Cybersecurity risk assessment for identifying threats, vulnerabilities and countermeasures in the IoT

Main Article Content

Mohammed Amin Almaiah
Rami Shehab
Tayseer Alkhdour
Mansour Obeidat
Theyazn H.H. Aldhyani

Abstract

To increase the number of connected devices in IoT networks, several types of new cyber threats and attacks also arise in the IoT. Any cyber-attack can cause significant damage to IoT networks and loss of service. Therefore, identifying these threats is one of the main steps in risk assessment and should be considered to create a robust security strategy to avoid IoT network breaches. Cybersecurity assessment in IoT networks is a prime process due to the evolving nature of cyberattacks. Therefore, this research focuses on addressing the current gap by performing a comprehensive analysis to identify the critical threats, vulnerabilities and countermeasures on IoT layers, including physical, data link, network, and transport and application layers. The findings of this study indicated that DDoS attacks and fishing threats were the most common technical threats in the IoT application layer, with percentages of 72% and 66%, respectively. In addition, the results revealed that the SQL injection threat, cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks were also classified as second-level technical threats in the IoT, with percentages of 55%, 53% and 52%, respectively. The third level of technical threats in the IoT was password cracking attacks, with a percentage of 48%. The results revealed that TCP/UDP port scanning, TCP/UDP flooding attack and MQTT attack were the most common technical threats in the IoT transport layer, with percentages of 34%, 33% and 31%, respectively. In addition, DNS poisoning, SYN flooding and desynchronization attacks were also classified as second-level technical threats in the IoT, with percentages of 27%, 26% and 24%, respectively. The third level of technical threats in the IoT included lateral movement attacks and DoS attacks, with percentages of 18% and 15%, respectively. The framework in this study is considered a vital tool for practitioners, policymakers, and researchers to identify, classify, and mitigate cyber threats within IoT systems. The findings from this work can help organizations understand the types of cyber threats and develop robust strategies against cyberattacks.





 


 


 


 

Article Details

Section

Articles

How to Cite

Cybersecurity risk assessment for identifying threats, vulnerabilities and countermeasures in the IoT (M. A. . Almaiah, R. . Shehab, T. . Alkhdour, M. . Obeidat, & T. H. . Aldhyani , Trans.). (2025). Mesopotamian Journal of CyberSecurity, 5(2), 514-537. https://doi.org/10.58496/MJCS/2025/032

References

[1] K. Ntafloukas, D. P. McCrum, and L. Pasquale, "A cyber-physical risk assessment approach for Internet of Things enabled transportation infrastructure," Applied Sciences , vol. 12, no. 18, p. 9241, Sep. 2022.

[2] C. Sánchez-Zas, X. Larriva-Novo, V. A. Villagrá, D. Rivera, and A. Marín-Lopez, "A methodology for ontology-based interoperability of dynamic risk assessment frameworks in IoT environments," Internet of Things , vol. 27, p. 101267, Oct. 2024.

[3] I. Hussain, "Secure, sustainable smart cities and the Internet of Things: Perspectives, challenges, and future directions," Sustainability , vol. 16, no. 4, p. 1390, Feb. 2024.

[4] A. Abdulhamid, M. M. Rahman, S. Kabir, and I. Ghafir, "Enhancing safety in IoT systems: A model-based assessment of a smart irrigation system using fault tree analysis," Electronics , vol. 13, no. 6, p. 1156, Mar. 2024.

[5] T. S. AlSalem, M. A. Almaiah, and A. Lutfi, "Cybersecurity risk analysis in the IoT: A systematic review," Electronics , vol. 12, no. 18, p. 3958, Sep. 2023.

[6] S. Kerimkhulle et al., "Fuzzy logic and its application in the assessment of information security risk of industrial Internet of Things," Symmetry , vol. 15, no. 10, p. 1958, Oct. 2023.

[7] J. Lemos et al., "A system for individual environmental risk assessment and management with IoT based on the worker’s health history," Applied Sciences , vol. 14, no. 3, p. 1021, Jan. 2024.

[8] R. M. Czekster, P. Grace, C. Marcon, F. Hessel, and S. C. Cazella, "Challenges and opportunities for conducting dynamic risk assessments in medical IoT," Applied Sciences , vol. 13, no. 13, p. 7406, Jun. 2023.

[9] A. Alzahrani and M. Z. Asghar, "Intelligent risk prediction system in IoT-based supply chain management in logistics sector," Electronics , vol. 12, no. 13, p. 2760, Jun. 2023.

[10] E. K. Parsons, E. Panaousis, G. Loukas, and G. Sakellari, "A survey on cyber risk management for the Internet of Things," Applied Sciences , vol. 13, no. 15, p. 9032, Aug. 2023.

