An Exploratory Analysis of the Security Risks of the Internet of Things in Finance

  • Carlton Shepherd
  • Fabien A. P. Petitcolas
  • Raja Naeem Akram
  • Konstantinos Markantonakis
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10442)


The Internet of Things (IoT) is projected to significantly impact consumer finance, through greater customer personalisation, more frictionless payments, and novel pricing schemes. The lack of deployed applications, however, makes it difficult to evaluate potential security risks, a difficulty compounded by the presence of novel, IoT-specific risks absent from conventional systems. In this work, we present a two-part study that uses scenario planning to evaluate emerging risks of IoT in a variety of financial products and services, using ISO/IEC 27005:2008 to assess those risks drawn from related work. Over 1,400 risks were evaluated in a risk assessment with 7 security professionals within the financial industry, which was contrasted with an external survey of 40 professionals within academia and industry. From this, we draw a range of insights to advise future IoT research and decision-making regarding potentially under-appreciated risks. To our knowledge, we provide the first empirical investigation into which threats, vulnerabilities, asset classes and, ultimately, risks may take precedence in this domain.


Keywords: Internet of Things · Risk assessment · Finance · Security



The authors would like to thank those at Vasco Data Security, who initiated and supported this work; the participants of the user survey for their time and consideration; and the anonymous reviewers who provided their insightful and helpful comments. Carlton Shepherd is supported by the EPSRC and the UK government as part of the Centre for Doctoral Training in Cyber Security at Royal Holloway, University of London (EP/K035584/1).



Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Carlton Shepherd (1)
  • Fabien A. P. Petitcolas (2)
  • Raja Naeem Akram (1)
  • Konstantinos Markantonakis (1)

  1. Information Security Group, Royal Holloway, University of London, Surrey, UK
  2. Vasco Data Security, Wemmel, Belgium
