A Survey on Cyber Risk Management for the Internet of Things

1. Introduction

The commercial growth of the Internet of Things (IoT) technology has been exponential due to the benefits to multiple organisations and individuals in a vast number of environments. IoT is changing the daily domestic life [1,2,3,4]. However, the use of this technology comes at a potential cyber risk that can impact, harm, or damage systems and users negatively. In cases, organisations may actively use IoT in a more regulated sense way, however IoT is not just for organisations, but individuals who may dwell within IoT domains that are not regulated. For example, IoT devices being used within healthcare settings and medical IoT being used at home. This difference challenges future works to consider the management of IoT domains and the issues that are specific to them.

Unlike organisations with home workers, organisations that use IoT have more control over how risk is managed due to centralised cyber risk strategies built from standards, legislation, and regulations. Unfortunately, despite centralised strategies, IoT devices carry limited security capabilities due to processing constraints [5] which impacts the ability to accurately control devices at the same level as traditional IT devices. This problem supports the need for IoT cyber risk management methods that can function alongside traditional IT but consider IoT specific issues.

At a very high level, cyber risk management is comprised of three main components: risk identification, risk assessment and risk control [6]. The risk identification phase gathers data needed for risk assessment which aims to determine risk. This determination is then used to establish risk control, which allows for the implementation and evaluation of cyber security controls to mitigate risk. Given the well-known nature of how risk management should function, many types of cyber risk management standards are available for organisations to ensure that their assets and employees are protected, with some of the most well-known coming from NIST and ISO/IEC. In the context of IoT, some methodologies may not always be fit for purpose but could be used to ensure a standardised system using well-known risk factors.

According to NIST, cyber risk is defined as the “risk of depending on cyber resources” [7] and the IoT domain is no exception. In connection, Cyber risk management is a “comprehensive process that requires organisations to: (i) frame risk; (ii) assess risk; (iii) respond to risk once determined; and (iv) monitor risk on an ongoing basis” [8]. Meanwhile, an asset is anything that has value to an organisation or a person that needs to be protected against IoT attacks [9] where using a cyber risk management model can be used to minimise the impact on users and assets with the use of a formalised process. The problem with traditional static requirements is that security controls are deployed “around the external facing nodes of a network” [10] within unchanging networks domains [11], something that is commonly dynamic within IoT. Due to this, static requirements applied to IoT security may not be most suitable due to the IoT scalability, with environments using a vast number of IoT nodes [10,11].

Another factor of concern within the IoT domain is that of users, addressing not only how they are impacted by attacks, but how they may become human vulnerabilities. The perspective of a human vulnerability within security research is often related to humans being the weakest security link, considering the potential manipulation from social engineering attacks. While technical protection for systems is important, if not used correctly or the user is manipulated by an attacker, an attack may still be successful in achieving its goal [12]. It is argued that members of the public will often acknowledge the threat of cyber-attacks but do not necessarily know the steps to mitigate them [13] and with many IoT threats, users that are not aware of how to use safeguards may be putting themselves at risk, and possibly their employers too. The human factor of cyber risk carries incredible importance, where the human weakness is often considered to be the weakest link within information security [14] and thus it is integral to ensure that organisations train employees to form awareness and understanding of cyber risks. In turn, users can succumb to a different type of attacker tactic depending on a manner of distinct factors such as emotions and awareness of security, thus requiring a personalised set of countermeasures for risk mitigation to be effective [15].

Researchers have published IoT cyber risk management frameworks targeting the risk assessment and control phases to better manage IoT cyber risk within different domains (for example smart homes and healthcare environments). Our main contribution is the surveying of papers that propose IoT cyber risk management frameworks to provide insight into how IoT cyber risk management frameworks conduct risk management processes. In doing so, we can better understand how current IoT cyber risk management frameworks work, and how they need to be improved. Our paper aims to conduct a thorough analysis of cyber risk management frameworks for the Internet of Things (IoT) that have been published in the literature.

The remainder of this paper is as follows. First, within Section 2 we outline the related work, which is followed by Section 3 which details our methodology and research questions. In Section 4 we delve into the results of the IoT cyber risk assessment portion of the survey, with Section 5 analysing the IoT cyber risk Matment survey results. Using the literature results and insights, we then make recommendations for gaps that future researchers need to fill when creating an IoT cyber risk management framework within Section 6. Finally, we form conclusions in Section 7.

2. Related Work

The National Institute of Standards and Technology (NIST) and the International Organisation for Standardisation and the International Electrotechnical Commission (ISO/IEC) both carry extensive documentation on cyber risk management. NIST carries a number of popular documents that form the basis of cyber risk management such as: NIST 800-30 “Risk Management Guide for Information Technology Systems” [16]; NIST 800-53 “Security and Privacy security controls for Federal Information Systems and Organizations” [17]; NIST-800-160 “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach” [7]; and NIST 800-39 “Managing Information Security Risk: Organisation, Mission and Information System View” [18]. NIST often works in tandem with ISO/IEC referring to one another, with ISO/IEC standards being internationally recognised, such as ISO 27001 [19] compliance being an international standard to manage information security. Despite thorough documentation, NIST and ISO/IEC predominately focuses on organisational processes and compliance, which may not be applicable for IoT domains such as smart homes. Not only this, but NIST’s cyber security framework is not translated into automated tools and do not allow for the quantification of risk, while ISO 27001 requires a level of compulsory compliance [20]. Kandasamy et al., [20] review well-known cyber risk assessment methodologies and how they are suitable for IoT domains, focusing on NIST, ISO, OCTAVE [21], and TARA [22]. The authors analyse suitability IoT, based on strengths, weaknesses, and the type of approach used. This paper primarily assesses healthcare and medical IoT devices and assessing well-known frameworks and the uses for IoT, rather than assessing novel IoT cyber risk management frameworks that consider IoT specific concepts.

Meanwhile, Heartfield et al., [23] conducted an extensive survey assessing cyber threats within smart homes, exploring attack vectors, types of impacts, and defences considering both humans and systems while providing taxonomic classification examples. For the attack vector, the authors classify areas that could be targeted within the smart home, for example wired and wireless communications. Impact types are seen as system and domestic life related, with system impact being cyber and physical while the impact on domestic life explores direct consequences to life, emotions, and user experience. For defences, the authors examine the limited existing smart home countermeasures for the smart home. The open research challenges proposed relate to the improvement of smart home defences, such as the need for cyber-physical intrusion detection systems and better cyber hygiene. While relating to IoT, this paper does not address cyber risk management methodologies, but it explores important risk factors such as threats and impact, documenting the types of threats and impacts smart home users may come across.

In comparison, Nifakos et al., [24] focuses on human behaviours that affect the security posture of a healthcare organisation. This paper also documents the types of threats and defence strategies, while assessing the impact of human factors and reviewing use cases of data breaches within healthcare; however, it does not consider IoT. The major challenge found within this work is that training and awareness for healthcare organisations need to be standardised and become inclusive, promoting cyber hygiene and a better understanding of attacks. The main difference between Nifakos et al., [24] and Heartfield et al., [23] is not only the domain addressed, but that Nifakos et al., [24] assesses well-known risk assessment standards and methodologies like NIST, using them to explore why the human factor of cyber risk is crucial.

In comparison, Lee et al., [25] contribute a literature review on IoT cyber risk management methods exploring the quantitative and qualitative approaches that organisations may use, such as NIST and ISO/IEC 27005. Due to the limited number of IoT cyber risk management approaches, the authors do not limit the literature review to IoT methods, instead they review qualitative and quantitative approaches which could be used in an IoT context. The authors concluded that none of the frameworks explicitly address IoT cyber security.

The limited number of works that address cyber risk management frameworks only address the most well-known ones such as NIST. While these frameworks provide standards and methods to best assess and mitigate risk, they do not consider the types of IoT domains and the potential differences that cyber risk management may have on IoT technology. For example, the consideration of smart homes and cyber-physical attacks may be overlooked in normal cyber risk management models. To sum up, prior surveys do not address IoT cyber risk management frameworks.

3. Materials and Methods

In this section we outline our methodology for collecting articles for our work and the research questions that were determined from reading articles. Since our aim within this survey is to review models and frameworks that dwell within the IoT cyber risk management space, we have chosen to adopt PRISMA flow modelling for our literature review process driven by Akinrolabu et al., [26] and Fernandez et al., [27]. This process establishes an eligibility criterion to find the relevant articles that we want to review.

The PRISMA flow model in Figure 1 outlines our process for collecting articles. Firstly, we identified peer-reviewed works using IoT cyber risk management keywords in the databases of ACM Digital Library, IEEE Xplore, ScienceDirect, SpringerLink, Elsevier, and MDPI. Next, we filter out papers that are not author’s native language (English) since we do not wish to misinterpret key ideas found within these works. Then we filter out papers that were published prior to 2015. We have chosen 2015 because according to Google Trends, the search terms “IoT” and “Internet of Things” started to rapidly increase in 2015 [28], we assume that this trend implies an increased level of global interest in IoT, therefore we decided to review literature from 2015 and on-wards. As according to the PRISMA protocol, we then screened articles based T+A+K, which assesses the title (T), abstract (A) and keywords (K) to determine if the paper is suitable for discussions into IoT cyber risk management models and frameworks. We then remove any duplicate papers. Finally, we review all papers based on the full content to ensure that contributions from the selected articles propose IoT cyber risk management models and frameworks.

3.1. Research Questions

Overall, we have gathered 39 papers in the domain of IoT cyber risk management. To discuss the fundamentals of IoT cyber risk frameworks, we answer four research questions based on well-known cyber risk management model from ISO 31000:2009 [29] splitting our work into two high level processes, IoT cyber risk assessment and IoT cyber risk treatment.

- RQ1: How does the current literature undertake IoT Cyber Risk Identification? IoT Cyber Risk Identification involves processes that uncover various risk parameters needed to assess risk, with cyber risk identification needing to be clearly defined so that the data collected is useful. The most fundamental risk parameters categories defined within NIST and ISO frameworks, are assets, users, threats, vulnerabilities, security controls, impact, and likelihood. For IoT, before threats and vulnerabilities can be determined, the elements of an IoT system (assets, users, and existing controls) need to be identified first, [30] which raises the question of how this is determined by current IoT cyber risk management frameworks and the way in which they do so. Traditional IT threats and vulnerabilities are well documented within many repositories, for example the National Vulnerability Database (NVD) [31] and Common Vulnerabilities and Exposures (CVE) [32]. However, IoT has the caveat of IoT’s heterogeneity components (for example sensors), which suggests that an IoT cyber risk management framework must extend existing threats and vulnerabilities to factor in IoT elements. Due to well established risk management concepts, impact and likelihood are required to assess risk. This is because impact reflects the result of an attack which lead to a degree of harmful consequences and likelihood reflects the probability of an attack [23]. IoT cyber risk management frameworks must ensure that assessed risk values are meaningful and well defined with a clear rationale. For each of the risk parameters uncovered in the IoT cyber risk identification phase, we want to know how IoT frameworks handle this process.

- RQ2: How does the current literature calculate IoT Cyber Risk? Once risk identification processes are completed, risk needs to be analysed and evaluated to make informed risk decisions in the risk control phase. IoT cyber risk calculation requires various methods to analyse and evaluate risk producing results in qualitative, quantitative, or semi-quantitative ways [33]. There are many approaches that could be used to assess and quantify risk, with IoT cyber risk management frameworks using methods like the use of risk matrices, graph-modelling, the use of vulnerability databases to uncover risk values. Without a risk assessment that calculates meaningful risk results, providing an in-depth knowledge about IoT security would be difficult. This means that comparing the results to determine if risks are acceptable (risk evaluation) [7], is much harder with critical risks potentially being missed. Given what we have discussed, we use this research question to uncover the methods used to perform IoT risk calculation to determine meaningful results.

- RQ3: How does the current literature control IoT Cyber Risk? Cyber Risk Treatment involves processes that deal with how to handle risk responses involving the action of “accepting, avoiding, mitigating, sharing, or transferring risk to organisational operations” [16]. Acclimating an effective and efficient risk response is essential to IoT systems to ensure that assets and users are protected from harm. To achieve this, risk decision making (the process of making decisions resulting in positive or negative consequences [34]), is needed to ensure that all IoT constraints and risk assessment results are factored into risk response. Controlling IoT risk can be different from traditional IT due to differing innovations and functionalities within environments that we have not seen before. Therefore, IoT risk decision making requires security goals to be clearly defined, with these goals considering the new functionalities to assure conformity. Another element relates to the number of resources (such as money and time) available to an IoT domain and the trade-off between them, for example, if a control is implemented, then it needs to be paid for [35]. Finally, risk decision making needs to be optimised by minimising negative and maximising positive consequences and probabilities [36]. Given what we have discussed, we use this research question to uncover the ways in which IoT risk control takes place, and way in which resources and security objectives are factored into frameworks.

