Security know-how is broadly available, and security experts are trained to understand the impact of weak information security. They learn methods to prevent vulnerabilities in product design, development, deployment and management. Despite market-related conditions, why are several IoT products still shipped today with immature and few security features?
One perspective is an awareness-based role model that describes the dynamics leading to weakly secured IoT products. Caviglione et al. explain a role-based perspective on smart building security . The authors identify vendors, customers and professional operators (typically administrators working with building management systems) as roles, each with its particular view on the insecurity of smart buildings. According to , vendors do not build security into IT products since customers are unwilling to pay higher costs for it. The vendors' perspective is cost-centric rather than shaped by a high awareness of the importance of securing their products and of the long-term implications that selling weakly secured devices has for their market position. Caviglione et al. point out that customers lack the necessary security awareness as well and hence do not demand security features at all. IoT operators, on the other hand, argue that they cannot provide security since vendors do not integrate configurable security features .
We consider this Cycle of Blame a fundamental process that prevents a higher level of security in the IoT industry.
Whenever progress towards improving security is to be made, one of the stakeholders is required to take the first step. For instance, vendors would be required to invest in improved security features while expecting no immediate benefit. Customers, on the other hand, would be required to take responsibility for the buying decisions they make, eventually declining to buy a product due to the risk of surveillance or attacks. Operators and integrators can be seen as caught in the middle between customers and vendors. If operators were aware of their responsibility for the security of the devices they manage, they could deploy one of the existing third-party solutions that shield insecure IoT products. Currently, they do not see it as their responsibility to consider security criteria in existing systems.
For this reason, and due to the discovery of several vulnerabilities in IoT products (cf. [1,4]), we observe that it is crucial that at least one stakeholder in each cycle breaks the Cycle of Blame to foster and accelerate the development and integration of security for the IoT. Online social media should play an extended role in offering platforms for sharing and raising customers' knowledge and security awareness. This would result in additional pressure on the operators, who could invest in alternative products, and hence finally put pressure on the vendors to offer secure solutions. In order to safeguard their market share, forward-looking vendors should build an alliance with customers. Based on customer requirements, they may elaborate stringent security criteria to be guaranteed in their products. This would put pressure on the other vendors to implement security mechanisms and hence slowly break the Cycle of Blame.
[1] E. Fernandes et al.: Security Analysis of Emerging Smart Home Applications, Proc. 2016 IEEE Symposium on Security and Privacy (S&P), San Jose, CA, USA, pp. 636-654, 2016.
[2] L. Caviglione et al.: Analysis of Human Awareness of Security and Privacy Threats in Smart Environments, Proc. Human Aspects of Information Security, Privacy and Trust, LNCS 9190, Los Angeles, pp. 165-177, Springer, 2015.
[3] R. Anderson: The economics of information security, Science, Vol. 314, pp. 610-613, 2006.
[4] K. Koscher et al.: Experimental security analysis of a modern automobile, Proc. IEEE Symposium on Security and Privacy, pp. 447-462, IEEE, 2010.