An Evaluation of IoT Security Guidance Documents: A Shared Responsibility Perspective

Abstract

Internet of Things (IoT) security is an ongoing and challenging issue. Manufacturers and developers are usually seen as the ones responsible for providing security features for IoT devices. Yet, after the release of the devices and services, their security starts to depend on end users as well. End users have the ability to use various privacy and security controls implemented by providers, but they often are not given the needed guidance in clear and understandable terms to set and configure the security controls of their devices and systems. Unlike manufacturers who have access to many IoT security guidelines, recommendations, and requirements aimed at helping them produce secure devices, end users are rarely addressed in such documentation. In this paper, we explore the extent to which existing guidance documentation supports a shared responsibility model between manufacturers and end users for IoT security. Based on a comparative analysis of existing documentation, we provide several recommendations for improving the state-of-the-art. We argue that IoT security is a shared responsibility, hence, end users must be supported with official guidance, clear recommendations, and understandable instructions on how to stay secure in the IoT environment.