In the traditional view, a good security practice was likely achieved through effective technologies, policies, standards and procedures that intended to ensure the CIA-triad: confidentiality, integrity and availability. Confidentiality is seen as the prevention of unauthorized disclosure, integrity as the prevention of the unauthorized modification, and availability as the prevention of unauthorized withholding of data [
38]. The CIA-triad has been extended over the years—e.g., the CIA+ to deal with network security attacks [
39]. Nonetheless, the IoT domain poses additional aspects that are not covered by the mentioned models. Additionally, in IoT systems, new security requirements have arisen due to specific features, e.g., use of cloud technology and properties e.g., constrained resources, of IoT systems. Even if security and privacy must go hand-in-hand, there are often situations when the prior becomes a cause for concern for the former. For example, strengthening surveillance systems for a better security comes at the expense of privacy. In light of the aspects mentioned above, below we provide an overview of related studies by mapping with interview data while identifying and highlighting different security aspects (see details in
Table 3).
IoT Awareness: Raising awareness for
data management in terms of sensitive information in the IoT domain current practices is an important feature [
40,
41,
42]. However,
training and education require broader spectrum of stakeholders to be included, such as policy makers, regulators and the general public in order to raise such awareness regarding IoT challenges, risks and opportunities [
37,
43] (all respondents). More specifically, there is a need for
user awareness and security education for both developers and users of smart products and services [
44] (R5). The best way to keep security on users’ attention is to offer continuous security awareness and education programs [
45]. Because these smart products and services should be
designed-in security concepts in mind [
43,
46] and at the same time dealing with
ethical concerns in terms of bringing awareness to owners of IoT smart products related to the degree of privacy [
47],
continuous education for engineers and other stakeholders in IoT field is important for enabling life-long learning regarding security and privacy aspects likewise [
27,
37,
45,
48]. Additional features for organizing learning mechanisms, team building and knowledge management systems need to be provided in connection to
people and team management aspects [
49]. For raising awareness among IoT industry management and practitioners, there is a need for an adequate
legal framework that would take the underlying technology into account [
14]. This legal framework could be established by the legislator which can also be supplemented by the IoT industry according to their specific needs [
14]. Furthermore, a legal framework could ensure stakeholders awareness and protection of subjects, e.g., when it comes to privacy breaches [
50]. In order to place this framework into practice,
policy enforcement as another feature of IoT security awareness aspect is important to be considered [
51,
52]. Security should be introduced in a form of
security as a process aspect that would help with thinking about security from the initial design phase and throughout the development lifecycle (R5). Developers should understand the
context of operation and then apply security patterns, mechanisms and tools that work for their team (all respondents). This is especially important in IoT as often it is not possible to state general practices or guidelines for designing secure IoT system (R1, R5).
Learn by observing instead of reinventing the wheel is another aspect, as there is a need to look at the success models because often the problems IoT practitioners face are already encountered and solved in other mature industries (R5).
Addressing the digital divide aspect deals with IoT practitioners that need to have larger responsibility for securing IoT users, mainly because of their various levels of understanding the security and privacy risks (R1, R6). Security is a continuous process, thus the
keep secure always aspect could enable timely upgrades and updates of the system by issuing necessary and critical fixes (all respondents). Security fixes must be enforced on the IoT users to keep their system always secure (R6).
Plan for end-to-end security should be designed and implemented addressing all the components of an IoT ecosystem, from the end-user to devices to network, and so on (R6).
IoT Assessment: Building trust in humans is an essential assessment item of security and privacy within the IoT field [
51,
53]. IoT devices need to be designed with
identity management appropriate for the IoT environment [
51,
54,
55] for e.g., in terms of maximizing data integrity and ensuring trust mechanisms [
27]. Security risks can arise due to multiple reasons, e.g., unawareness of maliciously manipulated products or the lack of information on potential countermeasures [
44]. In order to avoid certain vulnerabilities and risks,
risk management is an important aspect of assessment in security in terms of threat modeling, code reviews, and various testing aspects such as white/black-box testing [
37,
43,
46,
56] (R5, R6). In this case, mitigation measures should also be considered by utilizing
security and privacy by design principles [
43,
48,
50,
57] (all respondents). Having
trust management usually helps to overcome the uncertainties and risks within the IoT environment [
19,
52,
55] (R1, R2).
Auditing is another important IoT feature [
27]) (R5, R6). This feature is important as it leans more towards transparency when implementing the security of IoT devices [
27]. In particular, auditing when done repeatedly against security standards, helps in building user trust [
58]. In the end,
compliance sets the frontal image of how assessment should be developed within the IoT infrastructure [
20,
27,
43]. Having an IoT provider compliant to security standards may also contribute in attracting more users to use the provider services [
58]. Assessment for IoT developers should let them think about necessary
tools and software assessment. A security toolbox helps practitioners conduct e.g., threat modeling, architectural review, code review, and running automated security tests (R5). IoT stakeholders should think about
data assessment aspects as well, in order to assess data for its correctness, trustworthiness, and reliability (R1, R6) [
19,
43,
57].
IoT Challenges: Many IoT devices used today were originally designed in
closed way for non-internet use and with
proprietary code, and often using weak protocols and practices [
6,
41,
42,
43]. Even though many
standardization bodies together with industry tried to provide solutions for security and privacy aspects [
42,
43], standardization in IoT still remains as a continuous challenge [
44] (R2, R6).
IoT complexity makes it almost impossible to realize secure systems efficiently in terms of the problems related to scalability and interoperability [
37,
48] (all respondents). Adding to the complexities are also the availability of multiple platforms, numerous protocols, large numbers of APIs and well evolving standards.
IoT environment constraints to date present many security challenges in terms of devices computational power, memory, battery, network, operating system, and bandwidth, among others [
19,
22,
43,
52] (R1, R2, R6).
Constant evolution of new IoT technologies,
heterogeneity and continuous updates of technologies present challenges regarding potential security vulnerabilities [
22,
49] (R6). Furthermore,
business and technical level standards must not be taken lightly as IoT security constraints [
44].
Fragmentation of IoT market with incompatible devices, platforms and protocols impose further challenges in implementing effective security measures (R1, R2).
Multiple Verticals systems as created by IoT stakeholders contribute to fragmentation and interoperability problems within the IoT industry creating standardization challenges (R2).