ArticlePDF Available

Security Risk Analysis in IoT Systems through Factor Identification over IoT Devices

Applied Sciences

March 2022
12(6):2976

DOI:10.3390/app12062976

License
CC BY 4.0

Authors:

Roberto Omar Andrade

Universidad San Francisco de Quito

Sang Guun Yoo

National Polytechnic School

Iván Ortiz-Garcés

Universidad de Las Américas

Jhonattan J Barriga

National Polytechnic School

IoT systems contribute to digital transformation through the development of smart concepts. However, the IoT has also generated new security challenges that require security tools to be adapted, such as risk analysis methodologies. With this in mind, the purpose of our study is based on the following question: Which factors of IoT devices should be considered within risk assessment methodologies? We have addressed our study with a 4-phase design-research methodology (DRM) that allows us, based on systematic literature review, to experiment and draw upon expert judgment; as a final product, we obtain a risk assessment methodology based on the characteristics of IoT devices. At the end of this study, we establish seven main constructs—Organization, Risk Behaviors, Dependency, Attack Surface, Susceptibility, Severity and Uncertainty—over which security risk in IoT systems can be evaluated.

Phases of Design Research Methodology (DRM) to development risk analysis methodology for IoT systems.

…

Screenshot of the tool Rayyan used during screening process to select the primary sources for the full text review process.

…

PRISMA methodology used in SLR process to identify factors in IoT devices that could affect security risk.

…

Density of the codes related with factors of IoT devices that could affect risk values.

…

+27

Initial reference model for risk analysis in IoT systems based on IoT device factors.

…

Figures - available from: Applied Sciences

This content is subject to copyright.

Access to this full-text is provided by MDPI.

Content available from Applied Sciences

This content is subject to copyright.





Citation: Andrade, R.O.; Yoo, S.G.;

Ortiz-Garces, I.; Barriga, J. Security

Risk Analysis in IoT Systems through

Factor Identiﬁcation over IoT Devices.

Appl. Sci. 2022,12, 2976. https://

doi.org/10.3390/app12062976

Academic Editors: Petros

Nicopolitidis and Laurence T. Yang

Received: 12 January 2022

Accepted: 23 February 2022

Published: 15 March 2022

Publisher’s Note: MDPI stays neutral

with regard to jurisdictional claims in

published maps and institutional afﬁl-

iations.

Licensee MDPI, Basel, Switzerland.

This article is an open access article

distributed under the terms and

conditions of the Creative Commons

Attribution (CC BY) license (https://

creativecommons.org/licenses/by/

4.0/).

applied

sciences

Article

Security Risk Analysis in IoT Systems through Factor

Identiﬁcation over IoT Devices

Roberto Omar Andrade 1, Sang Guun Yoo 1,2 , Iván Ortiz-Garces 3,* and Jhonattan Barriga 1,2

1Escuela Politécnica Nacional, Facultad de Ingeniería de Sistemas, Quito 170525, Ecuador;

roberto.andrade@epn.edu.ec (R.O.A.); sang.yoo@epn.edu.ec (S.G.Y.); jhonattan.barriga@epn.edu.ec (J.B.)

2Smart Lab, Escuela Politécnica Nacional, Quito 170525, Ecuador

Escuela de Ingeniería en Tecnologías de la Información, FICA (Facultad de Ingenierías y Ciencias Aplicadas),

Universidad de Las Américas, Quito 170125, Ecuador

*Correspondence: ivan.ortiz@udla.edu.ec

Abstract:

IoT systems contribute to digital transformation through the development of smart concepts.

However, the IoT has also generated new security challenges that require security tools to be adapted,

such as risk analysis methodologies. With this in mind, the purpose of our study is based on

the following question: Which factors of IoT devices should be considered within risk assessment

methodologies? We have addressed our study with a 4-phase design-research methodology (DRM)

that allows us, based on systematic literature review, to experiment and draw upon expert judgment;

as a ﬁnal product, we obtain a risk assessment methodology based on the characteristics of IoT

devices. At the end of this study, we establish seven main constructs—Organization, Risk Behaviors,

Dependency, Attack Surface, Susceptibility, Severity and Uncertainty—over which security risk in

IoT systems can be evaluated.

Keywords: IoT security; risk analysis; attack graphs; security modeling

1. Introduction

Digital transformation is used in organizations to improve their strategic and opera-

tional processes by incorporating “Smart” concepts [

]. Currently, this “Smart” concept can

be implemented in agriculture, transportation, energy, homes and cities [

]. Implementing

the smart concept from a technological perspective is based on the use of emerging technolo-

gies such as artiﬁcial intelligence (AI), big data, machine learning (ML), Internet of Things

(IoT) and the cloud [

]. However, including these technologies has introduced additional

aspects related to cybersecurity. The IoT has certain particularities in relation to security

in contrast with AI, big data, ML and cloud; this is because of factors such as location in

less protected environments such as streets, trafﬁc lights and agricultural ﬁelds, among

others [

]. IoT devices have inherent characteristics, such as heterogeneity of technologies

and protocols, reduced computational capacity and limited security mechanisms [

]. This

aspect of IoT systems has motivated the development of several works of research related

to IoT security. Some contributions have focused on establishing security strategies, such

as the zero trust model for IoT [

] and security veriﬁcation on IoT systems [

]. These

strategies have two aspects in common. The ﬁrst one is related to the fact that they focus on

establishing phases or procedures based on the security level of the IoT device. For instance,

“Zero-trust” establishes a minimum-security level that an IoT device must meet to join the

network, while “Security Veriﬁcation” requires evaluating, as a ﬁrst step, the compliance

of IoT devices based on risk proﬁles. The second aspect is related to the requirements

of these two strategies for their ﬁrst step in developing “Risk analysis”, which is often

based on the identiﬁcation and evaluation of critical assets (IoT devices) [

]. In relation

to this second aspect, applying a security risk analysis method in an IoT context has been

discussed by some researchers in recent years, because of the argument that IoT systems

Appl. Sci. 2022,12, 2976. https://doi.org/10.3390/app12062976 https://www.mdpi.com/journal/applsci

Appl. Sci. 2022,12, 2976 2 of 32

have characteristics and behaviors of IT (Information Technology) systems. For instance,

Kandasamy et al. [

] mentions that the complexity and heterogeneity of the technology and

data of IoT systems create additional issues related to security risk that cannot easily ﬁt in

the existing risk frameworks. In the same vein, Nurse et al. [

] mentions that risk analysis

methodologies must adapt to dynamic IoT scenarios, as well as consider the possibility of

limited historical data related with attacks on IoT devices and the interconnection of IoT

with other non-IoT systems.