[11] J. Yi and L. Guo, "AHP-Based network security situation assessment for industrial internet of things," Electronics , vol. 12, no. 16, p. 3458, Aug. 2023.

[12] M. Shokry, A. I. Awad, M. K. Abd-Ellah, and A. A. Khalaf, "When security risk assessment meets advanced metering infrastructure: Identifying the appropriate method," Sustainability , vol. 15, no. 12, p. 9812, Jun. 2023.

[13] P. Cheimonidis and K. Rantos, "Dynamic risk assessment in cybersecurity: A systematic literature review," Future Internet , vol. 15, no. 10, p. 324, Sep. 2023.

[14] S. A. Baho and J. Abawajy, "Analysis of consumer IoT device vulnerability quantification frameworks," Electronics , vol. 12, no. 5, p. 1176, Feb. 2023.

[15] J. S. Park, H. M. Ham, and Y. H. Ahn, "Expansion joints risk prediction system based on IoT displacement device," Electronics , vol. 12, no. 12, p. 2713, Jun. 2023.

[16] A. T. Sheik, C. Maple, G. Epiphaniou, and M. Dianati, "Securing cloud-assisted connected and autonomous vehicles: An in-depth threat analysis and risk assessment," Sensors , vol. 24, no. 1, p. 241, Dec. 2023.

[17] Pritika, B. Shanmugam, and S. Azam, "Risk evaluation and attack detection in heterogeneous IoMT devices using hybrid fuzzy logic analytical approach," Sensors , vol. 24, no. 10, p. 3223, May 2024.

[18] A. Waqar, M. B. Khan, N. Shafiq, K. Skrzypkowski, K. Zagórski, and A. Zagórska, "Assessment of challenges to the adoption of IoT for the safety management of small construction projects in Malaysia: Structural equation modelling approach," Applied Sciences , vol. 13, no. 5, p. 3340, Mar. 2023.

[19] U. Tariq, I. Ahmed, A. K. Bashir, and K. Shaukat, "A critical cybersecurity analysis and future research directions for the Internet of Things: A comprehensive review," Sensors , vol. 23, no. 8, p. 4117, Apr. 2023.

[20] A. Amro and V. Gkioulos, "Evaluation of a cyber risk assessment approach for cyber–physical systems: Maritime- and energy-use cases," Journal of Marine Science and Engineering , vol. 11, no. 4, p. 744, Mar. 2023.

[21] E. Altulaihan, M. A. Almaiah, and A. Aljughaiman, "Anomaly detection IDS for detecting DoS attacks in IoT networks based on machine learning algorithms," Sensors , vol. 24, no. 2, p. 713, Jan. 2024.

[22] M. R. Islam and K. M. Aktheruzzaman, "An analysis of cybersecurity attacks against Internet of Things and security solutions," Journal of Computer and Communications , vol. 8, no. 4, pp. 1–11, Apr. 2020.

[23] U. Tariq, I. Ahmed, A. K. Bashir, and K. Shaukat, "A critical cybersecurity analysis and future research directions for the Internet of Things: A comprehensive review," Sensors , vol. 23, no. 8, p. 4117, Apr. 2023.

[24] H. Pourrahmani, A. Yavarinasab, and A. M. Monazzah, "A review of the security vulnerabilities and countermeasures in the Internet of Things solutions: A bright future for the blockchain," Internet of Things , vol. 23, p. 100888, Oct. 2023.

[25] A. A. Almuqren, "Cybersecurity threats, countermeasures and mitigation techniques on the IoT: Future research directions," Journal of Cyber Security and Risk Auditing , vol. 1, no. 1, pp. 1–11, Jan. 2025, doi: 10.63180/jcsra.thestap.2025.1.1.

[26] S. Otoom, "Risk auditing for digital twins in cyber physical systems: A systematic review," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 1, pp. 22–35, Jan. 2025, doi: 10.63180/jcsra.thestap.2025.1.3.

[27] A. Alshuaibi, M. Almaayah, and A. Ali, "Machine learning for cybersecurity issues: A systematic review," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 1, pp. 36–46, Feb. 2025, doi: 10.63180/jcsra.thestap.2025.1.4.

[28] R. S. Mousa and R. Shehab, "Applying risk analysis for determining threats and countermeasures in workstation domain," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 1, pp. 12–21, Jan. 2025, doi: 10.63180/jcsra.thestap.2025.1.2.

[29] E. Alotaibi, R. Bin Sulaiman, and M. Almaiah, "Assessment of cybersecurity threats and defense mechanisms in wireless sensor networks," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 1, pp. 47–59, Feb. 2025, doi: 10.63180/jcsra.thestap.2025.1.5.

