If you can't understand it, you can't properly assess it! The reality of assessing security risks in Internet of Things systems

Security risk assessment methods have served us well over the last two decades. As the complexity, pervasiveness and automation of technology systems increase, particularly with the Internet of Things (IoT), there is a convincing argument that we will need new approaches to assess risk and build trust in systems. In this article, we report on a series of scoping workshops and interviews with industry professionals (experts in enterprise systems, IoT and risk) conducted to investigate the validity of this argument. Additionally, our research aims to consult these professionals to understand two crucial aspects. Firstly, we seek to identify the wider concerns in adopting IoT systems into a corporate environment, be it a smart manufacturing shop floor or a smart office. Secondly, we investigate the key challenges for approaches in industry that attempt to assess cyber-risk in the IoT effectively and efficiently.
