DOI:10.1007/978-3-031-05563-8_25
Article

What Makes IoT Secure? A Maturity Analysis of Industrial Product Manufacturers’ Approaches to IoT Security

Published: 26 June 2022

Abstract

The Internet of Things (IoT) carries enormous potential but also exposes products to new security threats. Even though recent years have seen several costly breaches and security experts advocate for a more proactive approach, security is often not up to par with technological innovations. But why is this so? Whereas a lot of research has been dedicated to describing technical security issues, there is a lack of research into product manufacturers’ practices of securing IoT; what challenges do they face in developing, manufacturing, and selling secure IoT products, and what resources do they have for overcoming them? Without knowledge of these empirical perspectives, initiatives to further IoT security grope in the dark.
Employing a theory of change to unfold organizational aspects of IoT security, this paper seeks to explore the socio-technical factors that shape IoT security in practice. Based on a qualitative interview study with 52 informants from 26 companies making products for industrial enterprises and critical infrastructures, this paper not only offers insights into the real-world challenges in working with IoT security, but also presents a maturity model based on three necessary conditions for companies’ ability to handle IoT security.

Published In

HCI for Cybersecurity, Privacy and Trust: 4th International Conference, HCI-CPT 2022, Held as Part of the 24th HCI International Conference, HCII 2022, Virtual Event, June 26 – July 1, 2022, Proceedings
Jun 2022
512 pages
ISBN:978-3-031-05562-1
DOI:10.1007/978-3-031-05563-8
Editor: Abbas Moallem

Publisher

Springer-Verlag

Berlin, Heidelberg

Author Tags

  1. Internet of Things
  2. IoT security in practice
  3. Organizational maturity
  4. Interview study
  5. Maturity analysis

Qualifiers

  • Article