[30] "Improvement of Internet of Things (IoT) interference based on pre-coding techniques over 5G networks," Mesopotamian Journal of CyberSecurity , vol. 5, no. 1, pp. 11–22, 2025, doi: 10.58496/MJCS/2025/002.

[31] "Internet of Things for smart building security: Leveraging a blockchain for enhanced IoT security," Mesopotamian Journal of CyberSecurity , vol. 5, no. 1, pp. 187–201, 2025, doi: 10.58496/MJCS/2025/013.

[32] "An innovative method of malicious code injection attacks on websites," Applied Data Science and Analysis , vol. 2024, pp. 39–51, 2024, doi: 10.58496/ADSA/2024/005.

[33] S. Y. Mohammed and M. Aljanabi, "From text to threat detection: The power of NLP in cybersecurity," SHIFRA , vol. 2024, pp. 1–7, 2024, doi: 10.70470/SHIFRA/2024/001.

[34] M. M. Abdulrahman, A. D. Abbood, and B. A. Attea, "Exploring signed social networks: Algorithms for community detection and structure analysis," KHWARIZMIA , vol. 2023, pp. 37–45, 2023, doi: 10.70470/KHWARIZMIA/2023/004.

[35] "A real-time intrusion detection system for DoS/DDoS attack classification in IoT networks using KNN-neural network hybrid technique," Babylonian Journal of Internet of Things , vol. 2024, pp. 60–69, 2024, doi: 10.58496/BJIoT/2024/008.

[36] "Smart wearables powered by AI transforming human activity recognition," Babylonian Journal of Artificial Intelligence , vol. 2024, pp. 128–133, 2024, doi: 10.58496/BJAI/2024/014.

[37] I. I. Al Barazanchi and W. Hashim, "Enhancing IoT device security through blockchain technology: A decentralized approach," SHIFRA , vol. 2023, pp. 10–16, 2023, doi: 10.70470/SHIFRA/2023/002.

[38] A. K. Bhardwaj, P. Dutta, and P. Chintale, "Securing container images through automated vulnerability detection in shift-left CI/CD pipelines," Babylonian Journal of Networking , vol. 2024, pp. 162–170, 2024, doi: 10.58496/BJN/2024/016.

[39] Y. Yang, H. Wang, C. Ji, and Y. Niu, "Artificial intelligence-driven diagnostic systems for early detection of diabetic retinopathy: Integrating retinal imaging and clinical data," SHIFAA , vol. 2023, pp. 83–90, 2023, doi: 10.70470/SHIFAA/2023/010.

[40] O. Aljumaiah, W. Jiang, S. R. Addula, and M. A. Almaiah, "Analyzing cybersecurity risks and threats in IT infrastructure based on NIST framework," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 2, pp. 12–26, 2025.

[41] M. Riyadh Alboalebrah and S. Al-augby, "Unveiling the causes of fatal road accidents in Iraq: An association rule mining approach using the Apriori algorithm," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 2, pp. 1–11, 2025, doi: 10.63180/jcsra.thestap.2025.2.1.

[42] R. Almanasir, D. Al-solomon, S. Indrawes, M. A. Amin Almaiah, U. Islam, and M. Alshar’e, "Classification of threats and countermeasures of cloud computing," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 2, pp. 27–42, 2025, doi: 10.63180/jcsra.thestap.2025.2.3.

[43] A. AlShuaibi, M. W. Arshad, and M. Maayah, "A hybrid genetic algorithm and hidden Markov model-based hashing technique for robust data security," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 3, pp. 42–56, May 2025.

[44] B. Almelehy, M. Ahmad, G. Nassreddine, M. Maayah, and A. Achanta, "Analytical analysis of cyber threats and defense mechanisms for web application security," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 3, pp. 57–76, 2025.

[45] G. Lippi, M. Aljawarneh, Q. Al-Na’amneh, R. Hazaymih, and L. D. Dhomeja, "Security and privacy challenges and solutions in autonomous driving systems: A comprehensive review," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 3, pp. 23–41, 2025.

[46] M. A. Almedires, A. Elkhalil, and M. Amin, "Adversarial attack detection in industrial control systems using LSTM-based intrusion detection and black-box defense strategies," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 3, pp. 4–22, 2025.

[47] S. Ang, M. Ho, S. Huy, and M. Janarthanan, "Utilizing IDS and IPS to improve cybersecurity monitoring process," Journal of Cyber Security and Risk Auditing , vol. 2025, no. 3, pp. 77–88, Jul. 2025.

Similar Articles

You may also start an advanced similarity search for this article.