“…Vulnerabilities are the weaknesses in "information systems, system security procedures, internal controls, or implementation" that could be exploited by a threat source [16]. Within an overwhelming number of IoT cyber risk management papers, the identification of vulnerabilities is simply a phase within the framework and is not often expanded on [38,41,[43][44][45]47,52,55,60,65,66,70,74,76], with more emphasis on using vulnerabilities for threat modelling. For example, the use of a threat modelling phase requires exploitable vulnerabilities and how these link to threat actors [40].…”