Articles Data Breaches and Identity Theft | Page 3

66 M. Abomhara and G. M. Køien
gradually permeated all aspects of modern human life, such as education,
healthcare, and business, involving the storage of sensitive information about
individuals and companies, financial data transactions, product development
and marketing.
The vast diffusion of connected devices in the IoT has created enormous
demand for robust security in response to the growing demand of millions or
perhaps billions of connected devices and services worldwide [3–5].
The number of threats is rising daily, and attacks have been on the increase
in both number and complexity. Not only is the number of potential attackers
along with the size of networks growing, but the tools available to potential
attackers are also becoming more sophisticated, efficient and effective [6, 7].
Therefore, for IoT to achieve fullest potential, it needs protection against
threats and vulnerabilities [8].
Security has been defined as a process to protect an object against physical
damage, unauthorized access, theft, or loss, by maintaining high confidential-
ity and integrity of information about the object and making information about
that object available whenever needed [7, 9]. According to Kizza [7] there is no
thing as the secure state of any object, tangible or not, because no such object
can ever be in a perfectly secure state and still be useful. An object is secure if
the process can maintain its maximum intrinsic value under different condi-
tions. Security requirements in the IoT environment are not different from any
other ICT systems. Therefore, ensuring IoT security requires maintaining the
highest intrinsic value of both tangible objects (devices) and intangible ones
(services, information and data).
This paper seeks to contribute to a better understanding of threats and their
attributes (motivation and capabilities) originating from various intruders like
organizations and intelligence. The process of identifying threats to systems
and system vulnerabilities is necessary for specifying a robust, complete set
of security requirements and also helps determine if the security solution is
secure against malicious attacks [10]. As well as users, governments and IoT
developers must ultimately understand the threats and have answers to the
following questions:
1.
2.
3.
4.
5.
6.
What are the assets?
Who are the principal entities?
What are the threats?
Who are the threat actors?
What capability and resource levels do threat actors have?
Which threats can affect what assets?