- RQ4: How does the current literature monitor IoT Cyber Risk? Cyber risk treatment considers that the implementation of security decision making is not a static process. Risk parameters may change over time, which influences the level of risk, potentially deeming acceptable risks to become unacceptable. For example, security measures may degrade becoming less effective, a long standing issue with IoT devices as they are not always designed with security at the forefront and lack security capabilities [37]. This degrading in effectiveness requires dynamic updates to risk results and controls, including the of monitoring user and asset behaviours as well as new attacks. The remaining IoT risk upon the implementation of controls also needs to be monitored, to ensure that values do not go over a given threshold. Monitoring is integral to ensure that risk results and security measures are as accurate as possible, due to this, we want to know how IoT frameworks handle this process.

Using the above research questions, we conduct an analysis of the 39 papers in the domain of IoT cyber risk management and identified core concepts related to this field based on our findings. An overview of the survey results can be seen within Figure 2, which outlines the fundamental themes our analysis uncovers. In the next section, we explore our results by providing a literature review of the fundamental IoT cyber risk management paper’s themes and provide insight into key areas.

4. Cyber Risk Assessment for IoT Survey Results

IoT cyber risk management strategies assess and determine IoT risk based on risk assessment which uses data from risk identification processes. According to ISO [19], risk assessment can be broken down into three major processes, risk identification, risk analysis, and risk evaluation. Within the identification phase, the context of the system is built, with all entities that need to be protected being identified, as well as the potential threats to each entity. This information is then used to analyse risks, assessing probability and impact, with risk evaluation being used to determine whether risk is tolerable. Therefore, the goal of carrying out cyber risk assessments is to formulate a risk acceptance criterion, perform a risk assessment, and produce results that are meaningful [19].

For IoT cyber risk assessment, additional challenges different to traditional IT are present, with IoT breaches have been well-documented within the vast number of environments that harness IoT, with one of the most notable being the Mirai botnet DDoS attacks affecting OVHcloud, Dyn, and Krebs on Security [38]. Overall, the identification and calculation of IoT risk must consider integral differences to become sufficient, with the surveyed papers discussed in this section showing the commonalities and differences in how these processes are undertaken with an overview of the results found within Table 1.

4.1. IoT Cyber Risk Identification

According to NIST, risk identification is the “Process of finding, recognising, and describing risks” which provides the data needed for a risk assessment [7]. Assets and users are the entities that attackers may target and need to be protected. Information is needed to understand the environment [61] and provide a detailed architecture of the systems [72], which may also include users. Once assets are identified, potential threats and vulnerabilities can be uncovered. These components can combine to create negative events. Threats refer to processes or activities that increase the likelihood of such events, while IoT vulnerabilities are weaknesses that could be exploited. Subsequently, existing security controls can be identified, providing information on how each mechanism can mitigate certain threats and the extent to which they can do so. Additionally, risk parameters can be identified to determine the impact and likelihood of potential threats and vulnerabilities.

4.1.1. Identification of IoT Assets

NIST [9] defines asset identification as being the “use of attributes and methods to uniquely identify an asset”. The identification of assets may take place as part of a context-gathering phase, which supplies the information needed to understand the environment [61] and to provide a detailed architecture of the systems [72]. In the case of an IoT domain, the information provided from the identification of IoT assets and users is integral to ensuring that other risk management phases capture the most accurate results.

Despite the similarities between IoT domains, devices operate in diverse ways to achieve different goals. Seeam et al., [71] consider this concept by evaluating various IoT domains and proposing the types of assets that may exist in an environment, as well as the fundamental security goals that threats could circumvent. Meanwhile, Danielis et al., [50] use ISO/IEC 2700 to analyse risk of IoT, using primary and supporting assets that are inputted within a dedicated worksheet with the various related attributes. Within Anisetti et al., [46] an asset assessment phase is used to identify all assets for an organisation, with these assets holding value and non-functional properties.

Health related IoT like the Internet of Medical Things (IoMT) aim to automate healthcare related systems while also improving the level of care for patients. Nakamura and Ribeiro [65] concentrate on assessing OCARIoT (Smart Childhood Obesity Caring Solution using IoT potential), a platform that provides an IoT-based system to coach children into adopting healthy eating and physical activity. Within the first phase of the model, the IoT domain’s context is built, collecting information about assets. As a complement, the second phase builds a data flow diagram which shows all the points that could be attacked. In the context of wearable health devices, Tseng et al., [74] establish that assets and their value must be identified so that the accuracy of data flow diagrams can be improved, suggesting that rigorous qualitative analysis must be used to assess the value of assets. In connection, Vakhter et al., [75] focus on assessing miniaturised wireless biomedical devices and establish a model phase that enumerates protected assets that are tangible or intangible.

Smart cities hold a huge amount of data, assets, and users, which can make risk assessment difficult, with a limited number of datasets which can be used. Kalinin et al., [59] overcame this issue by synthetically creating asset datasets to simulate a large-scale dynamic network. The use of a neural network allows the authors to easily decide the types of assets used, tailored to be smart city specific. Alternatively, Andrade et al., [45] focuses on critical assets, rather than trying to identify them all. These assets may have a much higher priority due to a higher damage potential which may propagate within a smart city network.

Unlike other IoT domains, smart homes carry more freedoms due to not being bound by legislation, with users utilising devices how they see fit, which can pose a significant risk to personal life. According to James [58], one of the most critical security objectives for smart homes is to prioritise the identification of user authorisation, where only specific users should have access to resources. Ryoo et al., [70] suggest that an asset inventory of IoT devices needs to be created, with this inventory outlining the components of a smart home environment. The creation of such inventory may be automatic or semi-automatic and the information required relates to capturing device capabilities, which can be used to derive the impact on security and privacy.

Kavallieratos and colleagues [60] present another smart home model that identifies assets in the second phase of their framework, enabling the development of data flow diagrams. Parsons et al., [68] utilised an adapted version of the Health and Safety Guidance (HSG48) to determine the most appropriate assets and users that may be vulnerable to risks in a smart home. In another study related to smart homes, Ali and Awad [42] utilised the OCTAVE Allegro model, which includes a phase that collects asset information through a profile asset approach, primarily focusing on critical information assets. The authors established risk measurement criteria before this phase.

Zahra and Abdelhamid [77] propose the risk analysis methodology EBIOS [78] which also contains a context gathering phase, aiming to ensure that the IoT domain is identified and described. This phase collects information about assets, different actors and stakeholders, and the parameters that need to be considered in risk analysis. Echeverria et al., [52] incorporated a phase in their approach that establishes the purpose and requirements of the IoT domain, considering other relevant conditional factors that an organisation should consider when defining the environment.

Sometimes, an organisation may need to prioritise the most critical assets. Abbass et al., [39] propose ArchiMate. based Security Risk Assessment as a Service (ASRAaaS) which follows a “Do-Act-Check” approach starting with the creation of an inventory which contains identified critical assets using risk profiles. Christensen et al., [49] conducted an assessment of evaluation targets, which consisted of multiple assets, and identified the components that an attacker would consider valuable. Finally, Chehida et al., [48] used an IoT domain model to aid in finding assets, this helps to avoid overlapping labels for assets.

In their study, Ali et al., [43] emphasise the importance of identifying assets in IoT systems due to their complex interfaces and architectural layers. The authors illustrate this point by highlighting how a seemingly simple device like a smart thermostat can comprise of several components such as firmware, personal information, and more. These components are considered as valuable assets, and their identification is crucial for ensuring their security and protection. By providing this insight, the authors shed light on the need for a comprehensive approach to IoT security that considers the different layers and components of the system. Meanwhile, Ksibi et al., [61] focus on analysing the abnormal IoT system usage within a model that requires user’s to be identified by membership and location to devices, data which would need to be collected before the risk model could analyse risk.

Insight 1: For RQ1, assets classification needs to be dynamic, fitting various standards and prioritise valuable assets, with the ability to be updated when required. The issue with current methods is that’s specific critical assets may be overlooked, thus being forgotten in the risk management processes, with such classifications like tangible/intangible assets [75], primary/supporting assets [50], functional/non-functional asset properties [46] are not IoT specific. This poses the question of how IoT assets should be broken down, for example, should a device be more than one asset? How are device capabilities factored in? As an example of non-specific IoT assets, Al et al., [41], defines hardware as an asset type, but does not expand on how IoT hardware is classified. The main point of contention is how to ensure that sensors and actuators are assessed for risk, with the identification of these components allowing for them not to be missed. Overcoming this, Ali et al., [43] is one of the only papers that breaks down IoT devices by components, while papers like Christensen et al., [49] approaches the aspects of an IoT system that could be targeted by an attacker. There is no agreed upon method for IoT asset classification, which may be due to various IoT domains having different needs, with different assets that do different things and are controlled by different people. IoT asset classification needs to be clear to create an asset inventory (potentially for the first time in the case of IoT domains like smart homes.) for ease of understanding critical security objectives [58].

4.1.2. Identification of Users

Users require protection from IoT cyber-attacks to ensure safety and to protect users from being harmed. Zahra and Abdelhamid [77] suggest that the context state of an IoT risk framework involves not only the collection of assets, but the types of risk actors and stakeholders that could be impacted by an attack. Despite this, there is significant lack of IoT cyber risk management frameworks that prioritise users, for example, users may be expressed as another asset type [48] rather than an individual entity. Researchers have suggested different approaches to mapping assets and users to threats.

For instance, Chehida et al., [48] and Nakamura et al., [65] propose that the impact of attacks on assets and users should be considered in threat analysis. In contrast, Andrade et al., [45] highlight the importance of considering user interactions with real-world physical devices. By adopting these approaches, researchers can develop a more nuanced understanding of the complex relationship between assets, users, and threats in the context of IoT security. While users could be simply viewed as another asset, other frameworks expand on how user can be modelled within the IoT domain based on a set of attributes.

Rather than considering privileges, Ali and Awad [42] map users to assets to reflect responsibility for that asset. In contrast, Tseng et al., [74] use a trust level which defines the access that an application should grant to users using privileges and user roles to model access trust levels to aid in the creation of a data flow diagram. Additionally, with the second phase of Al et al., [41], a trust model is defined for the device, comprising software, hardware, and data on which the device relies for its security.

Another approach from Ksibi et al., [61] describes user types as the membership (insiders and outsiders) and the location of a user in connection to a device (internal or external uses). This is used with a formula that deals with the probability of abnormal usage at a storage and processing level. Finally, in our prior work, Parsons et al., [68] classified individual users by identifying their high risk behaviours, familiarity with security, as well as perception and prevention abilities.

Insight 2: Within the surveyed papers, assets and users are often intertwined, making them integral to answer RQ1. IoT devices have more enhanced capabilities than traditional IT hardware due to sensors and actuators with the involvements of a controller (such as a smart phone) or automated actions based on environmental stimuli (like motion). The papers discussing users are significantly less than assets, with users often being seen as another asset to be protected, which may be sufficient for some IoT domains. The complex relationship between assets and users poses an additional need to know how users interact with devices, with Al et al., [41] and Tseng et al., [74] using trust models to define IoT security assurance. However, IoT domains like smart homes where there is little regulation, this approach neglects human interaction and usage of the system and how this may affect risk. For example, within Parsons et al., [68] the lack or abundance of cyber best IoT practices (such as default passwords) can reduce or increase the risk level of a smart home. In turn, without understanding how users interact with devices, the link between a user and the vulnerabilities they may cause could be missed, thus critical risks could be overlooked.

4.1.3. Identification of Threats

Threats are circumstances with the potential to adversely impact organisational operations assets, or individuals using attacks that allow for “unauthorised access, destruction, disclosure, modification of information, and/or denial of service” [79] by exploiting vulnerabilities. IoT threats are the events that have the potential to adversely impact on IoT assets and users [80]. To identify threats in IoT systems, it is necessary to discover their sources and assess their potential impact. IoT risk management frameworks offer several ways to achieve this, including the use of established threat modelling methods, development of new threat models, and analysis of attack use cases.

Threat-based risk assessment for IoT involves evaluating potential risks associated with IoT devices by analysing and modelling potential threat scenarios. This approach is an essential part of the overall IoT risk assessment process, helping to identify and prioritise potential risks. As noted in [80], this approach involves modelling, developing, and analysing potential threats to determine the overall risk posed by an IoT device or network.

There are several effective threat modelling methods available, such as STRIDE [81] and LINDDUN [82]. Among these, Microsoft’s STRIDE threat model is the most widely used in IoT cyber risk management frameworks to identify and quantify potential threats. It divides threats into six categories, namely spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege [81]. This model has been extensively referenced in recent research on IoT security, including studies on threat analysis [50,60,70,71], threat vectors [43], and attack surfaces [45]. Therefore, utilising the STRIDE threat model can provide a solid foundation for comprehensive IoT security risk assessment and management.

