Security Risk Assessment in Internet of Things Systems
This addresses the problem of security risk assessment for organizations and governments deploying IoT systems, but it is incremental as it proposes a need for new approaches rather than presenting a specific solution.
The paper argues that existing information security risk assessment methods are insufficient for Internet of Things (IoT) systems due to new risks from connectivity and system couplings, and calls for new methodologies that maintain rigor while addressing IoT dynamics.
Information security risk assessment methods have served us well over the past two decades. They have provided a tool for organizations and governments to use in protecting themselves against pertinent risks. As the complexity, pervasiveness, and automation of technology systems increases and cyberspace matures, particularly with the Internet of Things (IoT), there is a strong argument that we will need new approaches to assess risk and build trust. The challenge with simply extending existing assessment methodologies to IoT systems is that we could be blind to new risks arising in such ecosystems. These risks could be related to the high degrees of connectivity present or the coupling of digital, cyber-physical, and social systems. This article makes the case for new methodologies to assess risk in this context that consider the dynamics and uniqueness of the IoT while maintaining the rigor of best practice in risk assessment.