Internet of Things

(1)

Adam Beskow

Internet of Things

A qualitative study about people’s knowledge of IoT and concerns in using IoT devices

The network of physical objects

Bachelor’s degree

Term: Autumn-20 Supervisor: Bridget Kane

Date: 2021-01-04

(2)

Abstract

Internet of Things (IoT) devices often described as Smart products for consumers consists of physical things that inherit an Internet connection and therefore enable physical things to talk between each other and with people. IoT is a growing market with products existing in e.g., consumers' homes, healthcare, or industries. These physical things have sensors that can gather information about users which later on can be used to adapt the behaviors of IoT devices or create profiles of users. As with any device that is connected to the Internet, IoT devices can fall victim to attacks from outside parties that try to steal private information or observe users of the devices.

With the growing market, it is of importance to understand what people know about IoT devices and that a Smart home does not come with comfortability without its rough edges.

This Bachelor thesis answers what people know about IoT, how they handle security issues, and the sharing of people’s personal information.

The data was gathered through a survey that had 133 participants, the survey was shared in Facebook groups and spread through the snowball effect. After a participant was done with the survey, they were urged to continue to share the survey with people they knew.

The result shows that the majority of people have not heard the term IoT before and that it is not common to take steps in protecting private information when using IoT devices. IoT is a term that is unfamiliar to many, the result shows that the term Smart devices is more

commonly used than IoT devices among people.

(3)

1. Introduction

2007 was the year when people moved into cities and left the rural, now more than 50 percent of people in the world live in cities. According to the United Nations (2018), the trend does not seem to change, reports suggest 55% of the earth's human inhabitants lived in urban territories in 2018 and the number is estimated to grow to 68% by 2050.

The technology in cities is evolving rapidly to adapt to the numbers of urban living people, the use of tech in different fields such as healthcare, manufacturing but also in mundane things which are meant to target consumers is a large and growing market. This means that people more and more can adapt their lives by introducing Smart products in their homes.

These Smart products which can be a variety of physical objects can help the user in different tasks and create a connection between the user itself and all the Smart devices.

While physical things more and more can create connections it also opens doors that are hard to see. These doors are meant to be shut and protected, but the connections which are enabled through the Internet, these physical things now stand under the threat of cyber-attacks. The cost of using IoT devices is the user’s privacy.

1.1 Problem area

“The same incredible growth of people using the Internet in the 1990s is now being repeated by things using the Internet in the 2010s.” (Shelby in Holler et al. 2014, p.XI)

On the 13 of April 2010, Hans Vestberg, new in his position as CEO and president over Ericsson visioned that there would exist 50 billion connected devices in 2020 (Ericsson, 2010). This statement was made in a time when the IoT terms were not widely used yet, even though the term itself was coined in 1999 by Kevin Ashton. The 50 billion devices included a variety of products, even laptops, and Smartphones which are not usually accounted for as being IoT devices.

IoT devices are all around us for the most part, it can be the car you pass on the street, the smart lights in your home, the manufacturing devices in a factory, or the lock on a door. All these devices share a thing, and that is the connection to the Internet, the ability for devices to speak to each other, they are devices that usually do not have an Internet connection (Holler et al. 2014, p14). These devices can often be reached through a Smartphone and an app that act as a controller. If a person wants to be sure that there is hot water in the boiler when they arrive home or enable the heating in their car on a cold day, the person can do that through their phone.

In recent years there have been reports of privacy and security issues with smart devices, users who feel observed, devices that record their surroundings or collect and share data with other companies. Users should be advised what a product does with collected data and in the same way, be able to consent to it. When using IoT devices, the user needs to consent to share their data through the devices, these terms that need consent can often be complex and

sometimes hard to find for the user. The user sometimes accepts the terms without even

(9)

(Ericsson 2015). 26 billion is still a large number that will affect people's lives, either selfselected or not, people will still handle devices that are connected in some way.

Because of the growing market of IoT devices, more people will encounter these devices in their daily life. What people might not know is that all of these devices can communicate with each other, share the data that is collected and send it to be stored in cloud storage to be used in advertisements or tailoring the experiences when using IoT devices based on earlier usage. This thesis will answer the questions of what people know about IoT devices, if they are concerned about IoT devices sharing their private information and if people use measures to secure their privacy.

1.2 Target groups

The target group of this thesis is broad in the aspect of the research that is done. By answering what people know about IoT and if the technology is concerning from a privacy perspective the result can be of value to different people. The target group is therefore people who find it interesting to see people’s knowledge about IoT. It can also be informative for other

researchers who have some of the same questions and/or people who want to know more about IoT and/or companies.

1.3 Purpose

The purpose of the thesis is to research people's knowledge of IoT, the perception of sharing private information, and if people are taking measures in protecting their private information when using IoT devices.

1.4 Scope

IoT is a large and complex topic that includes many aspects that can be of interest to industries, politicians, or consumers. By narrowing down and focusing on fewer aspects of IoT the thesis presents a result with reliable discussions and a valid result.

The scope is based on the RQ since the empirical result is the answers to the RQ. By

questioning if people have heard of the term IoT, what they know about IoT devices, if they are concerned about their privacy when using an IoT device, and if people are taking actions to ensure their privacy safety, the result consists of people’s knowledge of IoT technology, their experience, and their concerns of their privacy.

IoT devices are used in different environments such as in society, healthcare, industries, and agriculture. These are meaningful additions that enable new ways of thinking and adapting to situations.

The scope is demarcated to the bullet points below

• The basics of IoT

• Some of the technologies that enable it IoT devices in homes e.g., Smart devices.

• Security and privacy issues.

• How security and privacy issues are and can be minimized.

