th Symposium on Usable Privacy and Security, SOUPS , 2016

    work page 2016

  54. [54]

    Impact of user characteristics on attitudes towards automatic mobile application updates,

    A. Mathur and M. Chetty, “Impact of user characteristics on attitudes towards automatic mobile application updates,” in 13th Symposium on Usable Privacy and Security, SOUPS , 2017, pp. 175–193

    work page 2017

  55. [55]

    The economics of moral hazard: Comment,

    M. V . Pauly, “The economics of moral hazard: Comment,” The Amer- ican Economic Review , vol. 58, no. 3, pp. 531–537, 1968

    work page 1968

  56. [56]

    Households and NPISHs final consumption expenditure,

    World Bank, “Households and NPISHs final consumption expenditure,”

    work page

  57. [57]

    Available: https://data.worldbank.org/indicator/NE

    [Online]. Available: https://data.worldbank.org/indicator/NE. CON.PRVT.CD

    work page

  58. [58]

    How well do my results generalize? Comparing security and privacy survey results from MTurk, web, and telephone samples,

    E. M. Redmiles, S. Kross, and M. L. Mazurek, “How well do my results generalize? Comparing security and privacy survey results from MTurk, web, and telephone samples,” in 2019 IEEE Symposium on Security and Privacy (SP) , 2019, pp. 227–244

    work page 2019

  59. [59]

    Data management services: AI training data, text creation, web researches,

    Clickworker, “Data management services: AI training data, text creation, web researches,” 2018. [Online]. Available: https://www. clickworker.com/

    work page 2018

  60. [60]

    An extended privacy calculus model for e- commerce transactions,

    T. Dinev and P. Hart, “An extended privacy calculus model for e- commerce transactions,” Information Systems Research, vol. 17, no. 1, pp. 61–80, 2006

    work page 2006

  61. [61]

    Self-confidence trumps knowledge: A cross-cultural study of security behavior,

    Y . Sawaya, M. Sharif, N. Christin, A. Kubota, A. Nakarai, and A. Yamada, “Self-confidence trumps knowledge: A cross-cultural study of security behavior,” in Proceedings of the 2017 CHI Conference on Human Factors in Computing Systems , 2017, pp. 2202–2214

    work page 2017

  62. [62]

    Consumer acceptance and use of information technology: Extending the unified theory of acceptance and use of technology,

    V . Venkatesh, J. Y . L. Thong, and X. Xu, “Consumer acceptance and use of information technology: Extending the unified theory of acceptance and use of technology,” MIS Quarterly, vol. 36, no. 1, pp. 157–178, 2012

    work page 2012

  63. [63]

    Cohen, Statistical power analysis for the behavioral sciences

    J. Cohen, Statistical power analysis for the behavioral sciences . Lawrence Erlbaum Associates, 1988

    work page 1988

  64. [64]

    Field, Discovering statistics using IBM SPSS statistics

    A. Field, Discovering statistics using IBM SPSS statistics . Sage Publications, 2013

    work page 2013

  65. [65]

    Branding strategies, mar- keting communication, and perceived brand meaning: The transfer of purposive, goal–oriented brand meaning to brand extensions,

    I. M. Martin, D. W. Stewart, and S. Matta, “Branding strategies, mar- keting communication, and perceived brand meaning: The transfer of purposive, goal–oriented brand meaning to brand extensions,” Journal of the Academy of Marketing Science , vol. 33, no. 3, pp. 275–294, 2005

    work page 2005

  66. [66]

    Play, flow, and the online search experience,

    C. Mathwick and E. Rigdon, “Play, flow, and the online search experience,” Journal of Consumer Research , vol. 31, no. 2, pp. 324– 332, 2004

    work page 2004

  67. [67]

    Situational price sensitivity: The role of consumption occasion, social context and income,

    K. L. Wakefield and J. Inman, “Situational price sensitivity: The role of consumption occasion, social context and income,” Journal of Retailing, vol. 79, no. 4, pp. 199–212, 2003

    work page 2003

  68. [68]

