Keywords

1 Introduction

The recent years have seen an increase in the number of smart devices that can connect to the Internet with ease. This paper focuses on the study of the Internet of Things abbreviated as IoT in the 21st century. With the ever-expanding population of IoT devices, the need to address their susceptible security becomes crucial and demanding.

The research on the Internet of Things (IoT) is an interesting subject because it is a common phenomena in today’s world. Almost everyone in the modern society has access to smart digital devices such as smart phones, smart TVs, smart watches, and smart technologically-driven cities among others. Furthermore, the sub-topics of legal policies and regulations surrounding IoT security is also interesting because the society needs to maintain their legal and moral standards in this digital age [17].

Previous literature shows that the availability and access to IP-enabled devices (IoT) continue increasing exponentially every year. Additionally, it shows that there is a need to address the susceptible security concerns that come alongside the IoT devices [30]. Our research highlights various policy regulations around the world that govern the use of the smart technologies. However, previous research conducted in the past provides limited information addressing the shortcomings of challenges associated with data analytics and policy regulations in improving the security of data and devices in the digital era.

Using a sample of the companies that use data analytics and selected IoT devices, it has been analyzed that there is a dire need to develop policy regulations and quantitative techniques to improve IoT security. There exist some challenges when formulating and implementing policies for improving the security of the IoT devices.

This research contributes to the literature in the field of Information and Communication Technology by showing that both data analytics and policy regulations play a critical role in the improvement of security across IoT devices. Future studies need to address the empirical analysis of all the existing guidelines relating to data analytics and privacy concerns around the world from 2017 to 2021Footnote 1.

The remainder of the paper is organized as follows. In Sect. 2, we describe the research methodology in detail. In Sect. 3, we introduce the wearable IoT and related devices. We emphasize security and privacy issues in IoT based on different types of attacks in Sect. 4. In Sect. 5, we provide a summary of this paper and conclude.

2 Research Methodology

We present a comprehensive review of published research on wearable Iot security and privacy issues. To operationalize this, we searched for published papers in international peer-reviewed journals or books in electronic bibliographical sources mainly by keywords or combination of keywords such as wearable Internet of Things (IoT), Radio Frequency Identification (RFID), wearable devices, security, privacy. We then expanded our search by using additional keywords obtained from the results of our initial search like electroactive fabrics, cyber-attack. This resulted in 40 papers after filtering by categories, topic relevance, time of publication, and contributions.

The distribution of papers across journals shows that the papers were mainly published in journals that cover interdisciplinary topics such as Decision Support Systems, European Journal of Information Systems, and Operations Research. The distribution of published papers across years 2001–2018 is shown in Fig. 1, indicating the increasing attention paid to this general area. To the best of our knowledge, this paper is the first of its kind to simultaneously review the security and privacy issues in wearable IoT from the technology and policy perspective.

3 Wearable IoT, Technology and Devices

‘Internet of Things’, commonly referred to as IoT, had its name coined in 1998 by Ashton of Procter & Gamble who described it to be a network of IP-enabled devices with the ability to connect and exchange data [1]. Ranging from everything “SMART” - smart homes, smart cars, smart watches, smart cities, IoT is assumed to consist of approximately 20.8 billion connected devices by the end of 2020Footnote 2. Subsequently, IoT devices that can be worn by individuals on their bodies are referred to as wearable devices, although it can go around by several names.

To put the vulnerability of IoT devices into perspective, recent years have seen dozens of medical devices potentially vulnerable to cyber-attack threats by researchers. Millions of smart-TVs are vulnerable to click fraud, bot-nets, data theft and even ransomware. In the world of smart cars, Fiat Chrysler recalled 1.4 million vehicles after researchers demonstrated a proof-of-concept attack where they managed to take control of the vehicle remotely. In the UK, attackers managed to hack key-less entry systems to steal cars. In retrospect and according to recent reports, it has been predicted that cyber-crime damage costs are estimated to hit a total of $6 trillion annually by 2021. Furthermore, cyber-security investment and spending are to exceed $1 trillion (see footnote 2) in the next years.