(10)

With this scope, the result is more concentrated and clearer, the spread is less due to the significance between each limitation. As the technology evolves and new ideas come to fruition the technology behind IoT and the aspects that belong to it grows and gets harder to detail.

The thesis, therefore, avoids focusing on the future of IoT and the usages of IoT outside of homes. Some exceptions can be seen in the Theory chapter.

(11)

2. Theory

This chapter will introduce IoT, the tech that enables IoT, common threats to IoT devices, prior studies on people’s knowledge of IoT, and the search terms which were used.

Guidelines by Robson (2014, p71) were used in search of reference literature and information about IoT technology and prior studies. Robson suggests that the literature first should be sorted into three different piles, the Key sources pile where essential literature is placed. This literature might inspire the model which the researcher follows. Useful sources that usually end up as research. The last pile is the Useless sources where literature that seemed to be useful but later turned up as useless is placed.

By first skimming through literature to find out if it is useful, it can be read more thoroughly when needed.

2.1 Search terms

When searching for literature, databases through Karlstad and Örebro university have been used. The used search terms were:

• Internet of Things

• Internet of Things introduction

• Internet of Things security issues

• Internet of Things privacy issues

• Internet of Things general knowledge

• Internet of Things knowledge study

• IoT knowledge study

The reasoning why there are three search terms that consist of the word knowledge is that it was difficult to find prior studies on people’s knowledge of IoT. Google Scholar and Google search have also been used to some extent, the sources found through Google have been taken into consideration due to reliability and validity. YouTube was also used for Ted Talks about IoT.

2.2 Literature overview

IoT is a technology that has been around for some years, the knowledge about the term and the technology itself can, however, be questioned due to the growth of the technology. This thesis is about to study people’s knowledge of IoT and how they use IoT devices. The literature overview is an introduction to the RQ and therefore also to the result and

discussion. The literature overview also works as a summarize of IoT which is researched, and even though some of these concepts are not directly part of the purpose or the result, the information is needed to create a picture of IoT.

2.3 Machine-to-machine

M2M is the technology that enables machines to speak to each other through a connection but without the use of the Internet, it is instead a more limited connection that enables only the machines on the same connection to speak to each other.

(12)

According to Holler et al. (2014, p.11), the M2M connection and work are often associated with industries because of their ability to monitor productivity, increase security, and reduce costs in production. This is related to limited connection, due to the lack of Internet the security is higher because the machines will not be able to share their data online through the Internet.

M2M solutions generally have a special purpose where they have a single task or managing a single problem, instead of multitasking the M2M solution does a single thing for a single company (Holler et al. 2014, p36). This is one of the bigger differences to IoT devices which are more commonly doing multiple actions.

2.4 Internet of Things

“Now in a digital world, we can make everything talk to each other. We can make our phones talk to each other and we can make Facebook talk to each other. And in the physical world, not so much.

This is where our lives and technological development kind of stopped, but now we are able to build a network, so, multiple of physical objects, your chair, your table, your lounge, those tim tams in the

fridge that are connected to the Internet” (Duffy 2016).

IoT is a technology that evolved through the growing market of Internet and connection.

M2M was the start of what further on became IoT. Machines could work together through the M2M technology, but with a limited connection, the machines were halted in their abilities.

This came to a change when IoT devices were introduced, the variety of things that now could create connections through the Internet could now also create connections to people.

Below is an introduction to the IoT and information about the Smart devices in people’s homes.

2.4.1 Introduction to IoT

Due to people being more introduced to technology in ordinary life the demand grows, nowadays there are a lot of people who own multiple products that are connected to the Internet, there is a growing market for devices that enables data collection from the user (Fu et al. 2017, p2).

IoT devices are physical entities that have not been connected to the Internet before but now have entered a stage where they can speak to each other. IoT is an extension that enables physical things to interact with people in new ways, it enables people to have control and the ability to monitor from afar. These devices can now access data from other places and in that way benefit the user, even if the user is a private person, a business, or the government (Holler et al. 2014, p14).

Duffy (2016) describes the IoT as an opportunity for the user to be able to speak to physical objects and for objects to speak to each other. A smart fridge that knows if someone is

running low on a product can then tell the owner to stock up, the owner can, in the same way, tell the fridge to place an order or to lower the degrees through e.g., a Smartphone. The Smart fridge is also available to speak to other devices that share an Internet connection, the fridge

(13)

The Internet gave people the ability to stay connected over distances and time differences, IoT on the other hand gave devices the ability to stay connected and exchange information all by themselves without the impact of humans (Xiang 2018).

IoT has exploded over the years and the development and sustaining costs are forecasted to be as much as 11.1 trillion dollars by 2025 and the reasoning behind this is:

• Lower costs of hardware.

• High availability of resources.

• The connected and digital world we live in.

• And the ease and simplicity to put the devices together.

According to Duffy (2016)

The IoT devices can be found in a lot of different branches such as agriculture, health care, consumer electronics, and infrastructures. Water supply can be adapted through the help of sensors that monitor the crops and robots, or other entities can be remotely controlled. One of the most common uses of IoT devices is in tracking goods through manufacturing according to Weber (2014, p618).

A big difference to M2M is that an IoT device can collect data from a broader perspective (Holler et al. 2014, p17). Contradictory to the M2M solution which usually works in a smaller context and has limits on which data it can collect, an IoT device can follow a person and not only get information such as how many steps a person has taken or the person's heart rate but also personal information such as how many phone calls a person have gotten

through the day and what a person does for leisure. The IoT device will also be able to send this information at any time due to its connection to the Internet (Xiang 2018).

One point of the IoT devices is the ability to gather data for analysis, but another point is to gather information from other sources on the Internet according to Holler et al. (2014, p15).

