
SAFER: Development and Evaluation of an IoT Device Risk Assessment Framework in a Multinational Organization

Published: 04 September 2020

Abstract

Users of Internet of Things (IoT) devices are often unaware of their security risks and cannot sufficiently factor security considerations into their device selection. This puts networks, infrastructure and users at risk. We developed and evaluated SAFER, an IoT device risk assessment framework designed to improve users' ability to assess the security of connected devices. We deployed SAFER in a large multinational organization that permits use of private devices. To evaluate the framework, we conducted a mixed-method study with 20 employees. Our findings suggest that SAFER increases users' awareness of security issues. It provides valuable advice and impacts device selection. Based on our findings, we discuss implications for the design of device risk assessment tools, with particular regard to the relationship between risk communication and user perceptions of device complexity.

Supplementary Material

oser.zip: supplemental movie, appendix, image and software files for "SAFER: Development and Evaluation of an IoT Device Risk Assessment Framework in a Multinational Organization"



Published In

Proceedings of the ACM on Interactive, Mobile, Wearable and Ubiquitous Technologies, Volume 4, Issue 3
September 2020, 1061 pages
EISSN: 2474-9567
DOI: 10.1145/3422862
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher

Association for Computing Machinery, New York, NY, United States


Author Tags

  1. Device risk assessment
  2. Informed decision
  3. IoT devices
  4. Security awareness
  5. Usable security

Qualifiers

  • Research-article
  • Research
  • Refereed

Article Metrics

  • Downloads (last 12 months): 44
  • Downloads (last 6 weeks): 4
Reflects downloads up to 09 Nov 2024

Cited By

  • (2024) Building trust in remote attestation through transparency – a qualitative user study on observable attestation. Behaviour & Information Technology, 1-21. https://doi.org/10.1080/0144929X.2024.2374889. Online publication date: 11-Jul-2024.
  • (2023) Evaluating Consumer Behavior, Decision Making, Risks, and Challenges for Buying an IoT Product. IoT 4(2), 78-94. https://doi.org/10.3390/iot4020005. Online publication date: 25-Mar-2023.
  • (2023) An IoT Security Risk Assessment Framework for Healthcare Environment. 2023 International Symposium on Networks, Computers and Communications (ISNCC), 01-08. https://doi.org/10.1109/ISNCC58260.2023.10324002. Online publication date: 23-Oct-2023.
  • (2023) ConnectivityControl: Providing Smart Home Users with Real Privacy Configuration Options. End-User Development, 180-188. https://doi.org/10.1007/978-3-031-34433-6_11. Online publication date: 6-Jun-2023.
  • (2022) SaferHome: Interactive Physical and Digital Smart Home Dashboards for Communicating Privacy Assessments to Owners and Bystanders. Proceedings of the ACM on Human-Computer Interaction 6(ISS), 680-699. https://doi.org/10.1145/3567739. Online publication date: 14-Nov-2022.
  • (2022) Automating Contextual Privacy Policies: Design and Evaluation of a Production Tool for Digital Consumer Privacy Awareness. Proceedings of the 2022 CHI Conference on Human Factors in Computing Systems, 1-18. https://doi.org/10.1145/3491102.3517688. Online publication date: 29-Apr-2022.
  • (2022) Evaluating the Future Device Security Risk Indicator for Hundreds of IoT Devices. Security and Trust Management, 52-70. https://doi.org/10.1007/978-3-031-29504-1_3. Online publication date: 29-Sep-2022.
  • (2021) Security-Critical Components Recognition Algorithm for Complex Heterogeneous Information Systems. Computers, Materials & Continua 68(2), 2579-2595. https://doi.org/10.32604/cmc.2021.016623. Online publication date: 2021.
