On the Contents and Utility of IoT Cybersecurity Guidelines
Jesse Chen, Dharun Anandayuvaraj, James C Davis, Sazzadur Rahaman

TL;DR
This study critically examines 142 IoT cybersecurity guidelines, analyzing their content, coverage, and effectiveness in preventing real-world failures, revealing gaps and strengths in current practices.
Contribution
It provides a hierarchical taxonomy of recommendations, evaluates their actionability, and assesses their ability to prevent actual security failures.
Findings
87.2% of recommendations are actionable
38.7% of recommendations can prevent specific threats
Guidelines collectively address the major security issues but miss some CVEs
Abstract
Cybersecurity concerns of Internet of Things (IoT) devices and infrastructure are growing each year. In response, organizations worldwide have published IoT security guidelines to protect their citizens and customers by providing recommendations on the development and operation of IoT systems. While these guidelines are being adopted, e.g. by US federal contractors, their content and merits have not been critically examined. Specifically, we do not know what topics and recommendations they cover and their effectiveness at preventing real-world IoT failures. In this paper, we address these gaps through a qualitative study of guidelines. We collect 142 IoT cybersecurity guidelines and sample them for recommendations until reaching saturation at 25 guidelines. From the resulting 958 unique recommendations, we iteratively develop a hierarchical taxonomy following grounded theory coding…
Taxonomy
Topics: Information and Cyber Security · Software Engineering Techniques and Practices · Software System Performance and Reliability