In this way a device can adapt due to information from another source than its user, it can get the weathercast on demand for its user and at the same time check-in on Facebook and see what other people think of the weathercast.

2.4.2 Benefits of IoT

With the urbanization that is happening technology is used more and more to control cities and their systems to organize and measure where the need is.

In the same way that a mundane physical thing like a fridge can be Smart, a building or city can also be Smart. A building with sensors on it can check if the weathercast is promising rain in the following days, if there is rain on its way the building can wait with the watering of plants and water them with the rain that is forecasted.

In the mining industries, the IoT devices can help with reducing energy consumption due to their ability to calculate and know which ventilations that need to be used in the mines.

According to Holler et al. (2014, p.17), ventilations are to blame for upwards of 50% of the energy consumption in mining operations.

As mentioned earlier, IoT devices can also help with monitoring in the agriculture field, both crops and animal farms can get benefits because of the device's abilities to adapt the water supply, food supply, and monitoring on how healthy the animals are.

(14)

According to Hougland (2014), Google used its search engine to collect data about flu searches to try and pinpoint where new outbreaks would happen. This started before the broad introduction to IoT, but as more and more devices enabled internet connection the data to analyze grew.

2.4.3 IoT enables Smart homes

A Smart Home, described by Al-Mutawa, Eassa (2020, p260), is a home that has a connection that connects different devices and enables them to be controlled remotely

through a central control unit which can be a Smartphone. These devices can be the speakers, the lights, or the surveillance system which is incorporated with the lock on the door.

Hougland (2014) speaks of a scenario that can occur in a Smart home, he continues by describing that the morning starts when his bracelet wakes him up through vibrating and by shining lights, when the bracelet wakes him up it speaks to the thermostat in his home which checks the temperature. If it is needed, the thermostat speaks to the air conditioner which starts to pump in the fresh air, the coffee machine starts to brew coffee, and his sprinklers on his lawn might start watering the lawn if it recognizes it as needed.

This is something that can be done through connection, the device's abilities to communicate with each other and start a chain reaction. When Hougland leaves his home in his car the carport sends him a message and tells him that the door has closed after him.

2.5 Big Data

The concept of Big Data is the size of data that companies nowadays have access to and can analyze, due to IoT devices which inherit connection and the ability to collect data, the amount of data has rapidly increased and therefore introduced the concept of Big Data. Most of the data that is collected is from industries, devices that can detect errors and therefore ensure safety and keep up the productivity. The ability to collect data and analyze exists also exists in consumer-friendly devices, these devices use the data to adapt and learn how they best can suit consumer’s needs through sharing of the users' data (Holler et al. 2014, p26).

2.6 Open APIs

IoT is built on connection and the ability to share, Open APIs which enables IoT devices to create a connection to each other, is built on the same theory. Holler et al. (2014, p24) describe Open API as a gateway for different developers to share a connection where they can combine other solutions with their solution. In this way, a device of a different brand can still use solutions that are made by a different manufacturer. This technology creates an opportunity for developers to not waste time in developing their solution and without signing a contract with the developer behind the “borrowed” solution (Holler et al. 2014, p25). This is one aspect of the growing market of IoT devices, mostly because of the ease in

manufacturing new devices and solutions.

(15)

nothing that comes free of risks. When physical things get connected to the Internet, their ability to collect data can fall into the wrong hands. IoT devices can also be under the influence of cyber-attacks and used by outside parties.

2.7.1 Identification and reliability

With the growing market of consumer-friendly devices, the privacy concern is growing. With every new device, there is a new sensor that can trace and collect data from the user, with this information a profile can be created which identifies the user through an analysis of the data.

The profile of a user can consist of name, address, movement patterns, search history, and about which products the user owns (Weber 2015, p.619).

Every new sensor is a potential for new risks to manifest, as the technology is evolving so are the risks. When one door shuts other doors open and the security measures need to be able to handle all the doors and all threats.

A simple thing as at which time the coffee machine makes coffee can tell someone when the user wakes up. (Weber 2015, p.623).

Holler et al. (2014, p31) mention that the reliability of the collected data is also a topic of concern due to the concept of Big Data. As the amount of data and the sources which collect data is growing, it becomes harder to form an accurate consensus. The result might not be truthful or liable due to the lack of quality of the data. Weber (2015, p624) sees risk in both low quality because of the lack of information and that the profile which is created is false and that miss interpretations can be made, but also in high-quality data where the profile of a person can be spot on and tell every detail.

2.7.2 Cyberattacks

The connection to the Internet opens doors that did not exist before. As much as a computer needs an antivirus program an IoT device also needs protection from malware, the boiler which can be turned on through the smartphone now has a risk of being the target of a cyberattack (Holler et al. 2014, p31). For example, a baby monitor with a camera that is connected to the Internet can fall victim to an attack where someone else can access the camera, the fact that a lot of consumers do not change the password on their monitor only makes it more vulnerable (Fu et al.2017, p1).

The data which is collected through devices is always moving through access points before it is stored in databases or cloud services. Weber (2015, p621) points out these access points, which can be a smartphone, as targets of cyber-attacks since most data has not been

encrypted at this point.

The acceleration of data collecting sources is a part of the technological push for consumers to have more and more devices in their homes and to replace their prior technique with new Smart products. All these devices are often connected through the same connection and therefore more easily a target, Fu et al. (2017, p1) describes that the FBI issued an

announcement where they urged people to isolate their IoT devices on protected networks to single them out. These devices or controller apps on Smartphones all have a privacy policy that the consumer consent to, the problem lies in that these policies are often hard to understand and can overburden the consumer.

