A Weighted Risk Score Model for IoT Devices

  • Shachar Siboni
  • Chanan Glezer
  • Asaf Shabtai
  • Yuval Elovici
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11637)


The Internet of Things (IoT) defines a new era where ordinary physical objects are being transformed into smart connected devices. These advanced devices have the ability to sense, compute, and communicate with their surroundings via the Internet. This may result in severe network security breaches, as these devices increase the attack surface by exposing new vulnerabilities and infiltration points into restricted networks. One of the major challenges in such deployments is determining the security risks that IoT devices pose to the environment they operate in. This paper proposes an IoT device risk score model, denoted as the Weighted Risk Ranking (WRR) model. The proposed approach focuses on quantifying the static and dynamic properties of a device, in order to define a risk score. Our practical proof of concept demonstrates the use of the WRR scheme for several IoT devices in the context of an enterprise network, showing the feasibility of the suggested solution as a tool for device risk assessment in modern networks where IoT devices are widely deployed.


Keywords: Internet of Things, Security, Device risk assessment, Device-centric approach, Security risk score



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Shachar Siboni (1)
  • Chanan Glezer (2)
  • Asaf Shabtai (1)
  • Yuval Elovici (1)

  1. Department of Software and Information Systems Engineering, Ben-Gurion University of the Negev, Beer-Sheva, Israel
  2. Department of Industrial Engineering and Management, Ariel University, Ariel, Israel