In this context, some proposed security risk methodologies focused on IoT have been

developed. These proposals include features of IoT systems, such as heterogeneity, a

layered model, and several IoT devices. However, each proposed method uses different

factors or characteristics of IoT systems in comparison with the others, and sometimes, there

is not a rational justiﬁcation about the selection of the speciﬁc factors used. The analysis,

in conjunction with the factors used by the different methodologies, could contribute to a

deeper calculation of IoT security risk. Thus, there is a gap in relation to having a formal

IoT security risk analysis method, and in relation to the factors that could contribute to

more accurate and effective construction of a security risk analysis method for the IoT.

This context allows us to deﬁne our primary research question: How can we develop an

effective security risk assessment in IoT systems?

Based on this primary research question, we propose the following objectives for

this study:

Identify the most relevant factors that allow the deﬁnition of the security risk level of

an Internet of Things system.

2. Evaluate the relationships between the factors of the Internet of Things.

Establish a method to calculate an approximate value of the security risk level of an

IoT system.

Risk analysis methodologies have been considered as a starting point, since zero trust

is based on deﬁning a risk level for IoT devices, while security veriﬁcation is based on

deﬁning a risk proﬁle for IoT devices. Therefore, we deﬁne the start point on this study

as the analysis of the common element of these two strategies, the “IoT device” and its

relationship with security risk. For this reason, an epistemic approach to understanding the

factor of the IoT device and its relationship with security risk is addressed, to accomplish

objectives 1 and 2 of this study. For the analysis of the relationship between IoT devices

and security risk, we deﬁne the following questions related to IoT devices:

Which factors of IoT devices should be considered to deﬁne an adequate security level

for low cyber risk?

For which factors of IoT devices should risk assessment methodologies be considered?

3. Which factors of IoT devices could deﬁne a risk’s proﬁle?

This identiﬁcation allows us to address the development of risk analysis methodologies

for IoT systems, leaving, for future work, the question of how these factors could be used in

zero-trust strategies and security veriﬁcation methodologies. Under this scope, the purpose

of this work seeks to contribute to the following objectives:

Identify the most relevant factors that allow the deﬁnition of the security risk level of

an IoT device.

2. Evaluate the relationships between the factors of IoT devices and security risk.

Establish a method to calculate an approximate value of the security risk level of an

IoT system.

The rest of this paper is structured as follows. Section 2presents an overview of works

related to methodologies of risk analysis in IoT ecosystems. Section 3presents the design

research methodology to identify the factors of IoT devices that contribute to risk security.

Section 4presents an analysis of the results obtained from the design research, to determine

the contribution of the factors of IoT devices to security risk. Finally, Section 5concludes

this study.

Appl. Sci. 2022,12, 2976 3 of 32

2. Background and Related Works

Risk analysis methodologies have been widely used in computer science to assess

security risk in computer systems. Some of the most widely used risk methodologies are

presented in Table 1with their strengths and weaknesses.

Table 1. Strengths and weaknesses of risk methodologies used in computer science.

Methodologies Focus On Strength Weakness

NIST [11] Security controls Guidelines to execute security

controls according to risk assessment.

Needs work with other standards

to address compliance.

ISO [12] Compliance of security controls

Analysis of information security risks

according to speciﬁc criteria.

Coordination and integration to

remember to update the standard.

MAGERIT [13] Assets values

Assessments of critical assets, and the

mitigation of threats and risks that

could degrade them.

Requires time for identiﬁcation of

critical assets.

TARA [14] Attacks Deﬁnition of a list of attacks. Does not quantify risk impact.

However, some researchers have mentioned that these traditional methodologies have

some limitations for IoT systems. For instance, Nurse mentions that current risk assessment

methods fail in the following aspects [10]:

•

Short assessment periods: Risk methodologies are not usually designed to be per-

formed in short periods of time; however, the IoT ecosystem is continuously changing

because of the addition of new devices.

•

Limited knowledge of IoT systems: Most risk assessments are focused on traditional

systems and do not include the IoT ecosystem.

•

Connections to other systems: IoT devices connect to other systems or technologies

such as cloud computing, big data and traditional systems. This situation expands the

attack surface of IoT ecosystems.

•

Not considering the asset as an attack platform: IoT devices can perform new attacks.

In this context, some research has been proposed for the development of risk analysis

methodologies focused on IoT. Kandasamy proposes that the following parameters should

be considered for assessing the security risk in IoT system network type (nwt), protocol type

(prt), the heterogeneous system involved (het), device security (des) and CIA impact type

(cia) [8]. From these criteria, the risk impact of a device would be given by Equation (1):

w(d)=1

5[nwt(d)+prt (d)+het (d)+des(d)+cia(d)] (1)

where

wd—level of risk impact;

nwt—network type;

prt—protocol type;

het—heterogeneous systems involved;

des—level of device security;

cia—level of impact on cia components.

The probability of risk would be given by the weight of past attacks (pat), the weight

of the IoT layer with more attacks (lyr), the weight of the sector where the IoT solution

is applied (scr) and the risk factor of the device according to its use (drf). Based on these

criteria, the risk probability of a device would be given by Equation (2):

S(d)=1

4[pat(d)+lyr(d)+scr (d)+drf(d)] (2)

where

Appl. Sci. 2022,12, 2976 4 of 32

pat—weight of past attacks;

lyr—weight IoT layer;

scr—weight of sector of IoT;

drf—risk factor.

Finally, the proposal presented by Kandasamy evaluates risk (Rs) as a function of

impact by probability, denoted as the product of w(d) by S(d). The exploitation of this

proposal is interesting because it includes characteristic aspects of IoT solutions, such as the

application sector and the layered architecture of IoT. The proposal covers the components

without discussing more details about the threats, attacks or vulnerabilities of IoT systems,

allowing for the establishment of the weights for risk calculation. In addition, a method

could be included to reduce subjectivity when considering the weights of each component.