(16)

The manufacturer of a device is responsible for maintaining the support and security of the product, if the manufacturer goes out of business their support of the device will end, this means that the device will still go on without getting updated (Fu et al. 2017, p4).

2.8 Minimizing privacy issues of IoT devices in homes

Al-Mutawa, Eassa (2020, p260) describes a Smart home as a vulnerable place where security and privacy issues need to be accounted for to achieve a safer home with IoT devices.

According to Al-Mutawa, Eassa (2020, p261) there are limits to what a security system can do, by authenticating the user in several ways, either through a password and biometric authentication methods like face-recognizing or fingerprints the security is higher. However, the systems must work, therefore should passwords be stored in secure ways with encryption as a minimum, the face scans or voice detectors need to be better at checking for signs of life, this is because biometric authentication methods have been fooled by pictures or dummies and thought them to be living and real persons.

As described earlier, Fu et al. (2017, p6) explain that the user policies for IoT devices can be hard to understand because of their length and complexity, the lack of explanation on how different devices on the same connection connects is also a topic which needs to be addressed by manufacturers and regulatory boards. By creating an application for users where they can monitor their collection of IoT devices together and be able to see how they work with each other and what data they share, users can get an understanding of their products. A study by Kumar et al. (2019) researched the most common IoT devices in homes in different regions.

The study was done in collaboration with the software company Avast Software and the data was gathered through a Wi-Fi inspector which was created by Avast Software. This inspector scans the subnet, the home network, to look for connected devices and notify the user if the devices are vulnerable to cyberattacks.

The recommendation that FBI urged people, to have their IoT devices on their connections to not enable them to work together (Fu et al. 2017, p1), by doing this, users can achieve a safer home with less connectivity between devices. The downside to this is that the Smart home is not achievable anymore due to the lack of connectivity.

Weber (2015, p621) describes PET which is privacy-enhancing technologies, these technologies aim to keep data about the user as private as possible, for example, when a company collects data and does not necessarily need details on the user it should not be able to collect that part of the data. This is also something that the EU Data Protection Regulation has considered, it describes that organizations that control the data need to protect the privacy of a user through the lifetime of the data. Weber (2015, p622) mentions that there are ways to anonymize the user by dividing the data into different sub-users, therefore the identification of someone cannot be read from a single user. According to Weber (2015, p.622), this is not the full extent of the technology, there are ways to identify users even if the information is separated.

2.8.1 Regulation of data collection

(17)

processed. What personal data is can be hard to distinguish however, the raw data that are collected is mostly not identifying someone, and therefore the data can be collected and processed even if it ends up as personal data.

Weber (2015, p619) continues by explaining that The European Commission ordered a team of experts to study the IoT network and look for potential security risks. The conclusion reported by the team which was disbanded afterward was that the industry reported that the current security framework was enough, the consumers, on the other hand, did not agree.

They meant that the security and privacy risks should be handled better.

As more and more manufacturers can produce cheap IoT devices the regulations need to be broad and unite as many countries as possible to create a more secure and controllable usage of IoT devices.

2.9 Prior studies on general IoT knowledge and privacy concerns

The search for prior studies in people’s knowledge and concerns of sharing private

information when using IoT devices yielded interesting leads and the result is presented in this chapter. However, there are some concerns over reliability since one study method and details cannot be accessed and some other studies are not entirely part of the scope of this thesis. The studies have still been used to analyze the empirical result, this is because they all have some information that is part of the scope and answers to the RQ.

2.9.1 General knowledge and usage of IoT devices

Metova is a tech firm that works with IoT, connected cars, mobile applications, and more techs that involve the Internet and connections. In 2019 they did a follow-up study and comparison on an earlier study they did in 2018 of IoT knowledge among their customers.

Metova's (2019) result is only available in limited information through an infographic on Metova’s website, the study is not open to see and Metova has not answered questions about getting access to more details.

The 2019 study had over 1000 customers who answered the survey, while Metova is an American company the infographic is not clear on where their customers who partook in the study are stationed.

The reason why the study was used is that the study has been referred to in several articles and the result of the study seems reliable.

(18)

Figure1. Summarize and comparison of Metova (2018) & Metova (2019) The figure is drawn from Metova (2019).

According to Metova (2019), IoT knowledge among their customers is low, and less than 25% fully understand the term IoT. In 2018, Metova reported that 20% of customers knew about IoT but 70% of participants already owned an IoT device. It is not clear if these numbers are considered Smartphones which is a Smart product that a lot of people already own and usually is not considered as an IoT device.

Metova’s (2019) study infographic on the other hand contains new results that were not present in the 2018 study. For example, Metova (2019) shows that about 75% of consumers streamed programs on their Smart TVs through the Internet. It also describes that the most popular Smart device among the participants is Bluetooth trackers which can be attached to keys or other things in case of disappearance. However, both studies show that the two most popular Smart products are Retrofit devices, which are older devices that inherit additions or new features which enhance the usage, and Smart thermostats.

2.9.2 IoT devices in homes per region

Kumar et al.'s (2019) research is based on IoT device adoption in homes in three different global regions in the world. The data in Kumar et al. (2019) was gathered through a Wi-Fi inspector by Avast Software which is a security software company. The scope was also limited to Windows as there are differences in Windows and Mac operating systems, the data was could only be gathered if the Wi-Fi inspector were installed on the home computer.

One part of Kumar et al. (2019) is summarized in the following diagram

(19)

Figure 2. Summarize of Kumar et al(2019).

The figure is drawn from Kumar et al. (2019)

This diagram shows in which context homes in different regions own IoT devices. In North America about 70% of homes had an IoT device, meanwhile, in South Asia, there was only 9% of the homes inherited an IoT device. The 70% ownership in North America can be compared to the almost 74% ownership in the Metova study (2019), as stated before, the Metova infographic is not clear on where the participants are based.

