Many Internet of Things (IoT) devices that are currently on the market lack security and therefore many of them got infected with malware to launch powerful distributed denial of service (DDoS) attacks. Notifications from Internet Service Providers (ISPs) to their customers play
...
Many Internet of Things (IoT) devices that are currently on the market lack security and therefore many of them got infected with malware to launch powerful distributed denial of service (DDoS) attacks. Notifications from Internet Service Providers (ISPs) to their customers play a crucial role in the fight to clean up the malware infected IoT devices. It is, however, difficult for the employees of abuse departments to explain how to cleanup an IoT malware infection to a non-technical customer and provide usable action steps to clean up the infection. In particular, because there is no “one size fits all” cleanup solution, due to the heterogeneous nature of the IoT devices. The abuse department of the Dutch ISP KPN would like to know how to notify customers with IoT malware infections and how to explain the cleanup of infected IoT devices to the customers. Therefore, the objective of this research is to make a recommendation to KPN on what notification mechanism to adopt by providing insight into: (1) how to increase the effectiveness of IoT malware notifications from an ISP to its customers in terms of IoT malware cleanup; and (2) how users perceive an IoT malware notification from their ISP. To this end, an experiment has been conducted with 190 retail customers with infected IoT devices to measure the difference in cleanup among IoT malware notifications sent via different channels and with different messages. To explore the reactions of the customers to the different notification mechanisms, telephone interviews have been conducted and the communication logs between KPN and the customers in the experiment have been analysed. We have compared the influence of the notification channel on cleanup and the reactions of customers by comparing customers that received: (1) email notifications; and (2) a combination of walled garden and email notifications. The different notification messages that have been compared in this study include: (1) the walled garden notification content that KPN’s abuse department uses to notify its customers with an IoT malware infection; and (2) a newly composed more actionable walled garden notification message which clearly defines the steps that need to be taken while avoiding technical terms. It is found that a combination of a walled garden and email notification with an actionable content is the most effective in terms of IoT malware cleanup. Furthermore, the walled garden notification is most effective in getting customers to read and react to the IoT malware notification, yet it sometimes results in customers having a low satisfaction with the service they receive. The more actionable notification content results in better understanding and trust from the customer compared to a less actionable content of the notification. However, customers’ understanding of the notification content and the satisfaction with the quarantine event remain a challenge.