The information age, created by the rapid advancement of information and communications technology (ICT) and the widespread adoption of wireless technologies, has presented an exciting new capability for both humans and diverse applications to extend the interconnectivity through the new dimension of “things” communication and integration [21]. Cisco predicts that by 2020, 50 billion things will be connected to the Internet via Internet of Things (IoT) technologies, generating revenues in excess of $19 trillion for industries worldwide [32].

As defined by Shin [42], IoT is a global network infrastructure, linking physical and virtual objects through the exploitation of data and communication capabilities that involves a high degree of autonomous data capture, event transfer, network connectivity, and interoperability. IoT is becoming increasingly omnipresent at the service level, allowing people and things to be connected anytime, anyplace, with anything and anyone, ideally using Any path/network and Any service [21]. As IoT proliferates throughout hyper-connected society, significant opportunities in a variety of industries and services, including healthcare, home network (e.g., smart home), urban planning, energy (e.g., smart grid), and agriculture, will be created using this new technology. Indeed, its powerful and potentially disruptive impact will be felt across all industries and all areas of society [28].

Combined with preeminent technologies such as big data, social media, and cloud, the interconnected “things” (e.g., sensors and smart mobile) monitor and collect nearly all kinds of data from any event or process in order to provide advanced and intelligent services for hyper-connected society [57]. However, as with many new technologies, there are several challenges when it comes to achieving success in IoT adoption. Two of the biggest concerns for manufacturers, developers, service providers, and end-users are security and privacy [38, 55].

From a technical perspective, increased accessibility and a simplified procedure for accessing the network means an environment that is rather susceptible to security threats, such as spoofing, tampering, repudiation, information disclosure, denial of service (DoS), and elevation of privilege, which undermine data confidentiality and user privacy [35, 54]. In fact, the ubiquitousness of wireless channels and media for exchanging data in real-time increases the risk of violation from remote access capabilities, which potentially expose the system to eavesdropping and masking attacks [31].

Because IoT not only deals with huge amounts of sensitive data but also has the power to influence both the physical and virtual environment with its control abilities, securing the network and system and protecting user privacy must be considered as the top priority [1]. Although security research has been extensively addressed within the information systems (IS) discipline, there is a great need for a deeper understanding of how to achieve security in the IoT environment. Moreover, although strategic decisions regarding security depend on the fundamental question of how to allocate security resources within the key security requirements and their elements [45], a limited number of studies discuss specifically how to evaluate and make decisions regarding IoT security strategy. Therefore, the main purpose of this research is to investigate key security requirements in IoT architecture and to introduce a security assessment framework for IoT service.

Assessing the various aspects and requirements of IS (e.g., IoT) security is a complex process, as it involves both objective and subjective conditions of information, qualitative assessments on the effect, and the consideration of multiple and conflicting criteria. This multidimensional nature of IoT security assessment justifies the use of multi-criteria decision-making (MCDM) methods in which the criteria being considered can be both qualitative and quantitative and usually involve different units of measurement [47, 49].

In this study, an integrated fuzzy MCDM (FMCDM) approach has been applied to propose a general security assessment framework for IoT service. The integrated method uses an analytic network process (ANP) in combination with the decision-making trial and evaluation laboratory (DEMATEL) technique under fuzzy set theory in order to increase the sensitivity of interrelationships among diverse security requirements.

First, the fuzzy DEMATEL is applied to derive cause-and-effect interrelationships between the criteria of IoT security requirements. Then, based on the information gained from the fuzzy DEMATEL, fuzzy ANP is implemented to calculate the weight of each security requirement and, finally, to introduce the security assessment framework for IoT service. The main contribution of this research lies in the fact that it will provide practitioners and researchers with implications on how to design security-related IoT services.

The remainder of this paper is organized as follows: Sect. 2 provides a review of the literature regarding the basic concept of IoT and its architectures. A hybrid FMCDM model integrating DEMATEL and ANP with fuzzy set theory is introduced in Sect. 3. An empirical analysis is illustrated in Sect. 4. The last section presents conclusions.

1 Security requirements for IoT service

In this section, to derive the security criteria to be considered in the overall security assessment framework for the IoT service environment, we review key concepts about the security mechanisms and requirements used to address security considerations in IoT architecture.

Table 1 Conventional security requirements for the IoT environment

Security and privacy are critical to the safe and reliable operation of IoT service. The number of things connected to the network for IoT service is increasing rapidly, which raises a significant security risk to users and service providers. IoT presents a variety of potential security risks that can be exploited to harm both the system operation and user device by (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Perceived risks to privacy and security among users, even if not realized, would seriously undermine confidence in the ability of these technologies to meet their full potential, and may constrain the widespread adoption of the technology itself [17]. Thus, in order for IoT services to be beneficial to industry and end-users, data and service security is a basic requirement.

If system-level security (e.g., confidentiality, integrity, authenticity, and privacy of user data) is not ensured, IoT applications will not be adopted on a large scale by the relevant stakeholders [31]. One of the main security challenges comes from a distinct feature of IoT: (device) heterogeneity. IoT aims to interconnect a vast amount of heterogeneous devices (e.g., sensors, RFID, and smart mobile) to provide advanced applications in various fields. This high level of heterogeneity provides a great potential to influence the network and protocol security [31, 38]. Furthermore, as identified by Europol [15] in 2014: “With more objects being connected to the Internet and the creation of new types of critical infrastructure, we can expect to see (more) targeted attacks on existing and emerging infrastructures, including new forms of blackmailing and extortion schemes (e.g., ransomware for smart cars or smart homes), data theft, physical injury and possible death, and new types of botnets.” In other words, the more chances there are to access the network, the more vulnerabilities there are to exploit [15, 26].

The inherent complexity of IoT, where thousands of entities are scattered throughout various contexts and applications, further complicates the design of scalable security mechanisms [38]. IoT needs to be built in a way that ensures easy and safe user control. For users to fully embrace the application and enjoy its potential benefits, they must be confident that it poses no major risks to their security and privacy [19].

Although the literature on security-related topics in the IoT environment is still in its infancy, there is a substantial body of work that investigates the security considerations that are critical to fulfilling the security requirements of IoT applications [2, 4, 12, 22, 33, 37]. Most research agrees that all common aspects of information security requirements (e.g., the CIA triad) must be considered from the initial stage of IoT system design and development. The conventional security requirements for the IoT environment are described in Table 1.

For this study, we have carefully reviewed the above-mentioned features and functions as well as many other security requirements and solutions. Of course, all of these security requirements are critical for reliable and safe service operations. However, due to the constraints of devices, network congestion, system interoperability and so forth, strategic approaches to designing and allocating these security resources are necessary [43]. Whereas desktop PCs benefit from many add-on security features that increase safety, IoT applications usually use tiny sensors or mobile devices that have low computing capacity and battery constraints. For this reason, it is necessary to make choices among the security requirements and decide how to allocate those security resources. For these strategic decisions, we first group the security requirements into four logical security components (criteria) based on their functionalities and service architecture. Figure 1 illustrates the security criteria and their sub-criteria to be considered in the IoT service environment.

Fig. 1 Security criteria to be considered in IoT service

2 A hybrid MCDM approach to a security assessment framework for IoT service

This study proposes a security assessment framework for IoT service based on a hybrid MCDM model that integrates fuzzy DEMATEL and fuzzy ANP. The general overview of the proposed model and analysis flow is shown in Fig. 2.

Fig. 2 A proposed hybrid MCDM model and research flow

2.1 Fuzzy set theory and fuzzy numbers

Fuzzy set theory, introduced by Zadeh [62], is a mathematical method used to explain uncertainty in events or systems where uncertainty arises due to imprecision in the decision process [5]. The imprecision may be from unquantifiable or immeasurable information, inaccessible or incomplete data, or partial ignorance. In many processes of evaluation, judgement, and decision making, natural human languages and linguistic variables are employed to articulate subjective perceptions, and the linguistic terms used might not have a clear and well-defined meaning [46]. When such a linguistic term is applied as a label, the boundaries of the set to which objects do or do not belong will become fuzzy. To better cope with this problem and make more precise judgement, fuzzy logics and fuzzy numbers are applied in order to help linguistic variables be expressed appropriately [27]. When applying fuzzy logic, a linguistic variable can be represented by a fuzzy number assigned to a membership function [47].

Since its initial introduction, fuzzy set theory has proved to be very useful for modelling the kind of uncertainty associated with vagueness in various research fields [27]. Fuzzy logic is useful for modeling linguistic evaluations as it allows for capturing imprecisions, which are interpreted as a form of vagueness [46]. Many uncertain influencers and factors affect security problems. Moreover, in many cases of decisions regarding security strategy, judgements on determining the risk value, risk probability of occurrence of security attack, or the consequence of occurrence of security threat are conducted according to the decision maker’s experiences. This implies that substantial level of subjectivity is involved; accordingly, it would be very appropriate to apply the fuzzy concept in this problem [59].

Among fuzzy numbers, triangular fuzzy numbers (TFN) have been identified as useful in quantifying the uncertainty in decision making because of their intuitive appeal, efficiency, and simplicity in computation [20, 23].

A TFN is shown in Fig. 3. The TFN is denoted simply as \((l, m, u)\). The parameters l, m, and u, respectively, denote the smallest possible value, the most promising value, and the largest possible value that describe a fuzzy event. Each TFN has linear representations on its left and right side such that its membership function can be defined as follows:

$$\mu_A(x)=\begin{cases}(x-l)/(m-l), & l\le x\le m\\ (u-x)/(u-m), & m\le x\le u\\ 0, & \text{otherwise}\end{cases}$$
(1)
Fig. 3 Triangular fuzzy number

The operational principles for TFNs of two fuzzy numbers \( \tilde{A}_1 =\left( {l_1,m_1,u_1 } \right) \) and \(\tilde{A}_2=\left( {l_2,m_2,u_2 } \right) \) are shown in Eq. (2) [44, 46]:

(2)

In our approach, the linguistic variables referring to the importance of the criteria and the ratings of the alternatives are made based on a 5-point scale, as shown in Fig. 4 and Table 2.

Fig. 4 A fuzzy membership function for linguistic variables

Table 2 Fuzzy linguistic variables

2.2 Fuzzy DEMATEL

DEMATEL, which originated from the Geneva Research Centre of the Battelle Memorial Institute, is a comprehensive technique for building and analyzing a structural model involving cause and effect interrelationships between complex criteria [18, 52]. DEMATEL helps to analyze the influential status and strength between the factors and criteria, and converts them into an explicit structural mode of a system. DEMATEL has been utilized in numerous contexts as a practical tool [7, 25, 48, 56, 59, 60].

DEMATEL has been proven as a useful method to solve complicated MCDM problems. However, in many MCDM cases, human judgments and preferences are difficult to express in crisp values due to the fuzziness [56, 60]. Thus, to address this problem, we applied fuzzy theory to the DEMATEL in order to quantify the qualitative judgments on the interrelationships among security criteria.

The equations and calculation procedures for applying fuzzy DEMATEL are described below [7, 10, 46]:

2.2.1 Step 1: construct (initial) fuzzy direct-relation matrix

Experts make pairwise comparisons of the criteria in terms of the direction and strength of influence, which yields the fuzzy direct-relation matrix \(\tilde{A}\), whose TFN element \(\tilde{a}_{ij} =\left( {l_{ij},m_{ij},u_{ij} } \right) \) represents the degree to which element i affects element j.

2.2.2 Step 2: acquire fuzzy normalized direct-relation matrix

Establish the normalized fuzzy direct-relation matrix \(\tilde{X}\), obtained from matrix \(\tilde{A}\) by using Eq. (3):

$$\tilde{X}=s\times\tilde{A},\quad\text{where } s=1\Big/\max_{1\le i\le n}\sum_{j=1}^{n}u_{ij}\ \text{ and }\ \tilde{a}_{ij}=\left(l_{ij},m_{ij},u_{ij}\right).$$
(3)

2.2.3 Step 3: acquire fuzzy total-relation matrix

After establishing the normalized direct-relation matrix \(\tilde{X}\), the fuzzy total-relation matrix \(\tilde{T}\) can be established using the following equations, in which I is denoted as the identity matrix.

Let \(\tilde{x}_{ij} =\left( {l_{ij},\;m_{ij},\;u_{ij}} \right) \) be the element of matrix \(\tilde{X}\). It is necessary to define three crisp matrices, whose elements are extracted from \(\tilde{X}\) as shown in Eqs. (4) and (5) [46]:

$$X_l=\begin{bmatrix}0&l_{12}&\cdots&l_{1n}\\ l_{21}&0&\cdots&l_{2n}\\ \vdots&\vdots&\ddots&\vdots\\ l_{n1}&l_{n2}&\cdots&0\end{bmatrix},\quad X_m=\begin{bmatrix}0&m_{12}&\cdots&m_{1n}\\ m_{21}&0&\cdots&m_{2n}\\ \vdots&\vdots&\ddots&\vdots\\ m_{n1}&m_{n2}&\cdots&0\end{bmatrix},\quad X_u=\begin{bmatrix}0&u_{12}&\cdots&u_{1n}\\ u_{21}&0&\cdots&u_{2n}\\ \vdots&\vdots&\ddots&\vdots\\ u_{n1}&u_{n2}&\cdots&0\end{bmatrix}$$
(4)

As in the crisp case, we define the fuzzy total-relation matrix \(\tilde{T}\) by the following equation:

$$\begin{aligned}\tilde{T}&=\tilde{X}+\tilde{X}^{2}+\cdots+\tilde{X}^{k}=\tilde{X}\left(I+\tilde{X}+\tilde{X}^{2}+\cdots+\tilde{X}^{k-1}\right)\\&=\tilde{X}\left(I+\tilde{X}+\tilde{X}^{2}+\cdots+\tilde{X}^{k-1}\right)\left(I-\tilde{X}\right)\left(I-\tilde{X}\right)^{-1}\\&=\tilde{X}\left(I-\tilde{X}\right)^{-1},\quad\text{when }\lim_{k\rightarrow\infty}\tilde{X}^{k}=\left[0\right]_{n\times n}\end{aligned}$$
(5)

Here, if \(\tilde{T}=\begin{bmatrix}\tilde{t}_{11}&\tilde{t}_{12}&\cdots&\tilde{t}_{1n}\\ \tilde{t}_{21}&\tilde{t}_{22}&\cdots&\tilde{t}_{2n}\\ \vdots&\vdots&\ddots&\vdots\\ \tilde{t}_{n1}&\tilde{t}_{n2}&\cdots&\tilde{t}_{nn}\end{bmatrix}\) and \(\tilde{t}_{ij}=\left(l''_{ij},m''_{ij},u''_{ij}\right)\), then

$$\begin{aligned}&\text{Matrix}\;\left(l''_{ij}\right)=X_l\left(I-X_l\right)^{-1}\\&\text{Matrix}\;\left(m''_{ij}\right)=X_m\left(I-X_m\right)^{-1}\\&\text{Matrix}\;\left(u''_{ij}\right)=X_u\left(I-X_u\right)^{-1}\end{aligned}$$

2.2.4 Step 4: obtain inner dependence matrix, and obtain network relation map

In order to obtain the values of inner dependence between elements within the same cluster, elements of matrix \(\tilde{T}\) are defuzzified based on the following Eq. (6) [60]:

$$dF_{ij}=\frac{\left(u_{ij}-l_{ij}\right)+\left(m_{ij}-l_{ij}\right)}{3}+l_{ij}$$
(6)

The sum of rows and the sum of columns is represented as vectors d and r, respectively, in the total influence matrix T, as in Eq. (7):

$$\begin{aligned}&T=\left[t_{ij}\right],\quad i,j\in\left\{1,2,\ldots,n\right\}\\&d=\left(d_i\right)_{n\times1}=\Big[\sum_{j=1}^{n}t_{ij}\Big]_{n\times1};\quad r=\left(r_j\right)'_{n\times1}=\Big[\sum_{i=1}^{n}t_{ij}\Big]'_{n\times1}\end{aligned}$$
(7)

\(d + r\) represents the degree of importance (effect) that the criterion plays in the entire system, with a higher value signifying a greater effect. \(d - r\) represents the causal relations among the criteria, with a higher value indicating that the criteria are the causes of other criteria, and a lower one indicating that they are the results of other criteria [59]. The network relation map (NRM) can be acquired by mapping the dataset of (d + r, d - r) where the horizontal axis is \(d + r\) and the vertical axis is \(d - r\). In practice, to reduce the complexity of the NRM, the decision maker sets a threshold value for the influence level to filter out minor effects. When the threshold value and the relative NRM have been decided, the NRM can be drawn accordingly [52].
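Steps 1 to 4 above, as an added worked example in Python (this is not code from the paper). It runs the procedure on a constructed three-criterion fuzzy direct-relation matrix, using an assumed five-point TFN scale as a stand-in for Table 2, which this page does not reproduce, and it also implements the membership function of Eq. (1) from Sect. 2.1. The criteria C1 to C3 and their judgements are hypothetical; pure Python is used so that the matrix inverse of Eq. (5) is visible rather than hidden in a library call.

```python
"""Fuzzy DEMATEL walk-through: Eq. (1) membership and Steps 1-4 (Eqs. 3-7).

Added example, not code from the paper. Assumptions: the linguistic-to-TFN scale
below stands in for the paper's Table 2 (not reproduced on this page), and the
three-criterion judgements are constructed, not the experts' data.
"""
from typing import Dict, List, Tuple

TFN = Tuple[float, float, float]   # (l, m, u): smallest, most promising, largest value
Matrix = List[List[float]]

# Assumed five-point scale (stand-in for Table 2); the diagonal uses (0, 0, 0).
SCALE: Dict[str, TFN] = {
    "no": (0.0, 0.0, 0.25), "low": (0.0, 0.25, 0.5), "medium": (0.25, 0.5, 0.75),
    "high": (0.5, 0.75, 1.0), "very high": (0.75, 1.0, 1.0),
}
ZERO: TFN = (0.0, 0.0, 0.0)

# Constructed Step 1 input for hypothetical criteria C1..C3: a[i][j] is how much i affects j.
SAMPLE_A: List[List[TFN]] = [
    [ZERO, SCALE["high"], SCALE["medium"]],
    [SCALE["low"], ZERO, SCALE["high"]],
    [SCALE["medium"], SCALE["low"], ZERO],
]


def membership(t: TFN, x: float) -> float:
    """Eq. (1): triangular membership of x in t; a flat side (l == m or m == u) counts as full membership."""
    l, m, u = t
    if l <= x <= m:
        return 1.0 if m == l else (x - l) / (m - l)
    if m <= x <= u:
        return 1.0 if u == m else (u - x) / (u - m)
    return 0.0


def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))] for i in range(len(a))]


def mat_inv(a: Matrix) -> Matrix:
    """Gauss-Jordan inverse with partial pivoting; raises if the matrix is singular."""
    n = len(a)
    aug = [row[:] + [1.0 if i == j else 0.0 for j in range(n)] for i, row in enumerate(a)]
    for c in range(n):
        p = max(range(c, n), key=lambda r: abs(aug[r][c]))
        if abs(aug[p][c]) < 1e-12:
            raise ValueError("singular matrix: (I - X) has no inverse, so X + X^2 + ... does not converge")
        aug[c], aug[p] = aug[p], aug[c]
        pivot = aug[c][c]
        aug[c] = [v / pivot for v in aug[c]]
        for r in range(n):
            f = aug[r][c]
            if r != c and f:
                aug[r] = [rv - f * cv for rv, cv in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]


def normalize(a: List[List[TFN]]) -> Tuple[Matrix, Matrix, Matrix]:
    """Eqs. (3)-(4): s = 1 / max_i sum_j u_ij, applied to all three components; returns X_l, X_m, X_u."""
    n = len(a)
    s = 1.0 / max(sum(a[i][j][2] for j in range(n)) for i in range(n))

    def scaled(c: int) -> Matrix:
        return [[s * a[i][j][c] for j in range(n)] for i in range(n)]
    return scaled(0), scaled(1), scaled(2)


def total_relation(x: Matrix) -> Matrix:
    """Eq. (5): T = X (I - X)^-1, the closed form of X + X^2 + ... + X^k when X^k -> 0."""
    n = len(x)
    i_minus_x = [[(1.0 if i == j else 0.0) - x[i][j] for j in range(n)] for i in range(n)]
    return mat_mul(x, mat_inv(i_minus_x))


def defuzzify(l: float, m: float, u: float) -> float:
    """Eq. (6): dF = ((u - l) + (m - l)) / 3 + l, which is the centroid (l + m + u) / 3."""
    return ((u - l) + (m - l)) / 3.0 + l


def fuzzy_dematel(a: List[List[TFN]]) -> Dict[str, list]:
    """Steps 2-4: crisp total-relation matrix T with d, r, d+r (prominence) and d-r (net cause/effect), Eq. (7)."""
    n = len(a)
    t_l, t_m, t_u = (total_relation(x) for x in normalize(a))
    t = [[defuzzify(t_l[i][j], t_m[i][j], t_u[i][j]) for j in range(n)] for i in range(n)]
    d = [sum(t[i][j] for j in range(n)) for i in range(n)]   # row sums: influence given by i
    r = [sum(t[i][j] for i in range(n)) for j in range(n)]   # column sums: influence received by j
    return {"T": t, "d": d, "r": r,
            "d+r": [di + ri for di, ri in zip(d, r)],
            "d-r": [di - ri for di, ri in zip(d, r)]}


def nrm_edges(t: Matrix, threshold: float) -> List[Tuple[int, int]]:
    """Step 4: the i -> j arrows kept in the network relation map (influences below the threshold are dropped)."""
    n = len(t)
    return sorted((i, j) for i in range(n) for j in range(n) if i != j and t[i][j] >= threshold)


if __name__ == "__main__":
    res = fuzzy_dematel(SAMPLE_A)
    for i, name in enumerate(("C1", "C2", "C3")):
        role = "cause" if res["d-r"][i] > 0 else "effect"
        print(f"{name}: d+r = {res['d+r'][i]:.3f}, d-r = {res['d-r'][i]:+.3f} ({role})")
    print("NRM arrows at threshold 0.6:", nrm_edges(res["T"], 0.6))
```

Two points the code makes explicit: Eq. (6) is just the centroid of the TFN, and Eq. (5) is only valid when the powers of each crisp matrix vanish, which is why `mat_inv` refuses a singular \(I - X\) instead of returning a meaningless total-relation matrix. The threshold passed to `nrm_edges` is the decision maker's filter from Step 4; lowering it adds arrows to the NRM, raising it removes them.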

2.3 Fuzzy ANP

Saaty proposed ANP as a new MCDM method to overcome the problems of interdependence and feedback among criteria and alternatives in decision-making processes through a “supermatrix” approach [39, 40]. The ANP is a general form of the analytic hierarchy process (AHP), which extends the hierarchy relation of MCDM to a network structure [35]. ANP imposes a network that replaces the single-direction relationships of AHP with dependence and feedback [39]. ANP uses ratio scale measurements based on pairwise comparisons, and models a decision problem using a systems-with-feedback approach. By pairwise comparisons, ANP derives weights and priorities of criteria based on relative importance and reaches its final goal through judgement of alternatives. Using a supermatrix approach, ANP synthesizes the outcome of dependence and feedback within and between clusters of elements (criteria) [58]. Figure 5 shows the supermatrix representation of a hierarchy with four levels. The vector \(W_{21} \) represents the impact of the goal on the factors, the vector \(W_{32} \) represents the impact of the factors on each of the sub-factors, the vector \(W_{43} \) represents the impact of the sub-factors on each of the alternatives, and I is the identity matrix. However, the influence of alternatives on sub-factors, the influence of sub-factors on upper-level factors, and the influence of factors on the decision goal can also be evaluated, since the difference between AHP and ANP lies in the fact that ANP imposes an interrelation among factors and sub-factors by allowing dependence and feedback.

Fig. 5 Decision hierarchy in supermatrix

As indicated in the previous section, human judgments on preferences are often unclear and hard to estimate using exact numerical values. However, qualitative judgement is needed in order to evaluate relative importance among various security requirements. Thus, the use of fuzzy logic is justified in evaluating the security assessment of the IoT, as it mitigates the problems of vagueness and imprecision.

Furthermore, a hybrid MCDM combining ANP and DEMATEL to solve the dependence and feedback problems has been successfully used in various fields [3, 7, 9, 46, 52, 59, 60]. In traditional ANP approaches, each criterion in a column is divided by the number of clusters (upper level criteria) so that each column adds up to unity, which implies that each cluster has the same weight. However, in the real world, there are different degrees of influence among the clusters of factors and criteria. Thus, the assumption of equal weights for each cluster to obtain the weighted supermatrix is unrealistic and needs to be improved. This study uses the results from DEMATEL to improve the normalization process in ANP. Here, DEMATEL is used not only to construct the interrelations between factors/criteria in building an NRM but also to improve the overall normalization process of ANP [58].

Equations and calculation steps of fuzzy ANP are described below [7]:

2.3.1 Step 1: construct fuzzy pairwise comparison matrix

Based on pairwise comparisons, the fuzzy comparison matrix \(\tilde{A}'\) is constructed as:

$$\tilde{A}'=\begin{bmatrix}\tilde{a}'_{11}&\tilde{a}'_{12}&\cdots&\tilde{a}'_{1n}\\ \tilde{a}'_{21}&\tilde{a}'_{22}&\cdots&\tilde{a}'_{2n}\\ \vdots&\vdots&\ddots&\vdots\\ \tilde{a}'_{n1}&\tilde{a}'_{n2}&\cdots&\tilde{a}'_{nn}\end{bmatrix},$$

where \(\tilde{a}'_{ij}=\left(l'_{ij},m'_{ij},u'_{ij}\right)\) is a TFN indicating the importance among the compared criteria (importance of i over j), and \(i,j=1,2,\ldots,n\).

2.3.2 Step 2: calculate weights of criteria

Using priority vectors from each pairwise comparison matrix, complete the various supermatrix submatrices. Estimate the triangular fuzzy priorities \(\tilde{W}_k\), where \(k=1,2,\ldots,n\), from the judgment matrix.

There are many fuzzy AHP methods for calculating weights to be used in the supermatrix of fuzzy ANP, as proposed by various researchers [6, 8, 11, 14, 24, 29, 53]. These methods are systematic approaches to the alternative selection and justification problem using the concepts of fuzzy set theory and hierarchical structure analysis [52, 61].

In this study, the logarithmic least-squares method, as shown in Eq. (8), is used for calculating the overall weights of criteria [34, 36, 50, 51]:

$$\begin{aligned}&\tilde{W}_k=\left(w_k^l,w_k^m,w_k^u\right),\quad k=1,2,\ldots,n\\&\text{where}\;w_k^s=\frac{\Big(\prod_{j=1}^{n}a_{kj}^{s}\Big)^{1/n}}{\sum_{i=1}^{n}\Big(\prod_{j=1}^{n}a_{ij}^{m}\Big)^{1/n}},\quad s\in\left\{l,m,u\right\}\\&\text{for}\;0<\alpha\le1\;\text{and all}\;i,j=1,2,\ldots,n.\end{aligned}$$
(8)

2.3.3 Step 3: consistency test

In order to control the result of the method, the consistency ratio for each of the matrices and the overall inconsistency for the hierarchy are calculated as follows:

$$\begin{aligned}&CR=CI/RI,\\&\text{where }CI=\frac{i_{\max}-n}{n-1}\end{aligned}$$

\(i_{\max}\) is the Perron root or principal eigenvalue of matrix \(\tilde{A}\) [16]. \(\textit{RI}\) is the random index for matrices of various sizes [39]; for n = 2, …, 8, \(\textit{RI}\) is 0.00, 0.58, 0.90, 1.12, 1.24, 1.32, and 1.41, respectively. The consistency ratio (CR) is used to directly estimate the consistency of the pairwise comparisons and should be less than 0.10 for the comparisons to be accepted; otherwise, they are rejected. In this study, the inconsistency ratios for all the comparison matrices were calculated for the mean values of the fuzzy numbers. Because the lower and upper values provide flexibility for human judgments, they are not expected to have rigid consistency.

2.3.4 Step 4: obtain the weights and priorities of criteria from the limit supermatrix

By entering the priorities found by fuzzy DEMATEL and fuzzy ANP into the appropriate columns, an initial supermatrix can be constructed. Each of the columns may be normalized by dividing each weight in the column by the sum of that column. By multiplying the weight of the criteria to the initial supermatrix, the weighted supermatrix is acquired. The final step in the process is to obtain a priority ranking for each of the alternatives. To derive the overall priorities of elements, the normalized supermatrix is raised to limiting powers, and thus the cumulative influence of each element on every other element with which it interacts is obtained [35].
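Steps 1 to 4 of the fuzzy ANP above, as an added worked example in Python (not the paper's code). It builds a fuzzy comparison matrix from constructed reciprocal TFN judgements, computes the logarithmic least-squares weights of Eq. (8), checks the consistency ratio against the RI values quoted in Step 3, and raises a constructed column-stochastic supermatrix to its limit. The judgements and the supermatrix are hypothetical; the supermatrix is taken as already weighted and column-stochastic rather than assembled from the DEMATEL and ANP survey results, and the Perron root is computed from the middle values, as the paper states.

```python
"""Fuzzy ANP Steps 1-4: fuzzy comparison matrix, LLSM weights (Eq. 8), consistency ratio, limit supermatrix.

Added example, not code from the paper. Assumptions: judgements are reciprocal TFNs
((l, m, u) for i over j gives (1/u, 1/m, 1/l) for j over i); the Perron root is taken
from the crisp middle values, as the paper does; the supermatrix is a constructed,
already column-stochastic toy rather than one built from the survey.
"""
from math import prod
from typing import Dict, List, Tuple

TFN = Tuple[float, float, float]
Matrix = List[List[float]]

# Random index RI for n = 2..8, as quoted in the paper (Saaty).
RI = {2: 0.00, 3: 0.58, 4: 0.90, 5: 1.12, 6: 1.24, 7: 1.32, 8: 1.41}

# Constructed upper-triangle judgements "i over j" for three hypothetical criteria.
SAMPLE_JUDGEMENTS: Dict[Tuple[int, int], TFN] = {
    (0, 1): (1.0, 2.0, 3.0), (0, 2): (3.0, 4.0, 5.0), (1, 2): (1.0, 2.0, 3.0)}

# Constructed column-stochastic supermatrix: column j says how element j spreads its influence.
SAMPLE_SUPERMATRIX: Matrix = [[0.2, 0.5, 0.3], [0.5, 0.2, 0.4], [0.3, 0.3, 0.3]]


def reciprocal(t: TFN) -> TFN:
    l, m, u = t
    return (1.0 / u, 1.0 / m, 1.0 / l)


def build_fuzzy_comparison(upper: Dict[Tuple[int, int], TFN], n: int) -> List[List[TFN]]:
    """Step 1: fill the fuzzy comparison matrix A' from the i<j judgements and their reciprocals."""
    a = [[(1.0, 1.0, 1.0) for _ in range(n)] for _ in range(n)]
    for (i, j), t in upper.items():
        a[i][j], a[j][i] = t, reciprocal(t)
    return a


def llsm_weights(a: List[List[TFN]]) -> List[TFN]:
    """Step 2, Eq. (8): row geometric means of the l, m, u components, each divided by the sum of the
    middle-value means, so the middle weights sum to 1 and every weight satisfies w^l <= w^m <= w^u."""
    n = len(a)

    def gm(c: int) -> List[float]:
        return [prod(a[k][j][c] for j in range(n)) ** (1.0 / n) for k in range(n)]
    g_l, g_m, g_u = gm(0), gm(1), gm(2)
    denom = sum(g_m)
    return [(g_l[k] / denom, g_m[k] / denom, g_u[k] / denom) for k in range(n)]


def perron_root(a: Matrix, iters: int = 500) -> float:
    """Principal eigenvalue of a positive matrix by power iteration."""
    n = len(a)
    v = [1.0 / n] * n
    lam = 0.0
    for _ in range(iters):
        av = [sum(a[i][j] * v[j] for j in range(n)) for i in range(n)]
        s = sum(av)
        lam = s / sum(v)          # tends to lambda_max as v tends to the Perron vector
        v = [x / s for x in av]
    return lam


def consistency_ratio(a: List[List[TFN]]) -> float:
    """Step 3: CR = CI / RI with CI = (lambda_max - n) / (n - 1), computed on the middle values."""
    n = len(a)
    lam = perron_root([[t[1] for t in row] for row in a])
    ci = (lam - n) / (n - 1)
    return ci / RI[n] if RI[n] > 0 else 0.0   # a 2x2 reciprocal matrix is always consistent


def mat_mul(a: Matrix, b: Matrix) -> Matrix:
    return [[sum(a[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))] for i in range(len(a))]


def column_normalize(w: Matrix) -> Matrix:
    n = len(w)
    col = [sum(w[i][j] for i in range(n)) for j in range(n)]
    return [[w[i][j] / col[j] if col[j] else 0.0 for j in range(n)] for i in range(n)]


def limit_supermatrix(w: Matrix, tol: float = 1e-12, max_squarings: int = 200) -> Matrix:
    """Step 4: raise the column-stochastic supermatrix to increasing powers until it stops changing.
    Repeated squaring converges for a primitive matrix; a cyclic supermatrix would oscillate and
    needs Saaty's cycle averaging, which this toy does not implement."""
    cur = column_normalize(w)
    n = len(w)
    for _ in range(max_squarings):
        nxt = mat_mul(cur, cur)
        if max(abs(nxt[i][j] - cur[i][j]) for i in range(n) for j in range(n)) < tol:
            return nxt
        cur = nxt
    raise RuntimeError("limit supermatrix did not converge")


def limit_priorities(w: Matrix) -> List[float]:
    """Every column of the limit matrix equals the priority vector, so any column can be read off."""
    return [row[0] for row in limit_supermatrix(w)]


if __name__ == "__main__":
    a = build_fuzzy_comparison(SAMPLE_JUDGEMENTS, 3)
    for k, (wl, wm, wu) in enumerate(llsm_weights(a)):
        print(f"criterion {k}: w = ({wl:.3f}, {wm:.3f}, {wu:.3f})")
    print(f"CR = {consistency_ratio(a):.3f} (accept if < 0.10)")
    print("limit priorities:", [round(p, 4) for p in limit_priorities(SAMPLE_SUPERMATRIX)])
```

The consistency check is the gate between Steps 2 and 4: a cyclic set of judgements (A over B, B over C, C over A) gives a CR well above 0.10 and should go back to the expert rather than into the supermatrix, since the limiting powers would happily converge on weights derived from contradictory comparisons.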

3 Empirical analysis

A primary focus of this research is to derive a security assessment framework for the IoT environment. For this purpose, a hybrid MCDM model combining fuzzy DEMATEL and fuzzy ANP is proposed to investigate internal relations among various security criteria (or requirements) and to analyze overall weights and priorities for those criteria. To determine and evaluate the security assessment framework, we organized a committee of 38 expert members who each had over 8 years of experience in mobile security and IS architecture and are now working as IoT security experts in various fields.

Table 3 Initial fuzzy direct-relation matrix among criteria
Table 4 Initial fuzzy direct-relation matrix among sub-criteria of system dependability (C1)
Table 5 Initial fuzzy direct-relation matrix among sub-criteria of service layer (C2)

Most of the committee members (32) are taking part in the “Vitathon Project,” a national IoT project in Korea, working as project managers in the IoT security and architecture design section [30]. The overall aim of the project is to revitalize the national economy by implementing various types of ICT, especially IoT, in a myriad of traditional industries and services (e.g., agriculture, healthcare, SOC, and education). It is a 3-year project with revenues of 100 billion won (approximately US$100 million) per year, and is one of the biggest IoT projects in Korea. The other expert members are either professors (2) or senior researchers (2) who have participated in the working group for national IoT roadmap planning as advisory committee members, and the remaining members (2) are researchers from the Korea Internet Security Agency (KISA) who are managing and conducting an IoT security-related project. The background of the expert members attests to their profound knowledge and understanding of the IoT security field as well as their capability to make decisions and evaluate the security assessment framework for IoT service. Most of the expert evaluations were gathered in face-to-face meetings, and a few were collected by e-mail. The expert evaluations were conducted two times: the first evaluation was for internal relations among security criteria based on fuzzy DEMATEL, and the second involved pairwise comparisons based on fuzzy ANP.

The experts’ evaluation was conducted to collect pairwise comparison matrices for the four evaluation criteria and 19 sub-criteria in two phases of analysis. The first phase of the analysis investigates the interrelations of the security criteria from the architectural viewpoint. The experts were given a first set of questionnaires with a scale of 1, 3, 5, 7, and 9, representing the range from “has no influence” to “has extremely high influence,” on which respondents indicated the degree of direct influence that each criterion has on the other criteria. The data from the first questionnaires were then analyzed using the fuzzy DEMATEL method. The second phase of the analysis investigated the weights of importance/preference of the sub-criteria based on the above-mentioned experts’ judgements. Here, too, questionnaires with a five-point fuzzy scale of 1, 3, 5, 7, and 9, representing the range from “equally important/preferred” to “extremely important/preferred,” were given to the experts. The corresponding data were used to analyze the weights of each criterion and sub-criterion using the ANP method. After linguistic judgements on the relations and importance of each criterion/sub-criterion were obtained, they were converted into TFNs using Table 2. These linguistic judgements were aggregated into crisp values that represent the degree to which the evaluation criteria have direct impacts on each other (for DEMATEL) and the degree to which the evaluation criteria and sub-criteria have importance relative to each other (for ANP). The initial direct-relation matrices (Tables 3, 4, 5, 6, 7) are obtained, and the total-relation matrices (Tables 8, 9, 10, 11, 12, 13) are obtained by normalizing the initial direct-relation matrices. Finally, the overall weights of each criterion and sub-criterion were obtained from the limit supermatrix (Fig. 8). Each step of the analysis is explained in detail in the following sections.

Table 6 Initial fuzzy direct-relation matrix among sub-criteria of network layer (C3)

3.1 Internal relations among security criteria

As mentioned, the fuzzy DEMATEL method is applied to analyze internal relations among security requirements. The experts’ judgements were collected, and an initial fuzzy direct-relation matrix was obtained. The result of the initial fuzzy direct-relation matrix among criteria is provided in Table 3. Tables 4, 5, 6 and 7 present the result of the initial fuzzy direct-relation matrices among the sub-criteria of criteria C1–C4.

Next, the values in the fuzzy direct-relation matrix were transferred into the normalized direct-relation fuzzy matrix. After obtaining the normalized direct-relation fuzzy matrix, the fuzzy total-relation matrix is acquired. The final total-relation matrices among criteria and sub-criteria are produced through the defuzzification process.

The results of the total-relation matrix among criteria and among sub-criteria after defuzzification are shown in Tables 8, 9, 10, 11 and 12. A threshold value of 0.79 is applied to the result of the total-relation matrix among criteria, whereas a threshold value of 0.9 is applied to the result of the total-relation matrix among sub-criteria.

Fig. 6 The NRM of the main criteria

Fig. 7 The NRM for sub-criteria. (a) The NRM for Sub-criteria of System Dependability. (b) The NRM for Sub-criteria of Service Layer. (c) The NRM for Sub-criteria of Network Layer. (d) The NRM for Sub-criteria of Privacy

The NRMs were derived by mapping the dataset of (\(d + r, d - r\)), where the horizontal axis \(d + r\) represents the degree of the effect and the vertical axis \(d - r\) represents the direction of the effect. The higher the value of \(d + r\), the greater the effect. A positive value of \(d - r\) indicates that the criteria are the causes of other criteria, and a negative value indicates that the criteria are affected by other criteria. In the NRM, dotted lines denote that the threshold value was not reached, and double arrows designate mutual effects between two criteria.

As shown in Table 8 and Fig. 6, System Dependability (C1) and Network Layer (C3) have positive \(d - r\) values and are thus core areas of security that affect other security components. Service Layer (C2) and Privacy (C4) are both affected by all of the other dimensions. This result illustrates that security measures should be more focused at the Service Layer (C2), for it has the highest \(d + r\) value (with a positive \(d - r\) value). Moreover, security measures in the Network Layer (C3) play a key role, affecting other dimensions of security components (Fig. 6).

Table 7 Initial fuzzy direct-relation matrix among sub-criteria of privacy (C4)
Table 8 Total-relation matrix among criteria after defuzzification
Table 9 Total-relation matrix among sub-criteria of system dependability (C1) after defuzzification
Table 10 Total-relation matrix among sub-criteria of service layer (C2) after defuzzification
Table 11 Total-relation matrix among sub-criteria of network layer (C3) after defuzzification
Table 12 Total-relation matrix among sub-criteria of privacy (C4) after defuzzification

Figure 7 presents the NRMs for sub-criteria of System Dependability (a), Service Layer (b), Network Layer (c) and Privacy (d). Regarding System Dependability (C1), Availability (c11) has the highest \(d + r\) value and the greatest effect among the criteria, and Trust (c13) is the most affected by other security elements. This result is in line with the causal relations in Service Layer (C2): Service-Level Trust (c25) is alone at the bottom of the diagram with a negative \(d - r\) value. Thus, we can conclude that trust is largely affected by the design of other security mechanisms and elements. Moreover, Availability (c21) in Service Layer (C2) security has the highest \(d + r\) value, meaning it has the greatest importance in service-level security. However, in Network Layer (C3), Confidentiality (c33) has a higher \(d + r\) value than Availability (c34) does. From the network perspective, Integrity (c31) and Anonymization (c33) affect other security elements, whereas Confidentiality (c33) and Availability (c34) are affected by other security elements. In Privacy (C4), Privacy Protection toward Users (c43) has the highest \(d + r\) value, meaning it has a higher degree of effect than do Privacy Protection in Infrastructure (c41) and Privacy Protection in Service (c42).

Table 13 Unweighted supermatrix
Table 14 Limit supermatrix

3.2 Weights and priorities of security criteria

After the fuzzy DEMATEL calculations are finished, the fuzzy ANP approach is applied to analyze the weights of importance among security requirements. Using pairwise comparisons, relations between elements (sub-criteria) belonging to different criteria (i.e., the outer dependencies) are established. The consistency of judgements was checked, and the CR value of all experts’ judgements was less than 0.10, which demonstrates that all judgements are acceptable for making the final comparisons. The relative weights of the elements are obtained, and the initial supermatrix is formed by entering the priorities found in fuzzy DEMATEL (see Table 13). By raising the supermatrix to the power 2p + 1 (where p is a sufficiently large number), the matrix converges, forming the final limit supermatrix.
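The limit-supermatrix step, as an added example rather than the paper's own code: a constructed column-stochastic weighted supermatrix over four hypothetical sub-criteria is multiplied by itself until successive powers agree, and one column of the limit gives the global priorities. Successive powers are compared directly rather than only the odd powers 2p + 1, and a supermatrix that oscillates instead of converging is rejected rather than averaged.

```python
ELEMENTS = ["c11", "c21", "c25", "c34"]  # hypothetical sub-criteria labels

# Constructed weighted supermatrix W. W[i][j] is the priority of element i with respect to
# element j, so every column sums to 1 (column-stochastic). Values are made up for the example.
W = [
    [0.1, 0.3, 0.2, 0.4],
    [0.4, 0.2, 0.5, 0.3],
    [0.3, 0.4, 0.1, 0.2],
    [0.2, 0.1, 0.2, 0.1],
]

def matmul(X, Y):
    n = len(X)
    return [[sum(X[i][k] * Y[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def check_column_stochastic(W, tol=1e-9):
    """Each column must sum to 1; otherwise the powers do not converge to priorities."""
    for j in range(len(W)):
        col = sum(W[i][j] for i in range(len(W)))
        if abs(col - 1.0) > tol:
            raise ValueError(f"column {j} sums to {col:.4f}, not 1")

def limit_supermatrix(W, tol=1e-10, max_power=10_000):
    """Return W^k for the first k at which W^k and W^(k-1) agree to within tol.
    A primitive (irreducible, aperiodic) W converges to a matrix whose columns are all equal;
    a cyclic W oscillates and is rejected here (Saaty's cyclic averaging is not implemented)."""
    check_column_stochastic(W)
    prev = W
    for _ in range(max_power):
        nxt = matmul(prev, W)
        if max(abs(nxt[i][j] - prev[i][j]) for i in range(len(W)) for j in range(len(W))) < tol:
            return nxt
        prev = nxt
    raise ValueError("supermatrix did not converge; it may be cyclic")

def priorities(W, labels=ELEMENTS):
    """Global priorities = any column of the limit supermatrix, highest first."""
    L = limit_supermatrix(W)
    weights = {labels[i]: L[i][0] for i in range(len(L))}
    return sorted(weights.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for label, w in priorities(W):
        print(f"{label}: {w:.4f}")
```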

The result of the supermatrix is used to derive the overall weights and priorities among security requirements for the IoT environment. As shown in the limit supermatrix in Table 14 and Fig. 8, Availability (c21) in the Service Layer (C2) is the most important consideration in the IoT environment. After that, the priorities are Trust (c25) in the Service Layer (C2) and Availability (c11) in System Dependability (C1). Traditional security mechanisms have put much focus on infrastructure, including the system platform and network. However, much effort is needed in the service layer, which is closer to end users.

Fig. 8 Overall priorities of security requirements in IoT service

4 Conclusion

This study applied a hybrid MCDM approach in order to propose a security assessment framework for the IoT environment. We defined the security requirements to be considered in the IoT context and grouped them into four logical components based on previous literature. The combined fuzzy DEMATEL and fuzzy ANP approaches used in this study offered a more precise and accurate analysis by integrating interdependent relations among criteria. As the complexity of the fuzzy ANP grows exponentially with the number of security requirements in the framework, the problem is simplified by using the fuzzy DEMATEL method to determine the degree of the inner dependencies between the security requirements [46]. What makes this paper stand out from other research in the field, in addition to a newly proposed hybrid MCDM model, is that it provides an approach for strategic decisions regarding the security assessment problem. The huge number of heterogeneous things being connected in the IoT network raises serious challenges in terms of security for several reasons. The heterogeneous nature makes conventional security countermeasures inefficient, because it requires different functionalities depending on the context of applications. It also complicates update and patch procedures to the point of increasing the window of vulnerability to a specific attack [13]. Moreover, most of the things in IoT are characterized by limited capabilities in terms of both energy and computing resources, and thus they cannot implement complex schemes supporting security. Security measures should further take into account the limited capabilities of things and their heterogeneous nature. Security mechanisms which provide different measures and different security resources based on IoT context should be developed, with particular focus on possible spoofing and DoS/DDoS attacks. By providing practical guidance on how to allocate security resources within the security elements, the security assessment framework from this study would help decision makers in the IoT security field to better cope with diversified attacks in the IoT environment.

In order to facilitate widespread adoption of IoT applications, a technically sound solution that guarantees users’ security and privacy is needed. Public acceptance of the IoT will happen only when strong security and privacy solutions are in place. Therefore, security and privacy should be integrated into IoT system design from the beginning stages. There are countless security considerations that need to be taken into account. All common aspects of conventional IS security requirements must be considered from the initial stage of IoT system development.

We anticipate that security issues in the IoT environment will soon become a challenging task, as the IoT paradigm will bridge the physical world with the Internet at some point in the future. The increasing complexity of systems will multiply the number of security challenges. It may sound like a perfect solution to put all of these security mechanisms in the system and introduce devices armed with hundreds of security add-ons. Unfortunately, this is not the answer to the security alerts of the IoT environment, as most devices at the end-point are small sensors or mobile devices that have relatively little computing capacity. According to our analysis result, the most important security area is the service layer. In particular, ensuring service availability is a top priority in the IoT environment. However, much of the concentration is still on infrastructure security for networks and systems. Looking at security and privacy from an infrastructure perspective is not enough. Service availability and trust in the application itself are necessary conditions to ensure user confidence. Security is always one of the most concerning issues for the digitalized society [41].

We believe that our hybrid MCDM model would be very useful for security assessment of IoT service, especially for the design of architecture and service implementation, as it helps to make strategic decisions on how to allocate various security assets and resources to the service layer. However, further study is needed due to limitations of the study. There are two kinds of security capabilities: generic security capabilities and specific security capabilities. Generic security capabilities are independent of applications, and they include the conventional security requirements this study has investigated. On the other hand, specific security capabilities are closely coupled with application-specific requirements (e.g., mobile payment, education, and healthcare). Whereas our study focuses on generic security capabilities, deriving specific security capabilities is also an urgent issue in the field. Thus, future research should be conducted on context-specific security measures.