Knowledge elicitation methodology for evaluation of Internet of Things privacy characteristics in smart cities

IF 1.6 3区工程技术 Q4 ENGINEERING, INDUSTRIAL Systems Engineering Pub Date : 2023-10-09 DOI:10.1002/sys.21726

Nil Kilicay‐Ergin, Adrian Barb, Namrata Chaudhary

{"title":"Knowledge elicitation methodology for evaluation of Internet of Things privacy characteristics in smart cities","authors":"Nil Kilicay‐Ergin, Adrian Barb, Namrata Chaudhary","doi":"10.1002/sys.21726","DOIUrl":null,"url":null,"abstract":"Abstract One of the impediments to transforming urban cities into smart cities is the security and privacy concerns that arise due to use of Internet of Things (IoT) devices in various smart city applications. While IoT device vendors publish their security and privacy policies, manual evaluation of these policies is tedious and prone to misinterpretation as there is a lot of variability in the language used across IoT vendors. Local administrations and policy analysts are faced with understanding the implications of integrating IoT devices with differing security and privacy characteristics but lack methods that support them in analysis of privacy characteristics from a holistic perspective. In this paper, a methodology for knowledge elicitation from textual information is outlined to evaluate privacy characteristics of IoT devices. The methodology includes natural language processing and deep learning techniques to evaluate the relevance of IoT privacy policies to the National Institute of Standards and Technology (NIST) security and privacy framework 5 . Based on the analysis, text similarity scores are calculated for each IoT privacy policy document and each section of the policy document is labeled to NIST categories and functions. Analysis of these resulting labels and scores helps analysts to gain insights on each privacy policy as well as provide a holistic perspective of the privacy characteristics of IoT devices used in smart city applications. For example, all the policy documents used in the study talk about Protect domain and half of the documents cover Detect domain. However, most of the policies contain gaps regarding the Identify , Respond , and Recover domains. The study has implications for policy analysts, IoT vendors, and smart city administrators in terms of understanding the privacy gaps in IoT devices with respect to the NIST framework which can ultimately support policy alignment to address privacy concerns for smart cities.","PeriodicalId":54439,"journal":{"name":"Systems Engineering","volume":null,"pages":null},"PeriodicalIF":1.6000,"publicationDate":"2023-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Systems Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1002/sys.21726","RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"ENGINEERING, INDUSTRIAL","Score":null,"Total":0}

引用次数: 0

Abstract

Abstract One of the impediments to transforming urban cities into smart cities is the security and privacy concerns that arise due to use of Internet of Things (IoT) devices in various smart city applications. While IoT device vendors publish their security and privacy policies, manual evaluation of these policies is tedious and prone to misinterpretation as there is a lot of variability in the language used across IoT vendors. Local administrations and policy analysts are faced with understanding the implications of integrating IoT devices with differing security and privacy characteristics but lack methods that support them in analysis of privacy characteristics from a holistic perspective. In this paper, a methodology for knowledge elicitation from textual information is outlined to evaluate privacy characteristics of IoT devices. The methodology includes natural language processing and deep learning techniques to evaluate the relevance of IoT privacy policies to the National Institute of Standards and Technology (NIST) security and privacy framework 5 . Based on the analysis, text similarity scores are calculated for each IoT privacy policy document and each section of the policy document is labeled to NIST categories and functions. Analysis of these resulting labels and scores helps analysts to gain insights on each privacy policy as well as provide a holistic perspective of the privacy characteristics of IoT devices used in smart city applications. For example, all the policy documents used in the study talk about Protect domain and half of the documents cover Detect domain. However, most of the policies contain gaps regarding the Identify , Respond , and Recover domains. The study has implications for policy analysts, IoT vendors, and smart city administrators in terms of understanding the privacy gaps in IoT devices with respect to the NIST framework which can ultimately support policy alignment to address privacy concerns for smart cities.

查看原文

微信好友朋友圈 QQ好友复制链接

本刊更多论文

智慧城市物联网隐私特征评价的知识启发方法

将城市转变为智慧城市的障碍之一是由于在各种智慧城市应用中使用物联网(IoT)设备而产生的安全和隐私问题。虽然物联网设备供应商发布了他们的安全和隐私策略，但由于物联网供应商使用的语言存在很大差异，因此手动评估这些策略非常繁琐且容易被误解。地方政府和政策分析师面临着理解具有不同安全和隐私特征的物联网设备集成的影响，但缺乏从整体角度分析隐私特征的支持方法。本文概述了一种从文本信息中获取知识的方法，用于评估物联网设备的隐私特征。该方法包括自然语言处理和深度学习技术，以评估物联网隐私政策与国家标准与技术研究院(NIST)安全和隐私框架的相关性5。在此基础上，计算每个IoT隐私策略文档的文本相似度分数，并将策略文档的每个部分标记为NIST类别和功能。对这些结果标签和分数的分析有助于分析师深入了解每个隐私政策，并提供智慧城市应用中使用的物联网设备隐私特征的整体视角。例如，研究中使用的所有策略文件都涉及保护领域，一半的文件涉及检测领域。但是，大多数策略包含关于识别、响应和恢复域的差距。该研究对政策分析师、物联网供应商和智慧城市管理员在了解物联网设备相对于NIST框架的隐私差距方面具有重要意义，最终可以支持政策协调，以解决智慧城市的隐私问题。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文去求助

来源期刊

Systems Engineering 工程技术-工程：工业

CiteScore

5.10

自引率

20.00%

发文量

审稿时长

6 months

期刊介绍： Systems Engineering is a discipline whose responsibility it is to create and operate technologically enabled systems that satisfy stakeholder needs throughout their life cycle. Systems engineers reduce ambiguity by clearly defining stakeholder needs and customer requirements, they focus creativity by developing a system’s architecture and design and they manage the system’s complexity over time. Considerations taken into account by systems engineers include, among others, quality, cost and schedule, risk and opportunity under uncertainty, manufacturing and realization, performance and safety during operations, training and support, as well as disposal and recycling at the end of life. The journal welcomes original submissions in the field of Systems Engineering as defined above, but also encourages contributions that take an even broader perspective including the design and operation of systems-of-systems, the application of Systems Engineering to enterprises and complex socio-technical systems, the identification, selection and development of systems engineers as well as the evolution of systems and systems-of-systems over their entire lifecycle. Systems Engineering integrates all the disciplines and specialty groups into a coordinated team effort forming a structured development process that proceeds from concept to realization to operation. Increasingly important topics in Systems Engineering include the role of executable languages and models of systems, the concurrent use of physical and virtual prototyping, as well as the deployment of agile processes. Systems Engineering considers both the business and the technical needs of all stakeholders with the goal of providing a quality product that meets the user needs. Systems Engineering may be applied not only to products and services in the private sector but also to public infrastructures and socio-technical systems whose precise boundaries are often challenging to define.