Kumar et al. (2019, p1174) also describe which kinds of IoT devices are most popular in different regions. The most common IoT device in North America was part of the Media/TV category and 43% of the households had one or more Media/TV IoT devices. The Media/TV category stands for 45% of all the IoT devices in North America.

In South Asia, the most common IoT device in households belonged to the Surveillance category, about 9% of the homes had an IoT surveillance device and the category stood for 55% of all IoT devices in South Asia.

The result of Kumar et al. (2019) shows that the Media/TV category of IoT devices are the most used devices in homes, especially in North and South America, Europe, and Oceania.

Metova (2019) describes the most common Smart device as the Bluetooth tracker, Metova also states that 75% of participants streamed programs through their Smart TV which shows that there were a lot of devices in the Media/TV category.

2.9.3 Knowledge of privacy concerns using an IoT device

Stefan Allirol-Molin and Xheniza Gashi (2017) did a study on what people know about IoT and their knowledge of privacy concerns in using IoT devices. The study was done using a survey which was initiated by a pilot study. The biggest age group of respondents were between 18-34 years old according to Allirol-Molin & Gashi (2017), and the selection of participants was done among friends and acquaintances.

(20)

The data which was gathered by Allirol-Molin & Gashi (2017) shows that.

• 90% of the participants have heard about the term IoT,

• 50% have some knowledge of IoT

• 20% have full knowledge of the technology.

When it comes to security and privacy issues the results were as follows.

• With 41% thinking that the security of IoT devices is enough.

But when asked about how good the security is:

• 41.9% answered that they do not know.

The participants also answered the question if they knew how to secure their IoT devices,

• 48,4% answered that they do not know 41,9% answered maybe 9,7% answered yes.

When giving room to participants to write their answers the result to the question of what they do to secure their data in IoT devices were,

• Two people answered that they cryptate their data One answered Anti-virus software on pc One answered that they only use HTTPS.

This question was only answered by 4 people out of the 31 participating.

The result of Allirol-Molin & Gashi (2017) is that people's perception of the existence of security and privacy issues related to IoT devices are high but the perception of how to secure IoT devices was low.

2.9.4 IoT in enterprises and organizations

Securing the Internet of Things Survey is a research done by John Pescatore in 2014 in collaboration with SANS which is an education and research organization where individuals in their respected fields can share their experience or studies.

Pescatore (2014) used a survey that was open for three months during 2013 to gather data, the number of participants was 391 and the research focused on workplaces and businesses. The result of Pescatore (2014) is summarized in the diagram below.

(21)

Figure 3. Summarize of Pescatore (2014).

The figure is drawn from Pescatore (2014)

By seeing the result of the study, Pescatore (2014) figured out that the majority of the participants had experience in IoT technology, this was also be seen in the statistics of workplaces where 19% answered that they work for the government which, according to Pescatore, had grown their IoT divisions recently.

The above summary shows that a lot of the participants knew IoT, but there was a large group who do not have the same kind of knowledge. About 28% said that they had a vague idea of IoT and 29% answered that their organization was not actively working with IoT, it was likely that the organizations would be active with IoT in five years. Almost everyone saw the growth of connected things in their enterprise and only 6% said that they were not aware of any growth.

The conclusion which Pescatore (2014, p20) made of the result is that IoT is overhyped and that the growth of devices was not as high as many had foreseen. The awareness of security issues with IoT devices was high among the participants, 90% answered that some changes would be done in their organization to lower the threat of connected device

2.10 Research Question

The RQ is based on the gathered theory and the result of the questions reflects people’s knowledge about IoT technology and if there is concern about sharing private information when using an IoT device. The result of the questions was gathered through surveys which were designed after the four following RQ.

RQ 1. Have people heard about the term IoT?

RQ 2. What do people know about IoT?

RQ 3. Are people concerned about their privacy when using IoT devices?

RQ 4. Are people using measures to protect their privacy when using IoT devices?

(22)

(23)

3. Method

This chapter is all about the design and method used in the research, how data was collected but also about the selection of respondents, reliability, validity, and ethics concerning the collection and result of data.

This chapter ends on the result of the two pilot studies that were made and how the data gathered through a survey was analyzed and summarized.

3.1 Design

Different methods can be used in data gathering, they all suit different needs, and it all depends on the RQ and scope. The design was decided before the method that was used for collecting data.

Robson (2014, p22) writes about the importance of design and why a researcher should acknowledge it before moving on to methods. Robson explains that by pondering on what would suit the research, it becomes easier to choose a method. A house built without an architect with only builders is not a good thing, which is according to Hakim (Robson 2014, p22), the same as not following a design. The first thing that must be done is to decide if there is a need to collect new data or if the data already exists.

By collecting new data, which is known as primary data collection, enables the possibility to summarize and analyze the data in a new study and reach a conclusion based on the findings.

Comparison to other studies on the same topic can also be done, in that way, data that already exists can be used, which is known as collecting secondary data.

By collecting secondary data, the need for prior studies and results becomes more important and the analysis will contain its interpretation of other studies.

Robson (2014, p22) urges the researcher to make their decision based on their interest and what method is most comfortable for them. If the researcher struggles with a method, it might not be the right choice.

According to Robson (2014, p23), two commonly used research designs are known as flexible and fixed designs.

3.1.1 Flexible and fixed design.

When deciding on the design of the thesis, different aspects need to be taken into consideration.

