STAP Journal of Security Risk Management

Cyber Risk Management in the Internet of Things: Frameworks, Models, and Best Practices

by Dr. Mohammed Almaayah and Dr. Rejwan Bin Sulaiman


Abstract

This paper contributes to the ongoing discourse by identifying key risks associated with IoT devices and environments and proposing strategies to mitigate them. The study focuses on three main objectives: (1) identifying the primary security threats affecting IoT devices, (2) outlining best practices for mitigating these risks, and (3) exploring the role of cyber risk management in securing IoT ecosystems. By addressing these aspects, the paper aims to support stakeholders in implementing more robust security frameworks, ensuring confidentiality, integrity, and safety in IoT deployments. Based on an analysis of 35 previous studies, it is evident that a variety of complementary risk management frameworks and models are available to support the secure deployment and operation of IoT devices. These frameworks have been developed for both governmental and commercial use, enabling organizations to tailor their risk management strategies to specific IoT contexts. Among the reviewed studies, seven utilized the ISO framework for risk management in IoT environments, while six applied the NIST framework. Additionally, three studies implemented the OCTAVE framework to assess and mitigate risks. Notably, nine studies each employed a distinct risk management model, including ELK Stack, PDCA Cycle, Cyber Kill Chain (CKC), CSRF, CRAMM, COBIT 5, IoTSRM2, and the Cyber Value at Risk (CVaR) model. These diverse approaches highlight the growing recognition of the need for structured, adaptable, and sector-specific risk management strategies in the rapidly evolving IoT landscape.

Keywords

Internet of Things (IoT); Risk Management; ISO Framework; NIST Framework; Threats in IoT