In the same vein, Toapanta deﬁnes the cybersecurity performance algorithm, where Ef

is the Efﬁciency; Dev is the number of devices connected to the network; Sor is the number

of sensors; Svs is the number of services and processes; Int is the number of interfaces;

Met is the number of reports, indicators or metrics; Dat is the number of data structures;

Scf is the number of smart contract functions; and Prot is the number of protocols or

standards adopted [15].

Ef =100 −(√Dev ×Sor

√Dat ×Scf .(Svs +Int +Met)

(5π+Prot)(3)

where

Dev—number of devices connected to the network;

Sor—number of sensors;

Svs—number of services and processes;

Int—number of interfaces;

Met—number of reports;

Dat—number of data structures;

Scf—number of smart contract functions;

Prot—number of protocols or standards adopted.

Toapanta’s proposal considers the characteristics of IoT systems from the perspective

of the large number of devices, sensors, and processes. The proposal addresses the security

aspects of the IoT in a general approach, without going into detail on how aspects of the

IoT are affected by distinct threats. The proposal considers all IoT devices equally, which

could limit the selection of security controls to reduce risk, because it does not detail the

type of information on the IoT device or the criticality of the IoT device for health- or

energy-related applications.

In the same line, Aydos proposes that the risk assessment be based on a four-stage

approach: (a) Measurement of threats to the layers; (b) processes/procedures for securing

data in the layers; (c) third parties and human factors affecting layer security; and (d) criti-

cality of the layers and the scale of the attack surface [

]. The model proposes a qualitative

risk assessment based on three criticality scales: low, medium, and high. Aydos, again,

mentions the importance of considering in the risk assessment the heterogeneous systems

involved in the IoT system and attacks on different layers of IoT systems. The proposal

does not address how to establish component values to have a more accurate or focused

risk value.

From Popescu’s perspective, he proposes a risk management strategy reference model

(IoTSRM2) based on six domains: Asset Management, Business Environment, Governance,

Risk Assessment, Risk Management Strategy, and Supply Chain Risk Management. Within

the domains are included aspects such as hardware inventory, software inventory, crit-

ical dependencies and functions, resilience of critical services, security-related policies,

structures and responsibilities, regulatory requirements, governance and risk management

plans, vulnerability discovery, threat identiﬁcation, risk analysis and risk responses [

The framework establishes a set of security criteria that could improve the security level

Appl. Sci. 2022,12, 2976 5 of 32

of IoT systems based on the analysis of 25 international security frameworks. A potential

drawback of the proposal is that it does not present a detailed operational process for

developing each of the security criteria proposed in the framework.

Finally, Levitsky proposes a risk assessment on IoT devices using scores between 0 and

1 for subcomponents of ﬁve different attack categories on an IoT device (Physical, Network,

Mobile, Web, Unknown Risk) [

]. Levitsky deﬁnes the risk “ri” for each category based

on normalizing the sum of each of the subcomponents ci and dividing by the value of S,

which is the total score of all subcomponents of an attack category.

ri =1

∑

i=1

Ci (4)

where

ri—level of risk;

S—total weight of score of all components;

Ci—subcomponents of IoT system.

Levisky’s proposal focuses on attacks on the three layers of the IoT model, although

Levisky separates mobile and web, which are part of the application layer; this separation

could allow more detail on risk analysis because they are components that have a different

dynamic with the user; however, for establishing a risk weight for the layer, this value

could be doubled. A limitation of the proposal is the consideration of a few IoT attacks.

In addition, the weighting of the subcomponents depends directly on the experience and

subjectivity of the evaluator. A relevant aspect to consider is the weight of unknown factors

for the total risk value.

Based on the analysis of the proposals about risk methodologies for IoT systems,

they focus on taking into consideration IoT aspects such as: the heterogeneity of devices

and networks; vulnerabilities and attacks to the physical, communication and application

layers of the IoT architecture; the application domain of the IoT system; and the number

of IoT devices. However, is not clearly detailed in the proposals why these factors have

been selected or how the weight of these factors was selected for the total risk value. Risk

assessment methodologies such as MAGERIT, TARA and OCTAVE [

], among others,

have the advantage of much documentation of their use; these documents present details

of formulas, tools and methodologies to deﬁne the values of the components used in the

risk assessment process. However, as we mention the criteria of some of the research cited

in this section, traditional methodologies do not cover all aspects of IoT systems that are

related to risk; therefore, there is a gap to be addressed by these risk analysis methodologies

or by means of the new proposals focusing on IoT, to obtain a more practical and repeatable

security risk analysis process in IoT systems.

3. Materials and Methods

The Research Methodology (DRM) used in this study is based on the proposal by

Blessing [

], which covers four stages: (i) Research Clariﬁcation, which uses as a basic

Systematic Literature Review to create an overview of the main IoT device factors, which is

the objective of this study; (ii) Descriptive Study I, based on an empirical analysis to deﬁne

and understand the relationships between IoT device factors associated with security risk;

(iii) Prescriptive study, based on experiments, tests and a focus group, to support the weight

of the factors and the relationships between them; and (iv) Descriptive study II, based on

empirical analysis to evaluate the methodology for calculating risk based on IoT device

factors. A representation of the DRM methodology is presented in Figure 1.

Appl. Sci. 2022,12, 2976 6 of 32

Appl. Sci. 2022, 12, x FOR PEER REVIEW 6 of 32

Figure 1. Phases of Design Research Methodology (DRM) to development risk analysis methodol-

ogy for IoT systems.

3.1. Research Clarification

This first phase of the DRM supports the identification of the most relevant factors of

IoT devices that could be considered in the security risk assessment process. For this pur-

pose, we conducted a systematic literature review (SLR) based on articles that focus on

analyzing the security of IoT devices. The SLR was established using the PRISMA meth-

odology, which is based on four stages: identification, screening, eligibility analysis, and

inclusion. Study selection, establishing inclusion and exclusion criteria, manual search,

and elimination of duplicates are some of the steps included in the identification stage.

The screening stage comprised reviewing titles and abstracts. The eligibility analysis stage

was performed by reading the full texts of the selected articles. Finally, the inclusion stage

comprised data extraction.