The flexible design also called qualitative design is according to Robson (2014, p23) the idea that the researcher can be more flexible, data is gathered in an early stage with less planning before. The flexibility in this design is more fitting with qualitative data because of the more in-depth knowledge. Goldkuhl (2011, p28) speaks about the depth and broad knowledge, where depth often calls for a qualitative method. A flexible design often tends to incorporate Case Studies or interviews as methods when collecting data, this is because of the more indepth knowledge and the ability to adapt to the situation or the answers.

The fixed design, also known as quantitative design, is in comparison to flexible design more structured and it becomes more important to plan out the research before data is gathered (Robson 2014, p23). Instead of gathering data at an early stage, the researcher does pilot studies which act as tests to see if questions for participants are clear and not confusing.

When doing a pilot, bad data can be avoided in the gathering process according to feedback

(24)

from the pilot. By doing a quantitative study the knowledge gained is broader and usually more general than with a qualitative study according to Goldkuhl (2011, p28). The study is narrower, and the researcher often limits what the survey is focused on.

3.1.2 Chosen design

Both Goldkuhl (2011, p28) and Robson (2014, p23) mention that qualitative and quantitative design is not always used as they commonly have been, a qualitative method can be used in a fixed design and vice versa. It is the same with in-depth and broad knowledge, they are not fixed to one design but can co-exist in both.

A fixed design was followed through the research and the data that was gathered was qualitative. The reasoning behind this was that by following a fixed design the project and research were planned out from the beginning. The chosen method see (3.2), which data was collected through, can be used when collecting both quantitative and qualitative data. It is usually more often associated with quantitative data. The reasoning why the gathered data was qualitative is that the data represents opinions and not measurements in the form of a numerical scale.

3.2 Scientific methods

The decision to acquire qualitative data through a survey grew from the design choice and the format of the RQ. When asking for people's knowledge, perception, and actions a survey was the best way of reaching a broader group of people, this decision was taken instead of doing interviews which was the initial thought. Interviews would have gathered more in-depth data which would yield a different result and answers to the RQ than doing a survey.

3.2.1 Survey

When choosing a method, the cons and pros need to be weighted to each other to ensure that the right method was used (Goldkuhl 2011, p32).

Surveys are usually done by collecting data from a larger group and the result is often considered as more general (Goldkuhl 2011, p28). Robson (2014, p30) describes the survey method in the same way as Goldkuhl (2011), Robson continues by listing the usual pros and cons of the survey method

The pros in using a survey are that they are predictable by the amount of time that is needed to create, hand out and in some way analyze the data. The amount of time that is needed for analysis is depending on how many participants there are, and which questions are asked. If questions are answered through tick boxes the analysis will be easier than questions asking for written answers. The result is often quantitative data that can be turned into diagrams, the data can also be qualitative and still summarized through diagrams or bars.

The result can be general though, it depends on the target group and number of participants,

(25)

respondent might have marked the wrong answer or lacked seriousness when answering the survey. The result can be questioned when the response number is low. This is because the result often lacks in-depth knowledge and therefore a higher response is needed. When doing a survey, a sample of participants needs to be gathered. While this can be done at random, by allowing larger groups of unknown people to answer the survey, it can be hard to do a

selection that does not impact the result. Friends or relatives might not be the most reliable respondents in a study because of the difficulty of being impartial. Surveys are a bad method if the researcher wants more in-depth data, this is because Survey Questions (SQ) with many details are often lengthy and complex which in the end will affect the number of respondents according to Robson (2014, p30).

Robson (2014, p32) means that in choosing a method that is already established the researcher can navigate through the known cons and pros.

Being aware of the pros and cons, actions have been taken to ensure that the result was gathered truthfully without affecting or altering the answers, and at the same time, preparations for the survey were done without rushing the analysis.

3.2.2 Online survey

The survey was done through Survey & Report (S&R). The S&R software enabled the usage of an online survey which was easier than handing out papers and was more fitting with the current state of the world (at writing time) due to the pandemic Covid-19.

S&R is a web-based survey tool where the user can design their survey, the program also helps to summarize the data for the result.

The main survey was done both in Swedish and English which let the respondent choose their preferred language.

3.3 Selection of respondents

To gather data on people’s knowledge of IoT, privacy concerns in using IoT devices and if measures are taken by people, requires the respondents to be part of the general population.

They should not be part of a singular group or category. According to Robson (2014, p83) the when, what, where, and who questions are of essential importance when sampling for the study. The selection of respondents depends on the scope of the RQ.

A general study such as which political party the general population would vote on needs a lot of participants and preferably people in different age groups that have different

occupations and social status.

Robson (2014, p84) writes about random selection, which is when respondents have been narrowed down to, for example, school students, the selection can be done by choosing everyone who starts their name with an A. From the list of names, the narrowing down of participants can be done through a lottery approach where every person has a number

attached to him/her. The last selection of respondents can then be commenced by rolling a die and see which persons who start their name with an A is selected.

With a smaller scale study, but still in-depth, the selection of respondents does not need to be selected through a random method and the result is usually not accounted for as general.

(26)

Robson (2014, p85) mentions that some respondents are chosen because of their prior knowledge or in some cases occupation, this means that the respondents are experienced in their field and that the research which they take part in might be in-depth research. The respondent can in some cases be family members or friends of the one researching. Robson does however not recommend this since known people can be bias and the data that is gathered is therefore not reliable. If family members or friends are used it is better to have them as respondents on pilot tests and not include them when gathering data.

The ideal way of selecting respondents to gather people’s knowledge of IoT would have been to use the random method. The ideal respondents would consist of people who represent different groups and have different experiences of IoT. With limitations in time and resources, the limitations on the selection of respondents were taken.

Initial thoughts on the selection of respondents were to go through Örebro university and/or Karlstad university to find respondents, either through sending out messages to work and student platforms or informing students before a lecture about the survey. However, with the response from personal and the advice from the Supervisor, the selection of respondents was done through Facebook groups and the snowball effect instead.

