Computer Standards & Interfaces 97 (2026) 104099
journal homepage: www.elsevier.com/locate/csi
Integrating IoT security practices into a risk-based framework for small and medium enterprises (SMEs)
Samer Aoudi*, Hussain Al-Aqrabi
Department of Computer Information Science, Higher Colleges of Technology, Sharjah, UAE
ARTICLE INFO

Keywords: IoT security; Risk assessment; SME cybersecurity; Threat modeling; STRIDE; CVSS; Bayesian inference

ABSTRACT

The growing integration of Internet of Things (IoT) technologies within Small and Medium Enterprises (SMEs) has introduced new operational efficiencies while simultaneously expanding the cybersecurity threat landscape. However, most SMEs lack the resources, technical expertise, and institutional maturity required to adopt existing security frameworks, which are often designed with large enterprises in mind. This paper proposes a risk-based framework specifically developed to help SMEs identify, assess, and mitigate IoT-related security risks in a structured and scalable manner. The framework integrates key components such as asset classification, STRIDE-based threat modeling, CVSS-driven vulnerability assessment, and dynamic risk prioritization through Bayesian inference. Emphasis is placed on cost-effective mitigation strategies that are feasible within SME resource constraints and aligned with regulatory requirements. The framework was validated through a real-world case study involving a digitally enabled retail SME. Results demonstrate tangible improvements in vulnerability management, security control implementation, and organizational readiness. Additionally, qualitative feedback from stakeholders highlights the framework's usability, adaptability, and minimal disruption to operations. This research bridges a critical gap in the current literature by contextualizing established cybersecurity methodologies for the SME sector and providing a practical toolset for managing IoT risks. The proposed framework offers SMEs a viable path toward improving cybersecurity resilience in increasingly connected business environments.
1. Introduction

The Internet of Things (IoT) is reshaping the digital landscape, driving innovation across industries by interconnecting billions of devices. From smart sensors and industrial controllers to home automation systems and connected medical equipment, IoT enables continuous data exchange, automation, and real-time analytics. Its widespread integration is transforming sectors such as healthcare, manufacturing, transportation, and retail. Projections indicate that IoT device adoption will exceed 39.9 billion units by 2033, outpacing traditional computing platforms such as laptops and smartphones [1].

In the business domain, IoT technologies are instrumental in boosting operational efficiency, reducing costs, and enabling agile service models. For instance, in logistics, IoT-enabled tracking systems improve supply chain visibility and inventory accuracy, minimizing losses and enhancing responsiveness [2]. In healthcare, connected medical devices allow for real-time patient monitoring and timely clinical interventions, elevating care standards [3]. SMEs, in particular, are increasingly adopting IoT solutions to streamline operations and remain competitive. However, this rapid adoption has introduced heightened cybersecurity concerns. SMEs often lack dedicated cybersecurity personnel and operate with limited financial and technical resources, leaving them especially vulnerable to IoT-specific threats and system misconfigurations.

The growth trajectory of IoT is further accelerated by advancements in artificial intelligence (AI) [4], edge computing [5–7], and 5G networks [8]. AI-integrated IoT systems enhance threat detection and support autonomous decision-making. Edge computing enables low-latency data processing at the device level, and 5G introduces ultra-high bandwidth and reliable communication, powering real-time industrial and smart city applications. Together, these technologies signal an era of unprecedented connectivity, in which SMEs must navigate both operational transformation and an increasingly complex cybersecurity threat landscape.

1.1. Problem statement

While the Internet of Things (IoT) offers significant operational advantages, it also exposes organizations, particularly SMEs, to
* Corresponding author.
E-mail address: samer_aoudi@hotmail.com (S. Aoudi).
https://doi.org/10.1016/j.csi.2025.104099
Received 10 June 2025; Received in revised form 3 November 2025; Accepted 21 November 2025
Available online 26 November 2025
0920-5489/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
increasingly complex and evolving cyber threats [9–11]. The diverse and heterogeneous nature of IoT devices introduces system-level challenges such as default credentials, outdated firmware, insecure communication protocols, and insufficient access controls [12–15]. These technical shortcomings, combined with limited in-house expertise and constrained budgets, hinder SMEs from effectively securing their IoT infrastructures [16]. Moreover, compliance with emerging regulations such as the European Union's General Data Protection Regulation (GDPR) and the UAE's Federal Personal Data Protection Law (PDPL) further complicates security governance for SMEs.

Several well-known cybersecurity frameworks, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) [17], NIST SP 800-183 [18], ISO/IEC 27005 [19], European Union Agency for Cybersecurity (ENISA) IoT security guidelines [20,21], and the Open Web Application Security Project (OWASP) IoT Project [22], offer valuable guidance for addressing IoT risks. However, these frameworks are often too complex, resource-intensive, or abstract for SMEs to adopt without significant adaptation. Many lack actionable, SME-friendly methodologies or assume levels of organizational maturity not representative of typical small businesses [23,24].

A critical gap exists in the cybersecurity literature: the absence of a risk-based, scalable, and accessible framework that effectively addresses the specific limitations and operational realities of SMEs operating IoT environments. While numerous frameworks exist, most are designed for large enterprises and are ill-suited for small businesses with constrained resources. This study focuses specifically on SMEs that deploy IoT-enabled infrastructure, aiming to support them in managing the growing complexity of IoT-related cybersecurity risks through tailored, resource-aware risk assessment practices.

1.2. Research objectives

This research aims to develop a structured, risk-based framework tailored to the cybersecurity needs of Small and Medium Enterprises (SMEs) operating Internet of Things (IoT) environments. The proposed approach is designed to help SMEs systematically identify, assess, and mitigate IoT-related threats while accounting for their limited technical expertise and financial constraints. Rather than introducing entirely new tools, the framework repurposes and integrates well-established methodologies into a coherent, resource-aware process that SMEs can realistically adopt and sustain.

Rather than introducing novel technical tools, the framework repurposes and streamlines established methods to create a workflow accessible to SMEs with minimal cybersecurity maturity. In doing so, it contributes to the IoT security literature by addressing persistent gaps in the applicability, scalability, and adaptability of existing frameworks for SMEs. This study advances the field in three key dimensions.

First, it emphasizes SME-centricity by grounding the proposed framework in the operational realities of a real-world case study. Unlike enterprise-focused research, this study captures the practical limitations SMEs face, including limited staffing, budget constraints, and fragmented infrastructure. Second, the framework offers a multi-layered integration of essential cybersecurity practices. It links asset classification with STRIDE-based threat modeling, CVSS-informed vulnerability assessment, and Bayesian-driven dynamic risk updates into a coherent, stepwise model. While these components are well-documented individually, their consolidation for SME contexts is novel. Third, the inclusion of Bayesian post-mitigation risk reassessment enables continuous recalibration of threat likelihoods, a feature often absent from SME-targeted frameworks.

This contribution bridges the gap between complex enterprise models and the lightweight, accessible solutions SMEs need, while extending the utility of standards such as ENISA's guidelines [21] and ISO/IEC 27005 [19] by contextualizing them for low-resource environments. Moreover, the value of this research lies in its practical orientation: the proposed framework was tested in a real-world SME, yielding tangible improvements in vulnerability reduction, risk mitigation efficiency, and staff security awareness. In doing so, this study provides a pragmatic and empirically validated model that bridges the gap between complex security theory and implementable practice for SMEs [23,24].

The remainder of this paper is structured as follows. Section 2 reviews existing literature on IoT security and related frameworks, with a focus on challenges specific to SMEs. Section 3 outlines the research methodology, including the case study design and evaluation approach. Section 4 presents the proposed five-step risk-based framework. Section 5 applies the framework to a real-world SME and reports both quantitative results and qualitative feedback. Section 6 discusses the framework's effectiveness, compares it with existing standards, addresses regulatory compliance, and reflects on cost and SME applicability. Section 7 concludes the paper and outlines directions for future work.

2. Literature review

This section reviews the academic and industry literature related to IoT security, with a particular emphasis on the unique challenges faced by SMEs. It also evaluates existing cybersecurity frameworks and their limitations in SME contexts.

2.1. Foundations of IoT security challenges

The cybersecurity implications of IoT adoption have been widely discussed across academic and industry literature, yet challenges specific to SMEs remain underexplored. This section reviews the foundational security concerns of IoT environments and critically examines existing frameworks and their limitations in SME contexts.

The rapid proliferation of Internet of Things (IoT) technologies has ushered in unprecedented levels of interconnectivity, automation, and operational efficiency across a wide range of sectors, including healthcare, manufacturing, logistics, and retail [3]. While this technological advancement offers substantial benefits, it also significantly enlarges the cybersecurity threat surface, introducing complex risks that are both systemic and persistent. As noted by Tawalbeh et al. [9], the decentralized architecture, device-level resource constraints, and protocol heterogeneity inherent in IoT environments collectively give rise to a multi-dimensional security landscape that defies traditional protection models. These concerns are amplified in 5G-enabled IoT deployments, which, as highlighted by Wazid et al. [8], are vulnerable to a combination of legacy threats and emerging attack vectors enabled by increased bandwidth and connectivity.

Fundamental to the cybersecurity discourse surrounding IoT is the difficulty of enforcing the foundational triad of information security: confidentiality, integrity, and availability (C.I.A). Prior research has shown that IoT ecosystems struggle to uphold these principles uniformly due to the diversity of hardware and software platforms and the often-limited computational capacity of devices [12,25]. Compounding this issue are persistent security misconfigurations, such as the widespread use of default credentials, outdated firmware, and unencrypted communication channels, vulnerabilities that remain common despite increased awareness and guidance from sources such as the OWASP IoT Project [22].

The evolution toward Industry 4.0, characterized by the convergence of IoT, cyber-physical systems, and autonomous control, has further accelerated IoT adoption across business domains [26]. However, this shift has also intensified security concerns, particularly for SMEs that lack the organizational maturity, infrastructure, and expertise required to manage these complex systems effectively. Empirical studies consistently emphasize the resulting security and privacy implications, including data leakage, unauthorized system access, and operational disruption [27]. These risks are especially pronounced in SME environments, where cybersecurity preparedness often lags behind technological adoption [28].
2.2. Existing IoT risk assessment frameworks

Multiple frameworks have attempted to codify IoT security risk management, drawing from well-established standards such as ISO/IEC 27005 [19] and NIST's Cybersecurity Framework [18]. While these frameworks provide generic guidance for identifying, assessing, and mitigating risks, their practical applicability to SMEs with limited cybersecurity maturity remains questionable [24].

ENISA [20,21] provides IoT-specific guidance by recommending baseline security controls and governance practices for critical infrastructure. However, its approach tends to be prescriptive and often assumes high organizational maturity and resourcing. Similarly, the NIST SP 800-183 report [17] conceptualizes the "Network of Things," offering terminologies and abstraction layers for risk management but stops short of operationalizing a dynamic risk response model.

Zheng et al. [29] and Queiroz et al. [30] have explored digital transformation frameworks for supply chains and smart manufacturing, respectively, but their emphasis is primarily on strategic alignment and technological enablement rather than actionable risk quantification.

This subsection reviews key frameworks that inform our approach:

• NIST Cybersecurity Framework (CSF) and NIST Special Publication 800-183: The NIST CSF is one of the most widely adopted frameworks for managing cybersecurity risks. It provides a flexible and scalable approach organized into five core functions: Identify, Protect, Detect, Respond, and Recover [17]. While the NIST CSF is comprehensive, its implementation often requires significant resources and expertise, which may be beyond the capacity of many SMEs [23].

• ISO/IEC 27005: ISO/IEC 27005 provides guidelines for information security risk management, emphasizing the importance of risk assessment and treatment [19]. Although it is highly detailed, its complexity and resource-intensive nature make it less accessible for SMEs, particularly those with limited cybersecurity expertise [24].

• OWASP IoT Project: The Open Web Application Security Project (OWASP) IoT Project focuses on identifying and mitigating common vulnerabilities in IoT devices and applications [15,22]. While it offers practical guidance, it lacks a structured risk assessment process, making it difficult for SMEs to prioritize and address risks systematically.

• ENISA IoT Security Guidelines: The European Union Agency for Cybersecurity (ENISA) has developed guidelines for securing IoT ecosystems, covering areas such as device hardening, secure communication, and lifecycle management [21]. However, these guidelines are often too generic and do not provide actionable steps for SMEs with limited technical capabilities.

2.3. Shortcomings in current approaches

Despite the availability of numerous frameworks and guidelines designed to enhance the security of IoT ecosystems [31], a persistent gap remains in their applicability to SMEs. Many of these frameworks were developed with large organizations in mind, requiring considerable technical expertise, financial investment, and operational maturity. As Chidukwani et al. [23] emphasize, most SMEs lack the resources necessary to implement comprehensive cybersecurity programs, making the adoption of existing frameworks impractical without significant adaptation. This challenge is compounded by the complexity and prescriptive nature of these models, which often overwhelm smaller organizations seeking feasible entry points into IoT security.

In addition to resource constraints, SMEs face methodological limitations in the tools commonly used for risk assessment. Czekster et al. [32] point to the rigidity of static risk models, which struggle to accommodate evolving threat landscapes or adjust post-control risk levels based on new evidence. Traditional risk matrices, while widely adopted for their simplicity, have drawn criticism for their reliance on subjective assessments and oversimplified likelihood-impact scoring systems [33]. These models frequently fail to incorporate real-time threat intelligence or context-aware decision-making, which are critical for dynamic and heterogeneous IoT environments.

Emerging approaches involving artificial intelligence (AI) and machine learning (ML) show promise in areas such as anomaly detection and automated vulnerability discovery [4,11,34]. However, such solutions are often opaque, computationally intensive, and dependent on advanced technical skills, barriers that place them out of reach for many SMEs. Research by Kong et al. [35] and Aoudi et al. [36] has advanced intelligent IoT frameworks, yet these too generally assume the availability of enterprise-grade infrastructure and cybersecurity expertise.

Moreover, the fragmented nature of IoT security standards further complicates adoption. Brass et al. [37] and Webb & Hume [38] highlight the lack of harmonized, SME-centric guidance, which results in implementation ambiguities and regulatory compliance challenges. To contextualize these issues, Table 1 summarizes the major limitations of current frameworks when applied to SMEs, including their complexity, scalability issues, and lack of actionable guidance tailored to smaller organizational contexts.

The framework proposed in this study seeks to overcome these challenges by distilling best practices from established standards such as NIST and ISO, and restructuring them into a pragmatic, lightweight, and accessible model. In doing so, it provides SMEs with a pathway to improved IoT security posture that aligns with their operational realities and capacity constraints.

Table 1. Gaps in Existing Frameworks for SMEs.

Gap | Description
Resource Intensity | Frameworks such as NIST CSF and ISO/IEC 27005 require significant financial and technical resources, which are often unavailable to SMEs [24,19].
Complexity | The technical complexity of ISO/IEC 27005 and related standards can be overwhelming for SMEs lacking dedicated cybersecurity teams [23,24].
Lack of IoT-Specific Focus | Frameworks like the OWASP IoT Project address IoT vulnerabilities but do not integrate end-to-end risk assessment and mitigation [15,39].
Scalability Issues | Many existing frameworks assume organizational maturity that SMEs typically do not possess, hindering their applicability [21,24].
Limited Practical Guidance | Most frameworks offer general recommendations but lack detailed, step-by-step guidance tailored to SME operational contexts [23,32,33].

2.4. Theoretical foundation

The formulation of a risk-based framework for securing Internet of Things (IoT) environments in SMEs is anchored in three foundational cybersecurity concepts: risk assessment, threat modeling, and vulnerability analysis. Together, these pillars provide the conceptual structure necessary for systematically identifying, evaluating, and mitigating the unique security challenges that arise in SME-operated IoT ecosystems. This section articulates the theoretical basis for the proposed framework, establishing its relevance and rigor in addressing real-world SME constraints.

Risk assessment is a critical process that enables organizations to identify, analyze, and evaluate risks to their digital assets, operations, and stakeholders [19]. Within the IoT domain, risk assessment facilitates the mapping of potential security threats to specific devices and services, supporting informed decision-making about risk mitigation and resource allocation. The NIST Cybersecurity Framework [18] highlights risk assessment as a central component of a proactive cybersecurity strategy. For SMEs, whose resources are often severely constrained, a well-structured risk assessment process becomes indispensable for prioritizing security efforts and ensuring that the most pressing
vulnerabilities are addressed efficiently.

Threat modeling offers a complementary lens by systematically identifying potential threats based on a system's architecture, interfaces, and usage patterns [40]. Among the most recognized methodologies are STRIDE [41] and PASTA [42]. STRIDE categorizes threats into six archetypes, Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, enabling structured analysis of attack surfaces. In contrast, PASTA adopts a business-aligned, process-driven perspective, aiming to connect technical threats with organizational impact. Both methodologies provide a rigorous basis for uncovering and preemptively addressing IoT-specific threats, including unauthorized access, device manipulation, and data exfiltration.

Vulnerability analysis completes the triad by identifying exploitable weaknesses across the IoT stack, from hardware and firmware to communication protocols and cloud services [43]. Given the diversity and scale of IoT deployments, SMEs often struggle to conduct vulnerability assessments systematically. Tools such as Nessus and OpenVAS offer automated scanning capabilities that facilitate the identification and classification of vulnerabilities, often using metrics like CVSS scores to guide remediation priorities [44]. Nevertheless, the effective use of these tools still requires a framework that contextualizes findings within the operational realities of SMEs.

The integration of these three theoretical domains, risk assessment, threat modeling, and vulnerability analysis, forms the analytical core of the proposed framework. Their synergy enables a comprehensive, end-to-end approach that is both methodologically rigorous and practically adaptable. For instance, asset classification, an essential element of risk assessment, provides the input for targeted threat modeling, which, in turn, informs vulnerability scanning strategies. This layered methodology supports SMEs in navigating complex IoT security landscapes with limited expertise and resources, offering a structured yet flexible model for scalable, cost-effective cybersecurity risk management.

2.5. Probabilistic and Bayesian approaches

The incorporation of probabilistic reasoning into cybersecurity decision-making has gained traction in recent years, particularly in the context of dynamic risk estimation and adaptive threat modeling. Among these approaches, Bayesian inference stands out for its ability to systematically update risk assessments based on new evidence, offering a mathematically grounded mechanism for recalibrating threat likelihoods over time [45]. Despite its demonstrated value in broader cybersecurity contexts, the application of Bayesian methods within IoT-specific risk frameworks remains underexplored, particularly in environments characterized by constrained resources and operational variability, such as SMEs.

Existing literature acknowledges the need for dynamic models capable of responding to the fluidity of IoT threat landscapes. Czekster et al. [32] advocate for adaptive risk models but fall short of articulating concrete implementation pathways that are feasible for SMEs. Similarly, Lee [46] underscores the promise of probabilistic techniques in IoT cybersecurity but highlights their limited uptake in practice, citing challenges such as computational overhead, model complexity, and the lack of accessible tooling to support real-time updates.

A critical shortfall in current frameworks is the absence of structured post-control risk reassessment. Once security controls, such as patch deployment or network segmentation, are implemented, most models fail to revise the underlying threat likelihoods accordingly. This omission can lead to persistent overestimation or underestimation of risk, resulting in inefficient allocation of limited security resources. ENISA [21] and empirical investigations such as Younis et al. [2] reinforce the importance of continuous reassessment to maintain alignment between perceived and actual risk postures.

Bayesian models offer a theoretically robust solution to this problem by enabling the integration of prior risk estimates with real-time evidence (e.g., vulnerability scan results, threat intelligence, or behavioral anomalies). This capacity for ongoing refinement makes Bayesian inference especially relevant in IoT ecosystems, where device configurations, exposure profiles, and threat landscapes are in constant flux. However, despite its suitability, Bayesian modeling remains largely absent in SME-oriented IoT security literature, underscoring a significant and timely gap that this study seeks to address through its proposed framework.

2.6. Integrating threat modeling and vulnerability scanning

Structured threat modeling and automated vulnerability assessment represent two foundational components of modern cybersecurity practices. Among threat modeling methodologies, the STRIDE framework has emerged as a widely accepted standard due to its systematic taxonomy, encompassing Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, and its alignment with system-level architectural analysis [40–42]. Despite its conceptual strengths, the operational deployment of STRIDE remains largely limited to organizations with mature secure development lifecycles, rendering it inaccessible to many SMEs that lack formalized security engineering practices.

Parallel to threat modeling, vulnerability scanning tools such as Nessus [43] and OpenVAS [44] provide powerful means for identifying known security flaws, misconfigurations, and software weaknesses. These tools generate Common Vulnerability Scoring System (CVSS)-based severity ratings, offering actionable insights for technical remediation. However, as Neshenko et al. [39] observe, these tools are frequently underutilized in SME contexts, not due to a lack of relevance, but because their outputs are rarely integrated into broader, dynamic risk evaluation frameworks. In SMEs, where security decisions must often be made with minimal human oversight and limited technical capacity, such disconnection diminishes the practical value of vulnerability data.

Case-specific studies by Fernandes et al. [14] and Cherian and Varma [13] illustrate isolated applications of threat analysis in environments such as smart homes and SDN-based IoT networks. While valuable in highlighting device-specific risks, these contributions remain narrowly focused and lack generalizable, system-level integration. More critically, they do not account for the potential of combining threat modeling and vulnerability data with probabilistic risk updating, such as Bayesian inference, to inform risk prioritization and post-control reassessment.

There remains, therefore, a notable gap in current literature and practice: the absence of a unified, SME-oriented framework that systematically links structured threat modeling (e.g., STRIDE), automated vulnerability scanning (e.g., Nessus, OpenVAS), and dynamic risk quantification. This study addresses that gap by proposing an integrated methodology that operationalizes these elements into a cohesive workflow tailored to the constraints and capabilities of SME environments.

3. Methodology

This section outlines the research design used to develop and validate the proposed framework. A sequential mixed-methods approach is adopted, combining theoretical integration with case-based evaluation.

3.1. Research design

The goal of this study is to develop and validate a cybersecurity risk management framework tailored to the needs and constraints of SMEs adopting IoT technologies. To ensure methodological rigor and practical relevance, a sequential mixed-methods design was adopted. This approach combines qualitative and quantitative data collection and analysis in a phased sequence, where the qualitative phase informs the quantitative one, an established design in applied security research [47,48].
As illustrated in Fig. 1, the study follows a two-phase structure grounded in pragmatic philosophy and a deductive research strategy. The pragmatic stance prioritizes actionable, real-world solutions over rigid adherence to a single philosophical paradigm, allowing for methodological flexibility and contextual adaptation [49]. The deductive approach supports theory-driven framework development, followed by empirical validation.

Phase 1 centers on framework development, which forms the primary contribution of this study. Drawing from ISO/IEC 27005 [19], the NIST Cybersecurity Framework [17], and threat modeling strategies such as STRIDE and PASTA [41,42], this phase involved synthesizing best practices into a lightweight, five-step process appropriate for resource-constrained SMEs. This structured integration offers a novel contribution by operationalizing concepts such as CVSS-based vulnerability scoring and Bayesian risk updating within an accessible, implementation-ready format. The uniqueness of this integration lies in its combination of STRIDE-based threat modeling, CVSS-driven vulnerability scoring, and Bayesian updating into a cohesive workflow that enables SMEs to perform dynamic risk prioritization using lightweight, resource-aware processes.

Phase 2 focuses on framework validation, conducted through a single-case study in a real-world SME. This phase triangulates data from stakeholder interviews, vulnerability scans, and document analysis to assess the framework's usability, scalability, and effectiveness in improving cybersecurity posture. This design ensures that the framework is not only theoretically grounded but also contextually feasible and adaptable for small business environments.

Together, these phases are underpinned by a unified research design grounded in three foundational elements: pragmatism, deductive logic, and a sequential mixed-methods strategy. Pragmatism emphasizes practical, real-world outcomes over strict epistemological adherence, an essential stance when addressing the operational constraints of SMEs. The deductive approach enables theory-driven framework construction, which is then empirically validated through real-world application. Finally, the sequential mixed-methods strategy allows qualitative insights to shape the development of the framework in Phase 1, while quantitative evaluation in Phase 2 ensures measurable impact. These guiding principles shaped both the structure and execution of the study, as illustrated in Fig. 1.

Fig. 1. Research Design.

3.1.1. Phase 1: framework development

The initial phase of this research focuses on the design of a structured, risk-based cybersecurity framework tailored to the specific constraints and operational realities of SMEs. To inform this development, a systematic review was conducted encompassing existing IoT security frameworks, risk assessment methodologies, and documented SME-specific security challenges [50]. This review served not only to map the current state of practice but also to identify key gaps in applicability, usability, and scalability that constrain existing solutions in SME environments.

The proposed framework does not introduce novel security mechanisms. Instead, it synthesizes established methodologies into an integrated, coherent structure optimized for resource-limited organizations. It draws from recognized standards such as the NIST Cybersecurity Framework (CSF) [17] and ISO/IEC 27005 [19] for risk assessment, while employing threat modeling techniques like STRIDE [40] and PASTA [41] to systematically identify and categorize threats. These components are combined to form a pragmatic, stepwise process that lowers the entry barrier for SMEs seeking to enhance their cybersecurity posture.
S. Aoudi and H. Al-Aqrabi Computer Standards & Interfaces 97 (2026) 104099
The resulting framework consists of five interlinked components:

1. Asset Classification: Systematic identification and categorization of IoT assets based on business criticality and functional dependencies.
2. Threat Modeling: Application of STRIDE and PASTA to analyze potential attack vectors and system vulnerabilities.
3. Vulnerability Assessment: Technical analysis of system weaknesses using industry-standard tools such as Nessus and OpenVAS.
4. Risk Prioritization: Development of a context-aware risk matrix that accounts for both likelihood and business impact, tailored to SME constraints.
5. Mitigation Strategies: Selection of cost-effective and scalable security controls, including technical (e.g., encryption, access control) and procedural (e.g., regular patching) safeguards.

3.1.2. Phase 2: framework validation
The second phase involves empirical validation of the proposed framework through a single-case study conducted in a real-world SME setting. This qualitative-quantitative design enables the evaluation of the framework's practical relevance, scalability, and impact under authentic operational constraints. The case study subject, Lilac Studio, is a Dubai-based SME operating in the retail sector. It was selected using purposive sampling based on three criteria: (1) active use of IoT technologies, (2) resource limitations typical of SMEs, and (3) willingness to participate in comprehensive evaluation procedures [51].

Data collection in this phase employed triangulated methods to enhance reliability and capture multidimensional insights:

• Semi-structured interviews were conducted with six SME stakeholders, including two business owners, two IT personnel, and two operational staff, all based in the United Arab Emirates. While the sample size is small, it reflects key functional roles commonly found in SMEs and provides a representative cross-section of perspectives within the organization. The findings are contextually relevant for other SMEs operating in sectors such as retail, logistics, and hospitality, which share similar IoT adoption patterns and cybersecurity constraints.
• Vulnerability scanning was performed using Nessus and OpenVAS before and after framework implementation, providing objective metrics on system-level improvements.
• Document analysis of internal security policies and historical incident reports was conducted to establish a baseline and track procedural enhancements.

This multi-source approach ensures that the framework's effectiveness is evaluated both technically and operationally, supporting its practical relevance and broader applicability to similarly structured SMEs.

While the single-case design enables deep contextual analysis, it inherently limits the generalizability of the findings to other SME settings or industry domains. The selected case represents a typical example of a digitally enabled SME in a resource-constrained environment, but further validation across multiple organizations and sectors is needed to confirm the framework's broader applicability. This limitation is acknowledged as a trade-off for depth and realism in early-phase framework evaluation.

3.2. Ethical considerations and limitations
This study was conducted in strict accordance with established ethical research protocols, with particular attention to the principles of informed consent, participant confidentiality, and data anonymization [47]. All participants involved in interviews and data collection activities were fully briefed on the study's objectives, procedures, and their rights, including the right to withdraw at any point without consequence. Written informed consent was obtained prior to participation. To protect the integrity and privacy of sensitive organizational data, all collected information was anonymized and securely stored on encrypted systems, with access restricted to the research team.

Despite its contributions, the study is subject to several methodological limitations that warrant consideration. First, the use of a single-case study design, although well-suited to in-depth, context-specific exploration, may limit the generalizability of the findings to other SME contexts or industry sectors. While the selected case is representative of many SME characteristics, broader validation across diverse organizational settings is necessary to strengthen external validity.

Second, a portion of the data collected, particularly through stakeholder interviews, is self-reported, and thus potentially subject to biases such as recall error or social desirability. However, these limitations were mitigated through methodological triangulation, including the integration of quantitative vulnerability scan data and document analysis. This multi-source validation strategy enhances the credibility of the findings and supports a more holistic understanding of the framework's effectiveness.

Overall, while recognizing its constraints, the study is designed with sufficient methodological rigor to ensure reliability and relevance. These limitations also offer pathways for future research, particularly in extending validation efforts to additional SMEs and industry domains.

4. Proposed framework
This section introduces the five-step IoT risk-based framework developed specifically for SMEs. Each component of the framework is discussed in detail, emphasizing practical implementation and scalability.

4.1. Overview
This section introduces the proposed risk-based IoT security framework, which builds on insights from prior research and established industry practices. Designed specifically for SMEs, the framework systematically addresses the unique cybersecurity challenges that arise in managing IoT environments. SMEs are particularly susceptible to IoT-related threats due to constrained budgets, fragmented infrastructure, and limited in-house expertise. To address these realities, the framework provides a structured yet accessible approach that strengthens security without introducing unnecessary complexity or financial burden.

The framework comprises five sequential steps: asset classification, threat modeling, vulnerability assessment, risk prioritization, and mitigation planning. Each step builds on the preceding one, ensuring a logical and scalable progression toward comprehensive risk management. These components are elaborated in detail in Section 4.2, with emphasis on real-world applicability, cost-effectiveness, and compatibility with SME operational models.

By consolidating established cybersecurity practices, such as those found in the NIST Cybersecurity Framework and ISO/IEC 27005, into a streamlined and integrated process, the framework combines theoretical rigor with practical usability. It enables SMEs to identify critical assets, assess threats, quantify risks, and implement appropriate mitigation strategies, all while remaining within realistic operational and resource boundaries. Unlike traditional frameworks that treat these components in isolation, this framework uniquely fuses STRIDE, CVSS, and Bayesian inference into a continuous cycle, supporting iterative risk reassessment as new evidence emerges.

4.2. Process
The operational logic of the proposed framework is realized through five interlinked stages that guide SMEs through the identification, evaluation, and mitigation of IoT security risks. Each step balances methodological precision with operational feasibility, allowing implementation by teams with limited cybersecurity expertise.
Fig. 2 illustrates the five-step IoT security risk framework, presenting each component in a sequential, SME-friendly format. This visual representation supports structured implementation by mapping the flow from asset identification to final mitigation.

Risk prioritization within the framework is further operationalized through Algorithm 1, which presents a lightweight, resource-aware approach for ranking threats based on likelihood, impact, and feasibility of mitigation. The algorithm integrates static scoring and, where applicable, Bayesian inference to support dynamic risk recalibration.

1. Asset Classification: The process begins with the identification and categorization of IoT assets based on their criticality to core business operations. This step creates a foundational asset inventory and establishes dependencies, which are essential for contextualizing subsequent risk assessments. The asset classification process follows a structured algorithm designed specifically for SMEs, which accounts for device criticality, functional dependencies, and data sensitivity. The steps are detailed in Algorithm 2 in Appendix A.
2. Threat Modeling: Leveraging established methodologies such as STRIDE, organizations systematically map threat categories to identified assets. This process uncovers potential attack vectors and anticipates their business impacts. The application of STRIDE for threat modeling is guided by a structured procedure adapted for SME environments. The detailed steps are outlined in Algorithm 3 in Appendix A.
3. Vulnerability Assessment: Automated scanning tools such as Nessus and OpenVAS are employed to detect known vulnerabilities across device, network, and software layers. The results are augmented by CVSS-based exploitability scores, yielding actionable insights for remediation. The vulnerability assessment process is carried out using a three-stage procedure that includes automated scanning and optional penetration testing, tailored to SME capacity. This process is described in Algorithm 4 in Appendix A, while tool-specific configurations are detailed in Appendix B.
4. Risk Prioritization: Identified threats and vulnerabilities are evaluated using a custom risk matrix that considers likelihood, business impact, and resource constraints. For SMEs with access to advanced data, Bayesian inference can be used to dynamically update risk levels based on new evidence, providing a more accurate and responsive prioritization model.
5. Mitigation Planning: Based on the prioritized risks, SMEs implement cost-effective and scalable controls such as firmware updates, network segmentation, access control mechanisms, or employee training. These mitigation actions are aligned with organizational capacity and regulatory requirements (e.g., GDPR Article 32 and the UAE PDPL), ensuring both compliance and operational fit. Associated cost and effort estimates are provided in Appendix C.

A core strength of the framework lies in its resource-aware risk prioritization mechanism, which enables SMEs to direct limited efforts toward the most critical risks. This process is operationalized through a lightweight algorithm that computes a risk score for each threat using impact and likelihood metrics. Where available, Bayesian scoring replaces subjective estimations to enhance accuracy. The algorithm filters threats through a resource constraint lens, selecting only those for which mitigation is feasible within the SME's available capacity.

This algorithm enables SMEs to focus their limited resources on mitigating the highest-priority threats. The incorporation of Bayesian inference allows for dynamic recalibration of risk scores as new data becomes available, ensuring that the framework remains both adaptive and aligned with the evolving threat landscape.

4.3. Scalability and adaptability
A key strength of the proposed framework lies in its adaptability across a wide range of SME IoT contexts. Recognizing that IoT implementations vary in scale, complexity, and purpose even within the SME segment, the framework is designed to be modular and context-aware. It enables SMEs to tailor adoption based on their existing infrastructure, technical maturity, and regulatory requirements, while maintaining alignment with core risk management principles.

Rather than attempting to generalize across all industry sectors, the framework is explicitly focused on IoT-enabled SMEs, particularly those deploying connected devices for operational monitoring, automation, or service delivery. These include SMEs in retail, logistics, and light industrial settings, domains where IoT adoption is growing and where SMEs remain key stakeholders.

The framework also supports adaptation along two practical dimensions:

• Maturity-Based Adaptations: SMEs with limited technical capacity can adopt a lightweight implementation by prioritizing essential steps such as asset classification and risk assessment using default STRIDE and CVSS templates. More mature SMEs can integrate advanced tools, including Bayesian updating and automated vulnerability scanning, for deeper security insights.
• Regulatory Adaptability: The framework is compatible with jurisdiction-specific compliance mandates. For example, SMEs operating in the European Union can incorporate GDPR-aligned safeguards, while those in the UAE can tailor their implementation to meet the requirements of the Federal Personal Data Protection Law (PDPL).

By focusing on IoT-reliant SMEs and enabling scaling based on operational maturity and legal context, the framework offers a proportionate and sustainable approach to risk management without overextending its intended scope.

The framework is further supported by a practical and reusable toolset tailored to the constraints of IoT-enabled SMEs. It incorporates widely recognized methodologies and tools, including STRIDE for threat modeling, Nessus Essentials and OpenVAS for vulnerability assessment, CVSS v3.1 calculators for risk quantification, and optional Bayesian

Fig. 2. Five-Step IoT Security Risk Framework for SMEs.
Algorithm 1
Risk Prioritization for IoT Systems in SMEs.
Require: Threat list T, Vulnerability set V, Asset inventory A, Resource constraints R. Optional: Bayesian posterior probabilities P(t|E)
Ensure: Prioritized threat list P
1: P ← ∅
2: for all threat t ∈ T do
3:   Retrieve associated asset a ∈ A
4:   if Bayesian scoring available then
5:     L(t) ← P(t|E)
6:   else
7:     Assign likelihood L(t) ∈ {1, 2, 3}  ▹ Low, Medium, High
8:   end if
9:   Assign impact I(t) ∈ {1, 2, 3} from asset criticality
10:  Compute risk score R(t) ← L(t) × I(t)
11: end for
12: Sort T in descending order of R(t)
13: for all threat t ∈ T do
14:  Estimate mitigation effort E(t) (cost or hours)
15:  if E(t) ≤ R then
16:    Add t to P
17:    R ← R − E(t)
18:  end if
19: end for
20: return P
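Algorithm 1 above, implemented as an added Python example (this is not code from the paper or the case study). The threat list reuses the STRIDE categories from the case study's Table 3, but the impact, likelihood and effort values and the budget are constructed for illustration.

```python
"""Algorithm 1 (resource-aware risk prioritization) as an added Python
example. The threat list and effort figures are constructed for
illustration; they are not measurements from the paper's case study."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Threat:
    name: str
    asset: str                          # associated asset a in A (line 3)
    impact: int                         # I(t) in {1, 2, 3}, from asset criticality (line 9)
    static_likelihood: int              # L(t) in {1, 2, 3}: Low, Medium, High (line 7)
    effort: float                       # E(t): estimated mitigation cost or hours (line 14)
    posterior: Optional[float] = None   # P(t|E) when Bayesian scoring is available (line 5)
    risk: float = field(default=0.0, init=False)   # R(t), filled in by score_threats


def likelihood(t: Threat) -> float:
    """Lines 4-8: the Bayesian posterior replaces the ordinal estimate when
    it is available. Caveat: P(t|E) lies in [0, 1] while the static scale is
    {1, 2, 3}, so one run should use a single scheme for all threats; mixing
    them systematically deflates the Bayesian-scored threats in the ranking."""
    if t.posterior is not None:
        if not 0.0 <= t.posterior <= 1.0:
            raise ValueError(f"posterior for {t.name} must be a probability")
        return t.posterior
    if t.static_likelihood not in (1, 2, 3):
        raise ValueError(f"static likelihood for {t.name} must be 1, 2 or 3")
    return float(t.static_likelihood)


def score_threats(threats: List[Threat]) -> List[Threat]:
    """Lines 2-12: R(t) = L(t) x I(t), then sort in descending order of R(t).
    sorted() is stable, so threats with equal scores keep their input order."""
    for t in threats:
        if t.impact not in (1, 2, 3):
            raise ValueError(f"impact for {t.name} must be 1, 2 or 3")
        t.risk = likelihood(t) * t.impact
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def prioritize(threats: List[Threat], budget: float) -> Tuple[List[Threat], float]:
    """Lines 13-20: walk the ranked list and admit a threat only while its
    mitigation effort fits the remaining budget R. This is a greedy pass, not
    a knapsack solution: a cheap low-risk threat can still be admitted after
    a costlier higher-risk one has been skipped, as the sample run shows."""
    remaining = budget
    prioritized: List[Threat] = []
    for t in score_threats(threats):
        if t.effort <= remaining:
            prioritized.append(t)
            remaining -= t.effort
    return prioritized, remaining


def sample_threats() -> List[Threat]:
    """Constructed input: STRIDE threats from the case study's Table 3 with
    hypothetical impact, likelihood and effort (hours) values."""
    return [
        Threat("Elevation of privilege", "IoT Gateway", 3, 3, 8.0),
        Threat("Denial of service", "IoT Gateway", 3, 2, 4.0),
        Threat("Tampering", "PoS Terminal", 3, 2, 6.0),
        Threat("Information disclosure", "Surveillance Cameras", 2, 3, 5.0),
        Threat("Spoofing", "Smart Inventory Sensors", 2, 1, 2.0),
    ]


if __name__ == "__main__":
    # With a 16-hour budget the greedy pass admits the 9-point and one 6-point
    # threat, skips the two remaining 6-point threats, and then admits the
    # 2-point threat because it still fits.
    selected, left = prioritize(sample_threats(), budget=16.0)
    for t in selected:
        print(f"R={t.risk:<4} {t.asset:<24} {t.name} (effort {t.effort})")
    print(f"unallocated budget: {left}")
```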
inference scripts for post-mitigation risk updating. All components are either open-source or available under free/community licenses, making them accessible and cost-effective for resource-constrained organizations while ensuring methodological rigor.

4.4. Cost effectiveness
The proposed framework has been intentionally designed with cost efficiency as a core principle, acknowledging the significant financial and technical constraints that characterize many SMEs. In contrast to enterprise-grade security models that often require substantial investments in personnel, infrastructure, and proprietary technologies, this framework offers a practical and economically viable pathway for enhancing IoT cybersecurity in resource-constrained environments. Several interrelated features contribute to its cost-effectiveness:

• Use of Readily Available and Open-Source Tools: The framework emphasizes reliance on established, freely accessible resources, such as Nessus Essentials, OpenVAS, and CVSS calculators, thereby eliminating the need for costly commercial solutions or vendor lock-in. This approach significantly reduces implementation costs while maintaining analytical rigor.
• Scalability and Incremental Adoption: The framework supports modular deployment, allowing SMEs to implement core components, such as asset classification and basic threat modeling, before gradually expanding to include more sophisticated elements like Bayesian-based risk updating. This progressive rollout aligns with variable budget cycles and evolving security maturity.
• Risk-Based Prioritization: By incorporating a customized risk prioritization algorithm, the framework ensures that security investments are directed toward the most critical threats and vulnerabilities. This targeted approach enhances return on investment by aligning mitigation efforts with business-critical assets and realistic threat likelihoods.
• Operational Simplicity: The framework is designed to be intuitive and accessible, requiring minimal cybersecurity expertise to deploy. SMEs can follow structured processes and algorithmic guidance without needing to hire specialized security consultants or establish dedicated SOC teams.
• Structured Methodology: Its clear, step-by-step architecture reduces ambiguity and streamlines implementation. This structure helps SMEs avoid ad hoc security practices and fosters consistent risk management practices over time.

In sum, the framework offers a cost-effective, scalable, and technically feasible solution for SMEs seeking to secure their IoT ecosystems. By integrating essential components, asset classification, threat modeling, vulnerability assessment, risk prioritization, and mitigation planning, it provides a structured and context-sensitive approach that accommodates the diverse capabilities and constraints of SME environments. Its emphasis on affordability, adaptability, and operational clarity makes it especially valuable in an era of rapidly expanding IoT adoption among smaller organizations.

5. Case study
To evaluate the proposed framework, a case study was conducted in a real-world SME environment. This section details the application process, observed results, and validation methodology.

5.1. SME profile
Lilac Studio is a Dubai-based SME operating in the retail sector, specializing in curated lifestyle products such as celebration robes, personalized accessories, and gift boxes. The company employs a hybrid operational model, combining a physical storefront located in a commercial retail complex with an e-commerce platform that serves regional customers across the United Arab Emirates. To streamline operations and enhance the customer experience, Lilac Studio has adopted several Internet of Things (IoT) technologies, including smart inventory sensors, Wi-Fi-enabled point-of-sale (PoS) systems, and mobile-connected surveillance cameras.

These IoT-enabled systems support real-time inventory tracking, efficient transaction processing, and continuous physical security monitoring, illustrating the increasing digitalization of operational workflows even within small retail environments. However, despite its growing technological footprint, Lilac Studio operates with minimal internal IT staffing and a modest cybersecurity budget, consistent with the broader profile of resource-constrained SMEs.

This juxtaposition of digital dependency and limited cybersecurity maturity renders Lilac Studio an ideal testbed for evaluating the proposed IoT risk management framework. The case study captures the typical challenges faced by SMEs attempting to secure complex, interconnected systems in the absence of dedicated security personnel or advanced infrastructure. As such, it provides a realistic and relevant context for assessing the framework's applicability, usability, and effectiveness in achieving measurable improvements in cybersecurity posture.
5.2. Application of the framework
The proposed risk-based framework was applied to Lilac Studio's IoT environment to evaluate its practicality and impact in a real-world SME context. The implementation followed the framework's five core components: asset classification, threat modeling, vulnerability assessment, risk prioritization, and mitigation planning.

5.2.1. Asset classification
The first step involved identifying and categorizing the organization's IoT assets based on their criticality to business operations, the sensitivity of data processed, and integration with other digital systems. Asset value scores, ranging from 1 (low importance) to 10 (critical), were determined through consultations with the operations manager, sales personnel, and a brief technical audit. These scores provide the foundation for subsequent threat analysis and risk prioritization. The identified IoT assets were categorized based on their business criticality, functional roles, and interdependencies, as shown in Table 2.

Table 2
IoT Asset Classification.
IoT Asset | Description | Value Score
Smart Inventory Sensors | Tracks stock levels and updates in real-time | 8
Cloud-Connected PoS | Handles transactions and customer payments | 9
Surveillance Cameras | Monitors physical store remotely | 6
E-Commerce Platform | Customer ordering | 10
IoT Gateway/Router | Connects all devices to central network | 9

5.2.2. Threat modeling
Using the STRIDE methodology, each asset was evaluated to identify potential threat types, enabling a structured assessment of the organization's attack surface. STRIDE threats were mapped to each asset to anticipate likely exploitation scenarios and their associated business impacts. The results of this mapping are presented in Table 3, which aligns each asset with its corresponding threat categories based on architectural vulnerabilities and exposure vectors.

Table 3
Threat Modeling (STRIDE).
Asset | Threats Identified
Smart Inventory Sensors | Spoofing, Information Disclosure
PoS Terminal | Elevation of Privilege, Tampering, Repudiation
Surveillance Cameras | Information Disclosure, Denial of Service
E-Commerce Platform | Spoofing, Tampering, Information Disclosure
IoT Gateway | Denial of Service, Elevation of Privilege

5.2.3. Vulnerability assessment
Comprehensive vulnerability scans were conducted using OpenVAS and Nessus Essentials across all five IoT-enabled assets. The assessment uncovered 19 vulnerabilities, categorized using CVSS v3.1 severity ratings. These included 5 critical vulnerabilities, such as remote code execution flaws in surveillance firmware and exposed default credentials on the IoT gateway, along with additional high, medium, and low severity issues. The distribution and examples of identified vulnerabilities across severity levels are summarized in Table 4.

See Appendix B for the scan setup, plugin families used, and representative CVSS vectors.

Table 4
Severity Distribution.
CVSS Severity | Vulnerability Examples | Count
Critical | IoT Gateway default credentials, firmware RCE | 5
High | SQLi on PoS, weak TLS/SSL ciphers | 8
Medium | Input validation flaws | 4
Low | Weak password policy, missing headers | 2

5.2.4. Risk prioritization
To determine which threats warranted immediate mitigation, a structured risk scoring model was applied. Each asset's value score was multiplied by the CVSS-based likelihood estimate of exploitation, producing a static risk score. The resulting calculations and classifications are presented in Table 5, which shows the risk levels for the most business-critical assets based on static risk scoring.

$$\text{Static Risk Score}_{i,j} = V(a_j)\, L(t_i) \tag{1}$$

Where:

• V(a_j): Asset value score for asset a_j
• L(t_i): Likelihood of threat t_i, derived from CVSS or other metrics

Table 5
Static Risk Scores.
Asset | Value Score | Likelihood | Static Risk Score
Surveillance Cameras | 6 | 8.5 | 51.0
PoS Terminal | 9 | 7.2 | 64.8
IoT Gateway | 9 | 9.0 | 81.0
Note: The likelihood is CVSS-derived.

Each threat is evaluated using a standard risk scoring formula:

$$R = L \times I \tag{2}$$

where R represents the overall risk score, L denotes the likelihood of threat occurrence (rated as 1 = low, 2 = medium, 3 = high), and I represents the potential business impact (1 = minor, 2 = significant, 3 = critical). This simple but effective method allows SMEs to rank threats based on operational severity, forming the foundation for prioritized mitigation planning.

Risks were then categorized using a simple 3-tier model:

• Low (0–15)
• Medium (16–40)
• High (41–100)

The risk categorization thresholds were defined using expert judgment and SME-specific resource constraints. This approach is consistent with ISO/IEC 27005 guidance [19] and ENISA recommendations [21], both of which support context-aware, non-uniform risk boundaries based on operational impact, resource availability, and business risk tolerance. In resource-constrained environments like SMEs, risk prioritization emphasizes operational feasibility over statistical uniformity, allowing high-impact threats to be surfaced more aggressively even if scoring intervals are uneven.

This prioritization ensured that mitigation strategies targeted the most business-critical vulnerabilities, particularly those impacting customer data and payment infrastructure. Lower-risk assets were incorporated into a secondary mitigation schedule based on resource availability.

5.2.5. Mitigation strategies
Based on the risk assessment results, tailored mitigation strategies were developed for each high-risk asset class. These controls address both hardware and software vulnerabilities, including application-level issues such as unpatched content management systems (CMS) and
insecure APIs. The mitigation efforts prioritize technical feasibility, cost-efficiency, and regulatory alignment with data protection requirements such as the GDPR and UAE PDPL.

Table 6 below summarizes the selected mitigation actions, grouped by asset:

Table 6
Asset-Specific Mitigation Strategies Addressing Hardware and Software Threats.
Asset | Identified Threats/Vulnerabilities | Mitigation Strategies
Surveillance Cameras | Remote code execution (RCE), default credentials, unencrypted streams | Apply latest firmware updates to patch RCE flaws; disable remote admin access; enable TLS for video feeds
PoS Terminal | SQL injection, lack of input validation, insecure API connections | Implement server-side input validation and sanitization; deploy a Web Application Firewall (WAF); enforce HTTPS and secure API keys
IoT Gateway | Default login credentials, open ports, weak authentication | Replace default credentials with unique strong passwords; enable multi-factor authentication (MFA); implement network segmentation
E-Commerce Platform | Unpatched CMS, exposed admin panel, insecure session management | Regularly update CMS plugins and core; restrict admin access by IP and enforce MFA; implement secure cookie settings and session timeout
Smart Inventory Sensors | Lack of authentication, spoofing risk, insecure data transmission | Enforce mutual authentication between sensors and gateway; encrypt data in transit (TLS); configure MAC address whitelisting

These mitigation controls were selected to balance impact severity with implementation complexity, ensuring that the organization could address the most critical vulnerabilities within its operational capacity. Where possible, open-source tools and existing infrastructure were leveraged to minimize cost. All actions were documented to support audit readiness and regulatory compliance.

5.3. Probabilistic risk modeling using probability
To overcome the rigidity of static risk matrices, the framework incorporates Bayesian inference to revise likelihood estimates based on post-control conditions. For example, after firmware updates were applied to the surveillance cameras, the likelihood of successful exploitation dropped significantly. Bayes' Theorem for Posterior Likelihood:

$$P(t_i \mid E) = \frac{P(E \mid t_i)\, P(t_i)}{P(E)} \tag{3}$$

Bayesian-adjusted risk score:

$$\text{Bayesian Risk Score}_{i,j} = V(a_j) \times P(t_i \mid E) \tag{4}$$

Where:

• P(t_i): Prior probability of threat t_i
• P(E|t_i): Likelihood of observing evidence E given t_i
• P(t_i|E): Updated probability after evidence is collected
• V(a_j): Asset value, same as before

The results of applying Bayesian inference to adjust threat likelihoods based on post-control evidence are presented in Table 7, which illustrates the resulting risk score reductions across key IoT assets. Full scoring examples and base vector configurations are included in Appendix B.

Table 7
Bayesian-Adjusted Risk Scores.
Asset | Value Score | Posterior Likelihood | Bayesian Risk Score
Surveillance Cameras | 6 | 2.0 | 12.0
PoS Terminal | 9 | 4.0 | 36.0
IoT Gateway | 9 | 3.0 | 27.0

5.3.1. Integration with the framework
The Bayesian risk model is integrated into the proposed framework as a second-stage enhancement, augmenting the initial static risk matrix with dynamic, evidence-driven recalibration. While the qualitative matrix offers an accessible entry point for SMEs, particularly during early-stage assessments, its static nature limits responsiveness to real-time changes in threat conditions. The Bayesian component addresses this limitation by introducing probabilistic updating, enabling SMEs to refine risk estimates as new evidence becomes available (e.g., via scanner logs, incident reports, or patch records).

Recommended Implementation Flow:

1. Initial Risk Matrix: Risk scores are calculated based on static likelihood-impact assessments, typically using CVSS data and asset value scores.
2. Evidence Collection: SMEs gather new data from system logs, vulnerability scanners, and update records that inform post-control conditions.
3. Bayesian Update: Posterior threat probabilities are computed using Bayes' Theorem, allowing likelihood scores to reflect real-world changes.
4. Reprioritized Mitigation: Updated risk scores guide resource reallocation, shifting focus to residual or emerging risks.

This probabilistic integration enhances cost efficiency, as SMEs avoid overspending on already mitigated threats. It also improves agility, enabling organizations to shift posture without complex reengineering or external consultation. From a usability perspective, the model is designed to function with basic spreadsheet tools or lightweight scripts, making it feasible for SMEs with limited technical resources. Together, the static matrix and Bayesian model offer a scalable, hybrid approach, starting with simplicity and evolving into adaptive precision as operational maturity improves.

5.3.2. Deriving Bayesian parameters in practice
Applying Bayesian inference in the context of an SME, such as Lilac Studio, involves translating observable operational indicators and domain knowledge into probability estimates. The key components of Bayes' Theorem, prior probability, evidence, likelihood, and marginal probability, are derived as follows:

• Prior Probability P(t_i): Represents the baseline likelihood of a specific threat. In this case, Lilac Studio assigns a prior probability of 0.3 to a Denial-of-Service (DoS) attack on its IoT gateway, based on historical latency issues and sector-specific threat intelligence.
• Evidence E: The new observation that may indicate an active threat. Lilac Studio identifies increased traffic volume and repeated port scanning attempts from untrusted IP addresses during business hours.
• Likelihood P(E|t_i): The probability of observing this evidence if the threat (T) is actually occurring. Drawing from industry reports, 80 % of confirmed DoS attacks are preceded by similar traffic anomalies, giving P(E|T) = 0.80.
• Marginal Probability P(E): The overall chance of seeing the observed anomaly, regardless of whether a DoS attack is underway. Historical logs suggest such events occur approximately 40 % of the time, resulting in P(E) = 0.40.

Applying Bayes' Theorem:

$$P(t_i \mid E) = \frac{P(E \mid t_i)\, P(t_i)}{P(E)} = \frac{0.8 \times 0.3}{0.4} = 0.6 \qquad (5)$$

• Interpretation: After incorporating real-time evidence, the probability of an active DoS attack increases from 0.30 (prior) to 0.60 (posterior). This represents a substantial escalation in risk perception.
• Use in Framework: The updated posterior probability (0.60) replaces the static likelihood score in the risk calculation formula. For instance, for the IoT gateway, with an asset value of 9:

$$\text{Bayesian Risk Score}_{i,j} = V(a_j) \times P(t_i \mid E) = 9 \times 0.6 = 5.4 \qquad (6)$$

This revised score, compared to a pre-mitigation score of 81.0 (static risk based on likelihood 9.0), demonstrates a quantifiable reduction in perceived risk due to implemented controls and new contextual evidence. The use of historical cases such as the Mirai botnet [52] further validates the approach, as they illustrate the real-world plausibility of IoT devices being exploited in DoS attacks. Such precedents justify assigning elevated prior probabilities in similar contexts.

5.4. Quantitative and qualitative results

To empirically evaluate the effectiveness of the proposed risk-based framework, two full-spectrum vulnerability scans were conducted, one prior to the implementation of mitigation strategies and another after the controls were applied. Scanning was performed using both Nessus Essentials and OpenVAS, covering the same five IoT-enabled assets. All results were analyzed and categorized in accordance with the Common Vulnerability Scoring System (CVSS) v3.1, ensuring consistency and comparability.

5.4.1. Pre-implementation vulnerability scan

The initial vulnerability scan identified 19 total vulnerabilities across critical IoT assets, with severity levels ranging from low to critical. Notable weaknesses included default administrative credentials, outdated firmware, and SQL injection flaws. These findings are quantified by severity level and summarized in Table 7, which highlights the scope of exposure prior to the implementation of mitigation strategies.

5.4.2. Post-implementation vulnerability scan

Following the mitigation efforts, a second vulnerability scan revealed a marked reduction in total and high-severity vulnerabilities. The comparative results between pre- and post-mitigation periods, including percent change in each category, are detailed in Table 8, illustrating the framework's measurable impact on reducing cybersecurity risk across the SME's IoT environment.

Table 8
Vulnerability Comparison by Severity.

Severity | Pre-Mitigation | Post-Mitigation | % Change
--- | --- | --- | ---
Critical | 5 | 1 | −80 %
High | 8 | 2 | −75 %
Medium | 4 | 5 | +25 % (reclassified)
Low | 2 | 3 | +50 %
Total | 19 | 11 | −42.1 %

Note: Certain vulnerabilities were reclassified based on reduced exploitability following partial remediation.

5.4.3. Statistical impact analysis

To further quantify the reduction in overall risk, the mean CVSS score for detected vulnerabilities was calculated for both assessment periods:

• Pre-Implementation: Mean = 8.1, SD = 1.23
• Post-Implementation: Mean = 5.6, SD = 1.91

This corresponds to a 30.9 % reduction in average vulnerability severity, indicating a substantial improvement in the organization's security posture. The increase in standard deviation is expected, as the remaining vulnerabilities were more dispersed across lower severity categories following mitigation efforts. These quantitative results validate the framework's effectiveness in reducing exposure to critical and high-risk threats in a real-world SME environment. The outcomes also support the suitability of the framework's structured approach for incremental, cost-efficient risk reduction.

5.4.4. Qualitative feedback

In addition to the quantitative findings, qualitative feedback was gathered to assess the perceived usability, effectiveness, and organizational impact of the proposed framework. Informal interviews were conducted with four key stakeholders at Lilac Studio: the business owner, store manager, inventory manager, and a frontline employee. The feedback was analyzed using thematic analysis, following the six-phase methodology outlined by Braun and Clarke [53]. These phases included familiarization with the data, generation of initial codes, identification and refinement of themes, and narrative synthesis.

Three dominant themes emerged from the analysis, reflecting the framework's practical influence across different organizational levels:

• Practicality and Accessibility: Stakeholders consistently emphasized the ease of implementation. The business owner stated, "The framework provided a clear roadmap for securing our IoT systems without overwhelming our small team." Both technical and non-technical staff described the framework's step-by-step structure as intuitive and scalable, suggesting its accessibility even in low-resource environments.
• Operational Continuity: The store manager noted that "the security improvements were seamless and didn't disrupt daily operations." This observation was echoed by the inventory manager, who reported increased system reliability and fewer discrepancies in stock management, suggesting that the framework enhanced security without compromising efficiency.
• Awareness and Confidence: A frontline employee remarked, "The training was really helpful; I understand the risks better now." This feedback reflects a broader organizational shift toward increased security awareness and procedural clarity. Staff members expressed greater confidence in managing and responding to cyber risks.

These insights corroborate the quantitative results presented earlier. Stakeholders reported improved trust in the security of their systems and expressed confidence in the organization's preparedness to address future threats. The framework's non-disruptive and user-centric design appears to have contributed to both technical readiness and organizational alignment.

Overall, the qualitative findings affirm that the framework is not only functionally effective but also culturally adoptable, making it well-suited for replication in similarly structured SMEs. Its ability to foster
staff engagement, procedural clarity, and operational continuity highlights its value as a pragmatic cybersecurity solution for resource-constrained environments.

5.4.5. Key performance indicators (KPIs)

To objectively evaluate the impact of the proposed framework, a set of Key Performance Indicators (KPIs) was defined and tracked before and after implementation. These indicators were selected to reflect critical dimensions of cybersecurity maturity, including technical risk reduction, procedural readiness, and organizational awareness. Together, they provide a holistic view of the framework's effectiveness in a real-world SME setting.

The following five KPIs were used:

• % Critical Vulnerabilities: The proportion of total vulnerabilities classified as Critical (CVSS ≥ 9.0), indicating exposure to the most severe threats.
• Mean CVSS Score: The average severity of all detected vulnerabilities, serving as a composite indicator of overall system risk.
• Time to Mitigation (TtM): The average time (in days) required to remediate high and critical vulnerabilities, reflecting operational responsiveness.
• Incident Response Preparedness: The presence or absence of documented and tested incident response (IR) procedures.
• Employee Security Awareness: The percentage of staff who completed foundational security awareness training, reflecting organizational readiness and cultural alignment.

The impact of the framework across key cybersecurity performance dimensions is summarized in Table 9, which tracks changes in technical, procedural, and organizational metrics before and after implementation. These results demonstrate substantial improvements across all five indicators. The percentage of critical vulnerabilities was reduced by over 65 %, while the average CVSS score declined by 30.9 %. The Time to Mitigation improved significantly, dropping from an unstructured 30-day cycle to a more agile 10-day process. Moreover, the organization moved from having no formal incident response plan to one that was both documented and tested. Perhaps most notably, employee security awareness increased from 0 % to 90 %, indicating a strong cultural shift toward proactive cyber hygiene. Collectively, these KPI trends affirm the framework's capacity to produce measurable, multidimensional improvements in SME cybersecurity posture, spanning technical risk, operational agility, and human factors.

Table 9
Key Performance Indicators (KPIs).

KPI | Pre-Implementation | Post-Implementation
--- | --- | ---
% Critical Vulnerabilities | 26.3 % | 9.1 %
Mean CVSS Score | 8.1 | 5.6
Time to Mitigation (TtM) | 30 days (ad hoc) | 10 days (structured)
IR Preparedness | None | Documented + tested
Employee Security Awareness | 0 % | 90 %

6. Discussion

This section discusses the effectiveness of the proposed framework, synthesizing both the quantitative and qualitative results. It also compares the framework against established models and reflects on broader implications for SME cybersecurity practice.

6.1. Application of the framework

The implementation of the proposed risk-based framework at Lilac Studio offers compelling evidence of its practical value in addressing IoT security challenges within a real-world SME context. The structured methodology, spanning asset classification, threat modeling, vulnerability assessment, risk prioritization, and mitigation planning, enabled the organization to identify and remediate critical risks in a systematic, resource-aware manner.

By categorizing IoT assets based on business impact and integrating these classifications into a multi-layered risk evaluation process, the organization was able to focus its limited cybersecurity resources on the most pressing threats. The application of targeted mitigation strategies, including firmware updates, credential hardening, network segmentation, and the deployment of a Web Application Firewall (WAF), resulted in a substantial reduction in the number and severity of vulnerabilities. Quantitative improvements included a 42.1 % reduction in total vulnerabilities and a 30.9 % decrease in average CVSS scores, demonstrating the framework's capacity to drive measurable security outcomes.

Equally important were the organizational benefits. The inclusion of structured security awareness training increased employee engagement and contributed to a culture of proactive security management, as reflected in the 90 % training participation rate. Positive stakeholder feedback further validated the framework's accessibility, scalability, and minimal disruption to day-to-day operations.

Overall, the Lilac Studio case study illustrates how a cost-effective, modular, and methodologically rigorous framework can empower SMEs to improve their cybersecurity posture without exceeding their operational or financial limits. The results support the framework's broader applicability across similarly structured SMEs, positioning it as a scalable solution for enhancing cybersecurity resilience in the rapidly expanding IoT landscape.

6.2. Framework effectiveness

The effectiveness of the proposed framework is demonstrated not by the invention of new cybersecurity mechanisms, but by its strategic realignment of established practices toward the unique needs of SMEs. At Lilac Studio, the framework enabled a comprehensive and systematic assessment of the organization's IoT ecosystem. By categorizing assets based on business criticality and aligning these with structured risk assessment techniques, the company was able to prioritize its limited cybersecurity resources efficiently.

One of the most impactful elements was the framework's tailored risk prioritization process, which directed attention to the most critical vulnerabilities. This approach ensured that mitigation efforts were not diluted across all identified issues but instead focused on those posing the greatest business risk. The application of controls, such as firmware updates, web application firewalls, and network segmentation, resulted in measurable improvements in vulnerability reduction, operational continuity, and staff awareness. These interventions were specifically selected for their low cost, ease of implementation, and regulatory alignment with standards like the GDPR and UAE PDPL.

Another strength of the framework lies in its accessibility. Its step-by-step design, supported by practical tools and algorithms, allowed non-specialist staff to participate in the security improvement process without requiring advanced expertise. The use of scalable controls and guidance documents made the implementation feasible for an organization with minimal internal IT capacity.

Importantly, the framework enabled Lilac Studio to shift from a reactive to a proactive security posture. Instead of responding to incidents ad hoc, the company began adopting preventive measures based on formalized asset risk profiles and updated threat intelligence. This cultural shift was reinforced by a 90 % employee participation rate in security training and by the introduction of documented incident response protocols, both of which were absent prior to framework adoption.

The inclusion of Bayesian risk scoring in the framework further enhanced its analytical depth and responsiveness. However, to maintain focus in the discussion section, the Bayesian scoring formula and
numerical example have been relocated to Section 5.3.2, where quantitative risk adjustments are explained in detail. This separation preserves the clarity of the narrative while ensuring methodological transparency.

Quantitative outcomes further validate the framework's utility. Over a six-week implementation period, Lilac Studio experienced a 42.1 % reduction in total vulnerabilities and a 30.9 % decrease in mean CVSS scores. These metrics highlight the framework's capacity to deliver both immediate and sustainable security improvements in an SME environment. Collectively, the results confirm that when security strategies are aligned with operational constraints, even small organizations can achieve significant cybersecurity gains.

6.3. Comparison of existing frameworks

Existing frameworks for IoT security, such as the NIST Cybersecurity Framework (CSF), ISO/IEC 27005, and OWASP IoT Project, provide valuable guidance but often fall short in addressing the unique needs of SMEs. The NIST CSF, while comprehensive, requires significant resources and expertise, making it challenging for SMEs with limited budgets and technical capabilities to implement effectively. Similarly, ISO/IEC 27005 offers detailed guidelines for risk management but is often too complex and resource-intensive for smaller organizations. The OWASP IoT Project, though practical, lacks a structured risk assessment process, leaving SMEs without clear prioritization of risks. These frameworks also tend to be generic, lacking tailored guidance for the specific challenges SMEs face, such as limited IT infrastructure and cybersecurity expertise. While recent frameworks target industrial control systems specifically [54], they often assume PLC-centric architectures, limiting applicability to general-purpose IoT infrastructures found in SMEs.

The proposed framework addresses these gaps by offering a cost-effective, scalable, and SME-focused approach to IoT security. It simplifies complex methodologies like risk assessment and threat modeling, making them accessible to non-technical stakeholders. By integrating asset classification, vulnerability analysis, and risk prioritization, the framework provides a structured yet flexible process that SMEs can adapt to their specific contexts. Additionally, it emphasizes practical, actionable steps and leverages readily available tools, reducing the need for specialized expertise or significant financial investment. This tailored approach ensures that SMEs can enhance their IoT security posture without overburdening their resources, bridging the gap left by existing frameworks.

The comparative strengths and limitations of the proposed framework relative to established alternatives such as NIST CSF, ISO/IEC 27005, ENISA, and the OWASP IoT Project are summarized in Table 10, using a set of measurable KPIs to highlight practical applicability for SMEs.

Table 10
KPI-Based Comparative Framework Assessment.

Feature | NIST CSF | ENISA | ISO 27005 | OWASP IoT | Proposed Framework
--- | --- | --- | --- | --- | ---
KPI-Driven Evaluation | Not explicit | Limited | Not defined | No | Yes
CVSS Integration | Indirect | No | Indirect | No | Native
Dynamic Risk Scoring | No | Partial | No | No | Bayesian updating
Risk Prioritization Guidance | High-level | Prescriptive | Detailed | No | Structured, contextual
Resource Constraint Awareness | Low | Medium | Low | Low | High
Usability for SMEs | Low | Medium | Low | Medium | High
Time to Mitigation (TtM) | No | No | No | No | Embedded metric
Employee Readiness | Optional | No | No | No | Yes

While ISO/IEC 27005 provides a comprehensive methodology for information security risk management, it assumes a level of maturity and resourcing that many SMEs lack. Its abstract treatment of likelihood, impact, and risk response mechanisms often requires consulting expertise to operationalize. OWASP's IoT Top 10 is valuable for threat identification but lacks integrated risk assessment or prioritization mechanisms.

In contrast, the proposed framework explicitly incorporates measurable KPIs such as CVSS severity reduction, time to mitigation, and employee readiness, offering a practical, scalable, and data-driven approach tailored to the operational realities of SMEs.

6.4. Threat modeling results and documentation

This section presents the results of the threat modeling process, which employed the STRIDE methodology to identify, categorize, and evaluate potential threats to Lilac Studio's IoT infrastructure. The methodology was implemented following the structured workflow outlined in Algorithm 3 (Appendix A), which systematically maps threats to asset attributes and system configurations. This approach ensures comprehensive coverage and operational relevance in the SME context.

Using the classified asset inventory developed during the initial assessment phase, each IoT asset was evaluated against the six STRIDE threat categories: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Specific vulnerabilities were identified based on configuration weaknesses, exposure to external interfaces, and known exploit vectors. These were then linked to corresponding business impacts, ensuring that the threat analysis remained both technically rigorous and business centric.

Table 11
Validation of Threats Based on STRIDE Utilizing Asset Inventory.

Threat Category | Description | Asset | Identified Vulnerability | Impact
--- | --- | --- | --- | ---
Spoofing | Potential for unauthorized devices to inject false inventory data | Sensors | Lack of authentication | False inventory data
Tampering | Risk of data manipulation | Inventory Server, PoS System | Insecure data handling | Corrupted records, financial loss
Repudiation | Lack of audit trails for transactions | PoS System | Absence of logging mechanisms | Dispute resolution failure
Information Disclosure | Exposure of customer data through unsecured networks | Network Infrastructure | Unencrypted traffic | Privacy breach, legal penalties
Denial of Service | Overloading the IoT network causing service disruptions | Sensors, Network Infrastructure | Lack of traffic filtering or rate limits | Downtime, operational loss

To improve traceability and practical usability, the threat documentation process recorded the affected asset, observed vulnerability, likely exploitation vector, and anticipated operational consequence. This mapping, carried out in accordance with Steps 2–8 of Algorithm 3, supports both technical remediation and decision-making by non-
technical stakeholders.

Table 11 summarizes the threat-to-asset mapping. It illustrates how identified vulnerabilities, such as lack of authentication on sensors or unencrypted traffic on the network infrastructure, correspond to STRIDE threat categories and lead to concrete business risks such as data integrity failures or service disruption. This actionable mapping provides SMEs with a prioritized and contextualized understanding of IoT security threats, allowing them to implement targeted mitigation strategies without overextending limited resources.

Threat assessment is based on predefined likelihood and impact scores, which are detailed in Section 5.2.4 as part of the risk prioritization methodology.

6.5. Implications for SMEs

The proposed framework offers significant practical benefits for SMEs, addressing their unique challenges and resource constraints while enhancing their IoT security posture. By providing a structured yet flexible approach, the framework enables SMEs to systematically identify, assess, and mitigate IoT security risks without requiring extensive technical expertise or financial investment (see Appendix C for guidance on resource allocation and cost minimization strategies). Its emphasis on asset classification and risk prioritization ensures that limited resources are allocated efficiently, focusing on the most critical vulnerabilities and threats.

The framework's scalability allows SMEs to start small and expand their efforts as needed, making it adaptable to businesses of varying sizes and industries. Additionally, the inclusion of cost-effective security controls and practical, actionable steps empowers SMEs to implement robust security measures without overburdening their operations. By integrating staff training and clear guidance, the framework also builds internal capacity, fostering a culture of cybersecurity awareness.

Moreover, SME-specific frameworks in smart manufacturing emphasize the importance of operational continuity, real-time monitoring, and layered security [55], all of which align with the goals of this framework. Overall, the framework equips SMEs with the tools and knowledge needed to secure their IoT ecosystems, reducing the risk of disruptions, data breaches, and financial losses, while supporting business continuity and growth.

6.6. Regulatory alignment and compliance implications

While the primary goal of this framework is to enhance IoT cybersecurity posture within SMEs, it also supports alignment with key legal and regulatory obligations. For example, the European General Data Protection Regulation (GDPR), particularly Article 32, mandates data controllers and processors to implement appropriate technical and organizational measures to ensure the security of personal data [56]. The proposed framework operationalizes this requirement through its risk-based approach, which drives the adoption of proportional controls such as data encryption, network segmentation, and access restriction mechanisms [21]. Additionally, recent approaches have demonstrated the feasibility of aligning threat modeling with ISO/IEC 27005 and GDPR Article 32 through structured risk management methods [57]. The proposed framework reflects this alignment by integrating threat identification, CVSS scoring, and mitigation planning within a GDPR-compliant process.

Specifically, the asset classification and threat modeling stages of the framework allow organizations to identify where personal or sensitive data is processed, thus supporting data flow mapping and risk documentation required under Articles 30 and 35 of the GDPR [26]. Similarly, the use of vulnerability scanners and CVSS-based scoring directly supports the principle of "security by design and by default". These technical safeguards help SMEs demonstrate that personal data is adequately protected against unauthorized access or loss, core expectations under GDPR's security provisions.

In the UAE context, the framework aligns with provisions of the Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) [58], which similarly requires entities to adopt appropriate cybersecurity measures to protect data confidentiality, integrity, and availability. The inclusion of employee training, incident response readiness, and periodic risk reassessment in the framework addresses Article 5 of the PDPL, which emphasizes both technical and organizational security measures [58].

Recent case studies have shown that mapping ISO 27005, NIST CSF, and SP 800-53 to enterprise contexts remains complex [59]; this framework simplifies that mapping by focusing on risk outputs actionable for SMEs. By embedding these legal principles into its structure, the framework not only enhances operational security but also serves as a pragmatic tool to support ongoing regulatory compliance. This is especially beneficial for SMEs that often lack dedicated legal or compliance teams and must rely on integrated approaches to meet both security and legal expectations.

6.7. Limitations

While the proposed framework demonstrates significant potential for enhancing IoT security in SMEs, it is important to acknowledge its limitations. First, the framework's effectiveness is highly dependent on the accuracy of the initial asset classification and risk assessment, which may be challenging for SMEs with limited technical expertise or incomplete knowledge of their IoT ecosystems. Second, the framework's reliance on vulnerability scanning tools and penetration testing may not uncover all potential risks, particularly those related to zero-day vulnerabilities or sophisticated attack vectors. Third, the case study's focus on a single SME, Lilac Studio, limits the generalizability of the findings, as the results may not fully represent the diverse challenges faced by SMEs in different industries or regions. Additionally, the framework's success in other contexts may vary based on factors such as the complexity of the IoT ecosystem, the level of stakeholder engagement, and the availability of resources.

Finally, while the framework emphasizes cost-effectiveness, some SMEs may still face financial or logistical barriers to implementing certain security controls. These limitations highlight the need for further research and validation across a broader range of SMEs to refine the framework and ensure its applicability in diverse settings.

7. Conclusion and future work

In an era of rapid digital transformation, SMEs face a growing need to adopt Internet of Things (IoT) technologies to enhance operational efficiency, customer engagement, and competitive advantage. However, this shift has significantly expanded their cybersecurity risk surface, exposing them to increasingly sophisticated threats while they remain constrained by limited budgets, technical capacity, and regulatory burdens.

In summary, this study contributes a practical, cost-conscious IoT security framework specifically tailored to the operational constraints of SMEs. Drawing upon well-established methodologies, such as STRIDE for threat modeling [41], CVSS for vulnerability scoring [44], and Bayesian inference for dynamic risk reassessment [45], the framework distills complex processes into a five-step model comprising asset classification, threat modeling, vulnerability assessment, risk prioritization, and mitigation planning. This structured yet adaptable approach empowers SMEs to identify and address critical IoT vulnerabilities in a scalable and resource-aware manner.

The framework's value was validated through a real-world case study involving a digitally enabled retail SME, where implementation led to a 42.1 % reduction in total vulnerabilities, a 65 % drop in critical issues, and measurable improvements in response time and employee security awareness. These outcomes underscore the framework's practical effectiveness and its ability to enhance cybersecurity posture
without imposing prohibitive costs or disruption to operations. By embedding regulatory considerations from GDPR [56] and the UAE's PDPL [58], the framework also supports SMEs in fulfilling legal obligations while improving their security maturity.

While the case study provides strong evidence of real-world applicability, it represents a single organizational context. As such, the findings may not fully generalize to SMEs in other sectors or regions. Future work should therefore focus on broadening the generalizability of this approach through multi-case studies across diverse industries and geographical settings. Sector-specific adaptations, for example, in healthcare, manufacturing, and agriculture, may further refine the framework's utility by aligning with domain-specific threat landscapes and regulatory contexts. Additionally, integrating artificial intelligence (AI) and machine learning (ML) for anomaly detection and predictive risk modeling offers promising avenues for enhancing responsiveness and precision in SME cybersecurity. Further research could also explore embedding this framework within modular testbed environments or extending its reach through integration with SIEM tools and automated log parsers. These enhancements would support real-time Bayesian parameter calibration and facilitate continuous, autonomous risk management.

Overall, this study bridges the gap between enterprise-scale cybersecurity models and SME feasibility, offering a robust, implementable pathway for improving IoT security resilience in resource-constrained environments.

CRediT authorship contribution statement

Samer Aoudi: Writing – original draft, Validation, Supervision, Methodology, Investigation, Formal analysis, Data curation, Conceptualization. Hussain Al-Aqrabi: Writing – review & editing, Visualization, Methodology, Investigation, Formal analysis, Conceptualization.

Declaration of competing interest

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
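The Bayesian update of Section 5.3.2 (Eqs. (5) and (6)) written as the kind of lightweight script the paper says the model is meant to run in. This is an added example, not code from the paper or from the Lilac Studio implementation. It uses the paper's IoT gateway figures (prior 0.3, likelihood 0.8, marginal 0.4, asset value 9, static likelihood 9.0); the `ThreatEvidence` container, the function names, the consistency check on P(E) and the total-probability helper are this example's own additions.

```python
"""Bayesian likelihood update and risk re-scoring for one IoT asset.

Added example, not the paper's own code. Implements Eq. (5) (posterior) and
Eq. (6) (Bayesian risk score) of Section 5.3.2 with input validation that
the paper's prose assumes but does not state.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreatEvidence:
    """Parameters of one Bayes update for threat t_i (names assumed here)."""
    prior: float       # P(t_i): baseline likelihood of the threat
    likelihood: float  # P(E|t_i): chance of the evidence if t_i is active
    marginal: float    # P(E): overall chance of seeing the evidence


def posterior(ev: ThreatEvidence) -> float:
    """Eq. (5): P(t_i|E) = P(E|t_i) * P(t_i) / P(E).

    Rejects incoherent estimates: every input must lie in [0, 1], P(E) must
    be positive, and P(E) can never be smaller than the joint probability
    P(E|t_i) * P(t_i), otherwise the 'posterior' would exceed 1.
    """
    for name, p in (("prior", ev.prior), ("likelihood", ev.likelihood),
                    ("marginal", ev.marginal)):
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"{name} must be in [0, 1], got {p}")
    if ev.marginal <= 0.0:
        raise ValueError("P(E) must be positive to condition on E")
    joint = ev.likelihood * ev.prior
    if ev.marginal < joint - 1e-12:
        raise ValueError(
            f"P(E)={ev.marginal} is below P(E|t)P(t)={joint:.3f}; "
            "the estimates are inconsistent")
    return joint / ev.marginal


def marginal_from_complement(prior: float, likelihood: float,
                             likelihood_if_absent: float) -> float:
    """Law of total probability, for an SME that logs how often the anomaly
    shows up on quiet days instead of estimating P(E) directly:
    P(E) = P(E|t) P(t) + P(E|not t) (1 - P(t))."""
    return likelihood * prior + likelihood_if_absent * (1.0 - prior)


def bayesian_risk_score(asset_value: float, ev: ThreatEvidence) -> float:
    """Eq. (6): Bayesian Risk Score_{i,j} = V(a_j) * P(t_i|E)."""
    return asset_value * posterior(ev)


def static_risk_score(asset_value: float, likelihood_score: float) -> float:
    """Static-matrix score used before evidence is collected: V(a_j) * L."""
    return asset_value * likelihood_score


# Lilac Studio figures from Section 5.3.2 (IoT gateway, DoS threat).
GATEWAY_VALUE = 9
DOS_EVIDENCE = ThreatEvidence(prior=0.3, likelihood=0.8, marginal=0.4)

if __name__ == "__main__":
    print(f"posterior P(DoS|E)        = {posterior(DOS_EVIDENCE):.2f}")
    print(f"Bayesian risk score       = "
          f"{bayesian_risk_score(GATEWAY_VALUE, DOS_EVIDENCE):.1f}")
    print(f"static pre-mitigation     = "
          f"{static_risk_score(GATEWAY_VALUE, 9.0):.1f}")
```

The consistency check is the part a spreadsheet will not do for you: with a prior of 0.3 and a likelihood of 0.8, the joint probability is 0.24, so any estimate of P(E) below 0.24 is not a "low marginal" but a contradiction between the three numbers, and the script refuses it rather than reporting a posterior above 1.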
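The scan comparison of Section 5.4 (Table 8) and the first two KPIs of Section 5.4.5 (Table 9) computed from raw CVSS v3.1 base scores, as a script over the kind of export Nessus Essentials or OpenVAS produce. This is an added example, not the paper's code or scan data: the severity bands are the CVSS v3.1 qualitative rating scale, the two score lists are constructed so that their bucket counts match Table 8 (5/8/4/2 before, 1/2/5/3 after), but the individual scores, and therefore the means, standard deviations and the mean reduction, are invented; the function names are this example's own.

```python
"""Severity bucketing, pre/post comparison and KPIs from two CVSS v3.1 scans.

Added example, not the paper's own code or data. The score lists at the
bottom are constructed; only their severity counts mirror Table 8.
"""
from collections import Counter
from statistics import fmean, stdev

# CVSS v3.1 qualitative severity rating scale; a 0.0 score is "None".
SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")


def severity(score: float) -> str:
    """Map a CVSS v3.1 base score (0.0-10.0) to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for label, lower in SEVERITY_BANDS:
        if score >= lower:
            return label
    return "None"


def severity_counts(scores: list[float]) -> dict[str, int]:
    """Findings per rated band ("None" findings are not counted)."""
    counts = Counter(severity(s) for s in scores)
    return {label: counts.get(label, 0) for label in SEVERITY_ORDER}


def pct_change(before: int, after: int):
    """Percent change rounded to one decimal; None when 'before' is zero
    (a band that was empty before mitigation has no defined % change)."""
    if before == 0:
        return None
    return round((after - before) / before * 100.0, 1)


def compare_scans(pre: list[float], post: list[float]) -> list[tuple]:
    """Rows of Table 8: (band, pre count, post count, % change) plus a total row."""
    pre_c, post_c = severity_counts(pre), severity_counts(post)
    rows = [(label, pre_c[label], post_c[label],
             pct_change(pre_c[label], post_c[label])) for label in SEVERITY_ORDER]
    rows.append(("Total", len(pre), len(post), pct_change(len(pre), len(post))))
    return rows


def kpis(pre: list[float], post: list[float]) -> dict:
    """% Critical and mean CVSS (with SD) before/after, plus the mean reduction."""
    if not pre or not post:
        raise ValueError("each scan needs at least one finding to compute KPIs")

    def pct_critical(scores: list[float]) -> float:
        return round(100.0 * severity_counts(scores)["Critical"] / len(scores), 1)

    mean_pre, mean_post = fmean(pre), fmean(post)
    return {
        "pct_critical_pre": pct_critical(pre),
        "pct_critical_post": pct_critical(post),
        "mean_pre": round(mean_pre, 2),
        "mean_post": round(mean_post, 2),
        "sd_pre": round(stdev(pre), 2) if len(pre) > 1 else 0.0,
        "sd_post": round(stdev(post), 2) if len(post) > 1 else 0.0,
        "mean_reduction_pct": round((mean_pre - mean_post) / mean_pre * 100.0, 1),
    }


def render(rows: list[tuple]) -> str:
    """Plain-text rendering of compare_scans() output."""
    lines = [f"{'Severity':<10}{'Pre':>6}{'Post':>6}{'% Change':>12}"]
    for label, before, after, pct in rows:
        change = "n/a" if pct is None else f"{pct:+.1f} %"
        lines.append(f"{label:<10}{before:>6}{after:>6}{change:>12}")
    return "\n".join(lines)


# Constructed CVSS v3.1 base scores for the two scans (not the paper's data).
PRE_SCAN = [9.8, 9.8, 9.6, 9.1, 9.0, 8.8, 8.6, 8.1, 7.8, 7.5, 7.5, 7.2, 7.0,
            6.5, 6.1, 5.3, 4.3, 3.7, 3.1]
POST_SCAN = [9.1, 8.1, 7.2, 6.5, 6.1, 5.3, 4.9, 4.3, 3.7, 3.1, 2.2]

if __name__ == "__main__":
    print(render(compare_scans(PRE_SCAN, POST_SCAN)))
    print(kpis(PRE_SCAN, POST_SCAN))
```

On these constructed scores the % Critical KPI comes out at 26.3 % before and 9.1 % after, the same as Table 9 because it depends only on the bucket counts, while the mean CVSS and its reduction differ from the paper's 8.1 → 5.6 because the underlying scores are invented. The `None` return from `pct_change` is deliberate: a band that was empty before mitigation would otherwise divide by zero, which is exactly the case the "(reclassified)" note in Table 8 describes when findings move between bands.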
Appendix A. Framework Algorithms
Algorithm 2 provides a structured approach to classifying IoT assets within SME environments. Accurate asset classification is essential for understanding business-critical dependencies and for ensuring that security resources are focused where they matter most. This algorithm supports SMEs in developing a comprehensive asset inventory, capturing key metadata such as location, function, ownership, and criticality. It serves as the foundational input for subsequent threat modeling and risk prioritization processes within the proposed framework.
Algorithm 2
IoT Asset Classification for SMEs.
Require: IoT environment E with devices, networks, and applications
Ensure: Structured asset inventory I with criticality levels
 1: I ← ∅
 2: for all asset a ∈ E do
 3:   Identify asset type: device, network, or software
 4:   Record metadata: location, function, dependencies, owner
 5:   Assign criticality level C(a) based on:
 6:     Impact on core operations
 7:     Data sensitivity
 8:     Service continuity dependencies
 9:   Add entry {a, type, metadata, C(a)} to I
10: end for
11: return I
Algorithm 3 outlines a systematic method for applying the STRIDE threat modeling framework to classified IoT assets. By assessing each asset against the six STRIDE categories, Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, the algorithm helps identify specific threat scenarios that are relevant in the context of SME operations. This targeted threat mapping ensures that the risk assessment process is grounded in the actual exposure and function of each asset, rather than relying on generic threat assumptions.
Algorithm 3
STRIDE-Based Threat Modeling for IoT Assets.
Require: Asset inventory I with criticality scores and configurations
Ensure: Threat list T mapped to assets and threat categories
 1: T ← ∅
 2: for all asset a ∈ I do
 3:   Retrieve asset characteristics: access interfaces, communication protocols
 4:   for all STRIDE category s ∈ {Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege} do
 5:     Assess applicability of s to a using:
 6:       Known vulnerabilities
 7:       Exposure to external actors
 8:       Past incidents or threat intelligence
 9:     if s applicable then
10:       Record threat t ← {a, s, impact level, justification}
11:       Add t to T
12:     end if
13:   end for
14: end for
15: return T
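Algorithms 2 and 3 as one runnable pass, given here as an added Python illustration that is not code from the paper or the authors' tooling. The three assets (gateway, camera, PoS terminal) are constructed sample data, not the case-study inventory; the criticality scale in criticality() and the per-category rules in applicable() are hypothetical heuristics standing in for the analyst judgement the algorithms call for at the "Assign criticality level" and "Assess applicability" steps. Each recorded threat keeps the justification, which is what makes the resulting list auditable later in the risk prioritization step.

```python
"""Algorithm 2 (asset classification) and Algorithm 3 (STRIDE threat mapping)
for a small IoT estate. Added illustration, not the paper's code; the
criticality scale and applicability rules are hypothetical heuristics."""
from dataclasses import dataclass, field

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
LEVELS = ("Low", "Medium", "High")


@dataclass
class Asset:
    name: str
    kind: str                      # "device", "network" or "software" (Alg. 2, step 3)
    location: str                  # metadata recorded at Alg. 2, step 4
    function: str
    owner: str
    dependencies: list = field(default_factory=list)
    # criticality inputs (Alg. 2, steps 5-8), each rated 0 (none) to 3 (severe)
    core_impact: int = 0
    data_sensitivity: int = 0
    continuity_dependency: int = 0
    # characteristics retrieved at Alg. 3, step 3
    internet_facing: bool = False
    protocols: tuple = ()
    authenticates_peers: bool = False
    signs_updates: bool = False
    keeps_audit_log: bool = False
    default_credentials: bool = False
    known_vulns: int = 0           # CVE count fed in from the Algorithm 4 scan


def criticality(a):
    """C(a): the worst of the three ratings decides the level (hypothetical scale)."""
    worst = max(a.core_impact, a.data_sensitivity, a.continuity_dependency)
    return "High" if worst >= 3 else "Medium" if worst == 2 else "Low"


def classify_assets(env):
    """Algorithm 2: return inventory I of {a, type, metadata, C(a)} entries."""
    return [{"asset": a, "type": a.kind,
             "metadata": {"location": a.location, "function": a.function,
                          "dependencies": list(a.dependencies), "owner": a.owner},
             "criticality": criticality(a)} for a in env]


CLEARTEXT = {"HTTP", "Telnet", "FTP", "MQTT", "RTSP"}   # unencrypted by default


def applicable(a, category):
    """(applies?, justification) for one STRIDE category; hypothetical rules that
    stand in for the evidence named in Alg. 3, steps 6-8."""
    rules = {
        "Spoofing": (not a.authenticates_peers, "peers are not authenticated"),
        "Tampering": (not a.signs_updates, "updates and configuration are unsigned"),
        "Repudiation": (not a.keeps_audit_log, "no audit trail of actions"),
        "Information Disclosure": (bool(CLEARTEXT & set(a.protocols)),
                                   "cleartext protocol in use"),
        "Denial of Service": (a.internet_facing or a.known_vulns > 0,
                              "externally exposed or carries known vulnerabilities"),
        "Elevation of Privilege": (a.default_credentials, "default credentials present"),
    }
    return rules[category]


def impact_level(entry):
    """Impact follows asset criticality, raised one step for internet exposure."""
    i = LEVELS.index(entry["criticality"])
    if entry["asset"].internet_facing:
        i = min(i + 1, len(LEVELS) - 1)
    return LEVELS[i]


def stride_threats(inventory):
    """Algorithm 3: threat list T of {a, s, impact level, justification}."""
    threats = []
    for entry in inventory:
        for s in STRIDE:
            applies, why = applicable(entry["asset"], s)
            if applies:
                threats.append({"asset": entry["asset"].name, "category": s,
                                "impact": impact_level(entry), "justification": why})
    return threats


def sample_environment():
    """Constructed sample estate; not data from the paper's case study."""
    return [
        Asset("iot-gateway", "device", "server room", "edge gateway", "IT admin",
              dependencies=["ip-camera", "pos-terminal"], core_impact=3,
              data_sensitivity=2, continuity_dependency=3, internet_facing=True,
              protocols=("MQTT", "HTTPS"), default_credentials=True),
        Asset("ip-camera", "device", "front entrance", "surveillance", "facilities",
              core_impact=1, data_sensitivity=2, continuity_dependency=1,
              protocols=("HTTP", "RTSP"), authenticates_peers=True, known_vulns=1),
        Asset("pos-terminal", "device", "checkout", "payment capture",
              "operations manager", core_impact=3, data_sensitivity=3,
              continuity_dependency=2, protocols=("HTTPS",), authenticates_peers=True,
              signs_updates=True, keeps_audit_log=True),
    ]


def run_pipeline(env=None):
    """Algorithm 2 followed by Algorithm 3; returns (inventory I, threat list T)."""
    inventory = classify_assets(env if env is not None else sample_environment())
    return inventory, stride_threats(inventory)


if __name__ == "__main__":
    inventory, threats = run_pipeline()
    for e in inventory:
        print(f"{e['asset'].name:12s} {e['type']:7s} C={e['criticality']}")
    for t in threats:
        print(f"{t['asset']:12s} {t['category']:24s} {t['impact']:6s} {t['justification']}")
```

With the constructed estate the exposed gateway with default credentials draws all six STRIDE categories at High impact, the camera draws four (its cleartext HTTP/RTSP and the one known CVE), and the hardened PoS terminal draws none; swapping a rule or an asset flag and re-running shows how the threat list, not just the criticality, changes.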
Algorithm 4 describes a three-stage vulnerability assessment process suitable for SMEs. It combines automated scanning using tools like Nessus or OpenVAS with optional penetration testing for high-value or high-risk assets. The algorithm also supports structured documentation and categorization of vulnerabilities based on CVSS scores and exploitability levels. This ensures that the vulnerability data feeding into the risk prioritization step is both comprehensive and context-sensitive, enabling more informed and defensible security decisions.
Algorithm 4
Vulnerability Assessment for IoT Systems.
Require: IoT assets E, security tools (e.g., Nessus, OpenVAS)
Ensure: Consolidated vulnerability report V with CVSS scores
 1: V ← ∅
 2: for all asset a ∈ E do
 3:   Perform vulnerability scan using automated tools
 4:   Extract raw findings: CVE identifiers, descriptions, CVSS base scores
 5:   if critical service or internet-facing then
 6:     Conduct targeted penetration testing for a
 7:   end if
 8:   for all vulnerability v found on a do
 9:     Classify v by:
10:       Severity: CVSS ∈ {Low, Medium, High, Critical}
11:       Exploitability: ∈ {Low, Medium, High}
12:     Add {a, v, CVSS, exploitability, description} to V
13:   end for
14: end for
15: return V
Appendix B. Vulnerability Scanning Configuration and Use Case Details
To enhance reproducibility and provide implementation-level detail, this appendix outlines the configuration parameters and specific use cases
employed during the vulnerability assessment phase described in Sections 4.2 and 5.2.3.
B.1 Tools Used
• Nessus Essentials v10.5.1
• OpenVAS via Greenbone Security Assistant v22.4
B.2 Target Scope
• Devices scanned included IoT gateways, IP surveillance cameras, PoS terminals, and connected web-based interfaces.
• Internal scans were conducted over a segmented test VLAN with static IPs assigned for each IoT node.
B.3 Key Nessus Configuration
• Scan Template: “Advanced Scan”
• Plugin Families Enabled:
○ IoT Protocol Detection
○ Web Servers
○ General Plugins
○ SCADA
• Port Scanning:
○ TCP Full Connect Scan: Enabled
○ UDP Scan: Enabled (restricted to ports 53, 123, 161)
• Authentication: SSH credential-based scanning on PoS terminal
• Performance Settings:
○ Max simultaneous checks: 4
○ Max hosts per scan: 5
B.4 Key OpenVAS Configuration
• Scan Profile: “Full and fast”
• Timeouts: Increased to 120 s for embedded camera systems
• Log Level: Verbose
• Credentialed checks: Disabled (due to vendor restrictions on camera firmware)
B.5 CVSS Use Cases
Vulnerabilities were scored using CVSS v3.1 base scores from scan outputs. Example vectors:
• CVE-2022-22954 (PoS terminal input validation flaw):
○ Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
○ CVSS Score: 9.8 (Critical)
• CVE-2021-36260 (Surveillance camera RCE):
○ Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
○ CVSS Score: 10.0 (Critical)
• Default credentials on IoT Gateway:
○ Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
○ CVSS Estimate: 7.4 (High), no CVE assigned; based on vendor advisory
These scores were directly used in the risk prioritization algorithm (Section 4.2) and in calculating static and Bayesian-adjusted risk scores (Section
5.3).
Appendix C. Estimated Effort and Budget for Framework Implementation in SMEs
This appendix outlines the estimated resource requirements for implementing the proposed IoT risk-based security framework in a typical SME
environment. Estimates are based on a single-site deployment with fewer than 50 IoT-enabled assets and no dedicated cybersecurity team.
Figures assume internal staff carry out most tasks, with optional external support for tool configuration or training.
C.1 Effort Estimate by Framework Component
• Asset Classification: 6–10 staff hours
(IT administrator or operations manager maps devices and dependencies)
• Threat Modeling (STRIDE): 8–12 hours
(Basic STRIDE mapping across 3–5 asset categories using checklists or templates)
• Vulnerability Assessment: 10–15 hours
(Tool setup, scan execution, review of Nessus/OpenVAS output; includes re-scanning)
• Risk Prioritization: 6–8 hours
(Matrix creation, CVSS lookup, optional Bayesian update for top 3 risks)
• Mitigation Planning and Implementation: 15–25 hours
(Patch application, credential changes, segmentation, training delivery, testing)
Total Staff Effort Estimate: 45–70 hours
C.2 Budget Estimate by Activity Category
• Open-Source Tools (OpenVAS, CVSS calculators): $0
• Commercial Tool (Optional: Nessus Pro license): $2990/year
• Training Resources (Basic awareness kit): $200–$500
• External Consultant Support (Optional): $1500–$3000 for tailored threat modeling or scan review
Estimated Budget Range: $200–$6500 depending on tool/license choices and external assistance.
C.3 SME Cost Optimization Notes
Most SMEs can minimize costs by:
• Using free versions of scanning tools (e.g., Nessus Essentials)
• Relying on publicly available STRIDE and CVSS documentation
• Delivering internal security awareness training using open resources (e.g., OWASP guides)
• Prioritizing mitigation actions with minimal operational disruption (e.g., disabling unused ports)
These estimates provide a practical benchmark to help SMEs plan framework adoption incrementally while staying within budget.
Data availability

The data that has been used is confidential.