Cyber Risk Management for the Internet of Things

The Internet of Things (IoT) enables enterprises to obtain profits from data, but it also raises data protection questions and new types of cyber risk. However, cyber risk regulations for the IoT do not exist. IoT risk is not covered by the cyber security assessment standards and is therefore often not visible to cyber security experts. This is concerning, because companies integrating IoT devices and services need to perform a self-assessment of their IoT cyber security posture. The outcome of such a self-assessment needs to define a current state and a target state, prior to creating a transformation roadmap outlining the tasks required to achieve the stated target state. In this article, a comparative empirical analysis of multiple cyber risk assessment approaches is performed to define a high-level potential target state for companies integrating IoT devices and/or services. The definition of a high-level potential target state is followed by a high-level transformation roadmap, describing how companies can achieve their target state based on their current state. The transformation roadmap is used to adapt IoT risk impact assessment with a Goal-Oriented Approach and the Internet of Things Micro Mart model. The main contributions of this paper are a transformation roadmap for the standardisation of IoT risk impact assessment, and transformation design imperatives describing how IoT companies can achieve their target state based on their current state with a Goal-Oriented Approach. These contributions are verified by an epistemological analysis defining a unified cyber risk assessment approach. They can be used for calculating the economic impact of cyber risk; for an international cyber risk assessment approach; for quantifying cyber risk; and for planning for the impact of cyber-attacks, e.g. cyber insurance.
The new methods presented in this paper for applying the roadmap include: IoT Risk Analysis through Functional Dependency; Network-based Linear Dependency Modelling; IoT risk impact assessment with a Goal-Oriented Approach; and a correlation between the Goal-Oriented Approach and the IoTMM model.