Due to the pandemic COVID-19 and the usage of an online survey through S&R, the selection of respondents was done through the Facebook group “Dem kallar oss studenter”

which is a Swedish Facebook group created by Örebro University and the Facebook group

“Survey sharing 2020” which consist of people of different nationalities who help each other out with answering surveys.

The selection was also done by sharing the survey with friends and family who were urged to not take the survey themselves, they were instead urged to continue to share the survey with friends or family members of them. This is called the snowball effect. By reaching out to people who continued to share the study the number of respondents grew.

3.4 Environment

The physical environment of the survey was answered in ways dependent on the respondent’s choice. Doing an online survey enabled people to answer the survey anywhere as long as they had access to the Internet.

The environment changed from a physical place to an online space which means that there are differences in things that might affect the respondent when doing the survey. More about the choice in doing an online survey through S&R and the aspects that were taken into consideration can be read about in (3.5.1).

3.5 Reliability and validity

Reliability is to make sure that the gathered data are truthful data, that the result is based on data that represents the person's knowledge. Ensuring that data is reliable can be hard

according to Robson (2014, p54). The process of ensuring data can be done in different ways

(27)

(2014, p55) points out that the response to a question might alter just because the interviewee gets the same question again.

If data collection is done through observation there can be two observers who then compare their results to make it reliable.

Robson (2014, p56) mentions that researchers who chose flexible design often do not think about reliability because qualitative studies are often done in a deeper sense and reach for different aspects. The qualitative design is commonly used to study real-life scenarios that can be messy and are hard to do again in the same way.

It is not enough to have reliable data if it is not valid in the end. Validity is if the data represents what it intends to represent (Robson 2014, p56) e.g., in this case, data should represent what people know about IoT.

3.5.1 Reliability and validity in an online survey

The data was gathered through a survey which was made in S&R. The first intention was to use Google forms but with a recommendation from Karlstad university to use S&R instead the change was made. The reasoning was also that Google Forms do not comply with GDPR and S&R is a better option.

In using an online survey there are aspects to take into consideration when accounting for reliability and validity of the result.

• The first aspect is: An open survey without a login option.

The survey was done without an obligation to login. The choice of making the survey open and more susceptible for the respondents was that by locking the survey and demanding a log in the respondent might have been more unwilling to complete the survey. However, S&R does save the survey in the cookies section of the web browser which limits the participants to do the survey one time in the same browser.

Cookies can be deleted and if the user opens the survey in another web browser, they can do the survey again. The negative aspect of this is that anyone that had the link to the study could have used it multiple times, this aspect can change the look of the result, and therefore it is of virtue to be accounted for.

• The second aspect is: With the Internet as an environment.

By doing an online survey people can be affected and disturbed by other things than in a physical environment such as a lecture hall. The Internet itself and applications on a desktop pc, laptop, or smartphone can catch the participants' attention and the ability to look up answers or descriptions about topics in the survey can alter the answer and, in some way, general knowledge.

This is not a problem that only exists with online surveys, there are opportunities to look up answers as long as the respondent has access to the Internet when doing a paper survey, however, when surveying in a browser or an application the respondent is already in the digital and online environment.

Because of this, the decision to include a description and introduction of IoT in the survey was taken. The reason for this was to give people some knowledge and hopefully, people did not feel the urge to research more about IoT during the survey was taken. Some of the information in the introduction was used in SQ in the survey, this was not a test to see if the participant had read the introduction, its purpose was still to see what people knew about IoT.

(28)

• The third aspect is: Usability and design of the survey

The ease of using an online survey and for the respondents to understand where to click with was taken into consideration. Difficulty and problems should not affect the respondent, if the respondent could not figure out the questions or how the survey was supposed to be done in a digital format the answers might be affected.

By doing two pilot studies the interaction options and readability were tested with respondents that left feedback which shaped the survey.

In summary, the result of the thesis should be reliable due to actions that have been taken and the knowledge of reliability aspects.

The result also needs to be valid. Without validity, the resulting data will not represent the intention of the RQ, therefore the result cannot be reliable if it is not valid.

With working through a fixed design, the result has been anticipated in an early stage by focusing on the RQ and the scope of the thesis. Robson (2014, p57) means that anticipating the result enables the susceptible to see the evidence which is contrary to the anticipation.

This means that even with anticipations, an open mind to evidence which does not support the earlier thoughts is of importance. By ignoring the contrary evidence, the result cannot be reliable.

By examining and planning into the choice of research method, the selection of respondents, and the scope of the thesis the result should be truthful and valid. This was also done through doing pilot studies (3.7) before the survey and gathering of data.

3.6 Ethics

When analyzing and presenting data from the survey, which are based on the respondents' answers, and ethical effort must be made to ensure that people are represented ethically. This is because the participants in a study should be protected. Respondents should not be put in harm's way or be ridiculed. Robson (2014, p75) means that the participant should know what is expected of them, what the answers will be used for, and that the respondents had a chance to accept terms on how their personal information will be handled before data is gathered.

The result of the study should not come as a shock for participants, the participants should have been properly informed from the beginning. If the scope of the research were altered the participants also need to know of the changes, participants need to be able to withdraw their earlier given consent if they no longer agree to the research.

3.6.1 Terms and Conditions

The respondents of the main survey had the opportunity to read the Terms and Conditions before doing the survey, the respondent could then either consent to the terms or decline. The respondents that declined the terms could not commence on the survey and they were thanked for their interest.

The respondents who gave their consent continued with the SQ.

(29)

By doing the survey through S&R, some mandatory information from Karlstad university was also part of the information.

