Security Requirements Engineering in medical IoT: comparing literature and developers’ practices

Master Thesis (2017)
Author(s)

A.A. Guerra Veloz (TU Delft - Technology, Policy and Management)

Contributor(s)

W. Pieters – Mentor

GA de Reuver – Graduation committee member

S. Roeser – Graduation committee member

L.V.E. Fichtner – Graduation committee member

Faculty
Technology, Policy and Management
Copyright
© 2017 Ana Guerra Veloz
Publication Year
2017
Language
English
Graduation Date
24-08-2017
Awarding Institution
Delft University of Technology
Programme
Management of Technology (MoT)
Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Abstract

In the Internet of Things paradigm, everyday objects communicate with each other to form a worldwide dynamic network which provides opportunities for innovative services and applications in almost every field. Nevertheless, such a dynamic network also brings serious security issues to users, society, and even to the internet. Things that lack basic security requirements turn out to be an attractive target for hackers and a doorway into the information technologies’ infrastructure and personal data. To reduce the impact of security failures and take advantage of the growing opportunities that the IoT brings to users and businesses, a secure development of the IoT must be encouraged. A secure system development can be achieved by disseminating knowledge of security and development among academia and industry. However, it seems that there is a gap between developers’ management of requirements and security requirements frameworks and methods. Based on a qualitative study, we collect data on developers’ practices to handle security requirements of IoT medical applications, and the context of development. Developers’ practices to manage security requirements are compared with recommended practices of the security requirements engineering field. In addition, factors that influence developers’ practices are identified. The results show that small companies do not have a distinctive process to handle security requirements. Moreover, practices, as described by the field of security requirements engineering, are partially adopted. Differences occur because of incorrect assumptions regarding developers’ motivations to address security, methods that do not match development approaches, and the dynamic nature of security. This research contributes to the security field by providing insights into developers’ perceptions and practices for handling security requirements during the development of IoT medical applications.

Files

Thesis_Final_Version_Ana_Guerr... (pdf)
(pdf | 2.17 Mb)
- Embargo expired in 24-08-2017
License info not available