Fig. 1.
figure 1

Distribution of number of publications by year

Full size image

3.1 Wearable IoT

Wearable technology is often touted as one of the greatest applications of the IoT with good reason. Wearable technology has the potential to transform the way people live. So what is ‘Wearable Technology’ one may ask? Wearable technology, which goes around by several names such as ‘Wearable Electronics’, ‘Wearable Connected Devices’, ‘Wearable IoT (WIoT)’ or just simply as ‘Wearables’, includes small electronics devices that people can wear on their bodies with ease of comfort [36, 37]. In the broadest sense, any computer device that is carried with a person to assist them could conceivably be called a ‘Wearable’. In particular, glasses, jewelry, watches, head-bands, contact lenses and even clothing. Alternatively, one might also come across a more invasive form of this concept as in the case of implanted devices used to measure electrical activities from the body [38]. Coker (2015)Footnote 3 described few examples of Wearable IoT devices (some currently being developed) that can be implanted inside a human body (Table 1):

Table 1. Wearable IoT applications on human being
Full size table

Ultimately, whether a device is worn on or incorporated into the body, the purpose of wearable technology is to create constant, convenient, seamless, portable, and mostly hands-free access to electronics and computers [23].

The implications and uses of wearable technology are far-reaching and can influence the fields of health and medicine, fitness, aging, disabilities, education, transportation, enterprise, finance, gaming and music [32]. However, it is in the fields of health-care, medicine, and fitness where wearable technology potentially has its greatest influence. There are beliefs that wearable devices, over the next 10 years, will transform healthcare sector by [8] (Table 2):

Table 2. Benefits of wearable devices in healthcare
Full size table

The most successful wearable devices as of today are smart watches and health and fitness trackers [33, 35]. In fact, over 170 million units of wearable wrist-wear devices are forecast to be shipped in 2020. According to another forecast, sales of smart watches alone are going to reach 141 million units worldwide with Apple’s watchOS being the most used smart wrist wear operating system to be usedFootnote 4.

Wearable technology usages can be broadly categorized into two major categories as shown in Table 3Footnote 5:

The market for wearable technology looks promising as the number of connected Wearable devices worldwide is expected to grow from an estimate of 325 million in 2016 to over 830 million in 2020. A little over than 2.5 times in a span of only 4 years!

3.2 Devices to Enhance User Experience

Visitors of the Walt Disney World in the US can now encounter the MyMagic+ program. MyMagic+ incorporates a wearable MagicBand that uses a number of technologies, all designed to enhance the user’s experience and provide useful data to Disney. The MagicBand can connect to a number of systems in the theme park and can assist visitors to make reservations for rides electronically in order to avoid long waiting times using the MagicBand. They can also purchase on-site meals which can be electronically charged to their Disney Hotel room using this band. This largely improves user experience and in return the profits for the business. The MagicBand allows Disney to easily track the movements and actions of park visitors so that staff and services can be efficiently allocated to meet emerging needs.

Table 3. Two categories of wearable technology usages
Full size table

The Disney example depicts how powerful Wearables can be in a controlled space where number of variables are limited. Speaking of tracking movements, some companies are inventing Wearable Technology to track a companion animal’s movements and health, and even to track the activities of their infants and pre-schooling children. It is often debatable if one’s privacy is being compromised in exchange for an improved user experience or the ease of life [4].

3.3 Wearable Electroactive Fabrics and Bio-monitoring Devices

Some of wearable devices are capable of recording biomechanical variables from its users. The system included in the wearable device is able to record the vital signs and movement of its user. Research has made improvement in the development of smart textiles: devices that are capable of recording several human vital signs and wearable motion-capture systems. The use of those devices impacts important tool for promoting sustainable development and progress in different fields such as healthcare, ergonomics, art and sport [3, 24].

