1. Introduction
The rapid expansion of Internet of Things (IoT) devices in domestic smart homes has introduced both new conveniences and significant cybersecurity challenges. Devices such as connected cameras, wearables and household appliances are increasingly embedded in everyday life, yet many are deployed with weak authentication and default credentials that make them vulnerable to compromise [1]. Insecure implementations of widely used protocols such as Zigbee and CoAP further intensify device exposure [2], while misconfigurations and poor lifecycle management amplify household risks [3]. Firmware flaws have also been shown to be readily exploitable in penetration test environments [4] and the resulting vulnerabilities can have severe privacy implications, such as leakage of sensitive data from domestic surveillance devices [5]. Heterogeneity across manufacturers and protocols amplifies these issues, leaving households exposed to Denial-of-Service and enumeration attacks when protections are inconsistently applied [6].
Although research in IoT security has advanced in many directions, the evidence base remains fragmented. Vulnerability studies, scanning techniques, prioritisation frameworks and protocol analyses are often published in isolation, making it difficult for non-technical households to benefit from a unified model.
The systematic literature review presented in Section 2 highlights four structural gaps:
These shortcomings underscore the need for a theoretical framework that systematically consolidates academic evidence into an artefact tailored to domestic IoT security. The primary research question guiding this study is:
How can a theoretical framework be developed to enable automated vulnerability scanning and prioritisation for non-technical users in domestic IoT Smart Home environments?
This study aims to design a Vulnerability Knowledge Base that consolidates dispersed academic evidence into a coherent repository, to develop an Automated Scanning Engine that integrates multiple approaches into a single process, to design a Context-Aware Prioritisation Module that embeds household relevance into risk scoring and to propose a Standardisation and Interoperability Layer that harmonises security features across common IoT protocols. Together, these objectives define a layered theoretical framework that responds directly to the gaps revealed in the literature.
The framework is conceived as an iterative refinement cycle rather than a fixed linear sequence. Feedback loops between its first three modules (vulnerability knowledge, automated scanning and context-aware prioritisation) allow new scanning outputs to update the knowledge base and influence future prioritisation decisions. This design ensures adaptability as domestic IoT ecosystems evolve and aligns with the Design Science Research Methodology principle of artefact evolution [8].
2. Literature Review
This section synthesises 40 academic sources to provide the theoretical grounding for this work. The discussion is organised in alignment with the layers of the expected theoretical framework: 1. Vulnerabilities in domestic IoT, 2. Automated vulnerability scanning tools, 3. Prioritisation strategies and 4. Standardisation and interoperability. By identifying commonalities, limitations, and gaps across these bodies of work, this literature review demonstrates the need for a domestic IoT security framework tailored for non-technical users.
2.1. Prevalent Vulnerabilities in Domestic IoT Devices
The literature shows that domestic IoT devices remain susceptible to vulnerabilities that undermine both functionality and household security. Early surveys classified vulnerabilities into categories spanning hardware, software and communication layers. Classic taxonomies remain influential, with [9] identifying early gaps in trust, privacy and security. For instance, [1] demonstrated how insecure firmware updates, poor key management and default credentials leave devices easily compromised. Recent analyses also emphasise device-specific weaknesses in smart homes [1]. Similarly, [10] identified systemic weaknesses including side-channel attacks, hardware Trojans and inadequate access control that expose smart home devices to escalating threats. [11] further highlighted how permission escalation within IoT hubs could compromise multiple devices in a single household, amplifying the risk from a single exploit. From a foundational perspective, [12] emphasise the systematic nature of IoT risks, linking device constraints and ecosystem complexity to persistent exposure in consumer settings. [5] reinforced these findings, showing that vulnerability surfaces in consumer IoT remain fragmented, heterogeneous and largely unmitigated despite increased research attention.
Empirical research provides concrete evidence of these weaknesses. [1] tested commercially available smart home devices using open-source tools, identifying vulnerabilities that were not only numerous but also remotely exploitable. Their findings stress the importance of distinguishing between vulnerabilities that require physical access and those that can be exploited remotely. The former present lower risk to most consumers, while the latter can threaten millions of devices simultaneously. Large-scale incidents have demonstrated the catastrophic potential of remote compromise in consumer IoT. Hijacking campaigns against smart cameras and household devices have shown how poorly secured endpoints can be leveraged at scale to disrupt services and compromise household privacy [1, 5]. Similarly, at DEF CON 2017, researchers disclosed 47 new vulnerabilities in 23 devices from 21 manufacturers, underscoring the persistent industry-wide exposure [1]. Databases such as Exploitee.rs and HardwareSecurity.org, referenced in [1], continue to catalogue vulnerabilities across more than 200 devices, nearly half of which are designed for smart home environments.
Weak authentication, unencrypted communications and outdated firmware have been reported for different types of IoT devices, including smart cameras, thermostats, smart lighting, and home appliances.
Table 1 summarises vulnerabilities found in Domestic IoT devices.
This evidence demonstrates that vulnerabilities in domestic IoT vary significantly in impact, with remote exploits posing the greatest household risks. While existing research identifies these weaknesses comprehensively, there is no unified framework that contextualises them according to household exposure. These findings define Gap #1: Absence of a unified vulnerability framework for contextualising domestic IoT risks, addressed by Module #1: Vulnerability Knowledge Base in the proposed framework.
Having established the range of prevalent vulnerabilities in domestic IoT devices, the next section considers how automated scanning tools have been developed to identify such weaknesses and assess their potential impact.
2.2. Automated Vulnerability Scanning Tools
Automated scanning is a cornerstone of vulnerability discovery in IoT ecosystems, but existing tools differ significantly in scope, accuracy and household applicability. State-of-the-art surveys of IoT vulnerability scanning approaches highlight the limits of existing automated tools [13]. Traditional network scanners such as Nmap and Masscan remain foundational for device discovery and port analysis. These tools provide wide coverage and efficiency in enumerating services and identifying exposed ports, but they cannot detect deeper firmware vulnerabilities or device-specific flaws [14, 15]. At the internet scale, Shodan enables global enumeration of IoT devices and services but is limited by its reliance on banner grabbing, which restricts the precision of vulnerability identification [6].
Dynamic and emulation-based analysis techniques attempt to address these shortcomings by inspecting device behaviour at runtime. Frameworks such as Avatar and Firmadyne enable re-hosting of IoT firmware and symbolic execution, allowing the discovery of hidden vulnerabilities such as authentication bypasses and insecure default services [1]. These approaches expose flaws that cannot be captured by surface-level scanning alone, but their reliance on resource-intensive processes and technical expertise makes them unsuitable for direct application in domestic settings [7, 14, 15]. Addressing resource constraints, [16] proposes a scalable, lightweight AI-driven security framework that applies optimisation and game-theoretic strategies, highlighting pathways to reduce overhead while sustaining detection efficacy in constrained IoT settings. Automated penetration testing for smart-home devices has been operationalised in prototype frameworks [17].
Recent research has sought to combine static and dynamic techniques to improve accuracy. Complementing these hybrid approaches, [18] present a machine-learning-based cybersecurity framework for IoT devices that operationalises classifier-driven detection within practical deployment constraints, reinforcing the role of ML as a bridging mechanism between surface scanning and deeper behavioural analysis. [19] proposed an automated IoT assessment framework that integrates firmware re-hosting with network scanning, reducing blind spots across the analysis spectrum. [7] advanced this trajectory by introducing generative fuzzing tailored to IoT networks, capable of automatically generating new test cases that go beyond signature-based detection. At a broader level, [20] review generative-AI applications for IoT security, indicating that model-driven generation can extend beyond fuzzing to support adaptive detection and mitigation strategies across heterogeneous devices. While these hybrid approaches improve comprehensiveness, they remain fragmented across toolchains and lack integration into user-friendly solutions for households. Complementary studies classify consumer IoT software vulnerabilities, improving scanning workflows [21].
Table 2 compares these different approaches.
While Table 2 compares scanning approaches in terms of technical attributes, Figure 1 presents a timeline that combines chronology with methodological categories. It illustrates when key contributions emerged, beginning with early academic contributions such as [2, 11], which referenced surface-level enumeration tools such as Nmap and Shodan [1, 5]. Scanning practices then evolved toward automated discovery, firmware analysis and auditing, culminating in AI-driven fuzzing.
The evidence shows that automated scanning in IoT is simultaneously powerful and fragmented. Traditional tools provide shallow insight, while emulation-based and fuzzing methods achieve depth at the cost of usability. No framework consolidates these methods into an accessible form suitable for smart home environments. These findings define Gap #2: Fragmentation of automated scanning approaches, which remain tool-specific and poorly integrated, addressed by Module #2: Automated Scanning Engine.
While scanning tools help reveal a wide spectrum of flaws, the challenge of prioritising which vulnerabilities to address first requires a different perspective.
2.3. Prioritisation Strategies
Identifying vulnerabilities is only the first step; determining which to address first is equally critical for effective mitigation in domestic IoT environments. The most widely adopted system for prioritisation is the Common Vulnerability Scoring System (CVSS), which rates vulnerabilities based on exploitability, impact and access vectors. While CVSS remains a global standard, its application in smart home environments has been criticised for misrepresenting risk. For instance, a high CVSS score for a smart light bulb may receive more attention than a moderate vulnerability in a security camera, despite the latter presenting a far greater household security threat [5]. Risk scoring for IoT devices has also been modelled through fuzzy logic and optimisation, demonstrating alternative prioritisation strategies beyond CVSS [22].
Alternative frameworks attempt to correct these shortcomings. Firmware auditing reviews reveal gaps in prioritisation at the binary level, where vulnerabilities are often documented but not contextualised for remediation [15]. [23] applied Machine Learning models to detect IoT attacks early, generating rankings derived from anomaly detection metrics. Predictive approaches have also been proposed to anticipate malicious behaviour in IoT devices, strengthening the link between identification and actionable prioritisation [24]. While technically robust, these methods still privilege exploit signatures and fail to account for device criticality in household settings. [3] developed AI-driven systemic risk models, connecting technical vulnerabilities to organisational and societal impacts. While this improves the systemic relevance of prioritisation, it lacks granularity at the level of household devices. More directly, [25] introduced the CRASHED framework, explicitly targeting smart home contexts by incorporating device roles and exposure into prioritisation logic. [26] proposed the IoT Security Framework (ISF), which emphasised device interdependencies and ecosystem-wide risk rather than isolated technical vulnerabilities.
Table 3 presents prioritisation frameworks.
The literature shows that prioritisation frameworks have yet to balance technical severity with household context. Without this, security resources risk being misallocated to less impactful flaws while more dangerous vulnerabilities remain unaddressed. This defines Gap #3: Over-reliance on technical severity in prioritisation frameworks, with limited recognition of household context, addressed by Module #3: Context-Aware Prioritisation.
Figure 2 shows a conceptual model of Technical vs User-Centric (User Context) Prioritisation.
Although prioritisation strategies enhance the management of vulnerabilities, they rely on the quality of underlying communication protocols. Section 2.4 therefore examines the standards, interoperability and security features that underpin IoT ecosystems.
Despite these innovations, the overall picture remains fragmented. CVSS and ML-based systems are weighted heavily toward technical severity, while more context-aware approaches like CRASHED and ISF show promise but remain poorly integrated with widely used scoring systems. This misalignment creates a persistent blind spot: vulnerabilities that are simultaneously high-severity and high-criticality within households are not systematically prioritised.
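The contrast between CVSS-only and context-aware ranking described above can be made concrete with a short added example (not code from the paper or from CRASHED or ISF). The role weights, access factors, blend weights and sample findings are all hypothetical values constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical household criticality per device role, 0.0-1.0 (assumed values).
ROLE_CRITICALITY = {
    "security_camera": 1.0,
    "smart_lock": 1.0,
    "hub": 0.9,
    "thermostat": 0.5,
    "light_bulb": 0.2,
}
DEFAULT_CRITICALITY = 0.5  # assumed fallback for roles not listed above


@dataclass(frozen=True)
class Finding:
    device: str
    role: str
    weakness: str
    cvss: float             # CVSS base score, 0.0-10.0
    remote: bool            # True: exploitable over the network; False: needs physical access
    internet_exposed: bool  # True: device is reachable from outside the home network


def access_factor(f: Finding) -> float:
    """Scale exposure: physical-only < remote on the home network < internet-reachable."""
    if not f.remote:
        return 0.3
    return 1.0 if f.internet_exposed else 0.7


def context_score(f: Finding, w_severity: float = 0.4, w_context: float = 0.6) -> float:
    """Blend technical severity with household context into a 0-10 score."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range for {f.device}: {f.cvss}")
    severity = f.cvss / 10.0
    context = ROLE_CRITICALITY.get(f.role, DEFAULT_CRITICALITY) * access_factor(f)
    return round(10.0 * (w_severity * severity + w_context * context), 2)


def rank_by_cvss(findings):
    """Technical ranking: highest CVSS base score first."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


def rank_by_context(findings):
    """User-centric ranking: highest blended score first."""
    return sorted(findings, key=context_score, reverse=True)


def rank_shift(findings):
    """Places each device moves up (+) or down (-) once context is considered.

    Assumes one finding per device, as in the sample below.
    """
    technical = [f.device for f in rank_by_cvss(findings)]
    contextual = [f.device for f in rank_by_context(findings)]
    return {d: technical.index(d) - contextual.index(d) for d in technical}


def blind_spot(findings, min_cvss=7.0, min_criticality=0.8):
    """Findings that are both high-severity and high-criticality for the household."""
    return [f for f in findings
            if f.cvss >= min_cvss
            and ROLE_CRITICALITY.get(f.role, DEFAULT_CRITICALITY) >= min_criticality]


# Constructed sample findings (not taken from any real scan or CVE).
SAMPLE = [
    Finding("bulb-livingroom", "light_bulb", "outdated firmware", 9.1, True, False),
    Finding("hub-hallway", "hub", "permission escalation", 8.0, True, False),
    Finding("thermostat", "thermostat", "debug port", 7.5, False, False),
    Finding("camera-frontdoor", "security_camera", "default credentials", 6.5, True, True),
]

if __name__ == "__main__":
    shift = rank_shift(SAMPLE)
    for f in rank_by_context(SAMPLE):
        print(f"{context_score(f):5.2f}  cvss={f.cvss:<4}  shift={shift[f.device]:+d}  "
              f"{f.device}: {f.weakness}")
```

With these assumed weights the camera moves from last place under CVSS to first, and the hub is the only finding that is both high-severity and high-criticality.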
Intrusion Detection and Anomaly Detection in Domestic IoT. While prioritisation frameworks identify which vulnerabilities matter most, effective protection in domestic IoT also depends on mechanisms that can detect exploitation attempts in real time. Intrusion detection systems (IDS) and anomaly detection frameworks extend the security posture beyond scanning by monitoring device and network behaviour for malicious patterns.
[23] demonstrated that machine-learning-based IDS at the network edge can detect IoT botnet activity at an early stage, preventing attacks before household compromise occurs. [27] provided a systematic review of machine learning approaches for IoT botnet detection, consolidating the role of classifiers such as random forests, SVMs and neural networks in anomaly detection. [28] introduced READ-IoT, a reliable anomaly detection framework designed to maintain event integrity in heterogeneous device environments. [29] proposed ADRIoT, an edge-assisted anomaly detection framework that distributes detection workloads, improving scalability for large domestic IoT networks. [30] advanced this direction with SARIK, a Kubernetes-based policy and security framework for IoT devices, enabling anomaly detection and mitigation in containerised environments. [31] contributed a hybrid deep-learning framework for IoT security, combining convolutional and recurrent models to improve anomaly detection accuracy. Extending this line, [32] integrate CoviNet with a Granger-causality-inspired graph-neural approach to compress and analyse cloud-side IoT streams, improving anomaly detection scalability for deployments that blend edge devices with cloud services. [33] extended the application of IDS beyond households, analysing vulnerabilities and intrusion detection strategies in smart city environments, highlighting how these methods can be transferred to domestic contexts. To improve interpretability for non-technical users, [34] propose an explainable-AI design for smart-home IDS, indicating that transparent feature attributions can support user-centred remediation decisions.
Together, these studies confirm that IDS and anomaly detection techniques are essential complements to vulnerability identification and prioritisation, enabling proactive responses to evolving attacks. However, most remain highly technical, lacking the usability and integration required for household adoption, thereby reinforcing the need for a framework that translates advanced detection into user-accessible protection.
2.4. Protocols, Interoperability and Security Features
The security posture of domestic IoT ecosystems depends not only on device architecture but also on the protocols that interconnect them. These protocols embed varying levels of protection, yet their inconsistent adoption across devices and vendors creates systemic risks for households.
At the application layer, the Message Queuing Telemetry Transport (MQTT) protocol has become a dominant standard for lightweight messaging. It supports TLS encryption, but implementation is optional and many consumer devices ship with unencrypted configurations [1]. The Constrained Application Protocol (CoAP) was designed for constrained devices and provides Datagram Transport Layer Security (DTLS). However, its computational overhead makes it unsuitable for highly resource-constrained hardware, leading to limited deployment in practice [2].
At the network and transport layers, Zigbee and Z-Wave are widely used in smart homes. Zigbee integrates AES-128 encryption, yet published analyses report key-extraction and replay-style attacks that undermine reliability [2, 10]. Z-Wave strengthened its security with the introduction of the S2 framework and Elliptic Curve Diffie-Hellman (ECDH) key exchange, yet legacy devices lacking these features remain prevalent in households [10]. Bluetooth Low Energy (BLE) supports multiple pairing and bonding mechanisms but continues to be susceptible to downgrade and sniffing attacks [10].
At the perception layer, devices such as sensors, RFID tags and hardware modules form the foundation of the IoT ecosystem. While critical to data collection, they typically operate under resource constraints and rely on proprietary or lightweight communication standards with limited encryption. As [2] noted, RFID and sensor networks are particularly exposed due to heterogeneous deployments and lack of unified standards. [10] further emphasised hardware-level vulnerabilities such as side-channel attacks, hardware Trojans and sensor spoofing, which remain outside the coverage of higher-layer security mechanisms.
The coexistence of these protocols across layers in a single household intensifies risks, as hubs and gateways often link devices across standards. This creates complex interoperability chains where a weakness in one layer may cascade into others. For example, perception-layer spoofing of sensor data can propagate through network protocols into application-layer compromises. [2] highlighted that such cross-layer interactions amplify risks, particularly when proprietary extensions and vendor-specific implementations prioritise functionality over consistent security enforcement. According to early analyses of the IoT security landscape [12], protocol-layer protections may be undermined by heterogeneous deployments and legacy implementations.
Table 4 summarises the protocols used and their security features.
Figure 3 consolidates information per layer and highlights cross-layer risks: vulnerabilities that extend beyond a single protocol layer. Data leakage arises when perception-layer devices such as RFID tags or sensors transmit unencrypted information, exposing it as it moves through transport and application protocols. Spoofing occurs when malicious or compromised devices inject false data at the perception layer, which is then propagated by higher-layer protocols into application services. Weak enforcement reflects the inconsistent application of security features across layers; for example, even if CoAP enforces DTLS at the application level, its protections may be undermined by weaker or legacy encryption in underlying transport protocols such as Zigbee. These cross-layer risks underscore the need for integrated security enforcement, as weaknesses at one layer can compromise the resilience of the entire smart home ecosystem [2, 10].
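The following added example (not part of the paper) shows one way a standardisation layer could normalise protocol-specific settings onto a common scale and flag two of the cross-layer risks named above, data leakage and weak enforcement, plus unencrypted application-layer links. The configuration key names, the three-level scale and the household inventory are assumptions constructed for illustration.

```python
from enum import IntEnum


class Level(IntEnum):
    NONE = 0     # traffic is not encrypted
    LEGACY = 1   # encrypted, but by a legacy or weakened implementation
    CURRENT = 2  # the protocol's security feature is enabled as designed


# Security feature of each protocol as named in the text. The config key names
# ("tls", "dtls", "aes128", "encrypted", "legacy") are hypothetical.
PROTECTION_FLAG = {"mqtt": "tls", "coap": "dtls", "zigbee": "aes128", "sensor": "encrypted"}
LAYER_ORDER = ["perception", "network", "application"]


def normalise(link: dict) -> Level:
    """Map a protocol-specific setting onto the common Level scale."""
    flag = PROTECTION_FLAG.get(link["protocol"])
    if flag is None:
        raise ValueError(f"unknown protocol: {link['protocol']}")
    cfg = link.get("config", {})
    if not cfg.get(flag, False):
        return Level.NONE
    return Level.LEGACY if cfg.get("legacy", False) else Level.CURRENT


def audit_path(path: list) -> dict:
    """Audit one device's chain of links, from the perception layer up to the application layer."""
    if not path:
        raise ValueError("a device path needs at least one link")
    links = sorted(path, key=lambda l: LAYER_ORDER.index(l["layer"]))
    levels = [(l["layer"], l["protocol"], normalise(l)) for l in links]
    app_level = min((lvl for layer, _, lvl in levels if layer == "application"), default=None)
    findings = []
    for layer, proto, lvl in levels:
        if layer == "perception" and lvl == Level.NONE:
            # Unencrypted data leaves the sensor and travels up the stack.
            findings.append(("data_leakage", proto))
        elif layer == "application" and lvl == Level.NONE:
            # Optional protection (e.g. TLS for MQTT) was left switched off.
            findings.append(("unencrypted_application", proto))
        elif layer != "application" and app_level is not None and lvl < app_level:
            # Application-layer protection undermined by a weaker link below it.
            findings.append(("weak_enforcement", proto))
    # A path is only as strong as its weakest link.
    return {"effective": min(lvl for _, _, lvl in levels), "findings": findings}


def audit_household(paths: dict) -> list:
    """Return (device, effective level name, findings), weakest devices first."""
    results = [(dev, audit_path(p)) for dev, p in paths.items()]
    results.sort(key=lambda r: (r[1]["effective"], r[0]))
    return [(dev, r["effective"].name, r["findings"]) for dev, r in results]


# Constructed household inventory (illustrative, not measured from real devices).
HOUSEHOLD = {
    "door-sensor": [
        {"layer": "perception", "protocol": "sensor", "config": {"encrypted": False}},
        {"layer": "network", "protocol": "zigbee", "config": {"aes128": True}},
        {"layer": "application", "protocol": "mqtt", "config": {"tls": True}},
    ],
    "thermostat": [
        {"layer": "network", "protocol": "zigbee", "config": {"aes128": True, "legacy": True}},
        {"layer": "application", "protocol": "coap", "config": {"dtls": True}},
    ],
    "smart-plug": [
        {"layer": "network", "protocol": "zigbee", "config": {"aes128": True}},
        {"layer": "application", "protocol": "mqtt", "config": {"tls": True}},
    ],
    "camera": [
        {"layer": "application", "protocol": "mqtt", "config": {"tls": False}},
    ],
}

if __name__ == "__main__":
    for device, effective, findings in audit_household(HOUSEHOLD):
        print(f"{device:12} effective={effective:8} findings={findings}")
```

The thermostat case mirrors the CoAP-over-Zigbee situation in the text: DTLS is enabled at the application layer, yet the path's effective protection is only that of the legacy Zigbee link.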
The evidence demonstrates that IoT protocols and device communication mechanisms embed useful security features but fail in practice due to inconsistent adoption, legacy vulnerabilities and cross-layer risks. Weak encryption at the perception layer, fragmented adoption of secure transport standards and uneven enforcement of application-layer protections illustrate how vulnerabilities can cascade across layers. Adaptive policy frameworks dynamically adjust IoT security at the edge [35]. Fog computing research highlights unresolved privacy/security trade-offs [36]. These dynamics confirm Gap #4: Weak standardisation of IoT protocols, enabling interoperability failures and cross-layer vulnerabilities, addressed by Module #4: Standardisation and Interoperability Layer.
Protocol and interoperability related weaknesses establish how systemic flaws persist across IoT layers. To integrate these observations into a coherent structure, Section 2.5 consolidates evidence across all subsections and maps it into research gaps and framework modules.
2.5. Evidence to Framework Traceability
The literature reviewed in Sections 2.1 through 2.4 confirms that research on IoT security has generated significant insights, but it also reveals persistent structural limitations that affect domestic applicability. To ensure transparency between the evidence base and the design of the proposed framework, it is essential to map contributions from the literature to unresolved gaps and then to the modules that will address them in Section 4.
Four major gaps emerge:
Gap #1 (vulnerabilities): Absence of a unified vulnerability framework for contextualising domestic IoT risks.
Gap #2 (scanning tools): Fragmentation of automated scanning approaches, which remain tool-specific and poorly integrated.
Gap #3 (prioritisation): Over-reliance on technical severity in prioritisation frameworks, with limited recognition of household context.
Gap #4 (frameworks and protocols): Weak standardisation of IoT protocols, enabling interoperability failures and cross-layer vulnerabilities.
Gaps 1 to 4 motivate a framework with four modules:
Vulnerabilities highlight the need for Module #1: Vulnerability Knowledge Base.
Scanning tools confirm the need for Module #2: Automated Scanning Engine.
Prioritisation strategies demonstrate the need for Module #3: a Context-Aware Prioritisation Module.
Protocols underscore the necessity of Module #4: a Standardisation and Interoperability Layer.
Table 5 consolidates the connections between research gaps identified from literature and the framework modules.
The evidence presented demonstrates that the proposed framework is not speculative but a structured response to gaps systematically identified in the literature. Each module emerges directly from deficiencies observed across prior work, ensuring academic rigour and practical relevance for domestic IoT environments.
The analysis across vulnerabilities, scanning tools, prioritisation strategies and protocols shows that while progress has been made in understanding domestic IoT risks, critical gaps remain unresolved. The persistence of these issues indicates that individually, solutions cannot adequately protect households; instead, a coherent framework is required to integrate the diverse contributions of prior research.
3. Methodology
This section explains the selection of the Design Science Research Methodology (DSRM) as the guiding methodology, describes the use of a Systematic Literature Review (SLR), the curated dataset of 40 academic sources and introduces the mapping strategies (Evidence-to-Framework) that ensure transparency and traceability.
3.1. Design Science Research Methodology (DSRM)
This work employs the Design Science Research Methodology (DSRM) to guide the construction of a theoretical framework for automated vulnerability scanning and prioritisation in domestic IoT devices. DSRM provides a structured process for developing artefacts that both address identified problems and maintain academic rigour.
The methodology consists of six stages [8, 37]: 1) Problem Identification and Motivation, 2) Define Objectives of a Solution, 3) Design and Development, 4) Demonstration, 5) Evaluation, 6) Communication. Each stage is tailored to the context of IoT security:
Problem Identification and Motivation. The literature review in Section 2 revealed fragmentation across four domains: vulnerabilities, scanning tools, prioritisation models and standardisation. These challenges directly affect households adopting smart home technologies, motivating the development of a framework that consolidates these aspects into a coherent structure.
Define Objectives of a Solution. The primary objective is to design a theoretical framework that integrates automated scanning, context-aware prioritisation and standardisation principles.
Design and Development. The framework is constructed through an evidence-to-module mapping process. Thematic tables and figures from Section 2 provide the design inputs. Each identified gap (summarised in Table 5 and Table 6) is mapped to a framework module, resulting in a layered model that systematically addresses domestic IoT security challenges.
Demonstration. Demonstration is limited to conceptual validation by showing that the framework adequately addresses the gaps identified in the literature. Practical prototyping or empirical validation is deferred to future work.
Evaluation. Evaluation aims to ensure the proposed framework is rigorous and credible. Following the guidance on evaluation within the DSR body of work [8], this study emphasises traceability and construct validity across the artefact’s modules. Two forms of assessment are employed: i) Internal consistency check – verifying that each framework module directly addresses the gaps identified in the dataset, and ii) Traceability assurance – employing Table 5 (Research Gaps Identified from Literature and mapping to framework modules) to ensure transparent alignment between sources, gaps and design modules.
Communication. The final stage communicates the artefact and its contribution to academic and practitioner audiences.
3.2. Systematic Literature Review Process
The review was conducted in accordance with PRISMA 2020 guidelines, ensuring transparency and replicability. The process involved:
Database searches. Targeted searches were performed in leading scientific databases (ACM Digital Library, IEEE Xplore, ScienceDirect and SpringerLink) using structured strings focused on IoT security and vulnerability management. The primary search string combined three clusters of terms: (1) device/domain scope (“Internet of Things” OR “IoT” OR “smart home” OR “domestic IoT”), (2) vulnerability dimension (“vulnerability scanning” OR “automated vulnerability detection” OR “vulnerability prioritization” OR “vulnerability prioritisation”) and (3) framework context (“cybersecurity framework” OR “security framework” OR “theoretical framework”). Complementary search strings were applied to capture additional studies on protocols, risk scoring and prioritisation models. Abstract-level filters ensured a domestic IoT focus (e.g., “smart home”).
Screening and eligibility. Titles, abstracts and keywords were screened against predefined inclusion and exclusion criteria to ensure relevance to domestic IoT ecosystems.
Deduplication and quality appraisal. Duplicate records were removed and retained studies were assessed for credibility and scholarly rigour. Inclusion criteria required studies to be peer-reviewed journal articles, conference papers or book chapters published in English between 2015 and 2025, explicitly addressing vulnerabilities, scanning, prioritisation or protocol security in domestic IoT contexts. Exclusion criteria removed studies on industrial IoT, non-networked devices, physical hardware vulnerabilities, non-English publications and grey literature without peer review.
Selection of dataset. From an initial pool of 722 records, a final dataset of 40 academic sources was established.
This process is documented in the PRISMA 2020 Flow Diagram (Figure 4), which illustrates the numbers of records identified, screened, excluded and retained.
Dataset. The curated dataset consists of 40 peer-reviewed academic sources covering the four thematic clusters:
Vulnerabilities in Domestic IoT Devices (e.g., default credentials, firmware flaws, weak encryption).
Automated and AI-Driven Scanning Approaches (e.g., Nmap, Shodan, Avatar, Firmadyne, generative fuzzing).
Prioritisation Frameworks (e.g., CVSS, CRASHED, ISF, ML-based anomaly detection).
Protocols and Interoperability Models (e.g., MQTT, Zigbee, Z-Wave, CoAP, BLE).
The literature was examined to identify limitations, blind spots and systemic challenges. Examples include fragmented vulnerability taxonomies, siloed scanning tools, prioritisation models that lack household context and inconsistent adoption of secure protocols. These weaknesses were consolidated into the four structural gaps described in Section 2.
3.3. Limitations
While the methodological design of this work ensures rigour and transparency, several limitations must be acknowledged:
Absence of Primary Data Collection. This research relies exclusively on secondary data in the form of published academic literature. No primary data were collected from households, device vendors or security practitioners. While this ensures methodological consistency and avoids the ethical complexities of human participation, it also means that user-centric considerations are inferred indirectly from prior studies rather than directly validated through empirical field work.
Dependence on Published Sources. The curated dataset consists of 40 peer-reviewed academic sources derived from an initial pool of 722 records. Although these sources were carefully selected for relevance and academic quality, they remain subject to the inherent limitations of publication cycles and research reporting. For example, even with academic sources published between 2015 and 2025 (including academic sources from the SLR), emerging vulnerabilities or proprietary industry practices may not yet be reflected in academic literature. As a result, the framework is based on the best available evidence but may require updating as the IoT security landscape evolves.
Scope and Contextual Boundaries. The framework is explicitly tailored to domestic IoT ecosystems. Its design emphasises household devices, user accessibility and non-technical contexts. While some principles may be applicable to broader IoT domains such as industrial control systems or healthcare, generalisability is limited. Caution should therefore be exercised when extrapolating findings beyond the domestic setting without further adaptation and validation.
Evaluation Constraints. Evaluation in this work is restricted to conceptual validation, including internal consistency checks and traceability mechanisms. Although this ensures methodological rigour, it does not provide empirical testing of the framework in real-world deployments. Future research should extend this evaluation through expert validation, prototyping or pilot studies in household environments to further confirm the framework’s practical applicability.
These limitations do not undermine the validity of the study but define the boundaries within which the findings should be interpreted.
4. Theoretical Framework
This Section presents the theoretical framework developed through the Design Science Research Methodology (DSRM) to address the research question: How can a theoretical framework be developed to enable automated vulnerability scanning and prioritisation for non-technical users in domestic IoT Smart Home environments?
The framework is the culmination of the Systematic Literature Review (SLR) of 40 peer-reviewed academic sources presented in Section 2 and the methodological process detailed in Section 3. It consolidates vulnerabilities, integrates scanning tools, introduces user-contextual prioritisation and enforces protocol standardisation into a single model designed for the domestic IoT environment.
Consistent with DSRM, the framework is a theoretical artefact. It provides constructs (vulnerability classes, scanning methods, prioritisation dimensions, protocol security features) and a model (the layered framework) that together address the four structural gaps identified in Section 2.
4.1. Framework Overview
The framework is designed as a layered system with four modules:
Vulnerability Knowledge Base. Consolidates dispersed vulnerability evidence.
Automated Scanning Engine. Operationalises detection using integrated methods.
Context-Aware Prioritisation Module. Ranks vulnerabilities with household relevance.
Standardisation & Interoperability Layer. Ensures secure integration across IoT protocols.
Figure 5 presents the high-level architecture of the system. This layered architecture reflects bottom-up logic: the Knowledge Base (Table 1) supplies evidence, the Scanning Engine (Table 2) operationalises detection, the Prioritisation Module (Table 3) contextualises results and the Interoperability Layer (Table 4) aligns controls across protocols.
Although the framework is illustrated as a four-layer sequence, its design is iterative rather than strictly linear. Bidirectional flows between Modules 1 and 2 and between Modules 2 and 3 allow scanning outputs to refine the Knowledge Base and prioritisation insights to adjust scanning processes. In addition, Module 3 can feed back directly into Module 1 if contextual analysis reveals missing categories or overlooked vulnerability evidence. These feedback loops make the framework an iterative refinement cycle, ensuring that the input reaching the Standardisation and Interoperability Layer (Module 4) has been validated and refined through earlier stages.
4.2. Framework Modules
4.2.1. Module 1 – Vulnerability Knowledge Base
Gap addressed: Fragmented and dispersed vulnerability knowledge.
As illustrated in Table 1 (Section 2), vulnerabilities in domestic IoT environments are numerous and varied, spanning device-level weaknesses, network exposure, firmware flaws and poor encryption practices. However, the literature reports these vulnerabilities in fragmented ways, often tied to specific devices, protocols or case studies, without a unifying taxonomy accessible to households. This fragmentation was formalised as Gap #1 in Table 5. Foundational taxonomies such as [9] provide the early conceptual structures for trust, privacy and security, reinforcing the rationale for consolidation.
The academic sources dataset shows consistent emphasis on this problem. For instance, [1] highlighted weak authentication practices in household IoT devices, warning that default credentials remain a recurring entry point for attacks. [2] showed that vulnerabilities are aggravated by protocol-level weaknesses, such as insecure implementations of Zigbee and CoAP. [4] demonstrated how firmware flaws are exploited in penetration testing of IoT testbeds, while [5] drew attention to vulnerabilities with direct privacy consequences, such as data leakage from smart cameras. Similarly, [3] noted that device misconfigurations often go unnoticed by end-users, leaving IoT ecosystems vulnerable. [6] identified insecure network services as a persistent exposure vector in domestic environments. Device-level analyses such as [39] on smart cameras highlight household-critical vulnerabilities that remain underrepresented in current classifications. Beyond technical weaknesses, socio-technical risks have been evidenced by [40], who documented digital harms associated with smart home adoption, including surveillance, coercion, and privacy loss.
The Vulnerability Knowledge Base module was therefore designed as the foundational layer of the framework. Its function is to consolidate these dispersed findings into a structured repository, ensuring that vulnerabilities identified across multiple devices, platforms and protocols are normalised into coherent categories. By grounding this consolidation in the evidence gathered from the academic sources used [1, 2, 3, 4, 5, 6], the module directly responds to Gap #1 and establishes the baseline for subsequent framework layers.
4.2.2. Module 2 – Automated Scanning Engine
Gap addressed: Fragmented and siloed scanning tools.
As summarised in Table 2, the dataset revealed a diversity of scanning approaches (including penetration testing, network scanning, fuzzing and emulation), yet these approaches remain fragmented. Each tool or framework operates in isolation, addressing a narrow layer of the IoT attack surface. This fragmentation was formalised as Gap #2 in Table 5.
Multiple sources illustrate this problem. [4] demonstrated penetration testing of IoT testbeds, showing how firmware flaws can be uncovered but without integration into broader vulnerability discovery pipelines. [7] advanced fuzzing techniques to expose vulnerabilities in IoT networks, but these methods operate separately from device scanning tools. [6] proposed automated vulnerability discovery at the network level, but the focus remained on service enumeration without integration into higher-layer prioritisation. [4] explored traffic analysis for anomaly detection, while [1] addressed authentication weaknesses but did not link them to automated detection methods. Techniques such as CoviNet with graph-based temporal dependencies [32] can be leveraged within the passive-monitoring stream when traffic is relayed to cloud services.
Complementary studies have extended scanning toward intrusion detection and anomaly monitoring. [23, 27] showed how machine-learning-based IDS at the network edge can detect botnet activity; [28] introduced READ-IoT for reliable anomaly detection in heterogeneous IoT environments; [29] proposed ADRIoT, an edge-assisted detection framework improving scalability; [30] introduced SARIK, enabling containerised anomaly detection and policy enforcement; [31] advanced hybrid deep-learning models for anomaly detection; and [33] extended IDS analysis to smart city infrastructures, highlighting transferability to domestic contexts.
The Automated Scanning Engine module was designed to unify these siloed approaches. Through DSRM’s design stage, the evidence in Table 2 was mapped to three complementary streams: active probing, passive monitoring and emulation/fuzzing. In line with this integration, [18] demonstrate how ML pipelines can be embedded alongside probing and monitoring to elevate detection recall in consumer IoT scenarios. Incorporating IDS and anomaly detection into the passive monitoring stream further strengthens this design, ensuring the engine captures both pre-deployment vulnerabilities and runtime exploitation attempts. By integrating methods highlighted in [4, 6, 7], supported by broader insights from [1, 4], the module transforms fragmented tool capabilities into a single conceptual process. This design directly addresses Gap #2 and provides the operational layer of the framework. Design choices prioritise low overhead; for instance, [16] shows how optimisation-aware, lightweight AI can retain performance under domestic device and bandwidth constraints.
4.2.3. Module 3 – Context-Aware Prioritisation Module
Gap addressed: Prioritisation frameworks lacking household/user context.
As synthesised in Table 3, existing prioritisation frameworks such as CVSS, SAFER, ML-based approaches and dependency-based methods provide mechanisms for scoring vulnerabilities but remain largely technical. They rank based on severity and exploitability but omit contextual household factors such as device function, role in daily life or privacy implications. This was identified as Gap #3 in Table 5, where lack of user-centric focus was a recurring shortcoming across multiple sources.
The academic sources used provide evidence of this limitation. [4] highlighted how camera and wearable device vulnerabilities pose privacy risks not captured by standard severity scores. [3] emphasised that misconfigurations in household devices could have different impacts depending on whether the device served a safety-critical role or not. [6] noted that network exposure measures fail to account for user-facing consequences. [22] proposed fuzzy-logic and optimisation-based scoring methods that better capture uncertainty in IoT configurations, offering more nuanced prioritisation than CVSS alone. [7] illustrated that fuzzing results often identify technical weaknesses without guidance on their household relevance.
[15] showed that firmware-level vulnerabilities are frequently catalogued without prioritisation logic, reinforcing the need to integrate lifecycle context into household scoring. [1, 2] similarly observed that vulnerabilities at the protocol level (e.g., weak authentication or insecure Zigbee sessions) carry household impacts that severity-only models overlook. [24] advanced predictive analytics approaches, demonstrating how vulnerability prioritisation can be informed by models that forecast exploitation likelihood in specific device categories.
The Context-Aware Prioritisation Module therefore extends existing frameworks by embedding contextual dimensions into prioritisation outputs. Through DSRM mapping, evidence from Table 3 was classified into two categories:
Retain technical dimensions (e.g., severity, exploitability).
Embed household context (device criticality, privacy impact, protocol exposure).
This transformation, directly informed by the academic dataset, ensures prioritisation is not only technically valid but also meaningful for non-technical users. Explainability is critical to user-centric decisions; insights from explainable-AI IDS design [34] can be surfaced in prioritisation outputs to justify rankings to end-users.
4.2.4. Module 4 – Standardisation & Interoperability Layer
Gap addressed: Lack of protocol standardisation and inconsistent adoption.
As summarised in Table 4 (Section 2), household IoT ecosystems rely on diverse communication protocols, including MQTT, Zigbee, Z-Wave, BLE and CoAP, that vary significantly in their embedded security features. This heterogeneity results in fragmented protections across devices, complicating household security. The issue was formalised as Gap #4 in Table 5, where inconsistent protocol adoption was shown to be a systemic barrier to secure IoT.
The dataset provides clear evidence for this gap. [1] highlighted persistent weaknesses in authentication and encryption across common IoT protocols, stressing the risks of insecure default implementations. [2] offered comparative analysis of Zigbee, CoAP and other protocols, showing how insecure design decisions propagate across devices and layers. Nordnes (2024) demonstrated that protocol vulnerabilities can be exploited in penetration testing environments, while [3] emphasised that misconfigured devices often fail to enforce even the minimal protections offered by protocols. [6] further noted that network-level inconsistencies expose households to DoS and enumeration risks. [35] expanded this evidence by showing how adaptive policy frameworks can dynamically enforce protocol security at the edge, reducing inconsistency across heterogeneous devices.
The Standardisation & Interoperability Layer addresses these fragmented protections by providing a central module that ensures consistent enforcement of security controls across protocols. Through DSRM’s design mapping, protocol-level vulnerabilities reported in Table 4 were translated into requirements for standardisation (e.g., encryption, authentication, cross-layer consistency). Evidence from [1, 2], reinforced by [3, 4, 6], provides the foundation for this design. [36] complement this foundation by analysing fog computing deployments, highlighting unresolved privacy and security trade-offs that arise when protocols lack integrated enforcement. The module thus directly closes Gap #4 by embedding interoperability and standardisation into the framework.
4.3. Framework Evaluation
As explained in Section 3, evaluation of the framework follows DSRM Stage 5. Two complementary mechanisms are applied: an internal consistency check and traceability assurance. This ensures that the framework is both conceptually sound and transparently derived from the dataset of 40 academic sources.
Internal Consistency Check. Each module was verified against the specific gap it was designed to address. For example, Module 1, Vulnerability Knowledge Base, responds directly to the fragmented vulnerability reporting documented by [1, 2]. Module 2, Automated Scanning Engine, integrates scanning approaches that are otherwise siloed, as illustrated by [4, 6, 7]. Module 3, Context-Aware Prioritisation, embeds contextual criteria absent in traditional frameworks, as highlighted by [3, 4]. Module 4, Standardisation & Interoperability Layer, enforces cross-protocol alignment, directly addressing the heterogeneity documented by [1, 2].
This consistency check confirms that the framework has no “orphan gaps”, as every shortcoming identified in Section 2 is closed by one design element in Section 4.
Traceability Assurance. The second evaluation mechanism involved ensuring that each module is traceable back to the outputs of Section 2 and the tools described in Section 3:
Module 1 draws directly on vulnerabilities classified in Table 1.
Module 2 integrates scanning methods catalogued in Table 2.
Module 3 extends prioritisation models summarised in Table 3.
Module 4 enforces alignment across protocols compared in Table 4.
This mapping is made explicit in Table 5.
4.4. The Framework
Contributions. The framework makes two key contributions: first, it provides a theoretical contribution by integrating vulnerability knowledge, scanning approaches, prioritisation dimensions and protocol security features into a single layered model (Figure 5, Figure 6 and Figure 7, Table 6, Table 7 and Table 8). This closes the four structural gaps identified in Section 2 and demonstrates the systematic transformation of literature evidence into a design artefact. Second, it offers practical contributions for domestic IoT security. By embedding contextual prioritisation criteria, the framework produces outputs that are meaningful for non-technical users, while also informing vendors and policymakers of the importance of cross-protocol standardisation.
Evaluations confirmed both internal consistency and traceability to the dataset of 40 academic sources, fulfilling the design objectives outlined in Section 3. The evaluation approach is aligned with DSR evaluation principles [41], focusing on internal coherence, transparency of evidence-to-design traceability and relevance to the application context.
Each module is explicitly supported by a cluster of sources:
Module #1 consolidates vulnerability evidence [1, 2, 3, 4, 5, 6, 9, 39, 40].
Module #2 integrates scanning methods, including IDS/anomaly detection [1, 4, 6, 7, 23, 27, 28, 29, 30, 31, 33].
Module #3 embeds household context into prioritisation [1, 2, 3, 4, 6, 7, 15, 22, 24].
Module #4 enforces interoperability [1, 2, 3, 4, 6, 35, 36].
This comprehensive mapping shows that all 40 sources from Section 2 are systematically embedded within the framework, ensuring transparency, coherence and academic rigour. The next section provides a comprehensive discussion of the framework’s theoretical positioning, practical implications, limitations and directions for future research.
5. Discussion
The discussion analyses the extent to which the framework resolves the identified gaps and how it advances the academic and practical understanding of domestic IoT security. In line with the Design Science Research Methodology [8], the emphasis here is on evaluation through internal consistency and traceability. The analysis is therefore structured around the four identified gaps, followed by a cross-module integration and reflection on practical and methodological implications. This approach ensures coherence with the literature base while demonstrating how the framework contributes to the advancement of IoT vulnerability management.
5.1. Addressing Gap #1: Unified Vulnerability Knowledge Base
Gap #1 highlighted the absence of a unified framework for contextualising domestic IoT vulnerabilities. Prior research offered valuable but fragmented contributions. For example, [9] emphasised early shortcomings in privacy and trust, while [10] catalogued side-channel and hardware-level threats. [11] demonstrated the risks of privilege escalation in smart hubs and [12] framed risks across multiple IoT layers. [1, 4] provided empirical evidence of device-specific weaknesses, such as insecure firmware and remote exploits in smart cameras, yet their findings were isolated to particular device categories.
By consolidating this dispersed knowledge into Module #1, the framework advances from fragmented taxonomies to a structured Vulnerability Knowledge Base. This repository synthesises device-level, protocol-level and ecosystem-level vulnerabilities into a format that can be interpreted not only by researchers but also by non-technical users. The contribution lies in shifting the focus from isolated vulnerabilities to a systematic classification tailored to household exposure. In doing so, the framework strengthens contextual relevance. Remote exploits in consumer devices are distinguished from vulnerabilities requiring physical access, enabling prioritisation of risks that matter most to households [1]. Furthermore, by unifying empirical studies and taxonomic surveys, Module #1 bridges the gap between conceptual classifications [9, 12] and operational evidence from penetration testing and vulnerability databases [5, 11]. This integration is a key theoretical advancement, providing a coherent base upon which subsequent modules (scanning, prioritisation and interoperability) can operate effectively.
5.2. Addressing Gap #2: Fragmented Automated Scanning Approaches
Gap #2 identified the fragmentation of automated scanning approaches, which remain siloed across tools and unsuitable for direct adoption in household contexts. Traditional enumeration methods such as Nmap and Masscan remain widely used for device discovery and port analysis [6]. These tools provide broad coverage but are limited to surface-level information and do not capture deeper vulnerabilities embedded in firmware or device configurations. Shodan extends enumeration to the internet scale but similarly relies on banner grabbing, restricting precision [14].
Dynamic and emulation-based methods have been proposed to overcome these limitations. [1] demonstrated how frameworks such as Avatar and Firmadyne enable re-hosting of firmware images to reveal authentication bypasses and hidden services. While powerful, these approaches require specialist expertise and computational resources that prevent their straightforward application in domestic households. The OVER framework developed by [14] extended static analysis to firmware, open-source software and mobile applications, surfacing systemic vulnerabilities such as hard-coded passwords and outdated components but again did so without integration into user-friendly processes.
Recent research has sought to apply Artificial Intelligence (AI) to reduce blind spots and improve accuracy. [19] proposed a machine-learning pipeline for predicting missing CVSS metrics and combining them with attack graphs for system-level assessment. [7] advanced this trajectory through generative fuzzing that created new test cases from live traffic, enabling the discovery of previously undetected vulnerabilities. [27] contributed a systematic review of machine-learning approaches for IoT botnet detection, highlighting the role of classifiers such as random forests and neural networks in anomaly detection. These contributions show the potential of AI-driven scanning to bridge static and dynamic approaches, but they remain methodologically isolated.
Practical prototypes have also highlighted the feasibility of tailored penetration testing for domestic IoT. [4] introduced IoTective, a tool capable of performing automated reconnaissance across Wi-Fi, Bluetooth and Zigbee, generating inventories of assets and reporting potential vulnerabilities. [6] presented AutoDES, a framework for automated vulnerability discovery and exploitation, capable of producing evidence of exploitability against IoT binaries. While these contributions demonstrate practical feasibility, their outputs are not yet embedded into unified frameworks accessible to households.
Module #2 of the proposed framework responds directly to this fragmentation by consolidating these scanning strategies into a conceptual Automated Scanning Engine. Rather than privileging one method, it layers traditional enumeration, firmware analysis, AI-enhanced techniques and penetration-style fuzzing into a structured process. This integration ensures that households benefit from comprehensive coverage without being required to navigate the complexity of individual toolchains. The theoretical contribution is therefore the articulation of a coherent scanning model that bridges tool silos and grounds vulnerability detection within an evidence-based, layered architecture.
5.3. Addressing Gap #3: Over-Reliance on Technical Severity in Prioritisation
Gap #3 highlighted the trend of existing frameworks to privilege technical severity, often overlooking the household context that determines real-world impact. The Common Vulnerability Scoring System (CVSS) remains the dominant standard, but its focus on exploitability and impact vectors has been criticised for misrepresenting risks in consumer settings [5]. For example, a vulnerability with a high CVSS score in a low-criticality device such as a smart light bulb may be prioritised over a moderate-scored flaw in a security camera, even though the latter presents greater consequences for household privacy and safety.
Alternative approaches have been developed to address these shortcomings. [5] proposed the SAFER framework, which introduced Current and Future Device Security Risk Indicators (CDSRI/FDSRI) to capture both immediate and forecasted risk by incorporating vendor patch cadence and firmware update trends. [3] extended prioritisation to systemic levels through dependency-based models that quantified how vulnerabilities propagate across interconnected devices. [25] tailored prioritisation specifically to smart homes through the CRASHED framework, which embedded device roles and exposure into its logic. Similarly, [26] proposed the IoT Security Framework (ISF), emphasising device interdependencies and ecosystem-wide risk rather than isolated technical flaws. Collectively, these contributions signal a shift towards more context-aware models, yet they remain disconnected from widely adopted scoring systems and are not consistently operationalised.
Module #3 of the proposed framework advances this discussion by embedding household context directly into prioritisation. The Context-Aware Prioritisation Module combines technical severity scores with additional criteria such as device criticality, privacy impact and protocol exposure. In doing so, it addresses the limitations of relying solely on CVSS and integrates insights from forecasting approaches [5], dependency-aware models [3] and smart home-focused frameworks [25, 26]. The theoretical contribution lies in providing a layered prioritisation logic that balances technical severity with domestic relevance, ensuring that households allocate resources to vulnerabilities that matter most.
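The re-ranking that Section 4.2.3 and the bulb-versus-camera case above describe, as an added Python illustration that is not part of the original paper. The paper names the dimensions (technical severity, device criticality, privacy impact, protocol exposure) but gives no formula, so the weights, the 0 to 1 context scales, the worst-case default for unknown context and all sample findings are assumptions constructed here.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed weights (not from the paper): technical severity is retained but
# no longer decides the ranking on its own. The weights sum to 1.0.
WEIGHTS: Dict[str, float] = {
    "technical_severity": 0.40,
    "device_criticality": 0.25,
    "privacy_impact": 0.25,
    "protocol_exposure": 0.10,
}


@dataclass(frozen=True)
class Finding:
    device: str
    issue: str
    cvss_base: float                            # 0.0-10.0, as reported by a scanner
    device_criticality: Optional[float] = None  # 0.0-1.0, role of the device in the home
    privacy_impact: Optional[float] = None      # 0.0-1.0, sensitivity of the data it handles
    protocol_exposure: Optional[float] = None   # 0.0-1.0, reachability of the affected protocol


def unit_value(value: Optional[float], name: str) -> float:
    """Validate a 0-1 context value; unknown context counts as worst case."""
    if value is None:
        # Assumption: an unprofiled device must not be silently deprioritised.
        return 1.0
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must be within 0.0-1.0, got {value}")
    return value


def contributions(f: Finding) -> Dict[str, float]:
    """Weighted share that each dimension adds to the normalised score."""
    if not 0.0 <= f.cvss_base <= 10.0:
        raise ValueError(f"cvss_base must be within 0.0-10.0, got {f.cvss_base}")
    factors = {
        "technical_severity": f.cvss_base / 10.0,
        "device_criticality": unit_value(f.device_criticality, "device_criticality"),
        "privacy_impact": unit_value(f.privacy_impact, "privacy_impact"),
        "protocol_exposure": unit_value(f.protocol_exposure, "protocol_exposure"),
    }
    return {name: WEIGHTS[name] * factors[name] for name in WEIGHTS}


def context_score(f: Finding) -> float:
    """Household-aware score on the familiar 0-10 scale."""
    return round(10.0 * sum(contributions(f).values()), 2)


def main_driver(f: Finding) -> str:
    """Dimension that contributes most, used to justify the ranking."""
    parts = contributions(f)
    return max(parts, key=parts.get)


def explain(f: Finding) -> str:
    """One plain-language line per finding for a non-technical reader."""
    reason = main_driver(f).replace("_", " ")
    return (f"{f.device}: {f.issue} "
            f"(priority {context_score(f)}/10, mainly because of {reason})")


def rank(findings: List[Finding]) -> List[Finding]:
    """Highest household priority first."""
    return sorted(findings, key=context_score, reverse=True)


# Constructed sample findings; devices, issues and values are illustrative only.
SAMPLE_FINDINGS = [
    Finding("smart bulb", "outdated firmware component", 8.8, 0.1, 0.1, 0.3),
    Finding("security camera", "default credentials still enabled", 5.3, 0.9, 1.0, 0.8),
    Finding("home hub", "unpatched hub software", 7.5, 1.0, 0.6, 0.5),
]

if __name__ == "__main__":
    by_cvss = sorted(SAMPLE_FINDINGS, key=lambda f: f.cvss_base, reverse=True)
    print("CVSS-only order:    ", [f.device for f in by_cvss])
    print("Context-aware order:", [f.device for f in rank(SAMPLE_FINDINGS)])
    for finding in rank(SAMPLE_FINDINGS):
        print(" -", explain(finding))
```

With these assumed weights the camera finding moves from last place under CVSS-only ordering to first, and a finding with no household profile is scored as worst case rather than dropped down the list.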
5.4. Addressing Gap #4: Weak Protocol Standardisation and Interoperability
Gap #4 focused on the lack of consistent standardisation and the resulting interoperability issues across domestic IoT protocols. Prior research has repeatedly shown that protocol heterogeneity amplifies systemic risk. Early analyses by [2] identified how weaknesses at one layer could cascade across others, emphasising the risks of inconsistent adoption of encryption and authentication. [10] reinforced these findings by highlighting vulnerabilities in Zigbee, Z-Wave and Bluetooth Low Energy, including key extraction attacks and susceptibility to replay and sniffing. [1] provided empirical evidence that consumer devices frequently ship with optional or disabled encryption, undermining even well-established standards such as MQTT with TLS support.
More recent studies demonstrate how these protocol-level weaknesses create exploitable attack chains. [6] showed that legacy deployments of Zigbee and Z-Wave expose smart homes to enumeration and Denial-of-Service attack risks when protections are unevenly enforced. [4] found that misconfigurations in consumer hubs, such as unpatched Home Assistant deployments and outdated firmware in Zigbee bridges, intensify protocol interoperability flaws. [3] further argued that dependency chains across perception, network and application layers increase the likelihood of cascading failures, particularly in heterogeneous environments where vendors apply security unevenly.
Module #4 of the proposed framework directly responds to these challenges by establishing a Standardisation and Interoperability Layer. This module harmonises security practices across MQTT, CoAP, Zigbee, Z-Wave and BLE, embedding cross-layer resilience into the framework. It synthesises the academic evidence to ensure that weaknesses in one protocol do not undermine the protections of others, thereby reducing the systemic risks identified by [2]. The theoretical contribution lies in translating fragmented standards and protocol-specific insights into a unified interoperability layer that supports household security. By embedding standardisation as a dedicated module, the framework ensures that protocol heterogeneity is addressed not as an addition but as a core element of domestic IoT security.
5.5. Cross-Module Integration and Contributions
While each module of the framework responds to a specific gap, their value emerges most clearly when considered in combination. Module #1, the Vulnerability Knowledge Base, provides the foundational repository that enables Modules #2 and #3 to function effectively. Without a consolidated classification of vulnerabilities, automated scanning outputs would remain fragmented, and prioritisation would lack contextual grounding [1, 5, 9]. Module #2, the Automated Scanning Engine, operationalises this repository by integrating enumeration, firmware analysis, AI-enhanced scanning and fuzzing into a coherent process [4, 7, 19]. Its layered design ensures that vulnerability evidence is comprehensive and diverse, feeding directly into Module #3.
The Context-Aware Prioritisation Module (Module #3) depends on the outputs of both Modules #1 and #2. By combining technical severity with household context, it advances beyond purely technical scoring models [5, 25]. Notably, it links detection with decision-making, ensuring that vulnerabilities identified through scanning are assessed in relation to household relevance. Module #4, the Standardisation and Interoperability Layer, provides the systemic cohesion that enables the preceding modules to operate reliably across heterogeneous protocols. By addressing weaknesses in MQTT, Zigbee, Z-Wave and BLE [2, 6, 10], it ensures that vulnerabilities and scanning results are not undermined by protocol-level inconsistencies.
Together, the modules form a layered artefact that addresses the identified gaps. Notably, these modules interact through feedback loops: scanning may highlight gaps in the Knowledge Base, while prioritisation may reveal the need to adjust scanning coverage or classifications. This iterative design reinforces the internal consistency of the framework, ensuring that vulnerability management is not only comprehensive but also self-correcting. This contrasts with prior approaches that remained isolated in scope, whether focused on machine learning detection [27], systemic risk modelling [3] or firmware analysis [14]. The framework’s novelty lies in its ability to integrate these contributions into a cohesive architecture tailored to domestic IoT contexts.
The theoretical contribution therefore extends beyond individual modules. It positions automated vulnerability scanning and prioritisation as an interconnected process that is transparent, evidence-driven and accessible for non-technical users. This aligns with the principles of Design Science Research Methodology [8], which emphasise artefacts that are both rigorously grounded in literature and practically relevant.
5.6. Practical Implications for Domestic IoT Users
The practical value of the framework lies in its ability to lower the barriers faced by non-technical households when managing IoT security. Prior research has shown that consumers often underestimate systemic vulnerabilities in their smart home ecosystems, leading to under-preparedness against attacks [5, 11]. By consolidating vulnerabilities into a structured knowledge base (Module #1), the framework equips households with an accessible repository of risks that can be understood without specialist expertise. This addresses the persistent problem of fragmented vulnerability reporting, which has historically been confined to expert audiences [1].
The Automated Scanning Engine (Module #2) further contributes to practical impact by providing households with a structured process that unifies traditional tools, firmware analysis, AI-enhanced scanning and fuzzing methods. While advanced approaches such as generative fuzzing [7] or machine-learning-based anomaly detection [23, 27] remain technically complex, their conceptual integration into the framework enables translation into lightweight implementations that can be adapted for household devices. Prototypes such as IoTective [4] already demonstrate the feasibility of simplified reconnaissance for end users, suggesting that household-ready scanning tools are achievable.
The Context-Aware Prioritisation Module (Module #3) ensures that consumers are not overwhelmed by technical risk scores. Based on device function, privacy impact and protocol exposure, the framework supports household decision-making that aligns with lived realities. For instance, while a high CVSS vulnerability in a smart bulb may appear urgent, Module #3 would direct attention to vulnerabilities in security cameras or home hubs where household privacy and integrity are more directly at risk [4, 25].
The Standardisation and Interoperability Layer (Module #4) provides systemic protection for households by addressing protocol heterogeneity. In practice, this means that weaknesses in Zigbee or Bluetooth are not left unmitigated but harmonised within a broader security posture [2, 6, 10]. For end users, this reduces the risk that misconfigured or legacy devices undermine the resilience of the entire household network.
The framework also has broader implications for policymakers, vendors and researchers. Policymakers may use the structure to design regulations that ensure minimum security baselines across protocols, while vendors may adapt the prioritisation logic to provide consumer-friendly vulnerability notifications. Researchers, in turn, can use the framework as a blueprint for empirical validation or as a foundation for developing deployable tools.
Collectively, these implications demonstrate that the framework offers tangible pathways for improving domestic IoT resilience. For households, the framework not only provides prioritised and actionable vulnerability lists but also evolves iteratively. The iterative nature of the design means that assessments are not static but adapt as new vulnerabilities and device contexts emerge, reducing the risk of blind spots over time. This dynamic quality makes the framework more resilient in practice, providing ongoing relevance for non-technical users.
5.7. Limitations
While the framework demonstrates clear contributions, it is important to reflect critically on the methodological boundaries of this study. The work adopted a Design Science Research Methodology approach, which emphasises artefact construction based on systematic evidence [8]. Evaluation was therefore conducted conceptually, focusing on internal consistency and evidence-to-framework traceability rather than empirical deployment. This reflects a deliberate methodological choice but introduces limitations.
First, the study relied exclusively on secondary data from 40 peer-reviewed academic sources published between 2015 and 2025. While this dataset was carefully curated through a systematic literature review process, it necessarily excludes insights from grey literature, industry reports and unpublished empirical findings. Consequently, the framework may not capture the full scope of emerging vulnerabilities or proprietary tools used in practice [1,5].
Second, while the framework incorporates an iterative refinement cycle between Modules 1 and 3, this study did not empirically test how such feedback would operate in domestic environments. Although the design illustrates how scanning outputs can enrich the Knowledge Base and how prioritisation can inform both knowledge and scanning processes, these feedback loops remain theoretical. Future work should validate whether such iterative mechanisms can be effectively implemented in practice, either through household trials or automated system integration.
Third, the absence of empirical validation limits the immediate applicability of the framework. Although prior studies have demonstrated proof-of-concept tools such as IoTective [4], automated fuzzing frameworks [7] and dependency-based risk models [3], this work did not implement or test these methods in live smart-home environments. As a result, claims about household usability remain theoretical. Future work should extend the framework through prototype development and user evaluation to confirm its practical effectiveness.
Fourth, the generalisability of the framework is constrained by the academic evidence base. While studies such as [23,27] demonstrate the adaptability of machine-learning techniques, most evaluations were conducted on testbeds or institutional networks rather than in domestic households. Similarly, protocol studies by [2] and [10] focused on broader IoT ecosystems, requiring careful adaptation to the domestic context. These limitations highlight the need for further empirical research that grounds the framework in real-world household deployments.
Beyond individual modules, the discussion demonstrated the integrative value of the framework. Together, the modules form a layered artefact that bridges micro-level vulnerabilities, meso-level scanning processes and macro-level systemic risks, offering a coherent and accessible structure for non-technical households. This discussion confirms that the framework responds directly to the identified research gaps and advances the field of domestic IoT security by integrating vulnerability knowledge, automated scanning, context-aware prioritisation and standardisation. It also establishes an iterative refinement cycle through which knowledge, scanning and prioritisation processes continuously inform one another, ensuring that the framework remains adaptive to emerging household contexts and vulnerabilities.
6. Conclusions and Future Work
Households face significant risks from insecure firmware, weak authentication, fragmented scanning tools and heterogeneous protocols [1,2,5]. In this context, this work identified four structural gaps in the literature: 1) Dispersed vulnerability knowledge, 2) Fragmented scanning approaches, 3) Prioritisation frameworks focused narrowly on technical severity, 4) Weak standardisation across protocols.
Section 3 and Section 4 described how these gaps were addressed through the Design Science Research Methodology [8], resulting in a four-module framework: the Vulnerability Knowledge Base, Automated Scanning Engine, Context-Aware Prioritisation Module and Standardisation & Interoperability Layer. Section 5 discussed how these modules collectively advanced both academic knowledge and household practice.
The modules of the framework operate as an integrated system: Module #1 provides evidence, Module #2 generates actionable data, Module #3 translates findings into household-relevant priorities and Module #4 secures the system across protocols. The originality of this framework lies not in isolated responses but in their interdependence, which transforms fragmented insights into a layered artefact for domestic IoT security strengthening. The framework operates as an iterative refinement cycle rather than a one-directional process: outputs from scanning and prioritisation continuously feed back into the Knowledge Base, ensuring that evidence and classifications evolve with emerging vulnerabilities.
6.1. Contributions
This study makes contributions at two levels:
Theoretical contribution: Building on Section 2, the framework integrates vulnerabilities, scanning methods, prioritisation strategies and interoperability challenges into a coherent design tailored for households. It bridges micro-level device risks, mid-level scanning and prioritisation and macro-level protocol resilience [3,27].
Practical contribution: Reinforced in Section 5, the framework lowers barriers for households by contextualising vulnerabilities, supports policymakers in defining baseline protections and guides vendors in developing consumer-friendly vulnerability reporting [5,11].
6.2. Limitations
Dataset constraints: The framework was built on 40 peer-reviewed sources from 2015 to 2025. While rigorous, this excluded grey literature and industry reports that may capture emerging threats [1,5].
Conceptual evaluation: The framework was assessed for internal consistency and traceability rather than tested in live households. Although prototypes such as IoTective [4] and Generative Fuzzing [7] show feasibility, practical validation remains as future work. Also, while the framework embeds feedback loops across Modules 1 to 3, these mechanisms remain conceptual and untested. Future empirical work should evaluate how such iteration functions in live household environments.
Generalisability: Much of the reviewed evidence was derived from laboratory or institutional testbeds [23,27], requiring adaptation to domestic contexts. This highlights the need to develop tools for managing IoT devices in household contexts.
These limitations highlight opportunities for future research.
6.3. Future Work
Short-term: Develop a prototype implementation of the framework and conduct household usability studies to test its accessibility for non-technical users [11,25].
Medium-term: Integrate real-time intrusion and anomaly detection at the edge and evaluate interoperability under realistic attack conditions across multiple protocols [6,10,23,27].
Long-term: Expand the knowledge base with industry threat intelligence, disclosure databases and longitudinal data, while exploring adoption pathways for policymakers and vendors [1].
This staged approach ensures that the framework evolves from a conceptual artefact into an empirically validated and widely applicable tool. Each stage should incorporate iterative refinement, enabling the framework to evolve through cycles of testing, evaluation and knowledge-base updating. This ensures that household-level security remains responsive to new device types, vulnerabilities and usage contexts.
To conclude, this work has developed a theoretical framework that addresses fragmented approaches to domestic IoT security. By unifying vulnerabilities, consolidating scanning methods, embedding household context in prioritisation and harmonising protocol protections, the framework responds to the four gaps identified in Section 2 and answers the research question posed in Section 1.
Methodologically, the work demonstrates how Design Science Research Methodology and systematic synthesis can be used to generate a transparent artefact. Practically, it provides households, policymakers and vendors with a structured foundation for strengthening IoT resilience. While limited to conceptual evaluation, the framework sets a foundation for future empirical work that can translate academic insight into deployable solutions. As domestic IoT adoption accelerates, protecting households requires not isolated defences but integrated frameworks. The artefact developed here demonstrates one such pathway, contributing to academic knowledge and laying the groundwork for real-world security in smart homes. By embedding an iterative refinement cycle within its design, the framework also establishes a mechanism for continuous learning and adaptation, aligning with Design Science Research Methodology principles of artefact evolution.
Author Contributions
Conceptualization, D.F.R.B. and J.A.G.; methodology, D.F.R.B.; validation, D.F.R.B.; formal analysis, D.F.R.B.; investigation, D.F.R.B.; data curation, D.F.R.B.; writing—original draft preparation, D.F.R.B.; writing—review and editing, D.F.R.B., J.A.G., and S.J.R.; visualization, D.F.R.B., and S.J.R.; supervision, J.A.G. All authors have read and agreed to the published version of the manuscript.
Funding
This research received no external funding.
Data Availability Statement
The raw data supporting the conclusions of this article will be made available by the authors on request.
References
1. Costa, L.; Barros, J.; Tavares, M. Vulnerabilities in IoT Devices for Smart Home Environment. In Proceedings of the 5th International Conference on Information Systems Security and Privacy, 2019; pp. 615–622.
2. Jing, Q.; Vasilakos, A. V.; Wan, J.; Lu, J.; Qiu, D. Security of the Internet of Things: Perspectives and challenges. Wireless Networks 2014, 20(8), 2481–2501.
3. Radanliev, P.; De Roure, D.; Maple, C.; Nurse, J. R. C.; Nicolescu, R.; Ani, U. AI security and cyber risk in IoT systems. Frontiers in Big Data 2024, 7, 1402745.
4. Nordnes, K.; Lin, J.-C.; Lee, M.-C.; Chang, V. IoTective: Automated Penetration Testing for Smart Home Environments. In Proceedings of the 9th International Conference on Internet of Things, Big Data and Security, 2024; pp. 29–39.
5. Oser, P.; Van Der Heijden, R. W.; Lüders, S.; Kargl, F. Risk Prediction of IoT Devices Based on Vulnerability Analysis. ACM Transactions on Privacy and Security 2022, 25(2), 1–36.
6. Wang, Z.; Zhang, Y.; Tian, Z.; Ruan, Q.; Liu, T.; Wang, H.; Liu, Z.; Lin, J.; Fang, B.; Shi, W. Automated Vulnerability Discovery and Exploitation in the Internet of Things. Sensors 2019, 19(15), 3362.
7. Masud, M. T.; Koroniotis, N.; Keshk, M.; Turnbull, B.; Kermanshahi, S. K.; Moustafa, N. Generative fuzzer-driven vulnerability detection in the Internet of Things networks. Applied Soft Computing 2025, 174, 112973.
8. Peffers, K.; Tuunanen, T.; Rothenberger, M. A.; Chatterjee, S. A Design Science Research Methodology for Information Systems Research. Journal of Management Information Systems 2007, 24(3), 45–77.
9. Sicari, S.; Rizzardi, A.; Grieco, L. A.; Coen-Porisini, A. Security, privacy and trust in Internet of Things: The road ahead. Computer Networks 2015, 76, 146–164.
10. Mosenia, A.; Jha, N. K. A Comprehensive Study of Security of Internet-of-Things. IEEE Transactions on Emerging Topics in Computing 2017, 5(4), 586–602.
11. Fernandes, E.; Jung, J.; Prakash, A. Security Analysis of Emerging Smart Home Applications. 2016 IEEE Symposium on Security and Privacy (SP), 2016; pp. 636–654.
12. Li, S.; Tryfonas, T.; Li, H. The Internet of Things: A security point of view. Internet Research 2016, 26(2), 337–359.
13. Amro, A. IoT Vulnerability Scanning: A State of the Art. In Computer Security; Katsikas, S., Cuppens, F., Cuppens, N., Lambrinoudakis, C., Kalloniatis, C., Mylopoulos, J., Antón, A., Gritzalis, S., Meng, W., Furnell, S., Eds.; Springer International Publishing, 2020; Vol. 12501, pp. 84–99.
14. Sachidananda, V.; Bhairav, S.; Elovici, Y. OVER: Overhauling vulnerability detection for IoT through an adaptable and automated static analysis framework. In Proceedings of the 35th Annual ACM Symposium on Applied Computing, 2020; pp. 729–738.
15. Bakhshi, T.; Ghita, B.; Kuzminykh, I. A Review of IoT Firmware Vulnerabilities and Auditing Techniques. Sensors 2024, 24(2), 708.
16. Chaganti, K. C. A Scalable, Lightweight AI-Driven Security Framework for IoT Ecosystems: Optimization and Game Theory Approaches. IEEE Access 2025, 13, 72235–72247.
17. Akhilesh, R.; Bills, O.; Chilamkurti, N.; Chowdhury, M. J. M. Automated Penetration Testing Framework for Smart-Home-Based IoT Devices. Future Internet 2022, 14(10), 276.
18. Arabelli, R.; Buradkar, M.; Lakshmaji, K.; Dube, A. P.; Mary Shiba, C.; Geetha, B. T. Machine Learning-Based Cybersecurity Framework for IoT Devices. 2024 International Conference on Advances in Computing, Communication and Applied Informatics (ACCAI), 2024; pp. 1–6.
19. Duan, X.; Ge, M.; Minh Le, T. H.; Ullah, F.; Gao, S.; Lu, X.; Babar, M. A. Automated Security Assessment for the Internet of Things. 2021 IEEE 26th Pacific Rim International Symposium on Dependable Computing (PRDC), 2021; pp. 47–56.
20. Aung, Y. L.; Christian, I.; Dong, Y.; Ye, X.; Chattopadhyay, S.; Zhou, J. Generative AI for Internet of Things Security: Challenges and Opportunities (Version 1). arXiv 2025.
21. Nazzal, B.; Zaid, A. A.; Alalfi, M. H.; Valani, A. Vulnerability classification of consumer-based IoT software. In Proceedings of the 4th International Workshop on Software Engineering Research and Practice for the IoT, 2022; pp. 17–24.
22. Mashaleh, A. S.; Ibrahim, N. F. B.; Alauthman, M.; Almseidin, M.; Gawanmeh, A. IoT Smart Devices Risk Assessment Model Using Fuzzy Logic and PSO. Computers, Materials and Continua 2024, 78(2), 2245–2267.
23. Kumar, A.; Shridhar, M.; Swaminathan, S.; Lim, T. J. Machine learning-based early detection of IoT botnets using network-edge traffic. Computers & Security 2022, 117, 102693.
24. Kalaria, R.; Kayes, A. S. M.; Rahayu, W.; Pardede, E.; Salehi, S.A. IoTPredictor: A security framework for predicting IoT device behaviours and detecting malicious devices against cyber attacks. Computers & Security 2024, 146, 104037.
25. Paparis, G.; Zarras, A.; Farao, A.; Xenakis, C. CRASHED: Cyber risk assessment for smart home electronic devices. Journal of Information Security and Applications 2025, 91, 104054.
26. Bhardwaj, A.; Kaushik, K.; Alshehri, M.; Mohamed, A. A.-B.; Keshta, I. ISF: Security Analysis and Assessment of Smart Home IoT-based Firmware. In ACM Trans. Sen. Netw; 2023.
27. Nazir, A.; He, J.; Zhu, N.; Wajahat, A.; Ma, X.; Ullah, F.; Qureshi, S.; Pathan, M. S. Advancing IoT security: A systematic review of machine learning approaches for the detection of IoT botnets. Journal of King Saud University - Computer and Information Sciences 2023, 35(10), 101820.
28. Yahyaoui, A.; Abdellatif, T.; Yangui, S.; Attia, R. READ-IoT: Reliable Event and Anomaly Detection Framework for the Internet of Things. IEEE Access 2021, 9, 24168–24186.
29. Li, R.; Li, Q.; Zhou, J.; Jiang, Y. ADRIoT: An Edge-Assisted Anomaly Detection Framework Against IoT-Based Network Attacks. IEEE Internet of Things Journal 2022, 9(13), 10576–10587.
30. dos Santos, J. G. P.; Filho, G. P. R.; Meneguette, R. I.; Bonacin, R.; Pessin, G.; Gonçalves, V. P. Enhancing IoT device security in Kubernetes: An approach adopted for network policies and the SARIK framework. Future Generation Computer Systems 2025, 162, 107485.
31. Baswaraj, D.; Rahman, A.; Pandey, D.; Bhargavi, T.; Ismoilov, M.; Deepthi, N. A Hybrid Deep Learning Framework for IoT Security Enhancement and Anomaly Detection. 2025 3rd International Conference on Integrated Circuits and Communication Systems (ICICACS), 2025; pp. 1–6.
32. Begum, M. B.; A, Y.; Nagarajan, N. R.; Rajalakshmi, P. Dynamic network security leveraging efficient CoviNet with granger causality-inspired graph neural networks for data compression in cloud IoT Devices. Knowledge-Based Systems 2025, 309, 112859.
33. Bhardwaj, A.; Bharany, S.; Abulfaraj, A. W.; Osman Ibrahim, A.; Nagmeldin, W. Fortifying home IoT security: A framework for comprehensive examination of vulnerabilities and intrusion detection strategies for smart cities. Egyptian Informatics Journal 2024b, 25, 100443.
34. Dixit, M.; Siby, S. M.; J, J.; Vetriveeran, D.; Sambandam, R. K.; D, V. Theoretical Framework for Integrating IoT and Explainable AI in a Smart Home Intrusion Detection System. 2024 IEEE International Conference on Contemporary Computing and Communications (InC4) 2024, 1, 1–5.
35. Halgamuge, M. N.; Niyato, D. Adaptive edge security framework for dynamic IoT security policies in diverse environments. Computers & Security 2025, 148, 104128.
36. Alrawais, A.; Alhothaily, A.; Hu, C.; Cheng, X. Fog Computing for the Internet of Things: Security and Privacy Issues. IEEE Internet Computing 2017, 21(2), 34–42.
37. Gregor, S.; Hevner, A. R. Positioning and Presenting Design Science Research for Maximum Impact. MIS Quarterly 2013, 37(2), 337–355.
38. Page, M. J.; McKenzie, J. E.; Bossuyt, P. M.; Boutron, I.; Hoffmann, T. C.; Mulrow, C. D.; Shamseer, L.; Tetzlaff, J. M.; Akl, E. A.; Brennan, S. E.; Chou, R.; Glanville, J.; Grimshaw, J. M.; Hróbjartsson, A.; Lalu, M. M.; Li, T.; Loder, E. W.; Mayo-Wilson, E.; McDonald, S.; Moher, D. The PRISMA 2020 statement: An updated guideline for reporting systematic reviews. BMJ 2021, n71.
39. Buil-Gil, D.; Kemp, S.; Kuenzel, S.; Coventry, L.; Zakhary, S.; Tilley, D.; Nicholson, J. The digital harms of smart home devices: A systematic literature review. Computers in Human Behavior 2023, 145, 107770.
40. Bhardwaj, A.; Bharany, S.; Osman Ibrahim, A.; Almogren, A.; Ur Rehman, A.; Hamam, H. Unmasking vulnerabilities by a pioneering approach to securing smart IoT cameras through threat surface analysis and dynamic metrics. Egyptian Informatics Journal 2024a, 27, 100513.
41. Peffers, K.; Rothenberger, M.; Tuunanen, T.; Vaezi, R. Design Science Research Evaluation. In Design Science Research in Information Systems. Advances in Theory and Practice; Peffers, K., Rothenberger, M., Kuechler, B., Eds.; Springer Berlin Heidelberg, 2012; Vol. 7286, pp. 398–410.
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).