Asset-Driven Approach for Security Risk Assessment in IoT Systems

“…Christensen et al [48] conduct an assessment of evaluation targets, which consists of multiple assets, and identified the components that an attacker would consider valuable. Finally, Chehida et al [47] use an IoT domain model to aid in finding assets, which helps to avoid overlapping labels for assets.…”

“…Zahra and Abdelhamid [76] suggest that the context state of an IoT risk framework involves not only the collection of assets but the types of risk actors and stakeholders that could be impacted by an attack. Despite this, there is a significant lack of IoT cyber risk management frameworks that prioritise users, for example, users may be expressed as another asset type [47] rather than an individual entity. Researchers have suggested different approaches to mapping assets and users to threats.…”

“…For instance, Chehida et al [47] and Nakamura et al [64] propose that the impact of attacks on assets and users should be considered in threat analysis. In contrast, Andrade et al [44] highlight the importance of considering user interactions with real-world physical devices.…”

“…The authors use an example of a IoT threat scenario based on an attacker taking control of IoT processes. Chehida et al [47] also use EBIOS to formulate a threat list, which classifies eight main categories, for example, threats that cause physical damage (e.g., fires and damage to hardware), unauthorised actions (e.g., the corruption of data), and the compromise of functions (e.g., the abuse of privileges).…”

“…Vulnerabilities are the weaknesses in "information systems, system security procedures, internal controls, or implementation" that could be exploited by a threat source [16]. Within an overwhelming number of IoT cyber risk management papers, the identification of vulnerabilities is simply a phase within the framework and is not often expanded on [38,41,[43][44][45]47,52,55,60,65,66,70,74,76], with more emphasis on using vulnerabilities for threat modelling. For example, the use of a threat modelling phase requires exploitable vulnerabilities and how these link to threat actors [40].…”

A Survey on Cyber Risk Management for the Internet of Things

“…Christensen et al [48] conduct an assessment of evaluation targets, which consists of multiple assets, and identified the components that an attacker would consider valuable. Finally, Chehida et al [47] use an IoT domain model to aid in finding assets, which helps to avoid overlapping labels for assets.…”

“…Zahra and Abdelhamid [76] suggest that the context state of an IoT risk framework involves not only the collection of assets but the types of risk actors and stakeholders that could be impacted by an attack. Despite this, there is a significant lack of IoT cyber risk management frameworks that prioritise users, for example, users may be expressed as another asset type [47] rather than an individual entity. Researchers have suggested different approaches to mapping assets and users to threats.…”

“…For instance, Chehida et al [47] and Nakamura et al [64] propose that the impact of attacks on assets and users should be considered in threat analysis. In contrast, Andrade et al [44] highlight the importance of considering user interactions with real-world physical devices.…”

“…The authors use an example of a IoT threat scenario based on an attacker taking control of IoT processes. Chehida et al [47] also use EBIOS to formulate a threat list, which classifies eight main categories, for example, threats that cause physical damage (e.g., fires and damage to hardware), unauthorised actions (e.g., the corruption of data), and the compromise of functions (e.g., the abuse of privileges).…”

“…Vulnerabilities are the weaknesses in "information systems, system security procedures, internal controls, or implementation" that could be exploited by a threat source [16]. Within an overwhelming number of IoT cyber risk management papers, the identification of vulnerabilities is simply a phase within the framework and is not often expanded on [38,41,[43][44][45]47,52,55,60,65,66,70,74,76], with more emphasis on using vulnerabilities for threat modelling. For example, the use of a threat modelling phase requires exploitable vulnerabilities and how these link to threat actors [40].…”

A Survey on Cyber Risk Management for the Internet of Things

Research on Security Assets Attention Networks for Temporal Knowledge Graph Enhanced Risk Assessment

A Survey on Cyber Risk Management for the Internet of Things