The issue with using STRIDE is that while it is good for security risks, privacy risks are often not exhaustive making it insufficient in places where privacy is of the utmost importance. LINDDUN targets the modelling privacy related threats, these being linkability, identifiability, non-repudiation, detectability, disclosure of information, unawareness, and non-compliance [82], while DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) [83] allows for the comparing and prioritisation of threats using a rating. Since IoT poses a larger threat on privacy alongside containing attacks on sensors and actuation, modifications may be needed to capture all threats that could be high risk. To overcome this, Shivraj et al., [72] simulate their proposed framework using STRIDE, DREAD, and LINDDUN, using LINDDUN to focus on privacy risks. Tseng et al., [74] use the STRIDE and DREAD model to find the threats and the attack potential of wearable Internet of Medical Things devices, while Andrade et al., [45] use both models in the context of smart cities. functions (e.g., the abuse of privileges).

There are various methodologies available for identifying and mitigating cyber threats, and one such approach is the OCTAVE Allegro methodology, as discussed by Ali and Awad in their study [42]. This methodology includes a dedicated phase for identifying potential threats, which involves identifying areas of concern and creating threat scenarios to better understand the various cyber threats that could target smart home data. Meanwhile, Echeverria et al., [52] perform threat modelling using analysis from the OWASP IoT Top 10 project as way to identify the threats.

Pacheco et al., [67] use anomaly behaviour analysis to identify behaviours that deviate from normal operations, with anomaly behaviour being a threat to IoT systems, with this behaviour being characterised by variables such as hardware configuration and system memory. Abbass et al., [39] propose ASRAaaS (an ArchiMate based Security Risk Assessment as a service model) which uses the ArchiMate modelling language. The model analyses the potential threats for IoT systems using vulnerabilities which are assessed within attack scenarios.

Zahra and Abdelhamid [77] use EBIOS which includes assessing the context, feared events, and threat scenarios used to study risks. The authors use an example of a IoT threat scenario based on an attacker taking control of IoT processes. Chehida et al., [48] also use EBIOS to formulate a threat list which are classified into eight main categories, for example, threats that cause physical damage (e.g., fires and damage to hardware), unauthorised actions (e.g., the corruption of data), and the compromise of functions (e.g., the abuse of privileges).

Threat classifications can be used to categorise threats in simple or complex ways, with authors defining classifications based on several different factors. For example, threats may be categorised based on the types of impact that cause, such as the impact on confidentiality, integrity, and availability [59]. Threat classification can be based on attacker characteristics and the skills required to perform an attack [44,75], and the types of attackers that would target IoT systems [44].

Wangyal et al., [76] consider high level risk factors that describe how threats may manifest. These factors are categorised in cyber, physical, and psychological. Mohsin et al., [63,64] classify IoT threats by core IoT components. Context threats are non-malicious imperfections associated with processing communicating information; trigger threats are based on decision making, with triggers for actuation being blocked or incomplete where a decision cannot be made; and actuation threats are based on the anomalous behaviours that can cause denied or delayed actuation.

Attack surfaces can be used to define the threat landscape for IoT systems in its entirety. Lally and Sgandurra [62] utilise multiple threat models that relate to an attacker’s access types, for example physical, remote or application access. Rizvi et al., [69] define a threat environment for IoT network to uncover attacks on smart pacemakers, IP cameras, and Radio Frequency Identification devices using vulnerabilities which could be exploited on these device types. Additionally, James [57] define two main types of attack surfaces based on attacks associated with them local networks and public networks and users and devices interact. Nakamura and Ribeiro [65] use threat mapping to display all possible security issues that may arise and how these may have been caused, for example a threat being accidental, malicious, or natural. Pacheco et al., [66] define threat models for each architectural layer of IoT with each threat model defining the attack surface and the associated entry points.

Finally, rather than providing a method that could be used to identity threats, papers may focus more on specific use cases and attack types. In Arfaoui et al., [47] authors formulate a threat model based on IoT wireless body area networks where attacks (impersonation attacks, false data injection, false log-in attempts, sniffing, and eavesdropping ) can be dynamic. Ksibi et al., [61] assess tampering attacks targeting a smart insulin pump and Christensen et al., [49] uncover threats towards distributed energy resources. In contrast, Parsons et al., [68] use tactics from Mitre’s IoT ATT&CK matrix to formulate an example attack scenario, where an attacker acquires personal credentials to gain unauthorised access to a smart camera account, once access has been gained, the attacker uses the smart camera’s functionalities to phish home residents into paying a ransom. As part of their security assessment of knowledge within smart homes, Aiken et al., [40], focus on common attacks that smart home residents need to know, questioning users about social engineering, spoofing, ransomware, denial of service, and man in the middle attacks. Finally, James [58] and Anisetti et al., [46] spotlight the identification of attacks towards IoT sensors and actuators.

Insight 3: Another factor of RQ1 relates to identifying potential threats that exist for an IoT domain in an accurate fashion. The most common way to model IoT threats is using STRIDE [43,45,50,60,70,71]. While effective, the use of well-known threat models may not allow for all threats to be uncovered, for example STRIDE requires other models like DREAD and LINDDUN to uncover privacy risks within Shivraj et al., [72]. STRIDE and other well-known models are not explicitly for IoT, which may be an issue when finding an exhaustive set of threats within an IoT domain. Uncovering threats requires a good understanding of assets, users, and the needs they possess, where it is important to ensure all potential threats towards assets and users are accounted for, with critical threats not being forgotten.

4.1.4. Identification of Vulnerabilities

Vulnerabilities are the weaknesses in “information systems, system security procedures, internal controls, or implementation” that could be exploited by a threat source [17]. Within the IoT cyber risk management models, the identification of vulnerabilities is simply referred to into how vulnerabilities are collected and the data needed to aid risk assessment [39,42,44,45,46,48,53,56,61,66,67,71,75,77] with more emphasis on using vulnerabilities for threat modelling. For example, the use of a threat modelling phase which requires exploitable vulnerabilities and how these link to threat actors [41]. In other papers, vulnerability identification is undertaken by using various knowledge bases and methodologies that may also be used for threats, such as OWASP [52,65], NVD [51], CRAMM (CCTA Risk Analysis and Management Method) [50], MITRE’s CVE list [54,55], and STRIDE [43,60,72].

Risk-related attributes can be used to indicate vulnerabilities [70] as well as contextual information gathered by monitoring an IoT system [47] that could make it easier to find weaknesses. Lally and Sgandurra [62] link vulnerabilities to IoT security requirements, tools for testing vulnerabilities, and threat models to formulate an attack surface. Not only this, but vulnerabilities can be linked to attributes like external entities, trust boundaries, data flows, and entry points [74]. Part of this information may relate to prioritisation of vulnerabilities due to their criticality based on the potential impact [69] or an increased likelihood of being targeted [57,63]. The commonality of vulnerabilities may also be prioritised due to the potential ease of exploit [49].

Vulnerabilities may be simplified into classifications based on risk-related attributes. For example, George and Thampi [54,55] categorise vulnerabilities into software weaknesses and insecure configurations for devices and networks, while Garcia et al., [53] propose eight vulnerability types for general IoT domains. Within James [58], vulnerabilities are associated within a single or multi-state state attack, where more complex attacks use a vulnerability to have multiple outcomes. In contrast, Rizvi et al., [69] uncover vulnerabilities for several devices, these being smart pacemakers, IP cameras, and Radio Frequency Identification devices (RFID).

Wangyal et al., [76] propose a classification approach for identifying and assessing cyber risks in IoT systems. The approach categorises threats and vulnerabilities into different risk categories based on attacker factors, such as cyber, physical, and psychological. In addition, the approach also considers the specific IoT components that an attacker might target, such as software or hardware, and breaks down vulnerabilities based on these targets. An attacker’s capabilities may also play a part in identifying vulnerabilities [64].

One subset of IoT vulnerabilities relates to human vulnerability/human weaknesses in relation to IoT systems. Human vulnerabilities express the ways that humans can be vulnerable to IoT attacks, which is increasingly more concerning with the large amount of personal information and increased attack surface brought by IoT technology [84]. While an IoT device’s software can be updated and patched, humans are not as simple. Humans may be susceptible to psychological attacks or simply not be aware that their actions could lead to an attack. For example, if a user were to fall victim to social engineering, the reason may be a lack of training and awareness of what social engineering is and how it can compromise a system. This notable increase is due to there being more mediums for social engineering than before [85], with IoT devices carrying more capabilities than traditional IT.

Risky user actions can pose as IoT weaknesses, where users with a higher risk appetite can increase the likelihood of an attack happening due to the lack of cyber hygiene. Cyber hygiene refers to the regular good practices and mitigation methods that help maintain security, with lacking cyber hygiene hampering an IoT domain’s ability to respond to attacks [86,87]. Examples of high risk actions include not changing passwords/usernames [73], the use of unknown public networks [58], and not receiving training when it comes to IoT security [76]. The lack of security knowledge and awareness [40,61,68] refers to potential lack of security knowledge and awareness of a user about IoT security. Users may become vulnerable to cyber threats due to a lack of training, which can prevent them from understanding how to prevent or respond to such threats. This vulnerability also increases the risk of falling prey to social engineering attacks [42,44,68], such as phishing, which exploit personal factors to gain access to sensitive information. For instance, a user’s emotional state and lack of knowledge regarding social engineering attacks can make them more susceptible to such attacks.

Another common high risk action is the misconfiguration of IoT systems [44,55,57,67], where users configure an IoT system incorrectly or in a fashion that is not secure, for example not setting up two-factor authentication. Finally, the potential misuse of systems [42,49,57,67], which may be intentional with users using a system to perform an attack (e.g., spying or eavesdropping) or unintentional where users choose to ignore some security mechanisms, e.g., bypassing security processes when using their devices.

Insight 4: The main objective of uncovering IoT vulnerabilities is to clearly define exploitable weaknesses that may become an IoT threat event and dealing with these. Within RQ1, we stated that IoT cyber risk management frameworks need to extend existing threats and vulnerabilities to factor in specific IoT elements. A common theme within the surveyed papers is the consideration of human vulnerabilities due to a lack of cyber hygiene. The main benefit of identifying human vulnerabilities is the understanding of human to asset weaknesses that could affect security, something that is especially important in IoT domains with little to no regulations. Discovering the types of high risk user actions puts focus on basic IoT practises and easy fixes that can reduced risk, for example encouraging the use of different passwords/usernames from other accounts [73]. Cyber IoT vulnerabilities can be gathered from IoT knowledge bases, with OWASP, NVD, and MITRE’s CVE list being some of the most common. However, these bases are not always applicable to all IoT domains, works like George and Thampi [54,55] and Garcia et al., [53] use proposed classifications to overcome this. The issue is that unlike traditional IT systems, IoT vulnerabilities (and by extension threats) need to consider non-traditional weaknesses, for example sensor-based attacks and insecure sensor hardware.

4.1.5. Identification of Controls

Security controls are “management, operational, and technical controls” [88] that are used to protect assets and users in different ways. A limited number of papers consider the identification of security controls to facilitate IoT risk assessment. In the context of smart homes, Parsons et al., [68] consider the efficiency of safeguard measures that already exist within a smart home, assessing the quality of awareness-based and practical defences in addition to how these can influence the IoT risk score.

Within the SKIP (Self-assessment, Knowledge, Infrastructure, and Practices) survey framework from Aiken et al., [40] knowledge-based questions consider IoT-specific cyber security areas, collecting information about a smart home’s infrastructure and practices. Details about IoT controls are collected here, examining the existing security systems in place, and establishing the network within the home. On the other side, practices centred questions relate to the self-reporting of best security practices and the extent implemented.

In the context of security, readiness refers to how prepared users are to identify, prevent, and respond to cyber-attacks. Within Alsubaei et al., [44], readiness is used to understand the ease of an IoT attack based on the extent that an IoT domain is prepared to detect, report, and respond when an attack occurs. Expanding this, Ksibi et al., [61] also represent the readiness of a device to detect and react, considering IoT security functions, like encryption and intrusion prevention mechanisms, embedded within the device or controller (like smart phones). These authors also use the lack of security knowledge of the users, which reflects an increase probability of successful attacks. In addition, the authors address the cyber risks at the network level, storage, and processing level, which both incorporate control-based risk factors. Since IoT devices are limited in security capabilities, device readiness may be weaker than expected, with readiness relying on uses to carry IoT cybersecurity knowledge and training.

Insight 5: Another factor of RQ1 is to identify pre-existing controls that reduce risk and the effectiveness on doing so. Surveyed papers involving control identification are limited, which is an issue for IoT domains that don’t have clearly defined controls. In turn, controls that are already reduce risk need to be factored into the risk assessment phase to ensure that risk results are accurate. Overcoming this, the readiness of an IoT domain could be studied by assessing the ability to detect and react to threats from an asset and user perspective much like within Ksibi et al., [61] and Alsubaei et al., [44].

