{"title":"Knowledge elicitation methodology for evaluation of Internet of Things privacy characteristics in smart cities","authors":"Nil Kilicay‐Ergin, Adrian Barb, Namrata Chaudhary","doi":"10.1002/sys.21726","DOIUrl":null,"url":null,"abstract":"Abstract One of the impediments to transforming urban cities into smart cities is the security and privacy concerns that arise due to use of Internet of Things (IoT) devices in various smart city applications. While IoT device vendors publish their security and privacy policies, manual evaluation of these policies is tedious and prone to misinterpretation as there is a lot of variability in the language used across IoT vendors. Local administrations and policy analysts are faced with understanding the implications of integrating IoT devices with differing security and privacy characteristics but lack methods that support them in analysis of privacy characteristics from a holistic perspective. In this paper, a methodology for knowledge elicitation from textual information is outlined to evaluate privacy characteristics of IoT devices. The methodology includes natural language processing and deep learning techniques to evaluate the relevance of IoT privacy policies to the National Institute of Standards and Technology (NIST) security and privacy framework 5 . Based on the analysis, text similarity scores are calculated for each IoT privacy policy document and each section of the policy document is labeled to NIST categories and functions. Analysis of these resulting labels and scores helps analysts to gain insights on each privacy policy as well as provide a holistic perspective of the privacy characteristics of IoT devices used in smart city applications. For example, all the policy documents used in the study talk about Protect domain and half of the documents cover Detect domain. However, most of the policies contain gaps regarding the Identify , Respond , and Recover domains. The study has implications for policy analysts, IoT vendors, and smart city administrators in terms of understanding the privacy gaps in IoT devices with respect to the NIST framework which can ultimately support policy alignment to address privacy concerns for smart cities.","PeriodicalId":54439,"journal":{"name":"Systems Engineering","volume":"43 1","pages":"0"},"PeriodicalIF":1.6000,"publicationDate":"2023-10-09","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Systems Engineering","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1002/sys.21726","RegionNum":3,"RegionCategory":"工程技术","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q4","JCRName":"ENGINEERING, INDUSTRIAL","Score":null,"Total":0}
引用次数: 0
Abstract
Abstract One of the impediments to transforming urban cities into smart cities is the security and privacy concerns that arise due to use of Internet of Things (IoT) devices in various smart city applications. While IoT device vendors publish their security and privacy policies, manual evaluation of these policies is tedious and prone to misinterpretation as there is a lot of variability in the language used across IoT vendors. Local administrations and policy analysts are faced with understanding the implications of integrating IoT devices with differing security and privacy characteristics but lack methods that support them in analysis of privacy characteristics from a holistic perspective. In this paper, a methodology for knowledge elicitation from textual information is outlined to evaluate privacy characteristics of IoT devices. The methodology includes natural language processing and deep learning techniques to evaluate the relevance of IoT privacy policies to the National Institute of Standards and Technology (NIST) security and privacy framework 5 . Based on the analysis, text similarity scores are calculated for each IoT privacy policy document and each section of the policy document is labeled to NIST categories and functions. Analysis of these resulting labels and scores helps analysts to gain insights on each privacy policy as well as provide a holistic perspective of the privacy characteristics of IoT devices used in smart city applications. For example, all the policy documents used in the study talk about Protect domain and half of the documents cover Detect domain. However, most of the policies contain gaps regarding the Identify , Respond , and Recover domains. The study has implications for policy analysts, IoT vendors, and smart city administrators in terms of understanding the privacy gaps in IoT devices with respect to the NIST framework which can ultimately support policy alignment to address privacy concerns for smart cities.
期刊介绍:
Systems Engineering is a discipline whose responsibility it is to create and operate technologically enabled systems that satisfy stakeholder needs throughout their life cycle. Systems engineers reduce ambiguity by clearly defining stakeholder needs and customer requirements, they focus creativity by developing a system’s architecture and design and they manage the system’s complexity over time. Considerations taken into account by systems engineers include, among others, quality, cost and schedule, risk and opportunity under uncertainty, manufacturing and realization, performance and safety during operations, training and support, as well as disposal and recycling at the end of life. The journal welcomes original submissions in the field of Systems Engineering as defined above, but also encourages contributions that take an even broader perspective including the design and operation of systems-of-systems, the application of Systems Engineering to enterprises and complex socio-technical systems, the identification, selection and development of systems engineers as well as the evolution of systems and systems-of-systems over their entire lifecycle.
Systems Engineering integrates all the disciplines and specialty groups into a coordinated team effort forming a structured development process that proceeds from concept to realization to operation. Increasingly important topics in Systems Engineering include the role of executable languages and models of systems, the concurrent use of physical and virtual prototyping, as well as the deployment of agile processes. Systems Engineering considers both the business and the technical needs of all stakeholders with the goal of providing a quality product that meets the user needs. Systems Engineering may be applied not only to products and services in the private sector but also to public infrastructures and socio-technical systems whose precise boundaries are often challenging to define.