3.4 Self-tracking Technologies in the Workplace

Companies are willing to use wearable devices at the workplace, in order to increase the productivity by increasing the wellness and health of their employee, and also in order to measure and quantify their behavior and performanceFootnote 6. Wearable devices can take many forms such as armbands, badges, rings and smart watches, using Bluetooth, infrared sensors and accelerometers. In the workplaces’ use of these devices, companies store data on their employee regarding stress level, heart rate, physical activity and body temperature, altogether becoming great implication for the company due to the huge amount of data created per day and the privacy of the information [25]. The use of wearable devices is raising questions about legal, privacy and data protection issues. Because this ability of gathering data is new, it is also unregulated. But most important thing about insecurity comes from that employees, in this specific case, use their own devices at work: data security standards are not respected [29].

3.5 Wearable Medical Devices

Wearable medical devices, such as continuous health monitoring devices for individuals, have generated a vast quantity of data. There has been a proposition on an IoT architecture that intends to store and process the data for healthcare applications [14, 26]. More concretely, the architecture that has been proposed cover MetaFog-Redirection (MF-R) and Grouping & Choosing (GC). In this same proposition, logistic regression has been conducted based on prior records from a certain heart disease database and data retrieved from health sensors on patients. Based on this regression analysis a prediction model can be created that uses the current body sensor health data of blood pressure, heart rate and blood sugar level in order to predict the risk of heart disease.

Implanted medical Wearables have diversified uses too. Health professionals are adopting the cyber-implant technology among their patients in order to track diseases in real-time. These devices are fed and they retrieve health data directly into smart phones. An example of this is the ‘Bionic Pancreas’ which is used to monitor blood-sugar levels for diabetics (see footnote 3). Cyber-Pills with microprocessors are being developed by British Researchers which communicate directly from inside the body to a smart phone to help health specialists monitor the users regular medication intake and its possible side-effects.

Slender Smart Tattoos made of computer fibers are being used to track body functions and processes. Individuals can also use their fingers to unlock or enter codes with the aid of an NFC chip inserted into their fingertips using tattoo-like procedures.

4 Security and Privacy Issues in IoT

Our IoT world represents a danger to users because of high cyber-risk. Users are sharing highly personal information as in the example of home devices (alarms, clocks, lights, doors and garage openers). They can be extremely dangerous because the crucial information embedded and shared via IoT devices represents an attraction for hackers: since in every perfect IoT ecosystem, there is a danger in security [21]. Other sectors as media and telecom technologies are targeted by hackers and lead to a real combat against cyber-risks due to the high value of the data shared and created. The other industries that are prone to being hacked are healthcare and life sciences, infrastructures and smart cities, transports and urban mobility and finally industrial systems and sensors [39].

Company leaders try their best to take actions against threats and their impacts at three levels of an organization: they prevent and anticipate IoT related cyber-threats before they take hold; they monitor and neutralize threats that are already operating, and finally, they restore regular operations as soon as possible after treat.

Organizations need to find a balance between cyber-risk management and innovation. This means that the use of IoT and the increased use of information not only increase the possibilities of creating value for the organization, but they also increase the possibilities of cyber-risks. When data is overprotected, it hinders innovation and creation of values but at the same time, if data is left open and unprotected, this would leave the organization vulnerable to cyber-risks.

There are no global risk standards governing the IoT at the moment because of the novelty of IoT; however, it does not mean that organizations between them - public or private, share awareness and operate strategically and cooperatively to ensure the immense value of data. There is a danger of security breach because the shared responsibility does not always work. Saif voiced that IoT solutions need to be implemented in such a way that they blend organization-specific operational capabilities with multi-layered cyber-risk management techniques [21].

