Multifaceted Risk Assessment and Risk Countermeasure Portfolio for Internet of Things

  • Shigeaki Tanimoto, Chiba Institute of Technology
Keywords: Internet of Things, risk breakdown structure, non-cyber aspect, psychological aspect

Abstract

As global businesses now depend extensively on data, Internet of Things (IoT) sensors have become the primary source of the real-time data that enables digital transformation. According to Bain’s Insight, the IoT market will grow to more than $520 billion by 2021. The technology has already been adopted for a wide array of use cases, but due to the ever-expanding threat landscape, many customers have indicated that security remains the primary barrier to their acceptance of IoT. Current security risk management methodologies focus mostly on the cyber view. In this work, we identify 28 risk factors extracted using the risk breakdown structure method and expand this traditional view to include other aspects (physical, psychological) that are critical to business operations. Next, we propose risk countermeasures for all the extracted risk factors using a risk matrix method. Further, from a practical point of view, a portfolio of the proposed risk countermeasures is clearly indicated to enable the gradual introduction of risk countermeasures. Finally, the effectiveness of the risk countermeasures is quantitatively evaluated on the basis of the risk values. Our findings help clarify IoT security and its relation to non-cyber risks for proper implementation of IoT systems.

Author Biography

Shigeaki Tanimoto, Chiba Institute of Technology
Professor, Faculty of Social Systems Science

References

Government of Japan, The 5th Science and Technology Basic Plan, https://www8.cao.go.jp/cstp/english/society5_0/index.html

Bain & Company, Unlocking Opportunities in the Internet of Things, https://www.bain.com/insights/unlocking-opportunities-in-the-internet-of-things/

KPMG, Risk or reward: What lurks within your IoT?, https://assets.kpmg/content/dam/kpmg/xx/pdf/2017/04/risk-or-reward-what-lurkswithin-your-IoT.pdf

NIST (National Institute of Standards and Technology), SP800-30, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-30r1.pdf

Operational critical threat, asset, and vulnerability evaluation (OCTAVE), https://resources.sei.cmu.edu/asset_files/TechnicalReport/2007_005_001_14885.pdf

Project Management Institute, “A guide to the project management body of knowledge PMBOK Guide”, Sixth Edition, PMI, 2017

International Data Corporation (IDC), “The Growth in Connected IoT Devices”, https://www.idc.com/getdoc.jsp?containerId=prUS45213219

B. Ali, et al., “Cyber and Physical Security Vulnerability Assessment for IoT-Based Smart Homes”, Sensors 2018, 18, 817; doi:10.3390/s18030817

J. R. C. Nurse, et al., “Security risk assessment in Internet of Things systems”, IT professional (IT Pro), 2017, https://arxiv.org/ftp/arxiv/papers/1811/1811.03290.pdf

D. E. Kouicem, et al., “Internet of Things Security: a top-down survey”, Computer Networks, 2018, https://hal.archives-ouvertes.fr/hal-01780365/file/survey.pdf

S. Wangyal, et al., A Study of Multi-viewpoint Risk Assessment of Internet of Things (IoT), 9th International Congress on Advanced Applied Informatics (AAI2020), pp.643-648, 2020

J. Wiik, et al., Effectiveness of Proactive CSIRT Services, In 18th Annual FIRST Conference on Computer Security Incident Handling, 2006

Y. Kenmoku, et al., A Study of Assurance Level in Information Security Management - LoA Introducing Method for CSIRT Deployment -, 6th International Conference on Project Management (ProMAC 2012), 2012

ISMS Risk Assessment Manual v1.4, [Online]. Available from: https://www.igt.hscic.gov.uk/KnowledgeBaseNew/ISMS%20Risk%20Assessment%20Manual%20v1.4.pdf, 2020.7.19

S. Tanimoto, et al., “A Study of Risk Assessment Quantification in Cloud Computing,” 8th International Workshop on Advanced Distributed and Parallel Network Applications (ADPNA-2014), pp. 426-431, Sep., 2014

JNSA, 2011 Investigation Report on Information Security Incidents, 2011, http://www.jnsa.org/result/incident/2011.html (in Japanese)

Published
2021-10-31
Section
Review Papers