4.1.6. Identification of Impact

Simply put, impact is the “consequential magnitude of harm” from an attack [17]. Users and assets can be impacted by attacks in different ways. Providing specific details about the potential types of impact can help to ensure that a risk model accurately predicts the number and severity of potential losses. The CIA triad, which includes confidentiality, integrity, and availability, has been widely adopted as a suitable model for traditional IT systems and is integral to ensuring information security.

Regarding cyber risk, papers measure the impact of a threat event as the level or amount of CIA (confidentiality, integrity, and availability) loss [44,46,48,50,51,52,53,68,69]. For IoT systems, it is crucial to consider the impact on network performance and how security controls may affect network functionality, given the trade-off between security level and impact on network performance [47]. One significant difference between IoT and traditional systems is the extensive use of automation, which poses new threats that may impact the cyber-physical operation of devices. Therefore, cybersecurity measures should prioritise privacy, trust, and accountability to mitigate the risks of cyber-physical impacts that can be both cyber and physical-based.

The concept of cyber-physical impacts involves understanding the potential physical impacts that users may experience because of a cyber-attack, which can lead to real-world consequences. For the use of IoT within organisations, 10 papers consider impact factors that affect organisational operations [42,44,45,53,61,66,68,71,72,77]. First, three of the frameworks refer to “business impact” to describe the cumulative impact on a business, with factors that could vary depending on the business’s practices [53,71,72].

One specific type of impact on a business is the decline in reputation for an IoT domain, company/provider [66], with attacks causing negative press. In turn, a loss of reputation could also mean the reduced value of a company/provider’s worth [42,61], with Alsubaei et al., [44] defining that the brand value loss is any tangible or intangible losses caused by an attack which can affect an organisation’s integrity (reputation), which then leads to a loss of a brand’s worth [44]. In contrast, attacks may cause operational impacts [45] meaning that a system no longer functions in the required way, which could then negatively impact enterprise/vocational activities [68,77].

The direct impact of an attack on users contains several factors that affect day-to-day lives. However, the most extreme relates to human autonomy. The impact to life refers to the user’s health being put at risk (especially in the case of IoMT environments) as an attack could be life-threatening, [61,77] which puts a user in physical danger [44], makes them unsafe [66,67,68], or leads to loss of life [65,75]. In a more psychological angle, one paper targeted emotional impact on individuals [68]. This explores the emotions, attitudes and behavioural changes that are seen within the user once an attack has occurred with these feelings being dependent on how serious an attack is and the personality of the individual.

The impact of a cyber-attack on a user’s well-being can affect how they use other devices and their level of trust in those devices. In turn, attacks may lead to losses of important services, e.g., taking away essential services (such as water and power) [45]. This is reflected within Pacheco et al., [66] where there is a potential loss or wasting of energy which costs an individual or organisation extra money to takes away invaluable resources needed to power a city. Other impact types relating to the loss of time [67], resilience, security, and reliability [65] of IoT services, can be considered with typing being dependent on an IoT domain’s needs. One of the most common IoT impacts towards both individuals and organisations is financial loss due to a successful attack [42,44,54,61,66,68]. When an IoT system is compromised, both individuals and organisations will need to recover and control the ongoing damage requiring a significant budget [44].

Meanwhile, another notable impact type is the loss of privacy that could be inflicted on users [42,44,65,68]. Researchers may consider the direct invasion of personal privacy which leads to the loss or disclosure of personal information [42,44,50,61,69] and physical privacy because of an attack. This loss of privacy could also propagate to individuals and organisations suffering a loss of control over a system [42,67], which results in unauthorised access and unauthorised execution of device operations [42]. This may occur when an attacker hijacks a system and takes full or partial control of a system, leaving users unable to use a device correctly and decreasing the amount of control they have over a system. While an attacker could inhibit functions of a system, an attacker could use their enhanced control to conduct other attacks, such as spying and social engineering.

Insight 6: As discussed to within RQ1, determining the value of impact and the types of impact that assets and user may suffer is an integral component of IoT risk. Impact needs to be estimated and well defined to ensure meaningful results when used within risk assessment. Different types of IoT impact depend on the priorities of the IoT domain and its context, for example the functionality of devices. While CIA is important cyber impact for IoT, it does not encompass the physical, real-world damages they could occur. Overcoming this requires frameworks to focus on the domestic life and business impact depending on IoT setting. On one hand, impacts like privacy and monetary losses correlate to well-known traditional IT consequences, while other IoT impacts, such as the loss of essential services [45] also need to be considered.

4.1.7. Identification of Likelihood

In risk management, likelihood simply refers to the “chance of something happening” [7]. Likelihood can be represented in a qualitative, quantitative, or semi-qualitative way with IoT cyber risk management frameworks commonly using numerical scales, [46,47,50,51,54,55,59] and quantitative scales [65,76,77].

In IoT cyber risk management literature, the most used likelihood parameter is the probability of an attack occurring [41,58,64] to predict the change of an attack happening, given the configuration of a device, different attack capabilities can be used, which affects the likelihood of exploitation. In cybersecurity literature, the most used likelihood parameter is the probability of a cyber-attack occurring [41,58,64]. This probability can be used to predict the likelihood of an attack happening, given the specific configuration of a device.

Andrade et al., [45] utilise the likelihood of an IoT vulnerability being used to trigger a successful attack while also monitoring maintained behaviour over time, considering the probability a node would be violated again based on prior behaviour. Echeverria et al., [52] use the OWASP IoT Top 10 to predict the probability of an IoT threat occurring while Shivraj et al., [72] present the likelihood of attacks on each specific IoT network node.

Rather than estimating the probability of an attack occurring, Tseng et al., [74] focuses on probability of an IoT vulnerability causing damage due to threat exploitation. Meanwhile, Arfaoui et al., [47] consider the frequency of being IoT system being targeted to better understand the number of times an attack may occur, and Kavallieratos et al., [60] consider the probability that a vulnerable IoT node can be infected, recover, and become vulnerable again.

Several factors can influence the probability of an IoT attack occurring. In some cases, researchers target IoT attributes that would allow an attacker to conduct an attack. Christensen et al., [49] uses a methodology which assess the skills, physical accessibility, logical accessibility, the attack vector, and vulnerabilities that an IoT attacker would need to uncover the likelihood of potential threats. Vakhter et al., [75] define the probability of an attack based on the IoT attacker’s expertise, equipment, physical proximity to a system, device assess time, and IoT device information.

Ksibi et al., [61], Alsubaei et al., [44] and Garcia et al., [53] assess attacker capabilities (ease of attack) and motivation as well as the readiness of a healthcare provider to defend against attacks. Within Alsubaei et al., [44], readiness is represented user’s lack of training and knowledge as well as the degree to which a healthcare provider is prepared to ”detect, report, and respond“ to an attack. In turn, Parsons et al., [68] consider the risk appetite of users, referring to how high risk behaviours can affect the likelihood of an attack happening and gauging whether users can effectively prevent and respond to attacks.

Insight 7: In line with RQ1, the probabilities surrounding threat events need to be identified. IoT likelihood needs to also need clearly defined, for example the probability of an attack occurring [41,58,64] or the frequency of an IoT system being targeted [47]. Predicting attacker attributes attached allows for a better understanding of how easy an attack may be. with attributes such as accessibility, skills, and equipment being common themes with surveyed papers. Overall, an IoT likelihood scale needs to be suitable for the assessed environment based on the types of attacks that can be faced, this also means identifying the factors which can affect the likelihood.

4.2. IoT Cyber Risk Calculation

At the basic form, the level of cyber risk is the “magnitude of a risk or combination of risks, expressed in terms of the combination of consequences and their likelihood.” [7], with this phase using the identified risk parameters. Risk calculation is often expressed in a qualitative, quantitative, or semi quantitative way depending on how comprehensible a risk level needs to be. The most common method of calculating risk is to use “risk equals likelihood multiplied by impact”, a simple formula that forms the basis of how risk can be defined. However, within IoT cyber risk management frameworks risk calculations can be used in different ways. We find we establish that common ways to calculate risk involve graph-modelling, risk matrices, existing vulnerability databases and scoring systems, the formulation of threat knowledge bases, and the use of weighted risk formulas.

4.2.1. Use of Graph Modelling

Within cyber risk management, graph modelling represents how an attacker can infiltrate a network using graphical models to show the potential attack paths that could be used, using such concepts as nodes, edges, and dependencies. It is very common to model data flow and interaction within networks to better understand the areas with high risk, and how a risk could propagate to other nodes. As an example, Mohsin et al., [63,64] formulate IoT network topologies using network mapping to form a connected graph to show the relationships between nodes. Not only this, but the authors also use plotted comparative graphs to show risk exposure scores to different attacks [64].

Bayesian networks are acyclic graph models that are probabilistic, depending on random variables and dependency. Due to IoT data not always been completely known, Bayesian networks can be used to infer the posterior probability distribution of unobserved variables, given evidence, or observed values for other variables in the network [45].

Andrade et al., [45] use Bayesian networks to visualise smart city states and connections of the nodes and estimate probabilities that may not be known. To account for changes over time, dynamic Bayesian networks can be used as a temporal extension to better model probabilities, which can help in providing updated estimates for IoT systems.

In connection, Shivraj et al., [72] propose a generic IoT risk assessment model using a weighted acyclic graph upon modelling information flow within an IoT network. The weighting system signifies priority paths and high impact and accounts for the increased risk in more vulnerable parts of an IoT network. The links between nodes reflects the dependency one node or another depending on link direction with nodes also being able to control other links. To demonstrate attack scenarios, an attack vector is formed which consists of aggregated likelihood and cumulative business impact at an IoT node. This allows the risk of a directly attacked node/edge to be computed using the aggregated risk of a node due to other nodes of differing dependency.

A flow network is a directed graph where a flow starts from a source node and reaches a sink node with no dispersion. Anisetti et al., [46] use these graphs to solve the question of how much IoT risk an organisation can mitigate. The risk value of each IoT asset can be used to find the total maximum flow given the degree of risk mitigation for a mechanism. In contrast, Ivanov et al., [56] use oriented graphs (directed graphs with no symmetric pair of directed edges) with arc identification representing compromised IoT nodes alongside the possibility of exploiting the vulnerability of the node. The criticality of compromise is computed for each node with the sum of criticality values to reflect the total risk.

Kavallieratos et al., [60] propose an IoT algorithm that can model and visualise the dynamic changes that occur in a smart home network topology. The algorithm also includes a study of the propagation of infection using attack graphs. A smart home network topology is simulated, generating a vector for a risk input parameter, which is followed by the IoT node and edge generation. The algorithm then visualises a smart home network topology with the given IoT risk metrics while considering malfunctioning or intermittent availability out of a user’s controls. To find IoT risk, the algorithm uses a conditional probability function which determines the state of risk, describing these states as vulnerable, infected, quarantined, healthy and intermittent.

George and Thampi [54] propose an IoT graphical model that captures multi-stage and multi-host IoT attacks through the linking of vulnerabilities found within networks, using graph modelling to uncover vulnerability patterns. Here, a probabilistic metric is applied to the corresponding edge nodes in the graph, and this enables the computation of a cumulative risk corresponding to each attack path. Here, IoT Vulnerabilities are assessed based on their ease of exploitability, by analysing the set of all vulnerabilities that can be exploited on each device within an Industrial IoT (IIoT) network. This provides a better understanding of the overall security posture and exploitable vulnerabilities in the network.

George and Thampi [55] focus on a multi-attacker and multi-target graphical model aimed at showing attack paths to target nodes within IoT edge computing networks. Vulnerability graphs can be created to better understand the potential attack paths that an attacker may use to exploit vulnerabilities in a system. These graphs can help to identify potential entry points and types of vulnerabilities that can be exploited. This is done by estimating the likelihood of an edge device being targeted, which can then be used to find the cumulative likelihood of all attack paths from attackers.

Duan et al., [51] use a Hierarchical Attack Representation Model (HARM) [89] for IoT. This is a two-layer hierarchy model which is used to separate network topology information and vulnerability data from each node. IoT risk is calculated using the probability of a successful attack on each node, with multiple vulnerabilities being represented by AND and OR logic gates, where AND shows that all IoT vulnerabilities must be exploited to compromise the node and OR means that an attack can gain control by exploiting even only one of them. Finally, the IoT risk of different attack paths is represented as the accumulation of all node risk values, which allows for the highest risk paths to be assessed.

James [57,58] proposes the use of finite state automata to demonstrate state transitions as an attacker exploits vulnerabilities in IoT systems, rather than focusing on data flow. This approach can be used to determine the potential success of an attack by analysing the various states an attacker would go through when attempting to exploit vulnerabilities in the system. Attack transition flow can be represented visually in transition graph showing the requirements needed to reach the next state. This transition could be simple, for example a single state or multi state attack with states that are in succession to one another. In the case of a more complex IoT attack, there may be multiple state transition pathways, making it non-deterministic, and providing the attacker with several options to take.