Li and Xu [13] envisaged IoT as a multilayer network and they call the intelligent tags and sensors the “sensing layer” which could be devices such as RFID tags, readers, WSNs, BLE devices that are acquiring the information of the devices and/or their immediate environment. In implementing the sensing layer, organizations will need to take diverse security threats and vulnerabilities into account; more specifically unauthorized access, selfish threats, spoofing attacks, malicious code, DoS, transmission threats and routing attack [28]. In order to secure users, the authors proposed some measures to mitigate security risks: (i) implementing security standard for IoT and ensuring that all devices are produced by meeting specific security standards; (ii) building a trustworthy data sensing system and reviewing the security of all devices; (iii) forensically identifying and tracing the source of users; (iv) and finally that software or firmware at IoT end-node should be securely designed.

Privacy Concerns Related to Big Data: The volume of data in the world is increasing drastically. By 2021, Big Data will be of worth $66.9 billion which increases concerns about privacy and security of the dataFootnote 7. Currently, the number of cyber-crime victims is increasing on a daily basis, and people are urging the government to undertake actions to fight against these threats in order to provide full trust in the utilizing and sharing of their data. For example, the more data is contained in a single source, the easier it is to be cyber-hacked. Companies need to accept the greater responsibilities for personal information they have on people and could use third-party providers to help them store their data in clouds and other areas [34].

4.1 Different Types of Cyber-Attacks on IoT

Distributed Denial of Service (DDoS) Attacks. Nowadays, technology enables industries to use IoT embedded into small devices, allowing the integration of physical things into an information network. IoT faces a lot of challenges due to its low power, low processing, and low memory because of its small-sized housing. A multitude of attacks can impact an IoT network and Denial of Service attacks (DoS) is known to be the most sought attacking method. An attack is referred to as ‘Distributed’ Denial of Service attack when the attack is diffused from different sources (DDoS) [22]. These attacks can block usage of the IoT device for the users and can drive network resources or consumption of the bandwidth to be unavailable or modified. For the healthy functionality of IoT, data needs to be confidential during its transmission; it needs to maintain its integrity because it should be the same, sent as received; it needs to be available for the users, and lastly, it needs to be authentic with the right identity claimed.

The five DDoS Attack types are respectively called the ‘UDP flood’, which leads to the inaccessibility of the target host resources; the ‘ICM/PING flood’, which leads to a significant overall system slowdown; the ‘SYN flood’ and the ‘Ping of Death’, both of which lead to a denial of service; and the ‘Zero-Day DDoS’, which cannot be described because it has never been seen before. DDoS attacks globally change the expected functionality of the IoT and can lead to several adverse impacts on the users.

IoT is vulnerable to DDoS attacks even from an architectural perspective. The architecture of IoT is divided into three layers called the Perception layer, which collects ubiquitous data from the physical environment; the Network layer, which processes the data; and the Application layer, which contains the business logic for the user. On each of those layers, different varieties of DDoS attacks can befall. On the Perception Layer, the main reader technology RFID can be hacked. It will be unable to communicate with the reader, or completely disabled. It could also lose its authentication capability and synchronization between the system and the tag. On the Network Layer, attacks can disrupt the authentication availability, fake replicate request instead of original ones, consume enormous amounts of the victim’s resources, and amplify the traffic for breakdown. On Application Layer, attacks can create infinite loopholes to disable the accessibility of network resource and create infinite waiting time for reply, along with communication paths that replay data packets or insert infected data packets [31].

Social Engineering. Social Engineering can be perceived as an act of manipulation of people through their personal information but more globally it is an art or a science of skilfully maneuvering human beings to take action in some aspects of their lives [7].

There are different types of social engineering which could be classified as friendly or malicious. The first type, which is the most malicious, is the Hackers. Because of the complexity of today’s software, hackers are turning towards social engineering skills, mixed with the use of hardware and personal skills. The second type is quite similar but represents the friendly approach: the Penetration Testers. These are individuals who are meant to follow and think like a hacker in order to disrupt the client’s security by mimicking actions that of a hacker. Spies, identity thieves, disgruntled employees, scam artists are considered as types of social engineering which can cause harm to other people. Executive recruiters, sales-people, governments, doctors, psychologists, and lawyers are also other types of social engineer, which are not meant to harm people.

