Building Confidence using Beliefs and Arguments in Security Class Evaluations for IoT
Original version
10.1109/FMEC49853.2020.9144957Abstract
The proliferation of IoT (Internet of Things) though making life easier, comes with security and privacy challenges. We have previously proposed a security classification methodology meant to help in practice build IoT systems focused on security during the development process. This method departs from classical risk analysis and certification methods in two ways: (i) it can be used at design time and (ii) it caters for the needs of system designers by helping them to identify protection mechanisms necessary for the connectivity required by their system under development. However, similarly to many risk analysis methods, this methodology was unable to provide assurance in the evaluation results. In this paper, we add two confidence parameters: belief and uncertainty to the assessment tree of arguments of a class. Thus, the final result is now a tuple <; C, B, U>, where C is the class to which the system belongs, together with a belief measure B in the evaluation aspects of C, and the uncertainty U in the evaluation details. Looking at the confidence parameters tells how well the security assessment is justified. To exemplify this enhanced security classification methodology, we systematically apply it to control mechanisms for Smart Home Energy Management Systems.