The Illusion of Control in Smart Homes: How IoT App Privacy Statement and Device Interaction Complexity Impact User Security Practices

While security experts have extensively identified risks in smart homes with interconnected Internet of Things (IoT) devices, little work has examined user-perceived control over security practices. Particularly, how the interaction complexity of IoT devices and privacy statements influence user security practices. To address this problem, we developed a threat and mental model grounded in the Illusion of Control (IoC) theory and empirically evaluated how IoT privacy statements and interaction complexity alter users' security practices. We surveyed 102 participants to measure how security knowledge, security attitude, perceived controllability, understanding of privacy statement, and perceived IoT interaction complexity impact security practices. Our findings allude to three key insights. First, overconfidence in security management weakens the adoption of secure practices. Second, users who understand and trust the privacy statement of IoT applications are more likely to engage in secure practices. Third, the results indicate that users who perceive IoT interoperability as too complex are less likely to adopt protective measures. Based on our findings, we provide recommendations to IoT security experts to develop more effective IoT security and privacy measures.