Systematic Literature Review

Phase 1. Selection of studies

The selection of studies was based on a systematic review following the PRISMA

guidelines [21]. The following databases were used: Springer, Scopus, IEEE, Association

for Computing Machinery (ACM), Web of Science, and Science Direct. These databases

were chosen because they are the most relevant sources of information for Computer Sci-

ence. The range of publications spans from 2016 to 2021.

Inclusion and exclusion criteria

The inclusion criteria were: (i) manuscripts published by peer-reviewed academic

sources; and (ii) manuscripts that analyzed factors enabling security attacks on IoT sys-

tems. The exclusion criteria included: (i) manuscripts that, despite including technical as-

pects, did not detail the factors enabling the security attack; and (ii) manuscripts that ad-

dressed proposed risk analysis methodologies to avoid subjectivities. The following re-

search strings used were:

“(IoT OR Internet of thing)” AND “(Security attacks OR cybersecurity attacks)”

“(IoT OR Internet of thing)” AND “(Security risk OR cybersecurity risk)”

“(IoT OR Internet of things)” AND “(Threats OR vulnerabilities)”

From the search string, we found 1607 articles. Table 2 shows the searched articles

distributed in: conferences, journals, series, chapters and books.

Figure 1.

Phases of Design Research Methodology (DRM) to development risk analysis methodology

for IoT systems.

3.1. Research Clariﬁcation

This ﬁrst phase of the DRM supports the identiﬁcation of the most relevant factors

of IoT devices that could be considered in the security risk assessment process. For this

purpose, we conducted a systematic literature review (SLR) based on articles that focus

on analyzing the security of IoT devices. The SLR was established using the PRISMA

methodology, which is based on four stages: identiﬁcation, screening, eligibility analysis,

and inclusion. Study selection, establishing inclusion and exclusion criteria, manual search,

and elimination of duplicates are some of the steps included in the identiﬁcation stage.

The screening stage comprised reviewing titles and abstracts. The eligibility analysis stage

was performed by reading the full texts of the selected articles. Finally, the inclusion stage

comprised data extraction.

Systematic Literature Review

Phase 1. Selection of studies

The selection of studies was based on a systematic review following the PRISMA

guidelines [

]. The following databases were used: Springer, Scopus, IEEE, Association for

Computing Machinery (ACM), Web of Science, and Science Direct. These databases were

chosen because they are the most relevant sources of information for Computer Science.

The range of publications spans from 2016 to 2021.

Inclusion and exclusion criteria

The inclusion criteria were: (i) manuscripts published by peer-reviewed academic

sources; and (ii) manuscripts that analyzed factors enabling security attacks on IoT systems.

The exclusion criteria included: (i) manuscripts that, despite including technical aspects,

did not detail the factors enabling the security attack; and (ii) manuscripts that addressed

proposed risk analysis methodologies to avoid subjectivities. The following research strings

used were:

“(IoT OR Internet of thing)” AND “(Security attacks OR cybersecurity attacks)”

“(IoT OR Internet of thing)” AND “(Security risk OR cybersecurity risk)”

“(IoT OR Internet of things)” AND “(Threats OR vulnerabilities)”

From the search string, we found 1607 articles. Table 2shows the searched articles

distributed in: conferences, journals, series, chapters and books.

Appl. Sci. 2022,12, 2976 7 of 32

Table 2. Publication types of articles according to inclusion and exclusion criteria.

Label for Hypothesis Factors

Conferences 807

Journal article 559

Series 215

Chapter 23

Book 3

Duplicate manuscripts were eliminated through a manual review of the collected

articles. During this process, 23 duplicates were eliminated.

Phase 2. Screening

The screening process was based on a review of article titles and abstracts using the

Rayyan web application (Rayyan), created for the systematic review process by MIT. The

web application allows each reviewer to view the titles and abstracts of the articles collected

while maintaining a blinded review process. Articles that did not meet the inclusion criteria

in the title or abstract were excluded at this stage of the study. A screenshot of the process

carried out in the Rayyan tool is shown in Figure 2.

Appl. Sci. 2022, 12, x FOR PEER REVIEW 7 of 32

Table 2. Publication types of articles according to inclusion and exclusion criteria.

Label for Hypothesis

Factors

Conferences

807

Journal article

559

Series

215

Chapter

Book

Duplicate manuscripts were eliminated through a manual review of the collected ar-

ticles. During this process, 23 duplicates were eliminated.

Phase 2. Screening

The screening process was based on a review of article titles and abstracts using the

Rayyan web application (Rayyan), created for the systematic review process by MIT. The

web application allows each reviewer to view the titles and abstracts of the articles col-

lected while maintaining a blinded review process. Articles that did not meet the inclusion

criteria in the title or abstract were excluded at this stage of the study. A screenshot of the

process carried out in the Rayyan tool is shown in Figure 2.

Figure 2. Screenshot of the tool Rayyan used during screening process to select the primary sources

for the full text review process.

Phase 3. Eligibility analysis

A full text review of each of the 370 articles was conducted to determine those with

more detail related to the factors during IoT security attacks. After this process, 55 articles

were selected for the data mining process. A flowchart of the PRISMA process is presented

in Figure 3.

Figure 2.

Screenshot of the tool Rayyan used during screening process to select the primary sources

for the full text review process.

Phase 3. Eligibility analysis

A full text review of each of the 370 articles was conducted to determine those with

more detail related to the factors during IoT security attacks. After this process, 55 articles

were selected for the data mining process. A ﬂowchart of the PRISMA process is presented

in Figure 3.

Phase 4. Inclusion

Data extraction

For this stage, we developed a qualitative analysis of the 55 documents from the

eligibility analysis phase using ATLAS TI version 9. During the qualitative analysis,

11 codes were deﬁned in the Atlas TI associated with factor:

application domain

, related to

the verticals in which IoT systems have been implemented [

–

];

attack surface

, related

to the entry and exit points via which attacks can be performed [

];

interdependency

related to the relationship of the IoT system with other IT/OT/IoT systems that could

increase the severity of the attack [

];

scalability

, related to the coverage area that can

be affected by the propagation of the attack [

];

severity

, related to the value of the

damage that can be caused by the attack [

];

susceptibility

, related to the predisposition

to pick up the effects of an attack [

];

type of attack

, related to the attack vector, technique

or methodology [

];

device type

, related to the type of IoT device [

];

type of

information

, related to the type of information processed, stored, or transmitted by the

Appl. Sci. 2022,12, 2976 8 of 32

device [

];

uncertainty

, related to the unknown factors that could affect the security of IoT

systems [

];

vulnerabilities

, related to the weak points that IoT systems may have and

that may increase the possibility of being affected by an attack [

–

]. The density values

of the codes (factors) are shown in Figure 4.