Insight 8: Within RQ2, we stated that we want to know the ways in which IoT risk is calculated. Graph modelling provides a holistic view of an IoT network’s relationship between nodes and dependencies, modelling data flow and interaction visually using directed graph types [56]. IoT networks and attacks can be simulated, displaying the paths of single and multi-state attacks [57,58] and entry points that an attack could use [55]. IoT risk formulas and values can be integrated onto graphs to show risk, for example criticality of compromise [56], which allows for a thorough risk evaluation. Noticeably, Bayesian network graphs are most used within cyber risk assessment papers due to a lack of known data and uncertainty around impact and likelihood values. A dynamic modelling approach that can re-calculate risk upon changes is needed for IoT networks to ensure that risk result is correct, which also allows for the calculation of risk mitigation when a control is implemented [46]. Consequently, the surveyed papers do not seem to consider a user’s relationship to an asset within an IoT network, which negates the analysis of good cyber hygiene.

4.2.2. Use of Risk Matrices

A risk matrix is a well-known method used to describe the probability and impact associated with an attack [90] which can be used to produce a risk value in a qualitative or semi-quantitative way. Wangyal et al., [76] analyses IoT risk using a risk matrix which describes risk probability and impact, resulting in a qualitative risk result based on the risk response: avoidance, mitigation, transference, and acceptance. Meanwhile, Shivraj et al., [72] represent the impact at a IoT network’s node using an impact matrix, with this then being integrated to show the cumulative impact for an attack vector. In contrast, George et al., [54,55] utilise an adjacency matrix to indicate IoT hot spots in a network and how they are connected within the system In addition, to define IoT risk, George et al.,[54] finds the cumulative IoT risk of an attack pathway and represents it as a threat score matrix, mapping the nodes and links of a pathway with the calculated score.

Vakhter et al., [75] use risk matrices as part of a three-tiered scoring system based on IoT threat characteristics that affect impact severity and probability of an attack occurring. Upon the creation of a risk matrix, different colours are used to represent the various levels of risk from very low to very high, allowing for risks to be prioritised, with the authors suggesting the modification of a risk matrix to prioritise impact in cases were an IoT attack could threaten life.

Nakamura and Ribeiro [65] express the probability and impact of IoT attacks using a measurement criterion of low, medium, and high, which is then utilised in a risk matrix to evaluate different attack scenarios. For example, a low-impact and probable IoT attack scenario would be considered low risk. The risk matrix provides a basic calculation to express the risk value associated with each attack scenario, making it easier to identify and prioritise potential risks. Unlike prior papers, the Common Vulnerability Scoring System is used by Ali and Awad [43] to formulate a threat score matrix for smart thermostat components using STRIDE, where each STRIDE attack group is mapped to various system components (e.g., firmware and credentials) by threat scores (such as high and critical levels of threat). Danielis et al., [50] use a STRIDE-per-element matrix that shows attacks based on STRIDE mapped to system components. However, the STRIDE-per-Element matrix often excluded threats that were relevant, such as all data flows being affected by spoofing attacks rather than others like man-in-the-middle attacks.

Wangyal et al., [76] have adopted a project management approach to assess IoT risks, which includes a three-step process for formulating the risk assessment process. The first step involves gathering risk specifications through a literature survey. By reviewing existing literature, the authors can identify potential risks and develop a better understanding of the overall risk landscape for IoT systems. Upon finding 28 risk factors, these are analysed using and risk matrix, mapping the risk probability and impact of risks, classifying them based on risk avoidance, risk mitigation, risk transference, and risk acceptance. Finally, the risk evaluation phase which evaluates proposed countermeasures and quantifies the risks using a risk formula. The formula first finds a risk value based on the approximated asset value, value of threat, and value of vulnerability, with the second using impact, probability, and value of vulnerability.

Within Echeverria et al., [52] proposed a risk assessment model that considers hardening processes, which is aimed at minimising the attack surface. The authors use compliance class scores based on CIA impact, For example, class one reflects a limited impact on the IoT system where a low potential impact on confidentiality, a medium potential impact on integrity, and a medium potential impact on availability. The risk matrix describes the compliance class score and an attack’s probability of occurrence, shown within a scale of sale of 1 to 10, which reflects critical, high, medium, low, and null risk levels.

Since IoT and attacker behaviour are non-deterministic in nature, Mohsin et al., [64] use a Markov Decision Process model to represent system states. The authors use a transition probability matrix which represents the transition probabilities of all state transitions, since moving from one state to another within an IoT system is probabilistic based on the current state and the action that triggered the transition. This non-deterministic and dynamic nature is also reflected within Andrade et al., [45] who use dynamic Bayesian networks to model the dynamic nature of IoT and produce probability of attack matrix is also used to express the conditional probability.

Chehida et al., [48] propose a methodology for assessing cybersecurity risks in water management systems. After uncovering the assets in the system and creating a threat list using EBIOS, the authors use a threat-asset matrix to map potential threats to each asset. This mapping allows each threat to be linked to specific security objectives and the countermeasures needed to achieve those objectives.

Insight 9: Another method for RQ2 is the use of a well-defined IoT risk matrix, which can be an easy way to show risk. It is integral for a risk matrix to have a defined set of risk values that allow for the evaluation of risk. A basic IoT risk matrix displays risk by mapping a threat by its impact and likelihood value, for example, Vakhter et al., [75] denote risk on a very low to very high scale depending on impact severity and probability of an attack occurring. Interestingly, IoT risk matrices are often used in connection to another methods, for example a risk matrix can be used alongside graph modelling, with George et al., [54,55] using graphs and a corresponding adjacency matrix. The non-deterministic nature of IoT and attackers needs to be considered when assessing risk, with an IoT risk matrix potentially being used to model dynamic system nature, for example producing probability of attack matrix from a Bayesian network model [45] or using a Markov Decision Process model to produce a transition probability matrix [64].

4.2.3. Use of Threat Knowledge Bases

According to NIST, threat intelligence is the information that has been “aggregated, transformed, analysed, interpreted, or enriched” [91] to provide context for decision-making. In the context of IoT, this means collecting applicable IoT threat information from various sources to form a threat knowledge base that can be used within IoT cyber risk management frameworks. Creating an IoT threat knowledge base allows an organisation or individual to assess threats and vulnerabilities that may not be considered in traditional IT system knowledge bases, for example sensor and actuator threats.

Zahra and Abdelhamid [77] build a knowledge base for estimating security needs and sources of IoT threats by using attacks found within EBIOS. They attribute baseline values of severity and likelihood to each attack and uncover sources for these attacks. This knowledge base can be used to carry out risk assessments by estimating the risk associated with different threat scenarios, where one or more attacks may take place. The associated risk values can then be combined to find the total risk of these scenarios. In contrast, Chehida et al., [48] also use EBIOS attacks to form a threat list, which is then used to map threats to threat classifications and assess their potential impact on systems based on the CIA model. However, they do not provide direct impact values for the attacks.

Alsubaei et al., [44] use current IoT literature to develop a taxonomy for the security and privacy of medical IoT. This taxonomy is used to determine the architectural layers of IoMT and identify potential attacks that may target these layers.

To expand the threat knowledge, attack properties such as the difficulty of attack, CIA impact applicability, the method of carrying out each attack, the level of compromise, and the origin of the attack can be associated with each attack. This approach is used in various works, such as Ali and Awad [42], who curate smart home threats and link impact types, assets, and risk scores to them.

The use of a defined criteria to estimate the impact and likelihood can be easily applied to vulnerabilities as shown within Nakamura and Ribeiro [65]. Here, the authors categorise low, medium, and high values using strict definitions. For example, a vulnerability with a high likelihood of exploitation would typically have a history of malicious incidents, motivated threat agents who can exploit the vulnerability, and assets that contain the vulnerability.

In turn, each risk uses a simple impact multiplied by likelihood calculation that produces a risk score, which is linked to a multidimensional matrix that displays the attack pathway, threat agent, associated assets, and threat that represent each risk. Tseng et al., [74] utilise DREAD as part of the criteria to estimate the potential of attacks. They produce a table of threats ranked by potential damage, reproducibility, exploitability, the number of affected users, and discoverability. The authors use a scale of high (3), medium (2), and low (1) to rank each of these criteria. As an example, an attacker that performs a man-in-the-middle attack targeting an IoT mobile application is rated as a medium risk as the total DREAD score is 8 out of 15, with reproducibility being the highest rating due to the ease of attack.

Within Pacheco et al., [67], a smart water security development framework is presented which reflects a 2-D architecture that can be used to assess risks within a smart water system. This framework focuses on capturing the attack surface, impact, and priority planes at different architectural layers (end device, communications, services, and application layers). The threat knowledge bases are formed by focusing on attack surfaces within each layer and associating impact types and priorities within each. For example, at the communications layer one attack surface is protocols, which can impact Control, human safety, time, money, and energy is an identified as high level priority.

Threat knowledge may require IoT cyber risk management frameworks gather data from users to better understand human vulnerability. Parsons et al., [68] take this into consideration and assess various parameters that could affect impact and likelihood of attacks based on user actions. Here, high risk behaviours, security familiarity, the ability to perceive and prevent attacks, as well as the impact and efficiency level of each user are used to curate risk profiles and analyse the effect of user action on how risk can be predicted.

Insight 10: In reference to RQ2, IoT threat knowledge bases are repositories containing all the risk knowledge needed to calculate risk and the calculated total risk given a threat event. A new IoT threat knowledge base can prioritise a particular IoT domain and allow for threat event ranking based on risk scores, Notability, there is no single knowledge base that exists for IoT, which requires new bases to be created. Since there is no agreed upon knowledge base method, different approaches can be used to ensure that risks values are evaluated. It is notable who works such as Zahra and Abdelhamid [77], use existing IoT works to form knowledge bases, such as the use of traditional IT bases like CVE and EBIOS. The creation of an IoT threat knowledge base allows for many risk totals based on simple likelihood x impact scores per threat event, which could calculate using a matrix. Given that a new repository may need to be formed, user cyber hygiene can also easily be considered and assessed.[68]

4.2.4. Use of Weighted Risk Formulas

Weighted risk calculations can be used to adjust the importance of a given risk parameter. Rather than simply using multiplying likelihood by impact, weighted formulas prioritise certain likelihood and impact metrics. As an example, Andrade et al.,[45] form a quantitative assessment of IoT using security weightings for different IoT areas within smart cities, such as the economy, environment, and society, to be prioritised. The defining of weighting provides freedom for users to easily modify risk scores based on importance allows the authors to consider the different needs of each smart city and the areas of security that city officials may want to prioritise. Therefore, the weighted sum of a smart city’s security is the sum of all assigned weights of each factor. Meanwhile, Alsubaei et al., [44] states that a user needs to define the weights using a specific 1 to 10 scale, with worst-case scenarios being assigned a 10.

An IoT cyber risk management framework may use different impact types to show how a smart domain is affected by an attack. For Parsons et al., [68], impact is defined as the weighted impact sum that represent types of impact for a smart home, such as the impact domestic lives of the smart home inhabitants and cyber impact on systems. Correspondingly, [61] define weights as a scale from 1 to 10, which these weights reflecting different impact types of financial risk, brand value loss, data theft, and threat to life. Here, risk is evaluated depending on the related vulnerabilities, threats, likelihood, and the impact of an attack, with risk impact forming using weights to associate classes of impacts.

Unlike other papers, Aiken et al., [40] propose an initial attempt at an IoT-based smart home security assessment named SKIP (Self-assessment, Knowledge, Infrastructure, and Practices). They use self-assessment questionnaires (related to understanding IoT terminology, and assessing the understanding of IoT information systems, security, and cyber-attacks), knowledge (questioning the user on security systems, attack scenarios, legal issues and general IoT knowledge), details into the smart home infrastructure, and IoT practices (e.g., questioning users about how they use security systems). All this data is used to form a weighted composite score to estimate risk, with the weightings used to prioritise practices over knowledge and infrastructure, as the actions that users take are more important and better express high risk actions a user may be taking.

Weighting can also work alongside graph modelling, with Shivraj et al., [72] suggesting that users can signify paths of priority by factors like impact, generating weighted attack trees. Weighted graphs have assigned values that represent some form of cost, such as impact and likelihood. Finally, George and Thampi [55] use weighted and directed graphs with weights representing the risk likelihood assigned to network pathways, with the total risk likelihood of a path being the product of all weights on all links.

Insight 11: Another solution for RQ2 is the use of IoT risk weighting which helps to prioritise impact, certain assets, and users etc. Weighting signifies that a given risk value is deemed as critical over other values, for example. an IoT domain may prioritise the potential impact to life within threat events over cyber impacts. This allows for an IoT cyber risk framework to assess risk based on criticality, as the weights will likely change the value of risk. Weighted scoring is also useful in assessing the security of users, with Aiken et al., [40] using weights to estimate risk using a questionnaire based approach. Not only this, but other methods of risk calculation (such as graphs and risk matrices) can use weightings, making this easy to implement to increase prioritisation on selected risk components.

