Security Risk Assessment in Internet of Things Systems

Nurse, Jason R. C.; Creese, Sadie; Roure, David De

doi:10.1109/mitp.2017.3680959

Cited by 158 publications

(128 citation statements)

References 5 publications

Supporting

Mentioning

124

Contrasting

Unclassified

Order By: Relevance

“…Most critical infrastructure protection implementations are typically based on risk management frameworks conceived as national or global standards [3]. Risk management approaches often vary either by; the nature of approach, or by how risk is measured [29], [30].…”

Section: Risk Managementmentioning

confidence: 99%

A review of critical infrastructure protection approaches: improving security through responsiveness to the dynamic modelling landscape

Ani¹,

Watson²,

Nurse³

et al. 2019

Living in the Internet of Things (IoT 2019)

View full text Add to dashboard Cite

As new technologies such as the Internet of Things (IoT) are integrated into Critical National Infrastructures (CNI), new cybersecurity threats emerge that require specific security solutions. Approaches used for analysis include the modelling and simulation of critical infrastructure systems using attributes, functionalities, operations, and behaviours to support various security analysis viewpoints, recognising and appropriately managing associated security risks. With several critical infrastructure protection approaches available, the question of how to effectively model the complex behaviour of interconnected CNI elements and to configure their protection as a system-of-systems remains a challenge. Using a systematic review approach, existing critical infrastructure protection approaches (tools and techniques) are examined to determine their suitability given trends like IoT, and effective security modelling and analysis issues. It is found that empirical-based, agent-based, system dynamics-based, and network-based modelling are more commonly applied than economic-based and equation-based techniques, and empirical-based modelling is the most widely used. The energy and transportation critical infrastructure sectors reflect the most responsive sectors, and no one Critical Infrastructure Protection (CIP) approach -tool, technique, methodology or framework -provides a 'fit-for-all' capacity for all-round attribute modelling and simulation of security risks. Typically, deciding factors for CIP choices to adopt are often dominated by trade-offs between 'complexity of use' and 'popularity of approach', as well as between 'specificity' and 'generality' of application in sectors. Improved security modelling is feasible via; appropriate tweaking of CIP approaches to include a wider scope of security risk management, functional responsiveness to interdependency, resilience and policy formulation requirements, and collaborative information sharing between public and private sectors.

show abstract

Section: Risk Managementmentioning

confidence: 99%

A review of critical infrastructure protection approaches: improving security through responsiveness to the dynamic modelling landscape

Ani¹,

Watson²,

Nurse³

et al. 2019

Living in the Internet of Things (IoT 2019)

View full text Add to dashboard Cite

show abstract

“…Existing cyber risk assessment models [13][14][15][16][17][18][19] ignore the risk impacts of sharing infrastructure and the cyber risk estimated loss range variously 1 . Further cyber risk assessment challenges emerge from compiling of connected systems devices and platforms 4,20 . The machines are becoming social CPS [21][22][23] operating as real-time IoT systems of systems 24,25 , creating cyber risk from data in transit.…”

Section: Current State Of Cyber Riskmentioning

confidence: 99%

Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardisation of Regulations, Risk Maturity, Strategy Design and Impact Assessment

Radanliev¹,

Roure²,

Nurse³

et al. 2019

Preprint

Self Cite

View full text Add to dashboard Cite

The Internet-of-Things (IoT) enables enterprises to obtain profits from data but triggers data protection questions and new types of cyber risk. Cyber risk regulations for the IoT however do not exist. The IoT risk is not included in the cyber security assessment standards, hence, often not visible to cyber security experts. This is concerning, because companies integrating IoT devices and services need to perform a self-assessment of its IoT cyber security posture. The outcome of such self-assessment needs to define a current and target state, prior to creating a transformation roadmap outlining tasks to achieve the stated target state. In this article, a comparative empirical analysis is performed of multiple cyber risk assessment approaches, to define a high-level potential target state for company integrating IoT devices and/or services. Defining a high-level potential target state represent is followed by a high-level transformation roadmap, describing how company can achieve their target state, based on their current state. The transformation roadmap is used to adapt IoT risk impact assessment with a Goal-Oriented Approach and the Internet of Things Micro Mart model.

show abstract

“…IoT's 'dual use ability' (i.e., sold for one purpose but misused for another) is particularly relevant. Just as botnets (P18) highlight the failure of current risk assessments to consider assets themselves as an attack platform [26], future threat scenarios may also include the repurposing of IoT systems including generated data for usages than those they were originally intended for (Christopher Bull).…”

Section: Crime and Exploitationmentioning

confidence: 99%

Emerging risks in the IoT ecosystem: Who's afraid of the big bad smart fridge?

Tanczer

Steenmans

Elsden

et al. 2018

Living in the Internet of Things: Cybersecurity of the IoT - 2018

View full text Add to dashboard Cite

Rapid technological innovations, including the emergence of the Internet of Things (IoT), introduce a range of uncertainties, opportunities, and risks. While it is not possible to accurately foresee IoT's myriad ramifications, futures and foresight methodologies allow for the exploration of plausible futures and their desirability. Drawing on the futures and foresight literature, the current paper employs a standardised expert elicitation approach to study emerging risk patterns in descriptions of IoT risk scenarios. We surveyed 19 IoT experts between January and February 2018 using an online questionnaire. The submitted scenarios provided expert's perception of evolving IoT risk trajectories and were evaluated using thematic analysis, a method used to identify and report patterns within data. Four common themes were extracted: physical safety; crime and exploitation; loss of control; and social norms and structures. These themes provide suitable analytical tools to contextualise emerging risks and help detecting gaps about security and privacy challenges in the IoT.

show abstract

Security Risk Assessment in Internet of Things Systems

Cited by 158 publications

References 5 publications

A review of critical infrastructure protection approaches: improving security through responsiveness to the dynamic modelling landscape

A review of critical infrastructure protection approaches: improving security through responsiveness to the dynamic modelling landscape

Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardisation of Regulations, Risk Maturity, Strategy Design and Impact Assessment

Emerging risks in the IoT ecosystem: Who's afraid of the big bad smart fridge?

Contact Info

Product

Resources

About