CYBER RISK IMPACT ASSESSMENT ASSESSING THE RISK FROM THE IOT TO THE DIGITAL ECONOMY

We present an updated design process for adapting and integrating existing cyber risk assessment approaches for impact assessment for the risk from IoT to the digital economy. The new design process includes a set of changes to the original standards (e.g. NIST) that are adapted for the IoT cyber risk in this paper. This paper also presents a new framework for impact assessment of IoT cyber risk, specific for the digital economy.


Introduction
The developments in IoT technologies have presented new types of cyber risk which are difficult to assess with the existing cyber risk approaches. This creates a specific risk for the digital economy that cannot be assessed with the existing models. This research aims to define the parameters for adapting and integrating these models for performing cyber risk assessment with the existing cyber security frameworks, models and methodologies but for the IoT risk in the digital economy. This has not been done until present. The adapting and integrating process in this article refers to the compounding of knowledge to offer a better understanding of cyber risk assessments for the IoT risk in the digital economy.

Methodology
We use practical studies to bridge the gaps, to assess the impact and overcome some of the cyber risk limitations and to construct the relationship between IoT and the digital economy.
The methodology applies theoretical analysis through logical discourse of knowledge 1, to define what it means to say that we understand something 2, referring to the question of assessing cyber risk from IoT in the digital economy. The aim of the research is to define how we understand that we really understand cyber risk assessment. This approach was considered relevant to this question because most cyber security frameworks and methodologies propose answers to a quantitative question with qualitative assessments 3-10.

Literature Review
The increasing number of high-impact cyber-attacks has raised concerns about the economic impact 11 and the issues from quantifying cyber insurance 12. This triggers questions on our ability to measure the impact of cyber risk 13. The literature review is focused on defining the IoT risk vectors for the digital economy 14, which are often overlooked by cyber security experts 10. The IoT risk vectors are investigated in the context of the Social Internet of Things 15, the digital economy and the Industrial Internet of Things (IIoT). In the Social Internet of Things, the IoT autonomously establishes social relationships with other objects, and a social network of objects and humans is created 16,17. The digital economy is also known as the fourth industrial revolution and brings new operational risk for connected digital cyber networks 18. Finally, the IIoT represents the use of IoT technologies in manufacturing 19.
The cyber risk challenges from IoT technological concepts mostly revolve around the design and the potential economic impact (loss) from cyber-attacks 4,5. There are multiple attempts in literature where existing models are applied to understand the economic impact of cyber risk 11. However, understanding the shared risk is vital for risk assessment 20,21, because the estimated loss range for cyber risk can vary significantly 22-26.
IoT technologies need to be supported with a supply chain process for updating the list of assets that are added to the network across multiple time-scales 27-31, to prevent IoT components from being modified to enable a disruption 4,5,7. But such digital supply chain system security is complex, and risk assessing IoT systems for the digital economy is not easy. Regardless of the difficulties, the digital economy networks need to be secure, vigilant, resilient and integrated. But the reality of assessing security risks in Internet of Things systems is that 'If you can't understand it, you can't properly assess it!' 20. In what follows, we reflect on cyber risk standards, frameworks and models. The diversity of approaches for cyber risk impact assessment reemphasises the requirement for standardisation of cyber risk assessment approaches. This becomes clearly visible in Table 2. This variety of approaches presents conflict in risk assessment 4-14,32-36. To avoid such conflicts, the core cyber impact assessment concepts are extracted to define the design principles for cyber risk impact assessment from IoT in the digital economy.

Proposed framework for IoT cyber risk assessment for the digital economy
To define a framework for IoT cyber risk assessment for the digital economy, firstly the controlled convergence method 31,37 is applied with a group of experts in the field. The results from the study were presented, including the  Table 2). In the transcription process, discourse analysis 41 is applied to interpret the data and for recognising the most profound concepts in the data 42 .
The    Secondly, the study recommends a decomposition process of cyber risk assessment standards. At a higher analytical level, in Figure 1, the new risk vectors are related to a step by step design process for assessing the cyber risk from IoT risk vectors. The design process refers to established risk assessment frameworks, methodologies and models that have extensively been discussed in existing literature 4,5,7,10-14 . The rationale of the proposed design process is that the design is developed to advance the existing efforts 20,32 in developing a standardised approach for assessing the impact of IoT cyber risks for the digital economy 34,43 .

Conclusion
This article decomposes the cyber risk assessment standards and combines concepts for the purposes of building a new IoT risk impact assessment approach for the digital economy. Despite the interest in standardising existing cyber risk frameworks, models and methodologies, this has not been done until present. A cyber risk impact assessment approach for the IoT risk in the digital economy currently does not exist in literature. The framework represents the first attempt to define a process for cyber risk impact assessment of IoT vectors. The study advances the efforts of integrating standards and governance on IoT cyber risk and offers a better understanding of the IoT impact assessment for cyber risk.

Limitations and further research
The framework in this article is derived from case studies, supported with theoretical analysis of a limited set of frameworks, models, methodologies and high-tech strategies. The set selection was