Appl. Sci. 2022, 12, x FOR PEER REVIEW 8 of 32

Figure 3. PRISMA methodology used in SLR process to identify factors in IoT devices that could

affect security risk.

Phase 4. Inclusion

Data extraction

For this stage, we developed a qualitative analysis of the 55 documents from the eli-

gibility analysis phase using ATLAS TI version 9. During the qualitative analysis, 11 codes

were defined in the Atlas TI associated with factor: application domain, related to the

verticals in which IoT systems have been implemented [22–24]; attack surface, related to

the entry and exit points via which attacks can be performed [25]; interdependency, re-

lated to the relationship of the IoT system with other IT/OT/IoT systems that could in-

crease the severity of the attack [26]; scalability, related to the coverage area that can be

affected by the propagation of the attack [27]; severity, related to the value of the damage

that can be caused by the attack [28]; susceptibility, related to the predisposition to pick

up the effects of an attack [29]; type of attack, related to the attack vector, technique or

methodology [30,31]; device type, related to the type of IoT device [32,33]; type of infor-

mation, related to the type of information processed, stored, or transmitted by the device

[34]; uncertainty, related to the unknown factors that could affect the security of IoT sys-

tems [35]; vulnerabilities, related to the weak points that IoT systems may have and that

may increase the possibility of being affected by an attack [36–41]. The density values of

the codes (factors) are shown in Figure 4.

Figure 3.

PRISMA methodology used in SLR process to identify factors in IoT devices that could

affect security risk.

Appl. Sci. 2022, 12, x FOR PEER REVIEW 9 of 32

Figure 4. Density of the codes related with factors of IoT devices that could affect risk values.

From the quality analysis, we identified 11 factors of IoT devices that could affect that

security risk value. For the security analysis processes we defined three groups: A first

group of factors with values above 5, a second group of factors with values between 3 and

5, and finally, a third group of factors with values below 3. The first group of factors with

the highest relevance included the types of vulnerabilities (density = 17), followed by the

type of attack (density = 10), then the attack surface (density = 8), and finally, the interde-

pendence (density = 7). The second group included the factors: severity (density = 5), fol-

lowed by scalability (density = 4), then application domain (density = 4), and finally, de-

vice type (density = 3). The third group with the lowest relevance values corresponded to

the factors: type of information (density = 1), followed by uncertainty or unknown factors

(density = 0).

We order these factors by their density values in Table 3, to obtain a first view of the

relationships of the IoT devices’ factors with security risk. For instance, security risk

would be associated with the existence of vulnerabilities in IoT devices, followed by the

attacks; depending on whether it is a ransomware, a denial of service (DoS) or a man-in-

the-middle (MITM), the probability of risk could be higher. The third relevant factor that

could affect risk is the large attack surface, because of an increase in the number of IoT

devices, or the number of entry and exit points for connectivity with other IoT, IT and OT

systems. We can observe that there are other factors, such as the application domain,

wherein IoT devices operate that could increase the probability of security risk due to

being in open areas; this is the case for smart traffic and smart agriculture. Other factors

are the scalability that an attack may have because of the interdependence between de-

vices and systems, or the type of information in the IoT device. Although these factors

have a low-density value, this may be because the studies selected for the SLR do not

analyze these factors, and not because their contribution to security risk is low. At this

point of our study, we cannot confirm for certain that the contribution of these factors to

security risk is low, medium or high; for this reason, we define these factors as hypothesis

to test in the next part of our research methodology.

Table 3. Factors of IoT devices that could affect risk values and their values of density from the

quality analysis.

Label for Hypothesis

Factors

Density

Vulnerabilities

Type of attack

Attack surface

Interdependency

Figure 4. Density of the codes related with factors of IoT devices that could affect risk values.

From the quality analysis, we identiﬁed 11 factors of IoT devices that could affect

that security risk value. For the security analysis processes we deﬁned three groups: A

ﬁrst group of factors with values above 5, a second group of factors with values between

3 and 5, and ﬁnally, a third group of factors with values below 3. The ﬁrst group of

factors with the highest relevance included the types of vulnerabilities (density = 17),

followed by the type of attack (density = 10), then the attack surface (density = 8), and

Appl. Sci. 2022,12, 2976 9 of 32

ﬁnally, the interdependence (density = 7). The second group included the factors: severity

(

density = 5

), followed by scalability (density = 4), then application domain (density = 4),

and ﬁnally, device type (density = 3). The third group with the lowest relevance values

corresponded to the factors: type of information (density = 1), followed by uncertainty or

unknown factors (density = 0).

We order these factors by their density values in Table 3, to obtain a ﬁrst view of the

relationships of the IoT devices’ factors with security risk. For instance, security risk would

be associated with the existence of vulnerabilities in IoT devices, followed by the attacks;

depending on whether it is a ransomware, a denial of service (DoS) or a man-in-the-middle

(MITM), the probability of risk could be higher. The third relevant factor that could affect

risk is the large attack surface, because of an increase in the number of IoT devices, or the

number of entry and exit points for connectivity with other IoT, IT and OT systems. We can

observe that there are other factors, such as the application domain, wherein IoT devices

operate that could increase the probability of security risk due to being in open areas; this

is the case for smart trafﬁc and smart agriculture. Other factors are the scalability that

an attack may have because of the interdependence between devices and systems, or the

type of information in the IoT device. Although these factors have a low-density value,

this may be because the studies selected for the SLR do not analyze these factors, and not

because their contribution to security risk is low. At this point of our study, we cannot

conﬁrm for certain that the contribution of these factors to security risk is low, medium or

high; for this reason, we deﬁne these factors as hypothesis to test in the next part of our

research methodology.

Table 3.

Factors of IoT devices that could affect risk values and their values of density from the

quality analysis.