The basic goal of malicious social engineering is the same as hacking in general: to gain unauthorized access to systems or information in order to commit fraud, network intrusion, industrial espionage, identity theft, or simply to disrupt the system or network [6]. The Internet boom has its share of industrial engineering attacks as in start-ups as well, but attacks generally focus on larger entities.

Man in the Middle (MITM) Attacks. This type of attack encompasses the concept of intercepting (read, insert and modify) legitimate communications between two separate users or IP-connected-systems by a middle agent - the hacker [5]. The hacker uses an amalgamation of Eavesdropping and Alteration techniques to create a web of deceit and tricks the two systems into thinking they are communicating with each other. In this scenario, the hacker has control of the original communication and transmits messages to the two separate nodes [10]. According to a Europol news reported in 2015, 49 suspects were arrested for performing MITM attacks to sniff out and intercept payment requests from emails. Investigations uncovered international fraud totaling 6 million eurosFootnote 8.

For the MITM attack to work, the hacker would need to find an unsecured or poorly secured WIFI router. Then he injects malware into the connected-device, which installs itself into the victim’s web-browser without the victim’s knowledge. This malware can then record and route all information being exchanged between the victim and specific targeted websites (e.g. financial institutions) to the hacker’s computer. According to the McAfee Threat Reports of 2014, MITM attacks comprise 66% of total Top Network Attacks [5]. The MITM method of cyber-attack is gaining popularity among cyber-thieves due to its ease of execution and its arduous nature of being detected as these attacks can be accomplished without any trails left behind for the breach.

In Meyer’s paper, ‘A man-in-the-middle attack on UMTS’ [16], he displayed a man-in-the-middle attack on the Universal Mobile Telecommunication Standard (UMTS), one of the recently developing 3G portable advances. The assault enabled an interloper to mimic a legitimate GSM base station to an UMTS supporter paying little respect to the way that UMTS confirmation and key understanding are utilized. Accordingly, a gatecrasher could listen stealthily on all versatile station-started traffic. Since the UMTS standard requires shared confirmation between the portable station and the system, so far UMTS systems were thought to be secured against man-in-the-middle assaults. The system confirmation characterized in the UMTS standard relies upon both the legitimacy of the validation token and the honesty insurance of the consequent security mode command. Meyer demonstrated that both of these instruments are essential keeping the end goal to keep a man-in-the-middle assault in mind. As an outcome he demonstrated that an assailant can mount a pantomime assault since GSM base stations do not bolster trustworthiness insurance and possible victims to the attack are all mobile stations that support the UTRAN and the GSM air interface simultaneously.

Data and Identity Theft. Today in the US alone, there are 25 connected IoT devices per 100 inhabitants. It is safe to say that people are prepared to accept any reality as long as it is presented to them in a digitalized manner. In addition, people readily accept information from smart devices as a fact of life. However, it is believed that the biggest threat to the success of IoT devices lies in ID theft-related crimes [40].

ID theft is the action of unauthorized use of personal information (which is stored and used in an array of digital forms) by another individual for various gains. These gains range from espionage, revenge, terrorism, illegal immigration or assuming a new identity to evade criminal charges. The nature of personal data are names, addresses social security numbers, date of birth, driver’s licenses, passport numbers, and financial data. Various frauds range from: fraudulent unemployment claims, fraudulent tax returns, fraudulent loans, home equity fraud and payment card fraud. Original users can also endure the burden of increased loan interest rates; they can suffer involuntary payment with credit card fraud, and they can be denied from utility services, civil suits or criminal investigation [20].

