AI security and cyber risk in IoT systems

Abstract

Internet-of-Things (IoT) refers to low-memory connected devices used in various new technologies, including drones, autonomous machines, and robotics. The article aims to understand better cyber risks in low-memory devices and the challenges in IoT risk management. The article includes a critical reflection on current risk methods and their level of appropriateness for IoT. We present a dependency model tailored in context toward current challenges in data strategies and make recommendations for the cybersecurity community. The model can be used for cyber risk estimation and assessment and generic risk impact assessment. The model is developed for cyber risk insurance for new technologies (e.g., drones, robots). Still, practitioners can apply it to estimate and assess cyber risks in organizations and enterprises. Furthermore, this paper critically discusses why risk assessment and management are crucial in this domain and what open questions on IoT risk assessment and risk management remain areas for further research. The paper then presents a more holistic understanding of cyber risks in the IoT. We explain how the industry can use new risk assessment, and management approaches to deal with the challenges posed by emerging IoT cyber risks. We explain how these approaches influence policy on cyber risk and data strategy. We also present a new approach for cyber risk assessment that incorporates IoT risks through dependency modeling. The paper describes why this approach is well suited to estimate IoT risks.

Keywords: AI security; Internet-of-Things (IoT); artificial intelligence; cyber risk assessment; cyber risk estimation; cyber risk insurance; cyber risk management; risk impact assessment.

Figure 1

The IoT risk assessment process.

Figure 2

Dependency modeling for IoT risk assessment. (A) Dependency relationships among IoT components (C₁, C₂, C₃, C₄, C₅, C₆). The circles (C₁, C₂, C₃, etc.) represent different IoT components. The directional arrows (t₁, t₂, t₃, etc.) represent dependency flows between components. For example: t₁ is the dependency flow from component C₁ to component C₃. t₂ is the dependency flow from component C₁ to C₄. t₄ represents a dependency from C₂ to C₄. This structure shows how the functioning of one IoT component is dependent on the successful function of another connected component. (B) Layer-based dependencies in an IoT system. AL (Application Layer), Represents higher-level software components and services (e.g., analytics functions or cloud services); NL (Network Layer), Represents components such as communication switches or Programmable Logic Controllers (PLCs), through which data (t₁, f₁, etc.) is transmitted; PL (Perception Layer), Represents sensors or actuators, such as photoelectric sensors or conveyor belt switches, which interact with the physical world. The arrows in this part show how dependencies flow through these layers, with t₁ and f₁ representing different types of functional or data dependencies between the layers.

Figure 3

Connection configured.

Figure 4

Worst-case dependency impact.

Figure 5

The new emerging security incident response approach.

Figure 6

Simulation of the goal-oriented approach.