If you can't understand it, you can't properly assess it! The reality of assessing security risks in Internet of Things systems
Jason R.C. Nurse, Petar Radanliev, Sadie Creese, David De Roure

TL;DR
This paper investigates the challenges and concerns in assessing security risks in IoT systems, highlighting the need for new approaches due to increasing complexity and automation.
Contribution
It reports on industry consultations revealing the limitations of current risk assessment methods for IoT and emphasizes the need for novel approaches.
Findings
Current risk assessment methods are insufficient for IoT complexity
Industry professionals express concerns about adopting IoT securely
Identifies key challenges in effective IoT cyber-risk assessment
Abstract
Security risk assessment methods have served us well over the last two decades. As the complexity, pervasiveness and automation of technology systems increases, particularly with the Internet of Things (IoT), there is a convincing argument that we will need new approaches to assess risk and build system trust. In this article, we report on a series of scoping workshops and interviews with industry professionals (experts in enterprise systems, IoT and risk) conducted to investigate the validity of this argument. Additionally, our research aims to consult with these professionals to understand two crucial aspects. Firstly, we seek to identify the wider concerns in adopting IoT systems into a corporate environment, be it a smart manufacturing shop floor or a smart office. Secondly, we investigate the key challenges for approaches in industry that attempt to effectively and efficiently…
