Systematic Analysis and Comparison of Security Advice as Datasets
Christopher Bellman, Paul C. van Oorschot

TL;DR
This paper systematically analyzes and compares security advice datasets for IoT, revealing their evolution and highlighting key aspects for security advice providers, using a novel categorization method.
Contribution
It introduces the first systematic analysis of security advice datasets, comparing ETSI Provisions and UK DCMS Guidelines, and proposes a categorization approach for security advice.
Findings
ETSI Provisions are a positive evolution of UK DCMS Guidelines
The analysis method categorizes advice into predefined categories
Highlights aspects of security advice needing special attention
Abstract
A long list of documents have been offered as security advice, codes of practice, and security guidelines for building and using security products, including Internet of Things (IoT) devices. To date, little or no systematic analysis has been carried out on the advice datasets themselves. Towards addressing this, with IoT as a case study, we begin with an informal analysis of two documents offering advice related to IoT security -- the ETSI Provisions and the UK DCMS Guidelines -- and then carry out what we believe is the first systematic analysis of these advice datasets. Our analysis explains in what ways the ETSI Provisions are a positive evolution of the UK DCMS Guidelines. We also suggest aspects of security advice warranting special attention by those offering security advice. Such parties may find the systematic analysis method, which categorizes advice into predefined…
Taxonomy
Topics: Information and Cyber Security · Privacy, Security, and Data Protection · Access Control and Trust