5. Cyber Risk Treatment For IoT Survey Results

Upon IoT cyber risk management strategies assessing and determining IoT risk based on risk assessment, results are used to establish risk treatment, which allows for the implementation and evaluation of security controls to mitigate risk. Upon the completion of a risk assessment, processes to modify risk can be introduced, taking risk assessment results into account [19], with risking being monitored to ensure risk treatment is effective. As defined by ISO, risk treatment involves a mirage of processes, for example, the selection of risk treatments, implementation of required actions and determining whether an acceptable level of risk has been met [92].

On the surface, treating risk requires risk responses to be assessed, with NIST referring to risk response as the decision to accept, avoid, mitigate, share, or transfer risk to decrease risk to tolerable levels [16]. However, further analysis into mitigation methods is needed to ensure that mitigation controls are effective. Despite well-crafted risk treatment phases of cyber risk frameworks, IoT carries significant challenges when treating risk that differ from traditional IT, for example the lack of device hardware and software capacity for security and limited resources (money etc). Not only this, but in private IoT domains like smart homes, security relies on user’s carrying out good practices due to the lack of required standardisation. It is notable that IoT risk treatment categories contain significantly less papers, as shown within Table 2.

5.1. IoT Risk Control

Security controls are the “means of managing risk” referring to all mechanisms that can reduce risk, such as good practices, policies, and physical controls [17]. In the case of mitigation, risks need to be treated appropriately by the most suitable yet effective controls which takes further evaluation, implementation, and prioritisation [16]. IoT Cyber risk management frameworks must contain a phase that acts against risk, for example a risk mitigation phase where risk assessment results are evaluated and security controls or risk response are applied to reduce risk to an acceptable level [39,41,61,75,77]. With this, Parsons et al., [68] considers the effectiveness of IoT security controls for smart home environments, assessing if controls are effective enough to reach an acceptable level of risk. Implementing IoT control strategies based on prioritising critical risks is a simple way of combating potentially very damaging attacks, for example, the elimination of the top five most critical IoT vulnerabilities [56] or use of NIST’s frameworks [45]. IoT risk assessment results show critical areas of concern that should be responded to [44] and security controls can be used to ensure that security requirements are achieved [65,66]. For Shokeen et al., [73] vulnerabilities that can impact IoT data are assessed, with risk control focusing on whether vulnerabilities are controlled and if IoT data is secure.

Within the surveyed papers, risk controls are driven by literature and applied to IoT domains by means of discussion, exploring how these controls can be applied to reduce IoT risk [42,48,69,71,76]. For example, Tseng et al., [74] discuss controls that combat spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege in the context of IoT, while Danielis et al., [50] build a IoT risk catalogue using Deutsche Telekom’s ISO/IEC 27001 certified Privacy and security assessment document [93]. Controlling risks can support cyber resiliency, which is the ability to “anticipate, withstand, recover from, and adapt to adverse conditions”. [63,64] focus on building IoT resiliency against attacks and assess how attacks can impact resiliency, for example, the number of services per actuator opens more entry points for attackers and can reduce actuation resiliency. One of the common suggestions within the surveyed papers is the use of hardening, which is a process that eliminates attacks by patching vulnerabilities and “turning off non-essential services” [94].

Despite IoT vulnerabilities often not being patchable, there associated IoT components that can be hardened, like mobile operating systems and physical access [49]. For IoT, Echeverria et al., [52], focus on implementing hardening controls where possible, with IoT vulnerabilities being patched and ports being switched off to shrink a system’s attack surface. George and Thampi [54,55] use graph modelling to propose algorithms that can aid in strategies to eliminate risk. These algorithms aim to reduce threats within network pathways by removing high threat paths, low hop paths, and the detection of high risk nodes [54] which can lead to the isolation of high risk devices [55].

Security control decision making is integral for IoT as it helps to select security controls based on control properties like strength and the degree risk is mitigated [46], for example security controls used to prevent risk occurrence [39]. Within Pacheco et al., [67], an action Handling unit for security control decisions is used, which picks security actions based on the amount of risk that can be reduced. Ivanov et al., [56] use a countermeasure selection module which implements vulnerability search algorithms to find intruders and prompt action to be taken, when an intruder is removed from the system, the risk level is minimised. Within Arfaoui et al., [47], dynamic decisions are used to adjust security levels to an acceptable level. The framework uses sensor behavioural patterns that have an associated risk thresholds (accepted level of risk) decided by security admins, where if a level is higher than the risk threshold for a device, it should switch on more effective security control. In contrast, an intrusion prevention system (IPS) that can detect an intrusive activity and attempts to stop an attack from happening [95] is proposed by James [57], which can be used to choose risk control strategies based on the causes of risk, with the system performing preventive actions once a strategy has been formed. IoT mitigation strategies are chosen using several distinct factors, e.g., the root of risks that have been evaluated, the common causes, suitability, and the required resources needed. Based on these factors, mitigation solutions are created based on the selection of controls [57,58] IoT suitable strategy can be accepted, allowing for the control be implemented, or rejected, where evaluation will need to take place again [58].

Insight 12: Within our discussion, we have shown that IoT risk control greatly relies on risk assessment results and the need reduce risk to an acceptable level, thus a robust IoT risk control strategy needs to prioritise critical risks using reliable controls. When answering RQ3, one of the main pitfalls of IoT cyber risk management papers is the lack of risk control processes that are discussed. Due to the nature of IoT, a framework that simply states to implement a control to reduce risk may not always be applicable or may be hard to implement. Papers such as Chehida et al., [48], contain a IoT risk control phase, but do not provide insight into controlling risk to an acceptable level. In turn, there is no agreed upon set of controls for IoT, with papers often using threat attributes (such as suggesting controls that combat STRIDE threats [74]). However, CIS controls can be applied to IoT domains, with CIS publishing a IoT companion guide [96] that explores how each control may or may not be suitable for an IoT domain. Given the literature, we found three common themes that frameworks that expand IoT risk control consider. Firstly, is the need to establish security requirements for emerging IoT domains like smart homes, to better understand acceptable risk. Second is the consideration of resources needed to facilitate risk control processes. Finally, is the ability to optimise IoT risk control by considering various factors like resources.

5.1.1. Establish Security Requirements

One of the first risk control processes within Zahra and Abdelhamid [77] is to identify the security objectives that relate to the identified risk and choose the associated controls to reduce the effect an attack or ensure prevention. According to NIST, security requirements specify “the functional, assurance, and strength characteristics for a mechanism, system, or system element” [7] which are derived from systems such as laws, policies, standards, to ensure the confidentiality, integrity, and availability of a system [16]. Within Chehida et al., [48], IoT controls are based on the security requirements of an IoT system using the CIA model, with security requirements leading to the implementation of technical controls, which are then justified by how or what the objective aims to protect. Christensen et al., [49], suggest that IoT security requirements should be specified at a development level to better understand the parts of the system that need increased security, the security goals that should be achieved, and how controls should be implemented. These requirements need to be clearly defined, for instance within smart cities security requirements need to ensure that only secure IoT services and devices are created and implemented [71]. To accomplish clarity, an IoT security assessment checklist could be used to ensure that security requirements are met [73].

Security policies provide a criterion that facilitate security services [16], with IoT risk assessment results also being used to facilitate security policies and requirements, by ensuring they are up to date to maintain security [39,47,66,67]. Using security policies relating to authentication and access control can be preventive measures that decrease the likelihood of easy attacks, as well-known vulnerabilities within IoT often relate to weak, guessable, or hard coded passwords with attacks that can be avoided. For example, password policies can be used to lock-out attackers that try to brute force access, while controller policies avoid false requests. These measures make it impractical to attempt an attack using these methods. However, IoT security policies need to be implemented as effectively as possible to prevent attacks. Poor password policies negate password length and complexity which can led to brute force attacks [45,69], and access control policies not being implemented correctly make it very easy for an attacker to gain access [55], Therefore, IoT security policies need to be reviewed [55], with Ksibi et al., [61] considering security policy issues such as non-conformity and misconfigurations that can affect policies from operating as intended and need to be tighten. Within Wangyal et al., [76], a risk that is of a low likelihood, but high impact reflects a lack of enforced security requirements, which can be transferred with the help of a policy or insurance adoption. In Nakamura and Ribeiro [65], authors suggest that stakeholders of the OCARIoT platform should build a security policy that ensures security objectives, such as smart applications and devices being coded and transported securely. Such policies need to focus on the authors risk assessment results, safety of the operational aspects of the OCARIoT Platform pertaining to its safety, security, reliability, resilience, and privacy.

Smart homes are often not regulated with the same rigour that an organisation can provide, with risk assessments needing to be used to define security requirements [58]. By extension, [42] suggest that risk assessment is one of the steps to understanding smart home security and facilitating the establishment of appropriate security requirements to ensure that they are improving. Given the nature of smart homes, Mohsin et al., [64] build functional and environmental requirements based on operational policies to reflect how sensor data is processed and actuation is triggered, with these policies being mapped to IoT controllers. Despite traditional security requirements relating to confidentiality, integrity, and availability being used for IoT security policies [52], IoT risk management frameworks have shown the need for tighter security requirements due to the increased physical damages and domestic impact an attack may have. Due to this, Mohsin et al., [63,64] establish user-defined policies to act as satisfying conditions that trigger actuator actions by using a “if this then that” methodology, where a precondition is needed to command an action. Such policies are used to govern the behaviour of smart home services, for example a functional requirement of a smart fire alarm is to detect smoke and for the controller to open doors. By doing this, the authors use risk assessment results to assess policies that may been to be protected in the case of an attack.

Insight 13: From the literature, IoT security relies on meeting a defined set of security objectives to reduce risk to acceptable levels, with RQ3 referring to how IoT risk management paper defines security objectives. Despite its importance, most papers do not discuss security objectives. Forming security objectives carries the benefit of justifying controls in an easier way. IoT security policies use security objectives, with security policies (such as passwords policies) using a criterion that needs to be adhered to prevent attacks. For all IoT domains, traditional objectives like CIA may not encompass all the security objectives needed for an IoT domain, thus affecting security policies. Overcoming this issue, the approach within Mohsin et al., [63,64] allows for user defined policies based on what a user should be doing and how a device’s functioned is used safely. Interaction and communication can be depicted using the "if this then that" method, for example if a user initiates a trigger, then the expected outcome is for a smart bulb to turn on.

5.1.2. Consider Resources for Risk control

Various resources will be needed to implement security controls, with resources including time, money, people, device capabilities etc. Within, James [57] the most suitable mitigation strategies are not only those that decrease risk, but strategies that are feasible based on the available resources at disposal. Concerning this, Ivanov et al., [56] characterise the security of a smart infrastructure by using integral security indicators that can be used to choose security controls based on risk scores and the resources that are available.

Shokeen et al., [73] consider the number of resources that needed to ensure a risk is minimised as much a possible based on the nature of the associated vulnerability. The number of available resources for IoT will greatly differ depending on the environment. For an organisation that uses IoT, it is likely that a group of employees would carry the responsibility for cyber risk management, having a designated budget and mitigation mechanisms. However, IoT domains like smart homes, will not have the same people power, budget, and mitigation mechanisms that an organisation has. Parsons et al., [68] considers that there are less resources within smart homes, which means that other assessments and controls would be needed to accommodate this. Not only this, but IoT devices in general have a limited set of security capabilities. An assessment that Al et al., [41] suggests before controls are implemented is a cost-benefit analysis that is used to understand the cost of implementation and impact. When it comes to financial resources for organisations, the estimated value of an IoT control can be determined by the cost of implementation, threat event occurrence rate and expected losses. Considering the cheapness of IoT devices, some controls may not be suitable with the control cost outweighing the risk. [45]

Insight 14: IoT risk responses need to be determined based on accessible resources, with money being the most discussed resource. As part of answering RQ3, the consideration of resources is limited within the surveyed papers. This is an issue due to For unregulated personal IoT domains, types of controls may be limited, for example, smart home residents may not want to learn and buy an Intrusion Detection System due to the amount of money and time required to use this control. This means that there needs to be an assessment of control benefits and drawbacks, with no access to certain controls affecting the acceptable risk threshold or requiring another control.

5.1.3. Optimise Control Strategies

As defined by NIST, optimisation of controls refers to the process of minimising negative and maximising positive consequences and probabilities depending on risks, costs, and legal obligations [36]. In practice, optimal decision making for cyber security involves a trade-off between available resources for risk control and the minimisation of risk [97,98], which poses several issues when finding the best set of security controls. While the effectiveness of a control can be estimated in a probabilistic way [97,98], controls do not always maintain maximum effectiveness [99] and may not always be an attack preventive measure [97]. The analysis of how a control performs at different levels of implementation can aid in making long term optimal decisions by estimating the amount of time maximum effectiveness can be maintained [99]. In turn, different controls can be used for different actions, such as prevention, detection, and recovery [97], with control classifications helping to distinguish between these. The optimisation of controls within IoT is integral to ensure a balance between resource spending and the minimisation of risk, based on context information and the need to prioritise security controls [65]. However, IoT domains can carry the burden of lacking resources and the potential negative cost benefits due to how cheap IoT devices are, with [46] concluding that to reach the optimum solution for IoT decision making, a cost model needs to be integrated into their framework to balance risk and costs. In turn, the implementation and modification of security controls need to be carried out quickly for controls to be the most optimal given emerging risks and risk assessment results [50].

