User values and the development of a cybersecurity public policy for the IoT

Public administrators, entrusted to develop public policy to manage the growing complexities of the IoT, face significant challenges. The challenges exist because of three reasons; First, there is a lack of policy direction. Second, user values related to cybersecurity are not well understood. Third, there is a lack of clarity as to how IoT public policy should be developed. In this paper we argue that new IoT policy should be guided by key stakeholder values (i.e. what users think to be important). We utilize the Public Value Forum to elicit public values to inform decision-making surrounding IoT policy by public administrators, conceptually informed by Rational choice theory. We use a five-phase process to introduce the decision context (i.e. the policy problem), define fundamental objectives, rank these objectives, identify value-based trade-offs between them and construct a multi-attribute utility model. The findings indicate several key themes for IoT security from the citizens themselves and decision-making administrators in diverse public agencies developing IoT cybersecurity public policy.