How to Cite the Article

https://doi.org/10.63180/jsrm.thestap.2024.1.1

References

  1. Atlam, H. F., Alenezi, A., Alharthi, A., Walters, R. J., & Wills, G. B. (2017). An overview of risk estimation techniques in risk-based access control for the Internet of Things. Proceedings of the 2nd International Conference on Internet of Things, Big Data and Security (IoTBDS 2017), 254–260.
  2. Abbass, W., Bakraouy, Z., Baina, A., & Bellafkih, M. (2019). Assessing the Internet of Things security risks. Journal of Communications.
  3. Radanliev, P., De Roure, D. C., Walton, R., Van Kleek, M., & Nurse, J. R. C. (2018). Future developments in cyber risk assessment for the Internet of Things. Computers in Industry, 102, 14–22.
  4. Parsons, E. K., Panaousis, E., Loukas, G., & Sakellari, G. (2023). A survey on cyber risk management for the Internet of Things. Applied Sciences, 13(15), 9032.
  5. Raimundo, R. J., & Rosário, A. T. (2022). Cybersecurity in the Internet of Things in industrial management. Applied Sciences, 12(3), 1598.
  6. Popescu, G. H., Nica, E., & Mocanu, R. (2021). Leaders’ perspectives on IoT security risk management strategies in surveyed organizations relative to IoTSRM2. Applied Sciences, 11(9206).
  7. Lee, I. J. (2020). Internet of Things (IoT) cybersecurity: Literature review and IoT cyber risk management. Future Internet, 12(157). https://doi.org/10.3390/fi12090157
  8. Kandasamy, V., Kandasamy, K., & Vasan, A. (2020). IoT cyber risk: A holistic analysis of cyber risk assessment frameworks, risk vectors, and risk ranking process. EURASIP Journal on Information Security.
  9. Nurse, J. R. C., Creese, S., & De Roure, D. (2017). Security risk assessment in Internet of Things systems. IT Professional, 19(5), 20–26.
  10. Bhatt, S., & Bhushan, B. (2022). Cyberattacks and risk management strategy in Internet of Things architecture. In Artificial Intelligence and Cybersecurity (pp. 51–68). CRC Press.
  11. Almousa, M., Althunibat, A., & Almalki, A. (2020). Environment-based IoT security risks and vulnerabilities management. International Conference on Computing and Information Technology, University of Tabuk, Saudi Arabia.
  12. Ntafloukas, K., McCrum, D. P., & Pasquale, L. (2022). A cyber-physical risk assessment approach for Internet of Things enabled transportation infrastructure. Applied Sciences, 12(18), 9241.
  13. Ahmed, A., Shah, B., & Khan, A. (2020). Internet of Things (IoT): Vulnerabilities, security concerns and things to consider. 11th International Conference on Computing, Communication and Networking Technologies (ICCCNT).
  14. Alagappan, A., Andrews, L. J. B., & Raj, R. A. (2022, December). Cybersecurity risks quantification in the Internet of Things. In 2022 IEEE 7th International Conference on Recent Advances and Innovations in Engineering (ICRAIE) (Vol. 7, pp. 154–159). IEEE.
  15. Millar, J., & Rapid, A. (2021). IoT security challenges and mitigations: An introduction.
  16. Lam, P., & Chi, H. (2016). Identity in the Internet-of-Things (IoT): New challenges and opportunities. Springer International Publishing.
  17. Alagappan, A., Andrews, L. J. B., Venkatachary, S. K., & Raj, R. A. (2022, December). Cybersecurity risks mitigation in the Internet of Things. In 2022 2nd International Conference on Innovative Sustainable Computational Technologies (CISCT) (pp. 1–6). IEEE.
  18. Zhang, X., Xu, M., Su, J., & Zhao, P. (2023). Structural models for fog computing based Internet of Things architectures with insurance and risk management applications. European Journal of Operational Research, 305(3), 1273–1291.
  19. Yang, Y., Wu, L., Yin, G., Li, L., & Zhao, H. (2017). A survey on security and privacy issues in Internet-of-Things. IEEE Internet of Things Journal.
  20. Shah, R., & Patel, D. (2017). Applications and challenges faced by Internet of Things: A survey. ICST Institute for Computer Sciences, Social Informatics and Telecommunications Engineering.
  21. Bhosale, S. A., & Sonavane, S. S. (2022). Cyber-security in the Internet of Things. In Artificial Intelligence, Internet of Things (IoT) and Smart Materials for Energy Applications (pp. 169–185). CRC Press.
  22. Joshua, E. S. N., Bhattacharyya, D., & Rao, N. T. (2022). Managing information security risk and Internet of Things (IoT) impact on challenges of medicinal problems with complex settings: A complete systematic approach. In Multi-chaos, Fractal and Multi-fractional Artificial Intelligence of Different Complex Systems (pp. 291–310). Academic Press.
  23. Rekha, K., Rani, K. U., & Shobha, G. (2021). Study of security issues and solutions in Internet of Things (IoT). International Conference on Nanoelectronics, Nanophotonics, Nanomaterials, Nanobioscience & Nanotechnology.
  24. Prokofiev, I., & Grinchuk, A. (2018). A method to detect Internet of Things botnets. ResearchGate.
  25. Kumar, S., Guerrero, A., & Navarro, C. (2023, June). Cyber security flood attacks and risk assessment for Internet of Things (IoT) distributed systems. In 2023 IEEE World AI IoT Congress (AIIoT) (pp. 0392–0397). IEEE.
  26. Dilawar, M. N., et al. (2019). Blockchain: Securing Internet of Medical Things (IoMT). International Journal of Advanced Computer Science and Applications.
  27. Taherdoost, H. (2023). Security and Internet of Things: Benefits, challenges, and future perspectives. Electronics, 12(8), 1901.
  28. Kagita, M. K., Thilakarathne, N., Gadekallu, T. R., Maddikunta, P. K. R., & Singh, S. (2022). A review on cyber crimes on the Internet of Things. In Deep Learning for Security and Privacy Preservation in IoT (pp. 83–98).
  29. Szymanski, T. H. (2022). The “cyber security via determinism” paradigm for a quantum safe zero trust deterministic Internet of Things (IoT). IEEE Access, 10, 45893–45930.
  30. Dorri, A., et al. (2017). Blockchain for IoT security and privacy: The case study of a smart home.
  31. Tariq, U., Ahmed, I., Bashir, A. K., & Shaukat, K. (2023). A critical cybersecurity analysis and future research directions for the Internet of Things: A comprehensive review. Sensors, 23(8), 4117.
  32. Kowta, A. S. L., Harida, P. K., Venkatraman, S. V., Das, S., & Priya, V. (2022, February). Cyber security and the Internet of Things: Vulnerabilities, threats, intruders, and attacks. In Proceedings of International Conference on Computational Intelligence and Data Engineering: ICCIDE 2021 (pp. 387–401). Singapore: Springer Nature Singapore.
  33. Yeasmin, F., & Baig, Z. (2021). Permissioned blockchain: Securing industrial IoT environments. International Journal of Advanced Computer Science and Applications, 12(4).
  34. Alawadhi, J., AlJanabi, A. M., Khder, M. A., Ali, B. J., & Al-Shalabi, R. F. (2022, June). Internet of Things (IoT) security risks: Challenges for business. In 2022 ASU International Conference in Emerging Technologies for Sustainability and Intelligent Systems (ICETSIS) (pp. 450–456). IEEE.
  35. Khan, N. A., Awang, A., & Karim, S. A. A. (2022). Security in Internet of Things: A review. IEEE Access, 10, 104649–104670.