Label for Hypothesis Factors Density

H1 Vulnerabilities 17

H2 Type of attack 10

H3 Attack surface 8

H4 Interdependency 7

H5 Severity 5

H6 Application domain 4

H7 Scalability 4

H8 Type of device 3

H9 Susceptibility 2

H10 Type of information 1

H11 Uncertainty 0

Based on this ﬁrst phase of the DRM “research clariﬁcation”, an initial reference model

for risk analysis in IoT systems is proposed in Figure 5. The model is considered as the key

component of the application domain, e.g., in healthcare, education, transportation and

energy, which all use IoT devices for their digital transformation processes. Multiple IoT

devices can be used in the domain to increase the interdependency between IoT devices

and IT and OT systems, to increase the functionalities of the IoT system; however, this also

increases the attack surface and the scalability of attacks to other systems.

Appl. Sci. 2022,12, 2976 10 of 32

Appl. Sci. 2022, 12, x FOR PEER REVIEW 10 of 32

Severity

Application domain

Scalability

Type of device

Susceptibility

H10

Type of information

H11

Uncertainty

Based on this first phase of the DRM “research clarification”, an initial reference

model for risk analysis in IoT systems is proposed in Figure 5. The model is considered as

the key component of the application domain, e.g., in healthcare, education, transporta-

tion and energy, which all use IoT devices for their digital transformation processes. Mul-

tiple IoT devices can be used in the domain to increase the interdependency between IoT

devices and IT and OT systems, to increase the functionalities of the IoT system; however,

this also increases the attack surface and the scalability of attacks to other systems.

Figure 5. Initial reference model for risk analysis in IoT systems based on IoT device factors.

Attacks can use the vulnerabilities and susceptibilities of IoT devices to increase their

effectiveness. Attacks can also use the large attack surface and scalability to create greater

impact (severity) in their attack. The IoT device can be of different types and has different

information depending on its functionality in the domain application. Although the un-

certainty factor considered by Levistky was not found in the qualitative analysis, we con-

sider that it may be relevant in this initial risk assessment model.

To continue our st udy, we are interested in analyzing whether the 11 factors of IoT

devices, which are represented in the initial reference model of Figure 6, are covered by

the proposals of the risk analysis methodologies for the IoT from Section 2 of this study,

as shown in Table 4. We can observe that most of the factors of IoT devices are covered

for the IoT risk methodologies. However, the following factors are not completely covered

for these methodologies: application domain, scalability, type of information, susceptibil-

ity, severity and uncertainty. This opens the opportunity for the contribution of this study

to the understanding of these factors for use in the security risk methodologies of IoT

systems.

Figure 5. Initial reference model for risk analysis in IoT systems based on IoT device factors.

Attacks can use the vulnerabilities and susceptibilities of IoT devices to increase

their effectiveness. Attacks can also use the large attack surface and scalability to create

greater impact (severity) in their attack. The IoT device can be of different types and has

different information depending on its functionality in the domain application. Although

the uncertainty factor considered by Levistky was not found in the qualitative analysis, we

consider that it may be relevant in this initial risk assessment model.

To continue our study, we are interested in analyzing whether the 11 factors of IoT

devices, which are represented in the initial reference model of Figure 6, are covered by

the proposals of the risk analysis methodologies for the IoT from Section 2of this study, as

shown in Table 4. We can observe that most of the factors of IoT devices are covered for

the IoT risk methodologies. However, the following factors are not completely covered for

these methodologies: application domain, scalability, type of information, susceptibility,

severity and uncertainty. This opens the opportunity for the contribution of this study to

the understanding of these factors for use in the security risk methodologies of IoT systems.

Appl. Sci. 2022, 12, x FOR PEER REVIEW 11 of 32

Figure 6. Concurrence-Table option of Atlas TI to identify the relationships between codes.

Table 4. Analysis of the factors of IoT devices that are covered by the proposals of IoT risk method-

ologies.

Proposals\Factors

Kandasamy

Toapanta

Aydos

Popescus

Levitsky

Application domain

Partially Cov-

ered

Not covered Not covered Not covered Not covered

Attack surface

Covered

Interdependency

Covered

Not covered

Scalability

Not covered

Severity

Covered

Not covered

Covered

Susceptibility

Not covered

Type of attack

Not covered

Covered

Type of device

Covered

Not covered

Type of information

Not covered

Uncertainty

Not covered

Covered

Vulnerabilities

Not covered

Covered

Not covered

3.2. Descriptive Study I

This second phase identifies the relationships between the 11 factors, proposed by

the research clarification, with the risk value. To accomplish this goal, we used the con-

currence-table option of ATLAS TI and found a relationship between the “Severity” code

and the “Type of attack” code. We can also observed a relationship between the code

“Type of attack” and the code “Severity”, and with the code “Vulnerabilities”. In addition,

it is possible to observe a relationship between the code “Vulnerabilities” and the code

“Type of attack” (see Figure 6).

We can observe that the attack surface is associated with elements such as the size of

the network (number of nodes or devices), the interfaces and links, and the security ele-

ments of the IoT system components (see, Figure 7).

Figure 7. Components of attack surface in IoT systems according to quality analysis using Atlas TI.

Figure 6. Concurrence-Table option of Atlas TI to identify the relationships between codes.

Appl. Sci. 2022,12, 2976 11 of 32

Table 4.

Analysis of the factors of IoT devices that are covered by the proposals of IoT risk methodologies.

Proposals\Factors Kandasamy Toapanta Aydos Popescus Levitsky

Application

domain

Partially

Covered Not covered Not covered Not covered Not covered

Attack surface Covered Covered Covered Covered Covered

Interdependency Covered Covered Not covered Not covered Not covered

Scalability Not covered Not covered Not covered Not covered Not covered

Severity Covered Not covered Not covered Not covered Covered

Susceptibility Not covered Not covered Not covered Not covered Not covered

Type of attack Not covered Not covered Covered Covered Covered

Type of device Covered Not covered Not covered Not covered Not covered

Type of

information Not covered Not covered Not covered Not covered Not covered

Uncertainty Not covered Not covered Not covered Not covered Covered

Vulnerabilities Not covered Not covered Not covered Covered Not covered

3.2. Descriptive Study I

This second phase identiﬁes the relationships between the 11 factors, proposed by the

research clariﬁcation, with the risk value. To accomplish this goal, we used the concurrence-

table option of ATLAS TI and found a relationship between the “Severity” code and the

“Type of attack” code. We can also observed a relationship between the code “Type of

attack” and the code “Severity”, and with the code “Vulnerabilities”. In addition, it is

possible to observe a relationship between the code “Vulnerabilities” and the code “Type of

attack” (see Figure 6).

