Economies and societies are increasingly reliant upon “smart products” that contain
code and can connect to one another, e.g. through the Internet. Recent cyber-attacks
such as Mirai, WannaCry, NotPetya and SolarWinds have underlined that the exploitation
of vulnerabilities in smart products can have severe economic and social consequences.
Such attacks increasingly threaten users’ safety and well-being, as well. This report
shows that economic factors play an important role in the relative “insecurity” of
smart products. It develops an analytical framework based on the value chain and lifecycle
of smart products, and applies the framework to three case studies: computers and
smartphones, consumer Internet of Things (IoT) devices and cloud services. It demonstrates
that complex and opaque value chains lead to a misallocation of responsibility for
digital security risk management, while significant information asymmetries and externalities
often limit stakeholders’ ability to behave optimally.