
Wearing safe: Physical and informational security in the age of the wearable device


Adam J. Mills (a,*), Richard T. Watson (b), Leyland Pitt (c), Jan Kietzmann (c)

a Loyola University New Orleans, 6363 St. Charles Avenue, Box 15, New Orleans, LA 70118, U.S.A.
b Terry College of Business, University of Georgia, Athens, GA 30602-6269, U.S.A.
c Beedie School of Business, Simon Fraser University, 500 Granville Street, Vancouver, BC V6C 1W6, Canada

Business Horizons (2016) 59, 615—622

Available online at www.sciencedirect.com

ScienceDirect, www.elsevier.com/locate/bushor

KEYWORDS: Wearable technology; Wearables; Information security; Cybersecurity

Abstract: Wearable computing devices promise to deliver countless benefits to users. Moreover, they are among the most personal and unique computing devices of all, more so than laptops and tablets and even more so than smartphones. However, this uniqueness also brings with it a risk of security issues not encountered previously in information systems: the potential to not only compromise data, but also to physically harm the wearer. This article considers wearable device security from three perspectives: whether the threat is to the device and/or the individual, the role that the wearable device plays, and how holistic wearable device security strategies can be developed and monitored. © 2016 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved.

1. The rise of wearables

In 1903 at the Royal Institution in London, physicist John Ambrose Fleming was preparing the setup of a primitive projection device intended to display Morse code messages from his colleague Guglielmo Marconi, the inventor of wireless telegraphy. Supposedly, this method of transmitting information was secure. Yet before the demonstration had even started, the audience was surprised, baffled, and amused to hear a series of messages being tapped out. The first messages were simply the word "rats" being tapped, but what followed was more complex and insulting to Marconi. A limerick began, "There was a young fellow of Italy, who diddled the public quite prettily..." The damage had been done; wireless telegraphy was clearly nowhere near as secure as Marconi had claimed. A few days later, the magician and inventor Nevil Maskelyne claimed responsibility for this first recorded instance of the hacking of an information system (IS) (Marks, 2011).

Whether for mischief or for malice, no system has ever been completely immune from hacking or compromise since Maskelyne's trick. In the early 1970s, John Draper (aka Captain Crunch) used a toy whistle from a Cap'n Crunch cereal box to trick AT&T's telephone system into allowing him to place free long distance calls. In 1965, the Compatible Time-Sharing System on IBM's 7094 machine was hacked for the first time.

* Corresponding author. E-mail addresses: [email protected] (A.J. Mills), [email protected] (R.T. Watson), [email protected] (L. Pitt), [email protected] (J. Kietzmann)

0007-6813/$ - see front matter © 2016 Kelley School of Business, Indiana University. Published by Elsevier Inc. All rights reserved. http://dx.doi.org/10.1016/j.bushor.2016.08.003


Mainframe systems were targeted from then on, and the first PC virus, Brain, was written by Pakistani programmers Basit and Amjad Farooq Alvi in 1986, reportedly to deter unauthorized copying of their software. Keeping systems, networks, and individual devices secure became a critical part of the IS professional's role. These cybersecurity issues have escalated rapidly as massive data breaches at firms such as Target and Sony grabbed headlines, identity theft became a nightmare for thousands of individuals, and the security of smartphones also came under threat. Even technologies traditionally regarded as 'not IT' showed their vulnerability: distraught parents found their baby monitoring devices were exposed, and security researchers brought a Jeep Cherokee to a standstill on a highway by remotely compromising its control systems. Now the most personal information technologies of all are under threat; we have entered the age of the wearable computer.

Wearable computers, or wearable information technologies ('wearables'), represent a huge future market. By the end of 2015, 6.1 million U.K. citizens (13% of the population) owned a wearable, and the product category on Amazon has enjoyed a triple-digit sales increase year-over-year since the company launched its first wearable offerings. The consulting firm IDTechEx predicts the wearables market will grow from $20 billion in 2015 to almost $70 billion in 2025. In November 2015, according to the analyst firm Canalys, sales of Apple's watch had reached nearly 7 million since its April launch (Lamkin, 2015). Wearables are arguably the most personal and intimate IT devices of all, portending enormous benefits of all kinds for individuals and organizations alike. However, being more personal and more intimate makes their security even more critical. Protecting the security of wearable devices and highly personal data will pose enormous challenges to organizations in general, and to IS practitioners in particular. We address these issues in this article.

We proceed as follows: First, we provide a brief overview of the unique nature of wearables. Then we argue that security in the case of wearables is different from other devices, and even more important. Next, we suggest two frameworks managers can use to think about device security and shape their strategies accordingly. We suggest the use of the McCumber cube (McCumber, 2004) as a lens through which to view and consider wearable technology security strategy. The article concludes with an integration of the three frameworks.

1.1. When we wear computers

Humankind has long worn the products of technology. Early warriors wore animal skins in order to protect themselves from clubs and arrows, and the Greeks and Romans wore metal body armor long before the knights of medieval times. The first wristwatch was made for the queen of Naples in 1810. However, it was not until the 1960s that people began to experiment with the wearing of computerized devices. Among the first of these was the Gambling Shoe in 1961. Built by MIT students, this wearable device applied mathematical theories to attempt to beat the roulette wheel in casinos. A computer strapped to the player's waist translated a signal from a sensor in the player's shoe, used to track the timing of the roulette wheel, into an audio-based result that was sent to his earpiece.

Today, wearables are no longer reserved for such special applications. Wearable technologies (Table 1) now refer to a concept that describes how people can wear a wide range of information technology devices (e.g., watches, glasses, shoes) on almost any part of the anatomy (Robson, Pitt, & Kietzmann, 2016). There are now many hundreds of wearable devices, and the list grows by the day. These technologies can monitor, control, optimize, and even become autonomous (Porter & Heppelman, 2014) in a wide range of functions and behaviors.

Table 1. Where is the technology worn?

Anatomy | Device examples | Application examples
Head | Cap, eyes, glasses, ears | Monitor fatigue, portable computer
Neck | Necklace, chain, tie | Smartphone control, camera
Torso | Shirt, jacket, band | Monitor health, posture
Waist | Belt, fob | Monitor activity, identification and location
Upper arm | Band | Monitor activity, enhance lifting strength
Lower arm/wrist | Band, watch | Monitor fitness activity, interact with smartphone, portable computer
Hand | Ring, glove | Unlock doors, connect people, interact with touch screens in winter, Siri/Cortana/Google Now enabled
Upper thigh | Band, pants | 'Smart jeans' enable smartphone interaction, enhance physical strength
Lower leg | Socks, band | Pressure sensors monitor foot injury, posture
Foot | Sock, shoe | Navigation, fitness

Wearables can be relatively simple both in their technology and their application. For example, Air New Zealand now gives unaccompanied minors a bracelet to wear when they check in for a flight. The bracelet is scanned at various checkpoints on their journey, including check in, boarding, landing, and handover. Up to five nominated parents or guardians are alerted when the child passes a checkpoint, and in this way are updated with the child's step-by-step progress on their journey. Other wearables are more complex. In 2014, Google unveiled a prototype smart contact lens to monitor the blood glucose levels contained in human tears. This promises a solution to the problem of effective blood glucose monitoring and control for people with diabetes.

2. Why wearable device security is different

While security is obviously important to all information systems, in the case of wearable devices the nature of the security challenge is sufficiently different that it warrants special attention. First, wearables are by far the most personal computing devices. While the settings might be slightly different, it is easy for one person to use the desktop or laptop computer of another. Indeed, it turned out that the personal computer wasn't nearly as personal as other devices. While mobile phones, for instance, are a lot more customized to the individual, it is still relatively easy for one person to use the smartphone or tablet of another. However, most wearables are, or will be, unique (e.g., Watson, Pitt, Berthon, & Zinkhan, 2002, 2004) to the wearer. They are close and personal, intimate devices that will fit the particular wearer's anatomy. These devices monitor, control, and in many cases optimize tasks ideally and only for that individual. They become part of the anatomy, as in the case of the diabetic contact lenses, or robotic arms that afford the wearer far greater lifting strength.

Second, because people will wear these devices, fashion becomes very important. One of the major criticisms of Google's Glass spectacles was that they made wearers look like geeks and behave like 'glassholes.' Fashion comes at a price, however. Expensive wearables that are worn visibly might represent attractive targets for thieves. For example, the Brikk's Lux Watch Omni costs $114,995. It is an 18-karat gold Apple Watch with multiple rows of 11.30-carat diamonds around the face, buttons, and strap clasps.

Third, wearables are the first category of personal computing devices where there is not only danger to data, but also the real potential to cause physical harm to the wearer. Hacking a person's PC or laptop, or their smartphone, might enable a wrongdoer to steal data, or in some way impede the device's ability to function. However, it is unlikely that this could result in physical injury to the owner. Mischievous or malicious hacking of a wearable device can have consequences that might vary from annoying to severe. A smart watch might be programmed to emit a series of irritating but meaningless pulses for no reason at all. Hacking a diabetic's smart contact lenses to give erroneous readings could cause the wearer either not to receive warning signals or to overreact to exaggerated readings of glucose levels. This might not only have serious consequences, but it could also prove fatal. In the following section we suggest two frameworks that IS decision makers can use to consider the issues surrounding wearable device security.

3. Wearable device security: Questions and frameworks

The unique nature of wearables and the implications this has for security discussed above require that the manager consider three distinct, but related sets of issues. The first question pertains to who or what is threatened: the wearer or the wearable? This question is addressed by means of the 4Ds grid discussed below. The second question considers whether the wearable device focuses on the wearer's physical or mental capacities, and specifically what abilities of the wearer the device enhances. Managers and security professionals can explore the different roles that wearables can play, and how wearable technology security can be breached, by using the 4Ms matrix, introduced later. The third question concerns how managers can develop a security strategy to address the potential vulnerabilities of wearables. We suggest the McCumber cube as a suitable device for achieving this.

3.1. Threats to the individual and to the device: The 4Ds grid

Throughout their relatively short history, information devices such as PCs, laptops, tablets, and smartphones have been vulnerable to two kinds of security threats. First, if compromised, the data stored on or via the device (e.g., downstream, in the cloud) can be destroyed, stolen, or changed with negative consequences for the owner. Second, it is technically feasible that malicious hackers could also cause physical damage to the computing device itself. A program that drove the central processing unit (CPU) or the graphics processing unit (GPU) at full load could, on hardware without adequate thermal protection, eventually damage it. Flashing the BIOS and/or firmware with corrupt code could effectively 'brick' a computer's motherboard, making it impossible to turn on; smartphones have been vulnerable to similar issues. Historically, people have been at minimal physical risk when the security of their computing devices has been breached. The fact that wearable devices are worn on the anatomy changes that. While wearers have long been at informational risk, in that their data could be destroyed, changed, or stolen, they are likely also at physical risk in the age of the wearable.

The 4Ds grid (Figure 1) summarizes this situation with regard to threats and serves as a tool for IS decision makers and security experts to explore the various threats that breaches in the security of a wearable device represent. It asks, what is the nature of the threat: disablement, damage, deception, or distortion?

In the bottom left quadrant of the grid is the disablement threat, because the effect of a security breach on both the wearer and the device is that the physical attributes of either one or both can be compromised. The device could be disabled by a hacker, either by impairing it or by simply turning it off remotely so that it no longer operates. Alternatively, the device can be breached in such a way that it can disable the physical performance of the wearer, even to the point of injury. Examples of this could vary from initiating a sudden shutdown in a powered exoskeleton arm that makes the wearer suddenly drop what they are carrying to causing injury through a smart watch that delivers a shock through its haptic apparatus.

Figure 1. The 4Ds grid: threats to individuals and devices. Columns give the nature of the threat to the device (physical on the left, informational on the right) and rows the nature of the threat to the wearer (informational on the top row, physical on the bottom row): damage (top left), distortion (top right), disablement (bottom left), deception (bottom right).

The damage quadrant encompasses security threats where the device is compromised physically, but the wearer's information, rather than physical well-being, is now at risk. Simple hacking of the device could cause a person to either lose all of their data, or have it stolen or changed. Since many wearable devices will be connected to a wearer's other information systems, such as smartphones and computers, they might possibly be used as gateways to the larger data stored on this kind of equipment. The wearable might also be used to locate a particular wearer, with the intention to harm them or their devices, or to breach their property.

The bottom right cell of the grid has to do with deception, where the security breach on the device is informational but the effect on the user is physical. For example, the malicious changing of the data on a medical wearable might cause it to give the wearer wrong information with regard to measures such as blood glucose or blood pressure. This might either cause the wearer to be lulled into a false sense of security or to overreact to an erroneous reading, perhaps by changing the dosage of their medication, when, in fact, nothing was wrong at all.

Distortion is at the heart of the top right quadrant, where, in the case of both wearer and device, the breach is informational. By breaching a device's information security, a third party might learn a lot about a wearer's behavior for malevolent purposes. Alternatively, the information on a wearer's device could be manipulated to relay false information about a person's behavior, such as that they were complying with a medical regimen when they were not, or causing a physician to prescribe additional medication when the patient did not need it.

3.2. The roles that wearables play: The 4Ms matrix

The next decision tool for managers to use in their consideration of wearable device security asks two questions. First, what is the focus of the wearable? Is it on cognitive ability, and how this can be enhanced; or is it on the physical? Is the focus on the mind or the matter? Second, what ability does the wearable enhance: to better inform the wearer, or to better perform tasks? This enables us to identify four distinct roles wearable technology can play. We term these roles the 4Ms, illustrated in Figure 2. Understanding these roles should give managers a good perspective on exactly how a wearable device can have its security compromised and how this could, in turn, affect the wearer.

Figure 2. Understanding the roles of wearables (the 4Ms: muscle, memory, measure, and mediate, arranged by whether the focus is on mind or matter and by whether the device helps the wearer inform or perform)

The muscle quadrant is the one in which the wearable device focuses on physical things (i.e., the matter) such as lifting or moving objects, or performing fine tasks at much higher accuracy. These devices, such as exoskeleton arms, which give laborers the ability to lift a lot more weight, or smart gloves that permit surgeons to work with enhanced precision, enable the wearer to perform tasks better than they would be able to without the device. The focus is on reinforcing muscles, enhancing strength, extending endurance, or augmenting the ability to work more finely and accurately. Where muscle is the focus of the wearable, the main security threat would come from attempts to make the device perform in ways other than intended. This could either injure or hurt the wearer, or cause them to be unable to perform the task the device was intended to reinforce. A hacked exoskeleton lifting arm could be made to stall mid-lift and cause the wearer to be left holding a burden that was much heavier than they could ordinarily carry. A surgical smart glove's fineness and precision could be turned off in mid-operation, or its accuracy could be altered in a way that causes the surgeon to make mistakes and put the patient at risk.

The remaining quadrants focus on the mind. One of the main applications of wearables is to remind wearers. Captured in the memory quadrant, this might be something as simple as a smart watch reminding a sedentary office worker to stand up and move about if they have been inactive for too long, or it might be a more complex function, such as using smart spectacles or a headset to access a database while on the job. Disabling, or changing the frequency of, 'stand up' reminders on a smart watch might merely be annoying to the wearer. However, when the data being fed to a smart headset is tampered with in a way that misleads or confuses the wearer, the consequences can be far more serious.

In the measure quadrant the wearable device enhances the wearer's ability to keep informed about physical attributes. Medical devices that measure and monitor physical signals on the human anatomy are an example of this. A band on a pregnant mother's abdomen can monitor a fetal heartbeat and relay this to her obstetrician. It might be susceptible to malicious or mischievous hacking. If the device got a critical measurement wrong and reported incorrectly, the mother or the obstetrician could either overreact (e.g., adjusting their treatment) or underreact by doing nothing when they should take corrective steps. Both of these conditions could be injurious and, in some instances, fatal.

Finally, the main consequence of compromising a wearable in the mediate quadrant is that the device will fail in its task to inform the wearer when its focus is on the wearer's cognitive abilities. Stated differently, the device might fail in its task of optimizing the wearer's contextual awareness. The Safelet (http://www.safelet.com) is a smart bracelet that alerts others to the wearer's geographic presence when they might be alone in a potentially dangerous area at night, for example. If the device were to mislead the recipients of the signals into believing that the wearer was safe, when in fact they weren't, the consequences could be serious. The Lechal (http://www.lechal.com) shoe is a device that guides the wearer using GPS information and a series of pulses in the footwear to point direction. Its purpose is to prevent users from becoming lost in unknown terrain, particularly at night, and targets the visually impaired, police, and the military. By getting the user's context wrong, compromised footwear could cause them to become lost, or place them in a threatening environment.

3.3. The McCumber cube

A basic premise of cybersecurity is that organizations need to protect the confidentiality, availability, and integrity of their data (i.e., security goals) during its transmission, processing, and storage (known as data states) using technology, policy, and people appropriately (i.e., countermeasures). The McCumber cube (see Figure 3) allows managers to focus on each one of these elements individually before concentrating on their interconnectedness. Since the security of the information system relies on the joint optimization of all these elements, the McCumber cube also reminds managers not to focus on one of the elements to the exclusion of others (e.g., on technology over people).

Figure 3. McCumber cube (three axes: security goals of confidentiality, integrity, and availability; data states of storage, transmission, and processing; countermeasures of technology, policy, and people). Source: Based on McCumber (2004).

[1] See http://www.itbusinessedge.com/slideshows/five-potential-security-concerns-related-to-wearables-05.html

3.3.1. Security goals

Three security goals, confidentiality, integrity, and availability, also known as 'the CIA of data security', are the main objectives of protecting data, including when critical issues arise (e.g., natural disasters, technology malfunction, theft). Confidentiality refers to the goal that sensitive information is not intentionally or accidentally disclosed or made available to unauthorized individuals, entities, or processes. This is usually achieved through the encryption of data and access controls such as password protection of wearable devices. Many wearables today, though, are completely unprotected. Integrity means maintaining and assuring the accuracy and completeness of data over its entire lifecycle: data cannot be modified in an unauthorized or undetected manner. Integrity is enforced with cryptographic checks such as message authentication codes or digital signatures, violations are detected by logging user and device activity, and backups allow corrupted data to be restored. On wearables, this is hardly ever the case. Availability means that authorized individuals and processes need to have timely and reliable access to data and other resources for any IS to serve its purpose. Traditional enterprise information systems are backed up regularly and off-site, and organizations implement strong data recovery procedures to assure reliable access to data.

3.3.2. Data states

The three states of digital data are storage (i.e., data-at-rest), transmission (i.e., data-in-transit), and processing (i.e., data-in-use). Storage refers to inactive data-at-rest, whether this is on the wearable device itself, on a connected smart device, or in the cloud. On wearables, a lot of data are stored because of the interconnected nature of the backend databases and the need for historic reference (e.g., workout data over time). Transmission relates to data-in-transit between information systems, either over public or untrusted networks such as the internet or over more secure, private networks. For many wearables, this refers mainly to basic, unsecured Bluetooth connections or wi-fi networks that pair wearable devices with other technology, typically other mobile devices (e.g., smartphones). Legacy Bluetooth pairing with short PINs and wi-fi networks protected by weak passphrases are relatively easy to breach with brute-force attacks.[1] Processing refers to data-in-use, to data in computer memory currently being processed by applications either on wearable devices, on mobile devices, or in the cloud. Data-in-use can contain digital certificates, encryption keys, and personally identifiable information, which makes it particularly attractive to hackers who can then use the compromised data to gain access to stored data.
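The integrity goal of 3.3.1 and the data-in-transit state of 3.3.2 meet on the Bluetooth link between a medical wearable and its phone: the deception and distortion threats of the 4Ds grid both come down to a reading being altered or replayed on that link. The following is an added example, not code from the article or from any device vendor, showing the minimum a receiver needs to detect that: a message authentication code (HMAC-SHA256) over each reading plus a sequence-number check. The device name, key, field names and the reading values are constructed for the example; the article does not describe a key-management scheme, so the assumption here is a per-device key provisioned at pairing time and held by both sides. Note that a MAC gives integrity and origin authentication only, not confidentiality, and cannot help if the sensor itself is compromised.

```python
import hashlib
import hmac
import json

# Constructed per-device key (assumption: provisioned at pairing time and
# held by the wearable and by the paired phone app, never sent over the link).
DEVICE_KEY = bytes.fromhex(
    "00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff"
)


def canonical(reading):
    """Deterministic byte encoding so sender and receiver MAC identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(key, reading):
    """Wearable side: attach an HMAC-SHA256 tag over the canonical reading."""
    tag = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    return {"reading": reading, "tag": tag}


def verify_reading(key, message, last_seq):
    """Receiver side: return (accepted, reason).

    Rejects malformed messages, any reading whose tag does not match
    (modified in transit or forged without the key), and replays of an
    earlier genuine reading, which an attacker could use to hide a current one.
    """
    reading = message.get("reading")
    tag = message.get("tag")
    if not isinstance(reading, dict) or not isinstance(tag, str):
        return False, "malformed"
    expected = hmac.new(key, canonical(reading), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return False, "bad tag"
    seq = reading.get("seq")
    if not isinstance(seq, int) or seq <= last_seq:
        return False, "replay"
    return True, "ok"


def demo():
    """Walk through the genuine, tampered, replayed and forged cases."""
    # Constructed reading from a hypothetical continuous glucose monitor.
    reading = {"device": "cgm-01", "seq": 42, "ts": 1461000000, "glucose_mg_dl": 95}
    message = sign_reading(DEVICE_KEY, reading)
    results = {"genuine": verify_reading(DEVICE_KEY, message, last_seq=41)}

    # Deception: an attacker on the Bluetooth path lowers the value; the
    # tag was computed over the original bytes, so verification fails.
    tampered = json.loads(json.dumps(message))
    tampered["reading"]["glucose_mg_dl"] = 40
    results["tampered"] = verify_reading(DEVICE_KEY, tampered, last_seq=41)

    # Distortion: replaying an old "normal" reading passes the tag check
    # but fails the sequence check.
    results["replay"] = verify_reading(DEVICE_KEY, message, last_seq=42)

    # Forgery without the key: a fresh reading with a guessed tag.
    forged = {
        "reading": {"device": "cgm-01", "seq": 43, "ts": 1461000060, "glucose_mg_dl": 95},
        "tag": "0" * 64,
    }
    results["forged"] = verify_reading(DEVICE_KEY, forged, last_seq=42)
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:<9} accepted={ok} ({reason})")
```

The canonical encoding matters: if sender and receiver serialize the same reading differently (key order, whitespace), every genuine tag fails. The sequence check is what turns a bare MAC into replay protection; the receiver must persist `last_seq` per device across reconnects.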

3.3.3. Countermeasures

Security countermeasures aim to eliminate or prevent threats by minimizing their probability and/or reducing the harm attacks can cause. In the McCumber cube, these countermeasures are divided into human factors, organizational policies and practices, and security solutions embedded in technologies. Human factors refer to those individuals who use and administer information systems. In many cases, employees are the weakest link in organizational information systems (e.g., passwords kept on Post-it notes, sensitive data stored on unprotected USB drives). Measures are put in place to mitigate these risks, including narrowly defined roles (e.g., read/write permissions) and responsibilities for everyone, end-user training for device use, and education about potential threats and how to circumvent or report them.

Policy and practices refer to organizational, administrative controls that govern how data and information security are to be managed within a firm. They include policies for managing risks related to the use, storage, and transmission of data, and acceptable use policies users must agree to before they can gain access to corporate devices, networks, or the internet. Some firms maintain a formal computer emergency response team (CERT) or computer security incident response team (CSIRT), while many others maintain flexible BYOD (bring your own device) practices for wearable devices, making their use particularly challenging to manage. Especially since many wearables include cloud-based services, the contractual agreements with third parties are also of tremendous importance. Technology refers to the software- and hardware-based solutions designed to protect information systems, including anti-virus software, firewalls, and intrusion detection systems. Wearables are complex systems. Sensors capture signals from users and their environment to translate them into data. Microprocessors then turn the data into a transmittable format, and transmitters send the data on to other processing or storage technologies. All of these phases need to be protected to minimize cyber threats.

Together, these three elements of cybersecurity, namely security goals, data states, and countermeasures, offer a structured approach to assessing and managing security risk in wearables information systems. The McCumber cube focuses on information (not on technologies), suggesting that the same method remains useful as technologies mature and change. More importantly, when these elements are combined, the McCumber cube reveals 27 individual cells that offer help for managers who need to protect their wearables information system. For instance, for the combination of data confidentiality, data storage, and policies, managers ought to look very closely at contractual agreements between the wearable device vendor and any third parties they might use. How do these parties store data and how are these firms protected against breaches? Are they allowed to sell the data, either as part of their ongoing business model (e.g., to insurance companies) or in case they go out of business, as RadioShack tried when it put up consumers' personal data among the assets it tried to auction off to settle its bankruptcy (Federal Trade Commission, 2015)? In the combination of data confidentiality, data storage, and human factors, how can managers ensure their employees choose strong and unique passwords in the first place? In reality, many people reuse the same passwords across personal and corporate accounts, which is likely to increase when personal devices such as wearables are used at work. People also frequently share passwords with team-mates, which introduces new problems when disgruntled employees leave with access to their colleagues' wearable device passwords.

Working through each of the 27 cells allows managers to establish the information security of their wearables information system. They take into consideration how the key security goals (confidentiality, integrity, and availability) related to the various data states (processing, storage, and transmission) are addressed through the full range of available countermeasures (human factors, policy, and technology itself). The same framework can also be used to monitor and evaluate the information security of the wearables information system over time, an important component of a firm's risk assessment and management practices. As wearables progress and people change their behavior, new threats emerge. These risk and security management practices need to be revised and improved, based at least in part on the insights gleaned through the use of the McCumber cube. In this context, managers are advised to review their cyber liability and data breach insurance policies to ensure these cover breaches of wearable devices.
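The 27-cell walk-through and the over-time monitoring described above can be made mechanical: tag each documented control with the goal(s), data state(s) and countermeasure type(s) it addresses, then report which cells have no control at all and which cells a revised inventory has stopped covering. The script below is an added example and is not code from the article or from McCumber (2004); the control inventory, control names and axis labels in it are constructed for illustration and do not describe any real deployment.

```python
"""Gap analysis over the 27 cells of the McCumber cube for a wearables deployment.

Each documented control is tagged with the security goal(s), data state(s) and
countermeasure type(s) it addresses. The functions below report which of the 27
goal x state x countermeasure cells have no control at all, and which cells a
revised inventory has stopped covering. Control names and tags are constructed
for illustration (hypothetical, not from the article).
"""
from itertools import product

GOALS = ("confidentiality", "integrity", "availability")
STATES = ("processing", "storage", "transmission")
COUNTERMEASURES = ("human_factors", "policy", "technology")
AXES = (("goal", GOALS), ("state", STATES), ("countermeasure", COUNTERMEASURES))

# All 27 cells of the cube, each a (goal, state, countermeasure) triple.
ALL_CELLS = frozenset(product(GOALS, STATES, COUNTERMEASURES))


def _as_tuple(value):
    """Accept a single tag or a sequence of tags on any axis."""
    return (value,) if isinstance(value, str) else tuple(value)


def cells_for(control):
    """Return the set of cells a control addresses; reject unknown tags."""
    tags = []
    for axis, allowed in AXES:
        values = _as_tuple(control[axis])
        for value in values:
            if value not in allowed:
                raise ValueError(f"{control['name']!r}: unknown {axis} {value!r}")
        tags.append(values)
    return set(product(*tags))


def coverage(controls):
    """Map every cell of the cube to the sorted names of the controls covering it."""
    covered = {cell: [] for cell in ALL_CELLS}
    for control in controls:
        for cell in cells_for(control):
            covered[cell].append(control["name"])
    return {cell: sorted(names) for cell, names in covered.items()}


def uncovered(controls):
    """Cells with no control at all, sorted for stable reporting."""
    return sorted(cell for cell, names in coverage(controls).items() if not names)


def regressions(previous, current):
    """Cells covered by the previous inventory but not by the current one."""
    return sorted(set(uncovered(current)) - set(uncovered(previous)))


def report(controls):
    """Human-readable summary: a coverage count followed by one line per gap."""
    gaps = uncovered(controls)
    lines = [f"{len(ALL_CELLS) - len(gaps)}/{len(ALL_CELLS)} cells covered"]
    lines += [f"GAP  {goal:<15} {state:<12} {cm}" for goal, state, cm in gaps]
    return "\n".join(lines)


# Constructed sample inventory for a hypothetical wearables rollout.
SAMPLE_CONTROLS = [
    {"name": "TLS enforced between wearable, companion app and vendor cloud",
     "goal": ("confidentiality", "integrity"), "state": "transmission",
     "countermeasure": "technology"},
    {"name": "Vendor contract forbids resale of wearer data and requires breach notification",
     "goal": "confidentiality", "state": "storage", "countermeasure": "policy"},
    {"name": "Password manager rollout and unique-password training",
     "goal": "confidentiality", "state": ("processing", "storage"),
     "countermeasure": "human_factors"},
    {"name": "Encryption at rest on companion phone and in vendor cloud",
     "goal": "confidentiality", "state": "storage", "countermeasure": "technology"},
    {"name": "Signed firmware updates verified by the device",
     "goal": "integrity", "state": "processing", "countermeasure": "technology"},
    {"name": "BYOD registration policy for wearables on corporate networks",
     "goal": ("confidentiality", "availability"),
     "state": ("processing", "transmission"), "countermeasure": "policy"},
    {"name": "Vendor SLA with backup and restore commitments",
     "goal": "availability", "state": "storage", "countermeasure": "policy"},
    {"name": "Rate limiting and DDoS protection on cloud API endpoints",
     "goal": "availability", "state": "transmission", "countermeasure": "technology"},
]

if __name__ == "__main__":
    print(report(SAMPLE_CONTROLS))
    # Re-run against a revised inventory (here: the TLS control dropped) to
    # see which cells the revision silently stopped covering.
    print("regressions:", regressions(SAMPLE_CONTROLS, SAMPLE_CONTROLS[1:]))
```

Run as-is, the sample inventory covers 13 of the 27 cells and leaves every integrity cell except two (signed firmware and TLS) unaddressed, which is exactly the kind of blind spot the cube is meant to expose. Keeping the inventory under version control and running `regressions()` between revisions turns the framework into the ongoing monitoring step the article recommends, rather than a one-off exercise.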

4. Conclusion: Are wearables a real concern?

Many of the situations described above sound like the material of conspiracy stories and science fiction novels. Hacking into wearables to change the reading of the wearer's vitals is the modus operandi of a James Bond villain rather than a target any black-hat hacker would really be interested in. But such is the world we live in today: people often violate ''computer security for little reason beyond maliciousness or for personal gain'' (Moore, 2005, p. 258). Serious vulnerabilities in several models of drug infusion pumps in hospitals have already been discovered, which allow a hacker to secretly and remotely change the amount of drugs administered to a patient (Zetter, 2015). Doing so indirectly, via wearables, is the next logical step.

However, so far no massive data breaches based on wearables have made the news. Given the steep growth projections for the sales of wearable devices and their increasing interconnectivity with other wearables and existing information systems, this lack of bad news may have lulled consumers and firms into a false sense of security. In fact, when we think of wearables today, we mainly think about harmless devices that collect data about the person and their behavior; data that is of no interest to others (e.g., workout routines, run times, sleeping patterns). But other, more permanent and important data can also be accessed through wearables, including the wearer's date of birth and social security number. These types of personal information are many times more valuable than a stolen credit card number on the black market (Overfelt, 2015).

From a firm's perspective, there is a real concern that wearables become the new weakest technological link through which existing security measures can be bypassed, especially when these devices connect to the cloud. As more and more wearables are used for work, it is no longer just personal data that may be exposed or compromised, ''but also potentially operational data, that could be sensitive in nature'' (Maddox, 2015).

In the race to be first to market, security on wearables has not been taken as seriously as it should be by the firms who develop them, the consumers who wear them, or the firms who adopt them into their existing legacy systems and work processes. In order to reap the organizational benefits wearable devices offer, managers need to think through the entire wearables ecosystem and develop a holistic security strategy.

In this article we discussed how wearables introduce potential vulnerabilities to the device and/or the individual (in the 4Ds framework), we described the different roles the wearable device plays (in the 4Ms framework), and we showed how holistic security strategies for such devices can be developed and monitored. For the latter, we argue that managers need to address security risks based not only on the hardware and software of the device, but also on those related to the data the devices generate, the networks used, the people who have access, and the procedures and policies that deal with processing, storing, and distributing information in an organization. The McCumber cube is a framework for developing such an information assurance strategy for enterprise risk management.

The need for such strategies keeps growing for a number of reasons. Typically, legal and regulatory environments adapt to technological advancement only after about five years. This suggests the laws of today are not equipped to address many of the new threats that arise through emerging wearable technologies. Developers of wearable technologies keep moving ahead to create newer and more powerful devices, further increasing the gap between technology and the laws that govern it. In this process, ongoing support for older versions is not always assured by these developers. Firms, on the other hand, are reluctant to update all the time. Together, these two divergent interests further increase the security concerns of wearable information systems. All of these trends suggest that it is up to the firm to determine the level of risk it is willing to take versus the benefit it gets from wearable devices. The responsibility to develop, implement, and monitor appropriate wearable technology security strategies lies with the firm.

References

Federal Trade Commission. (2015, May 18). FTC requests bankruptcy court take steps to protect RadioShack consumers' personal information. Retrieved from https://www.ftc.gov/news-events/press-releases/2015/05/ftc-requests-bankruptcy-court-take-steps-protect-radioshack

Lamkin, P. (2015, November 5). Apple Watch sales hit 7 million. Forbes. Retrieved from http://www.forbes.com/sites/paullamkin/2015/11/05/apple-watch-sales-hit-7-million/#826b1645c9ac

Maddox, T. (2015, January 29). Experts discuss security, privacy, and fashion trends for wearables at CES 2015. Tech Pro Research. Retrieved from http://www.techproresearch.com/article/experts-discuss-security-privacy-and-fashion-trends-for-wearables-at-ces-2015/

Marks, P. (2011, December 20). Dot-dash-diss: The gentleman hacker's 1903 lulz. New Scientist. Retrieved from https://www.newscientist.com/article/mg21228440-700-dot-dash-diss-the-gentleman-hackers-1903-lulz/

McCumber, J. (2004). Assessing and managing security risk in IT systems: A structured methodology. Boca Raton, FL: Auerbach Publications.

Moore, R. (2005). Cybercrime: Investigating high technology computer crime. Newark, NJ: Matthew Bender & Company.

Overfelt, M. (2015, December 13). The price of the wearable craze: Less data security. NBC News. Retrieved from http://www.nbcnews.com/tech/innovation/price-wearable-craze-less-data-security-n479271

Porter, M. E., & Heppelmann, J. E. (2014). How smart, connected products are transforming competition. Harvard Business Review, 92(11), 66-68.

Robson, K. E., Pitt, L. F., & Kietzmann, J. H. (2016). Wearables, the internet of things, and the internet of people: Converging on the internet of everything. Report of the Advanced Practices Council of the Society for Information Management.

Watson, R. T., Berthon, P. R., Pitt, L. F., & Zinkhan, G. M. (2004). Marketing in the age of the network: From marketplace to u-space. Business Horizons, 47(6), 33-40.

Watson, R. T., Pitt, L. F., Berthon, P., & Zinkhan, G. M. (2002). U-commerce: Expanding the universe of marketing. Journal of the Academy of Marketing Science, 30(4), 333-347.

Zetter, K. (2015, June 8). Hacker can send fatal dose to hospital drug pumps. Wired. Retrieved from http://www.wired.com/2015/06/hackers-can-send-fatal-doses-hospital-drug-pumps/