According to Ksibi et al., [61] contextual information is required to optimise IoT decision making accuracy, alongside adaptive risk assessment. For Ksibi et al., [61], an initial risk threshold is set by a security administrator to reflect anomalous scenarios, which is used to generate a risk value. Vakhter et al., [75] suggest that IoT engineers need to assign weights to security controls to achieve the best trade-off between safety, reliability, resilience, and privacy. Here, this trade-off ensures that optimal controls are implemented based on a defined value, for example effectiveness of a control and the amount of money needed to implement a security control correctly. When an IoT risk is to be mitigated, the trade-off between security effectiveness and network performance is integral to ensure safe usage with little impact on performance, which is explicitly important within Wireless Body Area Networks. To optimise security controls, Arfaoui et al., [47] use a game theoretic approach based on IoT device capabilities and the Quality of survive objectives to find the Nash equilibrium. This equilibrium reflects the most desirable IoT security outcome by following a strategy, being optimal given decisions from other players. The authors defined such a strategy is via the use of an adaptive risk assessment that assess contextual information and threat model, using a Markov decision process that is defined by the finite set of states, possible actions, probability, and reward obtained from the execution of an action. From this process, payoff functions can be determined to show increase in security versus performance degradation.

Using graph modelling George and Thampi [54] consider the optimal set of vulnerabilities should be healed while considering the constrains of IIoT networks, such as the lack of vulnerability patches and the cost of patching. To integrate this, the authors suggest risk mitigation strategies based on finding the number of vulnerabilities that can be patched considering constrains to improve IIoT security. Cost modelling within IIoT networks is circumstantial, with a lack of accepted standards to aid security administrators. To this end, a security administrator needs to set risk threshold values (the maximum cumulative threat value in any attack path) in a way that allows for the optimal set of vulnerabilities to be patched. Meanwhile, Ivanov et al., [56] use a developed software toolkit to formulate attack graphs that allow for an iterative search of optimal countermeasures based on the number of vulnerabilities that need to be eliminated and priority. By using criticality indicators that characterise IoT security, the model selects security measures based on reducing risk levels based on resources that can be used during an intrusion. However, recalculating indicators to select the most optimal security measure takes a large amount of time then more connected components there are, which the authors suggest needs to be further optimised to reduce the operating time expense.

Finally, Parsons et al., [68] consider the optimal smart home security practices that need to be implemented by users, with controls being selected based reducing high risk behaviours, increasing a user’s ability to perceive and prevent attacks, as well as ensuring security familiarity. For example, in an optimal scenario, users should be risk-averse and be highly familiar with security practises, showing the requirements of a secure smart home. The authors suggest that optimising the awareness towards and knowledge of good security practices allows for enhanced IoT security and the assurance that basic good practices are being enforced.

Insight 15: Optimisation for IoT control within the surveyed papers is limited, despite its importance to implementation of controls and the justification of doing so. Within RQ3 and prior sections, we have discussed the need for resources and security objectives when choosing controls. Finding the best controls for IoT depends on several factors defined by the IoT domain, with resources and security objectives being some of the most common. The key component of optimisation for IoT is the balance and trade-off between identified factors and the effectiveness of each control, Different types of IoT controls (e.g., prevention, detection, and recovery [97]) control risks in different ways with varying degrees of effectiveness may degrade over time. While not specific to IoT, game theory approaches attempt to find the best strategies with the most beneficial outcome considering the trade-offs. However, of the surveyed papers, few use this approach. One challenge optimisation solves is the estimation of security control effectiveness alongside many attack paths and resource requirements [97] to achieve an equilibrium strategy.

5.2. Risk Monitoring

According to NIST [7], monitoring is the process of ”maintaining ongoing awareness“ into threats, vulnerabilities, and controls to support risk management decisions. This means that risk management processes such as risk assessment are not definitive once conducted, with cyber risk management systems are often continuous to ensure that risks can be reviewed and updated.

For IoT, risk monitoring involves observing key risks to find vulnerabilities that may arise, for example systems that monitor authentication attempts [69]. Regular monitoring of IoT networks also allows for suspicious behaviours to be uncovered [71] and the anticipation of future risks given the development of IoT technology, with new vulnerabilities being discovered [75]. Not only this. but well known cyber risk management frameworks use continuous risk monitoring, with Andrade et al., [45] exploring NIST’s cyber framework and ISO 3100 in the context of smart cities.

The monitoring of risks can also be a process that IoT cyber risk management frameworks use to ensure dynamic decision making and continuous risk management. As part of managing risks, Vakhter et al., [75] specify that risk factors (like threats, vulnerabilities, device capabilities, and attacker intent) should be monitored for changes that could affect security, which can then be used to update risk assessments. Meanwhile, Al et al., [41] propose a monitor and anticipate risks step within their model with the goal of ensuring that risk response is correctly implemented, determine the effectiveness of responses, and uncover changes that cause risk parameter to transpose. In doing this, the authors ensure that IoT devices are as up to date as possible to maintain a satisfactory level of security. Ksibi et al., [61] suggest the use of a risk adaptation phase which monitors risk rates, allowing for the adjustment of security controls depending on the risks. Rather than being a phase within a model, monitoring could be seen as a security objective, where processes, infrastructures and logs must be monitored to ensure that unauthorised actions are detected [48]. In contrast, monitoring can be viewed as a type of security control, using with Echeverria et al., [52] suggesting the use of the Network Monitoring and Defence control from CIS controls to ensure IoT audit log management by use of maintenance, monitoring, and analysis.

Within Garcia et al., [53] monitoring and reviewing risks is considered as an additional support activity to ensure that risk management is continuously ”controlling, reacting, and improving“ [53] the information needed by the risk management process. Considering that IoT risks can change quickly, continuous risk management processes that work dynamically are important. Abbass et al., [39] suggest that ASRAaaS’s responsive IoT risk assessment allows for continual monitoring based on preventive risk analysis, with this not being in real-time. Regardless, the monitoring and reviewing IoT risks dynamically in real time may require supplementary data and an increased set of computing resources. For example, Kalinin et al., [59] require supplementary training samples based on IoT scenarios within dynamic networks to ensure a high accuracy for risk assessment. Ryoo et al., [70] envision the use of a smart phone application within smart home, which allows users to quickly monitor IoT devices and view the security state of the home.

Arfaoui et al., [47] apply continuous monitoring of device channel attributes such as traffic nature and device capability to continuously estimate risk to find the best security controls dynamically. Monitoring IoT behaviour is key to find security risk that may develop over time. In the context of smart grids, operations are monitored by National Control Center (NCC) and a Regional Control Center (RCC), with servers monitoring and managing consumption patterns, which allows for differences in behaviours to be spotted [77]. In the same vein, Anisetti et al., [46] use assurance techniques to monitor the behaviour of devices, to ensure that device behaviour is legitimate with all mechanisms implemented acting as expected.

Insight 16: Monitoring IoT risks is integral to ensure that IoT controls are implemented and function as required and are replace when risk results change. Therefore, monitoring works in tandem with dynamic decision making to be as updated as possible. RQ4 questions how risk monitoring takes place, with the above papers using a risk monitoring phase as part of their framework, with monitoring also being considered as a type of control [52] or a security objective [61], The most common theme IoT risk monitoring papers is IoT networking monitoring, for example, Arfaoui et al., [47] monitoring IoT network and devices behaviour to update risk results. Overall, the discussion of IoT risk monitoring in current literature is limited, not appearing in many the surveyed papers.

5.2.1. Residual IoT Risk

Residual risk refers to the portion of risk that remains once security measures are implemented [16]. An organisation may assume that implemented security controls will used to the full potential all the time, which is not always the case, this issue causes risk to be underestimated. For example, the uncertainty for a trained user to still fall for a social engineering attack.

To combat this problem, Anisetti et al., [46] identify the amount of risk an organisation cannot control based on the difference between assets’ total risk and the total mitigated risk. In doing this, an organisation can better see the amount of risk that can be dealt with, and if the level remaining can be deemed as acceptable or if they need to adjust controls.

For IoT domains like smart homes a baseline of risk acceptance needs to be determined, Ryoo et al., [70] conceptualise this by asking users a series of questions when the proposed risk assessment application is first used. Despite not having a deep analysis of vulnerabilities, Andrade et al., [45] discuss the use of a tool called MAGERIT applied within the context of a smart city. MAGERIT which focuses on analyses of assets and control effectiveness, which allows for residual risk to be calculated from the remaining impact when controls are applied.

Monitoring remaining risk allows for the anticipation of future attacks that may have been deemed acceptable. Al et al., [41] utilise residual risks within a risk monitor stage, where risks that are not fully controlled are monitored in case, they become worse. Good practices for IoT need to be continuous, with practices such as devices patches and training being updated to remain up to date with future risks. However, some risks may never be fully controlled, as it may not be feasible resource wise when considering how much IoT devices cost [41]. Unlike Al et al., [41], Zahra and Abdelhamid [77] dedicates a phase to analyse residual risks to ensure that risks are acceptable. The authors assess groups of IoT mitigation controls, like access control mechanisms and cryptography, by mapping controls whether they control each risk and the extent they do so.

Insight 17: To further answer RQ4, residual IoT risks show the amount of remaining IoT risk upon the implementation of controls. The number of papers discussing residual risk is limited, which raises questions about how acceptable risk for an IoT domain is determined and how residual risk can be calculated. Despite Ryoo et al., [70] asking users a series of questions upon the first use of risk management application to gauge risk, the authors do not explore how these questions lead to the discovery of an acceptable risk threshold and do not provide examples. For the calculation of residual IoT risk, risk assessments could be performed again, or an equation could be used, as within Anisetti et al., [46] and Andrade et al., [45]. The value of residual IoT risk should also be monitored since controls may degrade over time [37].

6. Recommendations

IoT technology has a multitude of applications to assist in the automation of daily tasks within numerous domains such as smart homes and healthcare. Different domains carry different requirements from an IoT cyber risk management framework to ensure the best IoT cyber risk management system that is applicable and suitable for users. Being suitable means that a IoT cyber risk management framework fills these requirements, for example available resources, devices capabilities, and legislation to be followed. A notable domain is a smart home, with users having significantly more freedom to use devices how they see fit, not having to comply with legislation since there are no laws to govern smart homes. In this section, we use the work presented and make recommendations for future researchers to consider when creating a IoT cyber risk management framework for a chosen IoT domain.

6.1. Recommendations for IoT Cyber Risk Identification

Being the first part of IoT Cyber risk assessment, identifying IoT risk parameters accurately is integral to assess risk. Our work has shown that IoT assets, users, threats, vulnerabilities, controls, impact, and likelihood all need to be identified within an IoT cyber risk management framework. RQ1 has provided insight into how identification processes may take place, which shows a number of areas that need to be considered within future IoT Cyber risk management frameworks. Below, we suggest questions for future works and recommend ways to overcome problems within IoT cyber risk identification processes.

How can IoT assets be defined given the constraints of the IoT domain?. IoT is intertwined with traditional IT assets, with devices using conventional hardware like routers, and notably deviate in functionality and data use, for example sensors and actuators, as well as the data produced by them. Asset classifications need to be dynamic and suitable for IoT, challenging researchers to find a fitting method of classification for an IoT domain. Furthermore, researchers need to consider how IoT assets are classified and how this aids with IoT cyber risk management, with the main point of contention being IoT devices. In this case, an IoT device can be targeted at various system components, with the most important being the sensors and actuators, thus we recommend that researchers at the very least consider sensors and actuators are individual assets from a device. By defining IoT assets, associated attributes and priorities can then be established, such as identifying the capabilities and limitations of IoT devices.

How influential are users to IoT risk? Asset classifications may define users as assets, however, consider that users are not assets and should be treated differently due to the potential lack of IoT cyber hygiene. In unregulated IoT domains like smart homes, users could be viewed as have a high influence on risk values. We found that most researchers do not focus on users in regard to how they influence risk and the increased complexity of user interactions with smart technology. For IoT users within an IoT domain, consider profiling users based on the risk actions and associated assets that they may use, this makes me easier to understand the links between users and assets, as well as users and security. Furthermore, researchers could pinpoint how users interact with device capabilities to better uncover threats.