    Base-rate information in consumer attributions of product-harm crises,

    J. Lei, N. Dawar, and Z. G ¨urhan-Canli, “Base-rate information in consumer attributions of product-harm crises,” Journal of Marketing Research, vol. 49, no. 3, pp. 336–348, 2012

    work page 2012

  69. [69]

    The role of attitude toward the ad as a mediator of advertising effectiveness: A test of competing explanations,

    S. B. MacKenzie, R. J. Lutz, and G. E. Belch, “The role of attitude toward the ad as a mediator of advertising effectiveness: A test of competing explanations,” Journal of Marketing Research, vol. 23, no. 2, pp. 130–143, 1986

    work page 1986

  70. [70]

    Predicting e-services adoption: A perceived risk facets perspective,

    M. Featherman and P. A. Pavlou, “Predicting e-services adoption: A perceived risk facets perspective,” Int. J. Hum.-Comput. Stud. , vol. 59, no. 4, pp. 451–474, 2003

    work page 2003

  71. [71]

    Examining multi-dimensional trust and multi-faceted risk in initial acceptance of emerging technolo- gies: An empirical study of mobile banking services,

    X. Luo, H. Li, J. Zhang, and J. Shim, “Examining multi-dimensional trust and multi-faceted risk in initial acceptance of emerging technolo- gies: An empirical study of mobile banking services,” Decision Support Systems, vol. 49, no. 2, pp. 222–234, 2010

    work page 2010

  72. [72]

    Perceived usefulness, perceived ease of use, and user acceptance of information technology,

    F. D. Davis, “Perceived usefulness, perceived ease of use, and user acceptance of information technology,” MIS Quarterly, vol. 13, no. 3, pp. 319–340, 1989

    work page 1989

  73. [73]

    Are multichannel customers really more valuable? The moderating role of product category characteristics,

    T. Kushwaha and V . Shankar, “Are multichannel customers really more valuable? The moderating role of product category characteristics,” Journal of Marketing , vol. 77, no. 4, pp. 67–85, 2013

    work page 2013

  74. [74]

    The components of perceived risk,

    J. Jacoby and L. B. Kaplan, “The components of perceived risk,” ACR Special Volumes, 1972

    work page 1972

  75. [75]

    An in- tegrated framework for the conceptualization of consumers’ perceived- risk processing,

    M. P. Conchar, G. M. Zinkhan, C. Peters, and S. Olavarrieta, “An in- tegrated framework for the conceptualization of consumers’ perceived- risk processing,” Journal of the Academy of Marketing Science, vol. 32, no. 4, pp. 418–436, September 2004

    work page 2004

  76. [76]

    G*Power 3: A flexible statistical power analysis program for the social, behavioral, and biomedical sciences,

    F. Faul, E. Erdfelder, A.-G. Lang, and A. Buchner, “G*Power 3: A flexible statistical power analysis program for the social, behavioral, and biomedical sciences,” Behavior Research Methods , vol. 39, no. 2, pp. 175–191, May 2007

    work page 2007

  77. [77]

    LimeSurvey: The online survey tool - open source surveys,

    LimeSurvey, “LimeSurvey: The online survey tool - open source surveys,” 2018. [Online]. Available: https://www.limesurvey.org/

    work page 2018

  78. [78]

    Conjoint analysis in consumer research: Issues and outlook,

    P. E. Green and V . Srinivasan, “Conjoint analysis in consumer research: Issues and outlook,” Journal of Consumer Research , vol. 5, no. 2, pp. 103–123, 1978

    work page 1978

  79. [79]

    Hybrid individualized two-level choice-based conjoint (HIT-CBC): A new method for measuring preference struc- tures with many attribute levels,

    F. Eggers and H. Sattler, “Hybrid individualized two-level choice-based conjoint (HIT-CBC): A new method for measuring preference struc- tures with many attribute levels,” International Journal of Research in Marketing, vol. 26, no. 2, pp. 108–118, 2009

    work page 2009

  80. [80]

    Discrete choice experiments are not conjoint analysis,

    J. J. Louviere, T. N. Flynn, and R. T. Carson, “Discrete choice experiments are not conjoint analysis,” Journal of Choice Modelling , vol. 3, no. 3, pp. 57–72, 2010

    work page 2010

Showing first 80 references.