Two Scenarios—Intentions
and Outcomes
We now have a solid foundation for understanding the security issues pertaining
to a range of IoT devices in the market today, as well as the impact that security vulnerabilities
can have on IoT device manufacturers and the lives of people using the devices. We have also
studied the process of coming up with an idea for an IoT product and building in the right
security controls early on, starting from the prototyping stage. At this point, we have a good
sense of how to measure risk by marrying our understanding of gaps in security controls and
of how threat agents are likely to take advantage of them.
In addition to understanding security controls, it is important to realize that security inci-
dents, when viewed holistically, are greatly influenced by the individuals who are involved and
how those individuals choose to react to the situations at hand.
In this chapter, we will take a look at two different scenarios to gain an appreciation of
how people can influence security incidents. In the first scenario, we will examine how an
executive at a large corporation attempts to leverage the buzz surrounding the topic of IoT
security with the hope that it will impress the board of directors. In the second scenario, we
will look at how an up-and-coming IoT service provider chooses to engage with and respond
to researchers and journalists, with the intention of preserving the integrity of its business.
The goal of this chapter is to illustrate that, ultimately, the consequences of security-related
scenarios are heavily influenced by the intentions and actions of the people involved.
The Cost of a Free Beverage
The cybersecurity field is riddled with vendors who want to sell software tools that are often
ineffective at reducing tangible risk, thereby giving organizations a false sense of security.
More specifically, tools that attempt to assess and secure emerging technologies and new
TWO SCENARIOS—INTENTIONS AND OUTCOMES 251CHAPTER 9