Title: Have you updated your lightbulb?: Solving IoT vulnerabilities through governance
Author: de Roon, Tom (TU Delft Technology, Policy and Management; TU Delft Organisation and Governance)
Contributor: Parkin, S.E. (mentor); van Eeten, M.J.G. (graduation committee); Ubacht, J. (graduation committee); Krenn, R. (graduation committee)
Degree granting institution: Delft University of Technology
Programme: Complex Systems Engineering and Management (CoSEM)
Date: 2021-07-19

Abstract: Connecting ‘things’ like a doorbell, webcam, lamp, or other objects to the web to provide a service or control is called the Internet of Things (IoT). These devices contain vulnerabilities that form risks for the device user and possibly the network owner through their heterogeneity. The identified knowledge gap is that there is a need for more IoT governance, but no specification of governance options and means to reach specific stakeholders. Using a dataset of network scan data of The Hague as the empirical context for the defined knowledge gap, this research aims to look into the vulnerabilities IoT devices carry, and then look into relevant stakeholders to see what they can do through governance and why they are not doing this, in order to answer the main research question: How can the municipality of The Hague use governance instruments to decrease cyber vulnerabilities in IoT devices? A literature study defining IoT concepts, the governance of IoT, and current governance examples provides background information for the rest of this research. The database of 1649 IP addresses of network scan data from the area of The Hague is then used to find what vulnerabilities are present and what stakeholders are identifiable from this data. Exploring this network scan data showed that only 191 devices are fully identifiable out of the total number of IP addresses.
These devices all carry vulnerabilities for the user of these devices, and being visible is by itself a vulnerability. No device owners could be directly identified, only the providers of the networks these devices are found in. This results in the identifiable stakeholders from the dataset: ISPs and device manufacturers. Governance options are defined for these stakeholders (e.g. security-by-design, informing users, etc.). These options are assessed on viability and validity through semi-structured interviews with three ISPs and the municipality. The conclusion is that the most viable action to take is informing device users, since secure configuration and usage of a device would take away vulnerabilities while waiting for European legislation to be implemented. This legislation will force more security-by-design. The recommendation for the municipality is to take the role of leading actor, provide a better problematization with the data available, and use this to generate more urgency with other stakeholders. It should start public-private partnerships (with ISPs, device vendors, universities, other municipalities: different perspectives to progress the problem) and information campaigns, and so try to reach as many people as possible. Even though ISPs cannot help in reaching vulnerable users directly, they can help in general information campaigns. This increases security practices on the user side while waiting for legislation on the manufacturer's side.

Subject: internet of things; IoT; Cybersecurity; stakeholders; interviews; qualitative; The Hague; governance
To reference this document use: http://resolver.tudelft.nl/uuid:2e362af9-d32e-42b0-ada0-8b995fcb140e
Part of collection: Student theses
Document type: master thesis
Rights: © 2021 Tom de Roon
Files: PDF Have_your_updated_your_li ... e_Roon.pdf 2.75 MB