Abstract

This study proposes a security-quality-metrics method tailored to the Internet of Things (IoT) and evaluates how well the proposed approach conforms to pertinent cybersecurity regulations and guidelines for IoT. Cybersecurity incidents involving IoT devices have recently come to light; consequently, responding to IoT security has become a necessity. The ISO 25000 series treats security as a quality characteristic of software; however, the concept of security as a quality factor has not been applied to IoT devices. Because software vulnerabilities were not treated as a matter of product liability for device vendors, most vendors did not consider the security capability of IoT devices part of their quality control. Furthermore, no appropriate IoT security-quality metric exists for vendors; instead, each vendor has to set its own security standards, which lack consistency and are difficult to justify. To address this problem, the authors propose a universal method for specifying IoT security-quality metrics on a globally accepted scale, inspired by the goal/question/metric (GQM) method. The method enables vendors to verify that their products conform to the requirements of existing baselines and certification programs, and helps vendors tailor their quality requirements to meet the given security requirements. IoT users would also be able to use these metrics to verify the security quality of IoT devices.

Highlights

  • Security becomes more important with the proliferation of Internet of Things (IoT) devices

  • We considered the need for a methodology that would allow IoT vendors to tailor security-quality metrics for their products, in addition to the existing quality metrics

  • This study proposes a method for tailoring security-quality metrics for IoT devices to ensure the quality of IoT security. Using the produced metrics, the method is shown to be valid for evaluating the characteristics of emerging requirements and suggestions in relevant laws, regulations, guidelines, and certification programs for IoT security


Summary

Introduction

Security becomes more important with the proliferation of Internet of Things (IoT) devices. Researchers of IoT security have made significant progress in mitigating security threats and vulnerabilities, such as remote attacks via wireless connectivity (Wi-Fi, Bluetooth, or Zigbee) [7,8,9], and in securing architectures to meet security requirements [4,10]. Because these functions and mitigation technologies are, in most cases, not developed by the IoT vendors themselves but are externally procured components, IoT vendors are required to assess the security quality of the communication components they adopt. EDSA (Embedded Device Security Assurance) certification based on IEC 62443 [23]. These certifications are highly specialized: ISO/IEC 15408 (Common Criteria) focuses on assurance and does not specify which security measures to take, whereas IEC 62443 is specific to industrial automation and control systems in critical infrastructure, which generally does not apply to. Benchmarks and assessment methods for information security have been proposed [24,25], but both fall short from a web-specific and a lifecycle perspective when used for product security in IoT.
