Internet of Things: Security Guidelines for Management

Mikael Hansen

Student thesis: Master thesis


This report sets out to create a set of guidelines for organizations that are considering implementing Internet of Things solutions and do not know how to handle the IoT technology. The guidelines are created by reading the scientific literature on the IoT topic and then going in depth with the areas in which IoT can pose a threat to the company’s security or otherwise be a nuisance to the company.
By reading the literature with a hermeneutic approach, it is ensured that no topics are left untouched, and with every aspect of IoT explored it was possible to create a framework that includes all the essential topics found in the literature. This framework is the basis for how the theories were conceptualized in the context of IoT. By conceptualizing the theories, a set of statements was made based on the literature; these statements were tested with expert knowledge in the security field.
The tests conclude that most of the hypotheses were verified and are therefore useful, either as a whole or broken down into individual points, in the guidelines. The findings were that the guidelines need to include regular IT security measures such as encryption, access control, privacy and regular network security theories such as network segmentation.
Furthermore, the results showed that security measures are not everything the organization needs to be aware of. It also needs to attend to organizational structure and readiness, as these topics, among others, came forth: strategy purpose, risk assessment, partners and manufacturers. Evaluating these can help secure a smooth implementation of IoT in the organization alongside having a secure IoT system.
Answering the research question: How can companies handle the introduction of IoT devices?
They can use the set of guidelines outlined in this report to raise awareness and be skeptical about introducing new technologies without thinking about the potential consequences they can impose on the organization.

Educations: MSc in Business Administration and Information Systems, (Graduate Programme) Final Thesis
Publication date: 2017
Number of pages: 90
Supervisors: Jacob Nørbjerg