Abstract
In the Internet of Things (IoT), interconnected smart things enable new products and services in cyber-physical systems. Yet, smart things not only inherit information technology (IT) security risks from their digital components, but they may also aggravate them through the use of technology platforms (TPs). In the context of the IoT, TPs describe a tangible (e.g., hardware) or intangible (e.g., software and standards) general-purpose technology that is shared between different models of smart things. While TPs are evolving rapidly owing to their functional and economic benefits, this is partly to the detriment of security, as several recent IoT security incidents demonstrate. We address this problem by formalizing the situation’s dynamics with an established risk quantification approach from platforms in the automotive industry, namely a Bernoulli mixture model. We outline and discuss the implications of relevant parameters for security risks of TP use in the IoT, i.e., correlation and heterogeneity, vulnerability probability and conformity costs, exploit probability and non-conformity costs, as well as TP connectivity. We argue that these parameters should be considered in IoT governance decisions and delineate prescriptive governance implications, identifying potential counter-measures at the individual, organizational, and regulatory levels.
Funder
Fonds National de la Recherche Luxembourg
Publisher
Springer Science and Business Media LLC