How can suitable IoT threats be determine? When it comes to IoT threats, the commonly used threat modelling, STRIDE, is not IoT specific. The issue is that not all IoT threats are covered within the STRIDE model, thus researchers need to use additional methods to ensure that all threats are captured to fulfil security objectives. Furthermore, applicable threats may vary within different IoT domains, which raises the question of how suitable IoT threats can be determined. A solution is to use existing taxonomies or threat repositories that have been created for a specific IoT domain that outline the types of threats faced within a specific IoT domain. For example, Heartfield et al., [23] focus on providing a taxonomy of threats for smart homes.

How can suitable IoT vulnerabilities be determine? Similar to IoT threats, IoT vulnerabilities vary within different IoT domains. IoT devices are subject to numerous weaknesses depending on manufacturing, exploits, and functionality. While vulnerabilities databases like CVE can aid in uncovering exploits, they are not IoT specific, making it a lengthy process to find and filter suitable IoT vulnerabilities. To avoid lengthy processes, an IoT vulnerability and exploit database could be used, for example VARIoT [100], which relies on existing databases and is not necessarily exhaustive but does allow for vendor and device model searches. Due to this, vulnerable classifications could also be used, which allows researchers to group applicable vulnerabilities for an IoT domain. In tandem, we suggest that human vulnerabilities should be a primary focus within IoT cyber risk management frameworks to target preventable risks, with OWASP showing preventable vulnerabilities such as the use of guessable or hardcoded passwords. We encourage researchers to focus on how human vulnerabilities can affect risk given high risk actions, security knowledge and awareness, susceptibility to social engineering, and misuse/misconfiguration. Part of this involves the question of how behaviour analysis can be integrated into models, and how this behaviour can affect risk factors like impact. This would require researchers to add behaviour analysis to each aspect of risk management, identifying risk factors and meaningful values as well as the assessment of risk with behaviour in mind. In turn, assessing the risk of a user and the potential increase in risk allows for the targeting of risk mitigation and training based on the user’s security profile.

How can existing IoT controls be used to assess risk more accurately? Both regulated and unregulated IoT domains are likely to contain several existing controls that can impact the likelihood of risk. We find that papers do not always consider control-based risk assessment, meaning that security controls are not explicitly factored into the risk assessment phase. Notably in cases where an IoT risk assessment is taking place for the first time, uncovering exiting controls is a necessary process to ensure risk is assessed accurately given an existing risk landscape. To include a process that finds existing controls, researchers could consider assessing the readiness of an IoT domain which filters practical cyber controls and good practises and estimating how effective these are.

How can the impact of an IoT threat event be defined? For the impact on IoT assets, CIA as well as privacy, trust, accountability, and non-repudiation are all important factors that can be affected by an attack. However, cyber impact does not encompass the myriad of ways in which users can be impacted by an IoT attack. An IoT use may be directly affected by an attack, thus is an impact of IoT risk on daily life. As an example, a medical IoT device may be exploited to cause physical harm to a user because of an attack on account access. Upon identifying impact types, researchers can map assets and users to the relevant impact types and prioritise the most important impact types within the IoT domain. Then, researchers can identify crucial impact types within an IoT domain and define a meaningful severity scale, for example a scale of physical harm from no risk to harm to life threatening harm. In cases of monetary loss, asset valuation could be used to better understand the potential value loss when a threat event is successful, while for other impact types a questionnaire could be used.

How can the likelihood of an IoT threat event be defined? When it comes to likelihood, one problem researchers may find is the lack of coherent data that suggests the likelihood of an attack occurring within different IoT domains, making it difficult to value the occurrence of an attack. Even with scales (such as low, medium, and high) determining likelihood values rely on using prior works as justification for likelihood as well as the cyber hygiene and controls used within the specific IoT setting that combat attacker attributes (accessibility, skills, equipment etc.). As an example, it is commonly known in research that social engineering can use diverse mediums, with attackers exploiting users unaware of such attacks. If a user is informed of social engineering methods, and does not provide information to the attacker, the likelihood of attack success drops. Given this, the link between existing controls and cyber hygiene to likelihood should not be unnoticed within future works.

6.2. Recommendations for IoT Cyber Risk Calculation

Being the second component to IoT Cyber risk assessment, the identified risk parameters are used to calculate risk in a meaningful way to determine risk. We have assessed multiple ways that risk can be assessed, however, risk parameters and results must be meaningful and easy to understand, aiding in risk decision-making. Risk calculations can represent risk in a semi-quantitative, quantitative, or qualitative way with researchers potentially using well-established risk calculation methods by adapting them to better suit IoT domains using a brand-new system which facilities cyber security standards. The common methods within the surveyed IoT cyber risk management frameworks were the uses of graph modelling, risk matrices, threat knowledge bases, and risk weighting, methods that researchers could use to determine risk within an IoT domain. Below, we suggest questions for future works and recommend ways to overcome problems within IoT cyber risk calculation processes.

How can future works use graph modelling to effectively calculate IoT risk? When comes to calculating risk, one of the most common methods is graph modelling, which allows researchers to easily visualise risks within a network by displaying entry points, attack paths, and data flow. It is notable that different graphical models can be used in several different ways, as discussed within our literature review. Researchers may consider using graph modelling and assess the benefits and drawbacks to using different types of graph models, dependent on available resources and functionality of IoT risk management tools. As an example, Bayesian networks are a common way to predict likelihood, showing probabilistic relationships between nodes based on conditional dependencies. A major advantage of Bayesian networks is when information is not fully known, which as we have described, is an issue affecting likelihood estimation. For IoT, it is integral to model the dynamic nature of IoT devices, however, like other graph modelling methods, the more nodes and updates required the more computational effort. While graph modelling is commonly used to capture risk on various parts of a network, human interactions are not represented by the works we have surveyed. To combat this, researchers may need to integrate human to IoT interactions to assess the dependencies that users have.

How can future works use risk matrices to effectively calculate IoT risk? Alternative to graph modelling, future works can examine the use of risk matrices to effectively calculate IoT risk, as a risk matrix provides a simpler way to visualise risk in a semi-quantitative chart format. Risk matrices need to have well defined risk categories that are accurately comparable to one another, making different levels of risk clear. An issue surrounding risk matrices is the potential for unreliable views of impact/likelihood values and oversimplification of risk values. In addition, more complex IoT risk matrices may be used, such as using an adjacency matrix to represent a graph. Notably, an increasingly complex risk matrix can be used to model dynamic system nature, which is prominent within IoT and could also be used to emulate user interaction.

How can future works use IoT threat knowledge bases to effectively calculate IoT risk? An IoT threat knowledge base is a great way to store threat data in a structured way, with simple risk calculations using likelihood and impact to define the risk of a threat. Future works need to consider the lack of existing knowledge bases for IoT, meaning that a threat knowledge base will need to be created. Despite this, another issue is the potential to neglect critical threat events and difficulty in estimating likelihood and impact. Existing bases, like CVE, contain records that are not always IoT specific, which requires researchers to filter out non-IoT records. Overcoming these issues requires threat, vulnerability, likelihood, and impact identification processes to be streamlined. In turn, the current uses of IoT threat knowledge bases does not necessarily consider human vulnerabilities which shouldn’t be overlooked. In turn, researchers may benefit from using risk matrices or graph modelling alongside a threat knowledge base.

How can future works use risk weighting to effectively calculate IoT risk? The use of weighted risk calculations focuses on the importance of various IoT risk parameters and how IoT critical components can be prioritised, which could also be implemented into graph models and risk matrices. IoT weighting is especially useful for prioritising crucial impact types, such as physical harm, where the potential consequences to an attack need to be eradicated. It is notable that IoT user interaction and behaviours could also be assigned weights to signify critical cyber hygiene practices and the lack of such.

6.3. Recommendations for IoT Cyber Risk Control

Risk assessment results facilitate the selection of appropriate risk responses to control risk. IoT risk response should not only consider the most suitable risk mitigation methods but also determine risk responses, such as transference, where possible. Future works need to consider how effective security decision-making can be performed to ensure that risk control is effective. Given the lack of in depth IoT cyber risk control within surveyed papers, there is also a need to pay attention to how IoT controls are chosen. Below, we suggest questions for future works and recommend ways to overcome problems within IoT cyber risk control processes.

What are the available IoT security controls and how effective they? Risk assessment results aid the selection of appropriate risk responses that reduce risk to acceptable levels. To be appropriate, identified controls need to be viable for an IoT domain, meaning they effectively reduce risk, meet security requirements, and examine the resources needed to do so. IoT security capabilities are often extremely limited, relying on user interaction and configurations to ensure security. For future works, identifying specific controls from IoT literature will aid in understanding available controls for an IoT domain, while also considering the upkeep of IoT cyber hygiene. IoT literature may also aid in estimation of control effectiveness and the rate at which effectiveness degrades to ensure the best controls are utilised.

What are the security requirements for an IoT domain and how can controls ensure security requirements are met? For organisations, security objectives are defined in line with regulations and law, however in non-organisational IoT domains (like smart homes) requirements may not have been formed. We found that researchers often did not describe specific security objectives that need to be met for risk to be acceptable. This missing aspect challenges future works to uncover what the security requirement are for an IoT domain and the controls that are needed to meet security goals. To combat this, IoT security requirements need to be clearly defined first, which for unregulated IoT domains can assist by risk assessment results. The defined IoT security requirements are the goals to be achieved by an IoT controls to satisfy a strong level of security.

What are the IoT security resources that affect the selection of IoT controls? Another limited topic is the consideration of resources required to ensure effectiveness and usability. Resources are not just money, but the time and effort needed to use IoT controls. As an example, IoT domains like smart homes have significantly less access to costly and time consuming controls, making them less suitable, meaning that other controls need to be considered. Assessing control accessibility is integral to determine risk acceptance thresholds, as not all risks may be controlled due to a lack of resources for IoT controls.

How can IoT risk control find optimal control strategies? Overall, successful risk treatment needs to consider several factors to ensure risk is reduced. However, this can be optimised to uncover the best strategies for an IOT domain, with future work needing to facilitate optimal control strategies. To achieve this, future works need to assess resources and security goals by uncovering the trade-offs between different types of controls. IoT controls could be classified by control functions, such as prevention, detection, and recovery, where controls eliminate, reduce, expose, and recuperate IoT risks. Trade-offs assess the benefits and drawbacks of using an IoT control to ensure a positive balance between reducing risk and maximising resources.

6.4. Recommendations for IoT Cyber Risk Monitoring

IoT risk monitoring is a continuous process that allows for risk management processes to use up to date information that that maintain acceptable risk levels. Much like IoT risk control, we found that discussions into IoT risk monitoring were limited, and often not part of IoT cyber risk management frameworks. Below, we suggest questions for future works and recommend ways to overcome problems within IoT cyber risk monitoring processes.

How can IoT risk be dynamically monitored? Monitoring requires the observation of critical risks to find vulnerabilities that may manifest into threats. Such a process needs to be continuous to ensure that dynamic decisions for IoT control take place when risk becomes unacceptable. Within relegated IoT domains, monitoring processes are likely to be easier to implement due to more resources, for example the use of an intrusion detection system that monitors and detects unauthorised IoT system behaviours by users and devices at a network level. However, for other IoT domains, monitoring needs to be easy to understand for regular users, thus an IoT cyber risk management application may help. It is notable that user and system behaviours should be monitored to ensure that actions performed are legitimate and that user actions are not of a high risk, however preventing such risks from occurring will require additional IoT controls.

How can residual IoT risk be assessed to ensure risk is at an acceptable level? Residual risk is key to identify the amount of risk remaining once a set of controls has been implemented. Only a very limited number of works address residual risk, which is curious as it is an important aspect of risk control. We suggest that future works focus on the consideration of residual risk and identifying the amount of risk remaining to ensure that risk is acceptable., and what this means to IoT risk management. We suggest that researchers consider the use of residual risk to ensure that the determined risk is controlled to an acceptable level. This also requires dynamic risk monitoring where an organisation or user can update risk parameters to continuously assess risk, which can easily lead to quick preventive actions being implemented.

7. Conclusion

In this paper, we presented a systematic review and taxonomy of works that aim to build IoT cyber risk management, risk assessment, risk analysis, and IoT threat modelling frameworks. We introduced our evaluation criteria related to cyber risk management concepts, the needs of IoT, and human vulnerabilities. Using our evaluation criteria, we reviewed the literature and used our results to propose a taxonomy. We then use the criteria to compare the surveyed works and identify open issues that are not currently addressed in literature, with there being eight noteworthy issues/suggestions that we hope that researchers consider in the future. Finally, we made recommendations for future researchers to consider when they create a risk management system for IoT domains.

The biggest issue posed to IoT domains is that traditional cyber risk management systems may not be optimal for IoT due to the increasing needs, requirements, and capabilities of IoT technology. Overall, due to the increasing number of devices globally, it is integral to improve IoT cyber risk management and allow it to become optimal within all IoT domains. Therefore, our future work will be to use the recommendations we have suggested and use them to create a new IoT cyber risk management for a specific IoT domain.