Abstract
This paper contributes to the ongoing discourse by identifying key risks associated with IoT devices and environments and proposing strategies to mitigate them. The study focuses on three main objectives: (1) identifying the primary security threats affecting IoT devices, (2) outlining best practices for mitigating these risks, and (3) exploring the role of cyber risk management in securing IoT ecosystems. By addressing these aspects, the paper aims to support stakeholders in implementing more robust security frameworks, ensuring confidentiality, integrity, and safety in IoT deployments. Based on an analysis of 35 previous studies, it is evident that a variety of complementary risk management frameworks and models are available to support the secure deployment and operation of IoT devices. These frameworks have been developed for both governmental and commercial use, enabling organizations to tailor their risk management strategies to specific IoT contexts. Among the reviewed studies, seven utilized the ISO framework for risk management in IoT environments, while six applied the NIST framework. Additionally, three studies implemented the OCTAVE framework to assess and mitigate risks. Notably, nine studies each employed a distinct risk management model, including ELK Stack, PDCA Cycle, Cyber Kill Chain (CKC), CSRF, CRAMM, COBIT 5, IoTSRM2, and the Cyber Value at Risk (CVaR) model. These diverse approaches highlight the growing recognition of the need for structured, adaptable, and sector-specific risk management strategies in the rapidly evolving IoT landscape.
Almaayah, M., & Sulaiman, R. B. (2024). Cyber Risk Management in the Internet of Things: Frameworks, Models, and Best Practices. STAP Journal of Security Risk Management, 2024(1), 3–23. https://doi.org/10.63180/jsrm.thestap.2024.1.1