This study proposes a security-quality-metrics method tailored for the Internet of things (IoT) and evaluates the conformity of the proposed approach with pertinent cybersecurity regulations and guidelines for IoT. Cybersecurity incidents involving IoT devices have recently come to light; consequently, addressing IoT security has become a necessity. The ISO 25000 series is used for software; however, the concept of security as a quality factor has not been applied to IoT devices. Because software vulnerabilities did not fall under device vendors' product liability, most vendors did not consider the security capability of IoT devices as part of their quality control. Furthermore, an appropriate IoT security-quality metric for vendors does not exist; instead, vendors have to set their own security standards, which lack consistency and are difficult for vendors to justify on their own. To address this problem, the authors propose a universal method for specifying IoT security-quality metrics on a globally accepted scale, inspired by the goal/question/metric (GQM) method. The method enables vendors to verify that their products conform to the requirements of existing baselines and certification programs, and helps vendors tailor their quality requirements to meet the given security requirements. IoT users would also be able to use these metrics to verify the security quality of IoT devices.
There has recently been a global increase in economic losses due to cyberattacks. However, research on the economic damage caused by cyberattacks has mainly focused on attacked companies, and spillover damage to other sectors has not been sufficiently investigated. This study analyzed the economic losses from cyberattacks in Japan using the production function and input–output model to improve the accuracy of damage prediction and various national measures. First, we provide an estimation method for the annual direct damage by industry using a production function. The main input dataset is the working hours lost owing to cyber incidents. Second, we devised a model to estimate the amount of spillover damage to the entire country using the input–output model. Third, although the cyber damage data were limited to interview data from the JNSA and IPA, we showed the process of estimating direct and spillover damage in all sectors in Japan. As a result, we consider that our estimation method is feasible and effective at the national level. This study contributes to future research on cyber resilience by analyzing the damage caused by cyberattacks from a macroeconomic perspective using a production function and input–output model.