When Your Thing Won’t Behave: Security Governance in the Internet of Things

IF 6.9 3区管理学 Q1 COMPUTER SCIENCE, INFORMATION SYSTEMS

Information Systems Frontiers Pub Date : 2024-08-22 DOI:10.1007/s10796-024-10511-z

Martin Brennecke, Gilbert Fridgen, Jan Jöhnk, Sven Radszuwill, Johannes Sedlmeir

{"title":"When Your Thing Won’t Behave: Security Governance in the Internet of Things","authors":"Martin Brennecke, Gilbert Fridgen, Jan Jöhnk, Sven Radszuwill, Johannes Sedlmeir","doi":"10.1007/s10796-024-10511-z","DOIUrl":null,"url":null,"abstract":"<p>In the Internet of Things (IoT), interconnected smart things enable new products and services in cyber-physical systems. Yet, smart things not only inherit information technology (IT) security risks from their digital components, but they may also aggravate them through the use of technology platforms (TPs). In the context of the IoT, TPs describe a tangible (e.g., hardware) or intangible (e.g., software and standards) general-purpose technology that is shared between different models of smart things. While TPs are evolving rapidly owing to their functional and economic benefits, this is partly to the detriment of security, as several recent IoT security incidents demonstrate. We address this problem by formalizing the situation’s dynamics with an established risk quantification approach from platforms in the automotive industry, namely a Bernoulli mixture model. We outline and discuss the implications of relevant parameters for security risks of TP use in the IoT, i.e., correlation and heterogeneity, vulnerability probability and conformity costs, exploit probability and non-conformity costs, as well as TP connectivity. We argue that these parameters should be considered in IoT governance decisions and delineate prescriptive governance implications, identifying potential counter-measures at the individual, organizational, and regulatory levels.</p>","PeriodicalId":13610,"journal":{"name":"Information Systems Frontiers","volume":"1 1","pages":""},"PeriodicalIF":6.9000,"publicationDate":"2024-08-22","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Information Systems Frontiers","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1007/s10796-024-10511-z","RegionNum":3,"RegionCategory":"管理学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

In the Internet of Things (IoT), interconnected smart things enable new products and services in cyber-physical systems. Yet, smart things not only inherit information technology (IT) security risks from their digital components, but they may also aggravate them through the use of technology platforms (TPs). In the context of the IoT, TPs describe a tangible (e.g., hardware) or intangible (e.g., software and standards) general-purpose technology that is shared between different models of smart things. While TPs are evolving rapidly owing to their functional and economic benefits, this is partly to the detriment of security, as several recent IoT security incidents demonstrate. We address this problem by formalizing the situation’s dynamics with an established risk quantification approach from platforms in the automotive industry, namely a Bernoulli mixture model. We outline and discuss the implications of relevant parameters for security risks of TP use in the IoT, i.e., correlation and heterogeneity, vulnerability probability and conformity costs, exploit probability and non-conformity costs, as well as TP connectivity. We argue that these parameters should be considered in IoT governance decisions and delineate prescriptive governance implications, identifying potential counter-measures at the individual, organizational, and regulatory levels.

Abstract Image

查看原文本刊更多论文

当你的东西不听话时：物联网的安全治理

在物联网（IoT）中，相互连接的智能物可以在网络物理系统中实现新的产品和服务。然而，智能物联网不仅从其数字组件中继承了信息技术（IT）安全风险，而且还可能通过使用技术平台（TPs）加剧这些风险。在物联网背景下，技术平台描述的是一种有形（如硬件）或无形（如软件和标准）的通用技术，不同型号的智能物联网共享这种技术。虽然物联网通用技术因其功能和经济效益而发展迅速，但正如最近发生的几起物联网安全事件所表明的那样，这在一定程度上损害了安全性。为了解决这个问题，我们利用汽车行业平台中的一种成熟的风险量化方法，即伯努利混合模型，将情况的动态形式化。我们概述并讨论了相关参数对物联网中使用 TP 的安全风险的影响，即相关性和异质性、脆弱性概率和符合性成本、利用概率和不符合性成本以及 TP 连接性。我们认为，在物联网治理决策中应考虑这些参数，并划定规范性治理影响，确定个人、组织和监管层面的潜在应对措施。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Information Systems Frontiers 工程技术-计算机：理论方法

CiteScore

13.30

自引率

18.60%

发文量

127

审稿时长

9 months

期刊介绍： The interdisciplinary interfaces of Information Systems (IS) are fast emerging as defining areas of research and development in IS. These developments are largely due to the transformation of Information Technology (IT) towards networked worlds and its effects on global communications and economies. While these developments are shaping the way information is used in all forms of human enterprise, they are also setting the tone and pace of information systems of the future. The major advances in IT such as client/server systems, the Internet and the desktop/multimedia computing revolution, for example, have led to numerous important vistas of research and development with considerable practical impact and academic significance. While the industry seeks to develop high performance IS/IT solutions to a variety of contemporary information support needs, academia looks to extend the reach of IS technology into new application domains. Information Systems Frontiers (ISF) aims to provide a common forum of dissemination of frontline industrial developments of substantial academic value and pioneering academic research of significant practical impact.