
When Your Thing Won’t Behave : Security Governance in the Internet of Things

DOI for citing the version on EPub Bayreuth: https://doi.org/10.15495/EPub_UBT_00008261
URN for citing the version on EPub Bayreuth: urn:nbn:de:bvb:703-epub-8261-2

Title details

Brennecke, Martin ; Fridgen, Gilbert ; Jöhnk, Jan ; Radszuwill, Sven ; Sedlmeir, Johannes:
When Your Thing Won’t Behave : Security Governance in the Internet of Things.
In: Information Systems Frontiers. (2024).
ISSN 1572-9419
DOI of the publisher's version: https://doi.org/10.1007/s10796-024-10511-z

Full text

Format: PDF
Name: s10796-024-10511-z.pdf
Version: Published version
Available under the Creative Commons BY 4.0 license: Attribution
Download (771kB)

Abstract

In the Internet of Things (IoT), interconnected smart things enable new products and services in cyber-physical systems. Yet, smart things not only inherit information technology (IT) security risks from their digital components, but they may also aggravate them through the use of technology platforms (TPs). In the context of the IoT, TPs describe a tangible (e.g., hardware) or intangible (e.g., software and standards) general-purpose technology that is shared between different models of smart things. While TPs are evolving rapidly owing to their functional and economic benefits, this is partly to the detriment of security, as several recent IoT security incidents demonstrate. We address this problem by formalizing the situation’s dynamics with an established risk quantification approach from platforms in the automotive industry, namely a Bernoulli mixture model. We outline and discuss the implications of relevant parameters for security risks of TP use in the IoT, i.e., correlation and heterogeneity, vulnerability probability and conformity costs, exploit probability and non-conformity costs, as well as TP connectivity. We argue that these parameters should be considered in IoT governance decisions and delineate prescriptive governance implications, identifying potential counter-measures at the individual, organizational, and regulatory levels.

Further details

Publication type: Journal article
Keywords: Information Security; Internet of Things (IoT); IT Governance; IT Security; Risk Analysis; Security Breach
DDC subject areas:
- 000 Computer science, information science, general works > 004 Computer science
- 300 Social sciences > 330 Economics
University institutions:
- Research institutions > Institutes affiliated with the university > FIM Forschungsinstitut für Informationsmanagement
- Research institutions
- Research institutions > Institutes affiliated with the university
Language: English
Title originated at UBT: Yes
URN: urn:nbn:de:bvb:703-epub-8261-2
Deposited on: 03 Mar 2025 06:49
Last modified: 03 Mar 2025 06:50
URI: https://epub.uni-bayreuth.de/id/eprint/8261
