Aeri Lee (Barun ICT Research Center, Yonsei University)
Beomsoo KIM (Barun ICT Research Center, Yonsei University)
IoT spreads, the quantity of newly collected information and geometric progression of data collection devices is increasing, and the issues of personal information protection and privacy violations are also gaining attention.
Many such violations have actually occurred in the IoT environment. These include the unauthorized collection of personal information by Onstar, a telematics system used by General Motors; a video leak by the webcam manufacturer Trendnet; the hacking of a baby monitor ser vice; a personal information leak using drones; and the demonstration of smart-car hacking by the global security company Kaspersky Lab.
Similarly, although personal and societal dangers through violations of personal information in the IoT environment are increasing, systematic legal, administrative, and technical measures relevant to personal information in the IoT have yet to be offered.
Dr. Aeri Lee at Yonsei University’s Barun ICT Research Center has identified the posible dangers of personal information leaks or privacy violations in IoT, and has shared a risk analysis framework for dangers regarding personal information in the IoT era.
The following study refers to investigations into existing studies and services that have been forecasted to lead to IoT usage, which can be classified into five categories: smart communication devices, connected cars, smart homes, smart healthcare, and Smart infra.
To create a risk analysis framwork in the IoT environment, three risk measurement methods based on existing major risk analysis techniques, i.e., American National Institute of Standards and Technology (NIST) SP800-3-: 2002, Korean Industrial Standards KS X ISO/IEC 27005, and ISCARISKIT, were analyzed with a focus on “risk assessment,” which is the key to identifying risk factors and establishing risk analysis systems. Because these three measurement methos are all specialized and centered on risk management analyses within an organizational business environment, they are not suitable for a personal information risk analysis in the IoT environment. Therefore, a new supplemental framework is required.
Dr. Aeri Lee referred to the risk measurement methods from the existing frameworks and made modifications to reflect the characteristics and influence of personal information. The constitutive variable of his newly posed risk analysis framework, expressed as a modification,
resembles [Picture 1].
In the following study, “asset” was replaced with “personal information,” and “vulnerability” was replaced with “impact.” Personal information includes the types of personal information and aspects of sensitivity.
[Figure 1] Calculus for IoT Risk Analysis
Considering the difficulty of analyzing the weaknesses of services in the IoT environment, social impact is the focus of a risk measurement, and is a variable projecting the weakness of personal information leakage. Social impact, as a variable, is also relevant to the damage incurred through the leaking of an individual’s information and the violation of privacy, as well as the consequent social shock. In detail, social impact consists of the number of IoT service users, frequency of use, market size, and a second combined market size.
Threats refer to information threatened by personal information leakage and privacy violations, and in the IoT environment reflect the threats to devices, networks, or servers that generate, deliver, and process personal information.
The IoT service sectional risk analysis results verifying the proposed framework are shown in [Table 1]. For example, for identifiable types of personal information, connected car and Smart commuication devices are at high risk, but with regard to personal information sensitivity, smart homes are at higher risk than connected cars, and all business fields show a different degree of risk concerning each risk factor.
It has been predicted that as IoT grows, debate regarding the supplementation of personal information protection and assisting measures will actively take place. In the following study, the proposed risk analysis framework can be consulted for future personal information protection measures and risk management systems.