Nonetheless, whatever the underlying objective maybe, it all boils down to some sort of financial gain for the thief. Since IoT’s foundation is built on identity related services and (hence) any communication between devices is therefore based on the same identity, ID theft operated via a digital channel could easily be categorized as a cyber-crime. Vidalis and Angelopoulou propose a vulnerability assessment model that attempts to understand how an environment can be influenced by this type of attack. This can be established by the use of Vulnerability Trees to measure how the environment can be affected by the introduction of smart devices. This further can help in making appropriate and informed decisions in terms of management of such crimes. The user is known to constitute the biggest and least complex vulnerability of a system [27]. As a response to these breaches, governments all around the world have enhanced laws that require organizations to notify individuals when their own information has been hacked.

Recently, the European Union has launched the General Data Protection Regulation (GDPR) which will force companies to protect the personal information that they have on each individual. The policies’ goal is to protect natural persons with regard to the processing of personal data and on the free movement of such dataFootnote 9.

Botnets Attacks. Mobile botnet attacks are systems that are combined to distribute malware. They are used by criminals to exploit online-banking data and steal private information. The botnet operators control them via Command-and-Control-Servers. Mobile devices have their own constraints such as limited processing, less data storage capabilities and heterogeneity of operating systems (OS) (Android, Apple, Windows etc.), that restricts the security solutions to be programmed efficiently. Botnet is a network of compromised machines. The aim of botmaster is to disturb true blue administrations over the Internet or cheat private data. Botnets are advancing as a genuine danger towards focusing on cell phone gadgets. The motive of this attack is somewhat similar to that of traditional botnet attacks to access the assets, translate substance of portable client gadget and exchange control to the botnet initiator. In the long run, this programmer will probably perform pernicious and unapproved exercises including illicit telephone calls, ceasing control panel, sending emails, initialization of worm code and unauthorized file access or photos. ‘Andbot’ is a mobile bot, which utilizes URL transition and it is considered as a stealthy, minimal effort, and flexible bot, which utilizes botmaster for unlawful in mobile environment.

4.2 Three Main Types of Attacks on Wearable Devices

Wearables can fall victim to an array of security breaches. Marrington et al. broadly categorize these attacks into the categories below [15]:

Unauthorized Access to Wearable Devices. This is the classic case of the Sinkhole Attack where unauthorized users gain illegal access to the wearer’s wearable device adversely affecting their privacy. The concept of this attack requires a base station (e.g. a health monitoring application on a user’s smart phone that is connected to the operating system of the fitness tracking device worn by the user) and a Wireless Sensor Network (WSN). The small nodes that make up a WSN sense and send data to the base station. In the Sinkhole Attack, the hacker infiltrates a node(s) (preferably one that is closer to the base station, rather than all the nodes in the network), which causes the compromised node to attract all traffic from its neighboring nodes using fake routing information [11]. All packets of data then pass through the infiltrated node before reaching the base. This hinders the base station’s ability to receive complete and unaltered data.

This can have adverse effects on people and organizations who work with health-related wearable devices. Hospitals and other medical institutions rely on wearables to collect patient’s health information and track their behavioral habits; compromised medical data can jeopardize the wearer’s physical safety.

Attacking the Wearable Device Availability. All wearable devices depend on inbuilt battery-packs for their sustainability and operation. This dependency gives rise to the possibility of the Denial Of Service (DoS) attacks. As mentioned above, this type of attack encapsulates the concept wherein the Wearables’ OS is overwhelmed by malicious requests brought on by the attacker. This ultimately results in system crashes and draining the device’s battery.

