Affiliation:
1. Carleton University, Ottawa, Canada
Abstract
Academic research has highlighted the failure of many Internet of Things (IoT) product manufacturers to follow accepted practices, while IoT security best practices have recently attracted considerable attention worldwide from industry and governments. Given current examples of security advice, confusion is evident from guidelines that conflate desired outcomes with security practices to achieve those outcomes. We explore a surprising lack of clarity, and void in the literature, on what (generically) best practice means, independent of identifying specific individual practices or highlighting failure to follow best practices. We consider categories of security advice, and analyze how they apply over the lifecycle of IoT devices. For concreteness in discussion, we use iterative inductive coding to code and systematically analyze a set of 1,013 IoT security best practices, recommendations, and guidelines collated from industrial, government, and academic sources. Among our findings, of all analyzed items, 68% fail to meet our definition of an (actionable) practice, and 73% of all actionable advice relates to the software development lifecycle phase, highlighting the critical position of manufacturers and developers. We hope that our work provides a basis for the community to better understand best practices, identify and reach consensus on specific practices, and find ways to motivate relevant stakeholders to follow them.
Funder
Natural Sciences and Engineering Research Council of Canada
Publisher
Association for Computing Machinery (ACM)
Subject
Safety, Risk, Reliability and Quality; General Computer Science
Cited by 9 articles.
1. Cyber Security in Smart Homes;Computer and Information Security Handbook;2025
2. On the Contents and Utility of IoT Cybersecurity Guidelines;Proceedings of the ACM on Software Engineering;2024-07-12
3. Security Principles in Smart and Agile Cybersecurity for IoT and IIoT Environments;Advances in Information Security, Privacy, and Ethics;2024-06-30
4. Patchy Performance? Uncovering the Vulnerability Management Practices of IoT-Centric Vendors;2024 IEEE Symposium on Security and Privacy (SP);2024-05-19
5. Internet Of Things: Sensor Layer Security Risk Mitigation Framework;2023 International Conference on Electrical, Computer and Energy Technologies (ICECET);2023-11-16