We can observe that the attack surface is associated with elements such as the size

of the network (number of nodes or devices), the interfaces and links, and the security

elements of the IoT system components (see, Figure 7).

Appl. Sci. 2022, 12, x FOR PEER REVIEW 11 of 32

Figure 6. Concurrence-Table option of Atlas TI to identify the relationships between codes.

Table 4. Analysis of the factors of IoT devices that are covered by the proposals of IoT risk method-

ologies.

Proposals\Factors

Kandasamy

Toapanta

Aydos

Popescus

Levitsky

Application domain

Partially Cov-

ered

Not covered Not covered Not covered Not covered

Attack surface

Covered

Interdependency

Covered

Not covered

Scalability

Not covered

Severity

Covered

Not covered

Covered

Susceptibility

Not covered

Type of attack

Not covered

Covered

Type of device

Covered

Not covered

Type of information

Not covered

Uncertainty

Not covered

Covered

Vulnerabilities

Not covered

Covered

Not covered

3.2. Descriptive Study I

This second phase identifies the relationships between the 11 factors, proposed by

the research clarification, with the risk value. To accomplish this goal, we used the con-

currence-table option of ATLAS TI and found a relationship between the “Severity” code

and the “Type of attack” code. We can also observed a relationship between the code

“Type of attack” and the code “Severity”, and with the code “Vulnerabilities”. In addition,

it is possible to observe a relationship between the code “Vulnerabilities” and the code

“Type of attack” (see Figure 6).

We can observe that the attack surface is associated with elements such as the size of

the network (number of nodes or devices), the interfaces and links, and the security ele-

ments of the IoT system components (see, Figure 7).

Figure 7. Components of attack surface in IoT systems according to quality analysis using Atlas TI.

Based on the SLR, we could not ﬁnd more references to the relationships between

factors. The DRM methodology proposes, in the descriptive study phase I, the use of

empirical studies such as experimentation to ﬁll this gap in the literature review. To address

experimentation, we deﬁne a set of research items with their respective coding in Table 5.

The research items were based on the 11 factors of IoT devices from the previous phase

and deﬁned as hypotheses to test. The coding of research item was proposed according

to the relationships between the factors of IoT devices. For instance, the code “S-A”

represents the relationship between severity and application domain. The code “S-A-P” is

the relationship between severity, application domain, and pillars. We grouped the research

items into three proposed theoretical constructors related to risk—severity, susceptibility

and risk behaviors—to address the contribution of the factors of the IoT device and their

relationships with other factors of IoT devices with the security risk value.

Appl. Sci. 2022,12, 2976 12 of 32

Table 5.

Research items validated in experimentation to identify the relationships between factors of

IoT devices.

Hypothesis (Risk Factors) Code Research Items

H6. Application domain

S-A Cyberattacks on IoT systems could affect economic, social or

environmental domains.

S-A-P Cyberattacks on IoT systems could be targeted at IoT

solutions to health, energy, trafﬁc and agriculture.

H4. Interdependency

S-I-Sys

Cyberattacks on IoT systems could be affected by other IoT, IT

and OT systems.

S-I-nd The growth of the number of IoT devices could increase the

probability of cyberattacks.

H7. Level of scalability S-Scl

Cyberattacks on IoT systems could generate shock on markets

or risk systemic events.

H9. Level of susceptibility S-Sc

Security conﬁgurations on IoT devices depend on domains or

pillars where IoT devices will be used.

H4. Interdependency Sc-I-Sys

Interdependency of IoT device with other IoT, IT and OT

systems could increase the probability of attacks on IoT

systems and cause bigger damage.

H4. Attack surface Sc-As-nd

The growth in the number of IoT devices could increase

organizations’ susceptibility to suffering cyberattacks because

of the large attack surface.

H1. Vulnerabilities Sc-V

Vulnerabilities of IoT devices could increase the probability of

cyberattacks on IoT systems.

H9. Level of susceptibility Sc-Ta IoT devices are susceptible to speciﬁc types of cyberattacks.

H2. Types of attacks Sc-Ta2 Previous attack allows the execution of new attacks.

H2. Types of attacks Sc-Ta-L Attacks could be executed in different layers.

H8. Type of IoT device Sc-Td Security conﬁgurations on IoT devices could increase their

susceptibility to being attacked.

H5. Severity Rb-Sv-Ta Cyberattacks could generate degradation in the operation of

IoT devices.

H5. Severity Rb-Sv-Sr Cyberattacks could affect CIA on IoT systems.

H7. Level of scalability Rb-Scl

Cyberattacks could be scaled from one layer of an IoT system

to another one.

H11. Factors not known Rb-U-f The frequency of cyberattacks could increase their success.

H11. Factors not known Rb-U-Tp Short times of the propagation of cyberattacks could increase

their damage.

H7. Level of scalability Rb-Scl-L Cyberattack could affect different layers of IoT systems and

increase the surface of damage.

The experiments developed have the goal of generating an understanding of the

behavior of IoT devices against security events, to analyze their contribution to the three

proposed theoretical constructs of risk value: severity, susceptibility, and risk behaviors.

For this reason, we propose two experiments to simulate security attacks on a small IoT

system such as a smart home, and on a big IoT system such as a smart city, to analyze

the behavior of IoT devices, the susceptibility to attacks, and the severity of the attacks.

Then we propose a third experiment to evaluate the behavior, susceptibility, and severity

of IoT device in response to diverse types of attacks. Next, we propose the evaluation

of the effect of security attacks in a real scenario, to develop a prototype with low-cost

hardware, such as Raspberry and Arduino. Finally, we propose the evaluation of the effect

of security attacks in commercial hardware for IoT solutions such as Alexa, Google Home

Appl. Sci. 2022,12, 2976 13 of 32

and WeMo. The experiments were built based on the IoT-23 dataset developed by [

]. It

has 20 malware captures executed in three different IoT devices: a Philips HUE smart LED

lamp, an Amazon Echo Home intelligent personal assistant, and a Somfy smart doorlock.