FitBit allows users to automatically upload its data to the user’s online social networking account on a daily basis. This enables hackers to intercept data reported by FitBit to launch the DoS attack. To prove this, Rahman et al. [18] have built FiteBite which is a suite of tools that exploits vulnerabilities in the FitBit. The FitBit authorizes the dummy hacker to continuously query the victim FitBit (initially once every 15 min and subsequently on an average of 4 times per minute) in its vicinity, hence draining the FitBit’s battery at an alarmingly fast rate. In order to avoid suspicions, the FiteBit uploaded the victim FitBit’s data into the web server once every 15 min. Rahman et al. concluded via their experiment, that during the attack-free mode, the victim FitBit’s battery lasted for 29 days. In the 15 min upload mode, the battery lasted for 7 days and 18 h whereas, in the attack mode, the battery lasted for only 32.71 h (just a little over 1 day). This summarized that FitBit drained its battery 21 times faster prior to the Battery-Draining-Denial-of-Service Attack on the test.

False Data Injection on Wearables. A false data injection attack implies that data contained, and transmitted by a wearable device is forged [15]. In these attacks, the hacker may target Internet traffic as a point of attack. Wearable devices are made to transmit data to a central database using Internet protocols. In the case of transmission over the Internet attacks, the hacker modifies data transmitted over the Internet protocols and injects modified data, which eventually reflects on the target website [19].

Another exploitation of weak communication channels relates to attacks carried over Bluetooth protocols. In some instances, the hacker may also target data transmitted over WIFI protocols. The attacker can pair a device to the wearable one and avoid authentication in subsequent pairings when using Bluetooth and WIFI technologies [2]. Such a system can act as a conduit for the attacker to overwrite information transmitted between the wearable device and the target recipient, which he subsequently uses to inject false data.

Physical attacks can also facilitate data injection in wearable devices. In physical attacks, the hacker records data that has not been performed by the legitimate owner of the wearable device. In such cases, the wearable device records fabricated facts on the memory component of the device [12].

Hackers can also exploit vulnerabilities in application functions. For example, the failure of a developer to use HTTPS for application functions creates a vulnerable point for hackers to exploit. It was noted that the author fails to verify data contained in HTTPS POST requests, which are often used to upload data over the internet [9].

5 Conclusion

The accelerating emergence of IoT devices has resulted in a vast quantity of sensitive data entering the digital sphere. Thus, all this data are subjected to the risk of unwarranted infringements. Organizations are more likely to identify security incident earlier if they utilize big data cyber-security data analytics. However, due to the volume of abundant data that needs to be analyzed it is still highly challenging. Hence, this requires the usage of analytics solutions that can scale to the huge storage, memory and computation requirements.

Machine learning applied to security data and user behavioral analytic (UBA) are presented as the most promising methods of data analytics. Together with these technologies, measures should also be taken to have access to skilled labor to conduct statistical analysis to get valuable insights. However, there are a lack of people who can perform advanced degree analytics. A key approach for organizations and firms to improve detection of security threats is to utilize readily available frameworks such as Apache Hadoop and inexpensive hardware, which enable the user to collect, store and analyze huge amounts of security data across the whole enterprise in real time.

If the current frontier of cyber-security is predictive analytics, the next one involves automated actions. Often organizations want to investigate problems identified by analytics before taking corrective action, which means that the most effective cyber-security environments will be complex hybrids of human and machine intelligence. The combination of automated and analytics-driven alerts and human interventions will be extremely important for effective security.

Current worldwide policies and regulations related to IoT devices and data protection are insufficient. So far, worldwide organizations are using some guidelines, e.g. the OECD guidelines on the Protection of Privacy and Trans-Border Flows of personal Data or the guidelines of the association Online Trust Alliance. The Federal Trade Commission and the Department for Homeland Security in the United States have also only given non-binding guidelines that cover IoT devices and associated data. In the EU, the General Data Protection Regulation (2016/679) will enforce regulations to device manufacturers and provide a wider data protection for the consumer starting in 2018. A similar forcing regulation is necessary in United States, which is a major and international actor in data creation. This legal discrepancy needs to be eliminated since legal problems can arise when data about a person or entity is transmitted through different jurisdictions with dissimilar data protection laws. The discrepancies on the practices of how to respect security and data protection between organizations, within the same country, also need to be eradicated.