3.6.2 Handling gathered data

The personal information and answers given by respondents were or will be deleted at the latest 31 January 2021, this information was part of the Terms and Conditions, and all who submitted the survey had to accept the terms.

Gathered data was stored through cloud services which are part of S&R software and framework.

Personal information that was handled consisted of the age of the participants, the alternatives of stating age were divided into groups, as follows:

• 18-30

• 31-45

• 46-65

• 65+

• Does not want to disclose

In having the option to not disclose the age the respondents of the survey had the opportunity to be fully anonymous, as no other personal data was gathered.

3.7 Development of survey

This section is about the development of the survey and the piloting process. The pilot was done to test the SQ with test respondents before the survey and gathering of data for the result was commenced. This was done to ensure that the survey was easy to understand, use and that the questions felt relevant to the respondent and the RQ. The respondents of the pilot study were also able to give feedback on other things than the SQ that bothered them with the survey.

3.7.1 Pilot

According to Robson (2014, p97), the pilot study is crucial when working with a fixed design, this helps in designing the method, where the real data gathering is done to go as smooth as possible. The pilot study is an opportunity for the researcher to test the study material on participants and get their valuable feedback. Robson means that the researcher should avoid picking the same respondent during the method, the survey in this case if the respondent were part of the pilot. This is because the result might be altered, the respondents are already aware of the study and the method might not be that different from the pilot.

With the response from the pilot, the researcher can alter descriptions or change questions, but if there would be major issues with the study, the researcher should do around more pilot studies to see if the issues are fixed before moving forward with gathering data.

(30)

3.7.2 Result of the first pilot study

The selection of respondents for the pilot study was done by asking friends and relatives to take the test survey. The pilot study was done in Google Forms and the number of

respondents who took the pilot study was 12.

The pilot was conducted through Swedish.

The reasoning behind using Google Forms for the pilot was due to the initial plan of using Google Forms for the survey. This meant that the test survey was already done when the choice to change to S&R was taken, therefore was the pilot done with Google Forms to check what respondents thought of the questions.

The respondents of the first pilot were not part of the respondents who took the survey.

The test survey, which can be seen in Appendices (8.1), was designed to give respondents the ability to comment on every question in the test survey. In that way, it was clearer for

respondents on which question they were commenting on and it was easier to read the feedback.

For example:

Question 1, which is found in Appendices (A.1)

The question is about the age of the respondent and the answers are sorted into different age groups; the last answer is the option to not state age.

Below the first question is the second question which was an opportunity for the respondent to leave a comment about the question above. This is how the test survey for the pilot was designed.

(31)

This question is about how much the respondent appreciates their knowledge of IoT devices between 1 (Do not understand at all) and 5 (fully understands).

One comment from a respondent thought that it was both hard to appreciate the knowledge on a scale between 1-5 and that the response option through a scale differed from other questions in the survey which were done through bullet points. The comment suggested that the

questions should be asked in the same way as other questions with prewritten options in words, the respondent also argued that it would be easier to gather the result if all questions are asked in the same way.

Robson (2014, p111) means response options which consist of numbers that represent describing words can be arbitrary because of the difficulty of understanding the value of the response. Robson gives the example that a 6 can be treated as a value that is twice the amount of 3. However, the 6 might stand for Very good and the 3 might stand for neither good nor bad.

In making the responses to the questions prewritten instead of using the scale between 1-5 the design of the thesis was more coherent and it was clear for the user how to answer the

question, it also resulted in an easier way to see the result as suggested by the comment.

This question handles how respondents estimate how good the security of IoT devices is. One respondent was not sure in which way the question was referring to with the word security.

Because of the goal of designing an easy to use survey, the question was tweaked for the survey and instead asked if the respondent thinks that IoT devices have enough security to keep their personal information safe. This meant that the response options for the respondents in the survey were more limited than in the test survey. The respondent was able to answer

‘Yes’, ‘No’, and ‘Do not know’.

(32)

Question 15, which is found in Appendices (A.5).

This question is asking if the respondent is actively doing measures to secure their personal information when using IoT devices. Comments on this question showed that respondents thought that it was hard to answer the question, the reason being that they could not figure out any measures now. The comments suggested that instead of writing their response,

respondents should be able to choose among prewritten answers. This would enable

respondents to see examples of measures that they might already do but have forgotten about.

The comments showed that several people had this problem with the questions and therefore the question was redesigned to make it easier for the respondents to answer.

Some respondents also questioned the order of responses that were available in the test study, e.g.,

• No

• Occasionally

• Do not know

• Often

The order of response options varied on every question, the decision to vary the response options were consciously made to see what respondents thought of it. The feedback of the pilot showed that the response options should be in order and look the same on every question to make the design coherent and clear. Comments also stated that they missed neutral response options. That resulted in the following order and response option addition.

• Always

• Often

• Occasionally

• Sometimes

• Do not know

(33)

The number of responses on the second pilot was 7 and the pilot was accessible through Swedish and English.

The feedback from the second pilot described that there were still problems with grammar, the language in the introduction, and the format of some questions. The changes that had been done since the first pilot were positively met and the respondents were satisfied with the altered questions and larger width of response options.

The main problem that respondents found was question 5, which is found in Appendices (B.2)

This question, where the respondent is asked to tick the checkboxes of the statements, they think are true, e.g., “Smartphone is a Smart device”, was confusing to many respondents. The feedback showed that respondents got stuck on the question, the reason being that the

respondents thought it was hard to select answers that only are true.

By discussing this with the Supervisor the questions were changed before the survey was sent out. The result is shown below in English and with S&R instead of Google Forms, which is found in Appendices (C.2).

Internet of Things

Adam Beskow