The IoT-23 dataset was obtained from PCAP ﬁles and transformed into a connection log.by

using Zeek, to obtain a high-level format with the following attributes: orig_p”, “id.resp_p”,

“orig_bytes”, “resp_bytes”, “missed_bytes”, “orig_pkts”, “orig_ip_bytes”, “resp_pkts”,

“resp_ip_bytes “ and “duration” [43].

The goal of these ﬁve experiments is to understand the behavior of IoT devices in

different scenarios. An overview of the 5 proposed experiments is presented below.

Experiment Setup 1.

We simulated an IoT system focused on the most common elements of a smart home

according to a literature review, using Phyton libraries in Google Collaborate, as shown in

Figure 8. The lights were interconnected to the IT network through a hub, which allowed

the connection with IT devices such as computers and smartphones, or by voice assistants

using the router (gateway). The smart home solution had two voice assistants based on

cloud services to control the lights. Then we deﬁned the random probabilities of attack in

each node to evaluate the impact of attacks on the smart home. We can observe in the IoT

graph of Figure 8that there are two paths for attacking smart lights. The attack could come

from the IT network using the router, or from the voice assistant (Alexa). In the ﬁrst path,

the owner could have more control over security conﬁgurations; however, that is not the

case with Alexa, because the security conﬁgurations depend on third parties. An extract of

probabilities used in the simulation is shown in Figure 9.

Appl. Sci. 2022, 12, x FOR PEER REVIEW 13 of 32

The experiments developed have the goal of generating an understanding of the be-

havior of IoT devices against security events, to analyze their contribution to the three

proposed theoretical constructs of risk value: severity, susceptibility, and risk behaviors.

For this reason, we propose two experiments to simulate security attacks on a small IoT

system such as a smart home, and on a big IoT system such as a smart city, to analyze the

behavior of IoT devices, the susceptibility to attacks, and the severity of the attacks. Then

we propose a third experiment to evaluate the behavior, susceptibility, and severity of IoT

device in response to diverse types of attacks. Next, we propose the evaluation of the effect

of security attacks in a real scenario, to develop a prototype with low-cost hardware, such

as Raspberry and Arduino. Finally, we propose the evaluation of the effect of security

attacks in commercial hardware for IoT solutions such as Alexa, Google Home and WeMo.

The experiments were built based on the IoT-23 dataset developed by [42]. It has 20 mal-

ware captures executed in three different IoT devices: a Philips HUE smart LED lamp, an

Amazon Echo Home intelligent personal assistant, and a Somfy smart doorlock. The IoT-

23 dataset was obtained from PCAP files and transformed into a connection log.by using

Zeek, to obtain a high-level format with the following attributes: orig_p”, “id.resp_p”,

“orig_bytes”, “resp_bytes”, “missed_bytes”, “orig_pkts”, “orig_ip_bytes”, “resp_pkts”,

“resp_ip_bytes “ and “duration” [43].

The goal of these five experiments is to understand the behavior of IoT devices in

different scenarios. An overview of the 5 proposed experiments is presented below.

Experiment Setup 1.

We simulated an IoT system focused on the most common elements of a smart home

according to a literature review, using Phyton libraries in Google Collaborate, as shown

in Figure 8. The lights were interconnected to the IT network through a hub, which al-

lowed the connection with IT devices such as computers and smartphones, or by voice

assistants using the router (gateway). The smart home solution had two voice assistants

based on cloud services to control the lights. Then we defined the random probabilities of

attack in each node to evaluate the impact of attacks on the smart home. We can observe

in the IoT graph of Figure 8 that there are two paths for attacking smart lights. The attack

could come from the IT network using the router, or from the voice assistant (Alexa). In

the first path, the owner could have more control over security configurations; however,

that is not the case with Alexa, because the security configurations depend on third par-

ties. An extract of probabilities used in the simulation is shown in Figure 9.

Figure 8. Simulated smart home scenario using Bayesian networks.

Appl. Sci. 2022,12, 2976 14 of 32

Appl. Sci. 2022, 12, x FOR PEER REVIEW 14 of 32

Figure 9. Probabilities of simulated smart home scenario using Bayesian networks.

Experiment Setup 2.

We simulated a smart city based on the most common IoT nodes, according to the

literature review. The graph representing a smart home (SH), smart grid (SG), smart agri-

culture (SA) and smart traffic (ST) is shown in the Figure 10. We defined random proba-

bilities in each node to evaluate the impact of attacks. The scenario was simulated using a

Bayesian network in the software Bayesian Server. We can observe, in the IoT graph of

Figure 10, the relationships between smart agriculture and smart grids through the IoT or

cloud nodes. In addition, there is a relationship between the attacks on smart grids or

smart homes and the impact on economic, social and environmental nodes.

Figure 10. Probabilities of attack to smart city domains.

Experiment Setup 3.

This experiment aimed to understand relationships among smart home attacks. It is

based on the work proposed by Dr. Mariam Wajdi Ibrahim, who simulated smart home

attacks based on JKind and Graphviz [44]. The work shows that if an attacker could exe-

cute a specific attack, such as phishing, then the attacker could execute DoS attacks. We

replicated this scenario and added probabilities. Thus, we observed that one type of attack

can also be related to further attacks. Figure 11 shows a graph of the relationships among

attacks on a smart home, and Figure 12 shows an extract of probabilities in Google Col-

laborate.

Figure 9. Probabilities of simulated smart home scenario using Bayesian networks.

Experiment Setup 2.

We simulated a smart city based on the most common IoT nodes, according to the

literature review. The graph representing a smart home (SH), smart grid (SG), smart

agriculture (SA) and smart trafﬁc (ST) is shown in the Figure 10. We deﬁned random

probabilities in each node to evaluate the impact of attacks. The scenario was simulated

using a Bayesian network in the software Bayesian Server. We can observe, in the IoT graph

of Figure 10, the relationships between smart agriculture and smart grids through the IoT

or cloud nodes. In addition, there is a relationship between the attacks on smart grids or