CRASHED: Cyber risk assessment for smart home electronic devices

Author: Paparis, Georgios; Zarras, Apostolis; Farao, Aristeidis; Xenakis, Christos
Publisher: Zenodo
DOI: 10.1016/j.jisa.2025.104054
Source: https://zenodo.org/records/17120337/files/CRASHED-2025.pdf
Contents lists available at ScienceDirect
Journal of Information Security and Applications
journal homepage: www.elsevier.com/locate/jisa
CRASHED: Cyber risk assessment for smart home electronic devices
Georgios Paparis a,∗, Apostolis Zarras a,b, Aristeidis Farao a,c, Christos Xenakis a,c
a Department of Digital Systems, University of Piraeus, Piraeus, Greece
b Foundation for Research and Technology – Hellas, Heraklion, Greece
c InQbit Innovations SRL, Bucharest, Romania
ARTICLE INFO
Keywords: Cyber risk assessment; Risk calculation; Smart home; MITRE ATT&CK; CAPEC
ABSTRACT
The rapid proliferation of Internet of Things (IoT) technology has enriched modern households with smart home devices, enhancing convenience, but simultaneously increasing vulnerability to cyber threats. This paper introduces CRASHED, an innovative cyber risk assessment methodology specifically designed for smart home ecosystems. Compared to existing approaches, CRASHED integrates the MITRE ATT&CK and CAPEC frameworks to systematically identify and analyze threats, vulnerabilities, and potential impacts. By employing device-specific profiling, quantitative metrics, and sophisticated weighting mechanisms, it delivers a multilayered assessment of cyber risks that accounts for asset criticality and threat severity, distinguishing it from conventional methods lacking such granularity. The novelty of CRASHED lies in its comprehensive evaluation of systemic vulnerabilities and domestic repercussions. Case studies on various smart home configurations demonstrate its effectiveness in modeling, analyzing, and mitigating risks compared to existing frameworks. This work represents a significant advancement in safeguarding smart home environments, underscoring the urgent need for specialized cyber risk assessment models in our interconnected era. The proposed methodology not only enhances threat detection and response, but also addresses critical gaps in vulnerability databases and risk calculation processes, offering a transformative solution to the evolving challenges of smart home cybersecurity.
1. Introduction
The rapid advancement of smart home technologies has fundamentally transformed the way individuals interact with their living spaces, ushering in a new era of convenience, efficiency, and seamless connectivity. These innovations, driven by the Internet of Things (IoT), encompass many devices: smart thermostats that optimize energy consumption, security cameras that provide real-time monitoring, smart locks that enhance home security, and voice-activated assistants that streamline daily tasks. The global smart home market is projected to reach $537.01 billion by 2030, underscoring the growing adoption of these devices [1]. What were once optional upgrades have become indispensable components of modern homes, revolutionizing daily living [2,3]. However, the widespread integration of smart devices also introduces an expanding range of cyber risks. These devices become increasingly interconnected and deeply embedded in critical household functions, creating potential entry points for cybercriminals. The vulnerabilities within these systems can be exploited, leading to severe consequences such as breaches of privacy, compromised safety, and financial losses [4].
∗ Corresponding author.
E-mail address: [email protected] (G. Paparis).
However, integrating digital technology into households has faced numerous challenges. The likelihood of cyberattacks targeting residential properties has increased with the growing prevalence of electronic gadgets in homes [5]. These attacks range from unauthorized access to personal and financial information to manipulating electronic devices in residential settings. Such activities pose significant threats to individuals' privacy and safety; these are realistic, not hypothetical, scenarios. For instance, hackers have exploited smart home networks, enabling them to control lighting systems, locks, and security cameras [6]. Another notable instance involved cyberattacks on smart homes that allowed hackers to take control of a baby monitor, using it to spy on the family and even communicate with the child through the device [7,8]. Additionally, a DDoS attack disabled the smart heating system of two housing apartments in Finland, leaving residents in the cold [9]. Furthermore, cybersecurity experts have discovered methods to gain root access to Xiaomi vacuum robots by exploiting their lidar sensors [10,11]—and so on.
https://doi.org/10.1016/j.jisa.2025.104054
Journal of Information Security and Applications 91 (2025) 104054
Available online 18 April 2025
2214-2126/© 2025 The Authors. Published by Elsevier Ltd. This is an open access article under the CC BY license (http://creativecommons.org/licenses/by/4.0/).
G. Paparis et al.
Several factors significantly contribute to the vulnerabilities of smart homes to cyberattacks, creating a complex landscape of potential risks. One primary issue is that many IoT devices lack robust security measures. It is worth mentioning here that in this work, we use the terms IoT devices and smart home devices interchangeably, as both refer to the same concept for this paper. Previous research [12] has shown that cybercriminals can easily target many of these devices due to their marginal security features. Manufacturers often prioritize cost and convenience over robust security protocols, resulting in devices that hackers can easily compromise. Common flaws, such as weak encryption standards, hardcoded passwords, and a lack of regular security updates, expose smart home devices to unauthorized access and manipulation. Beyond these technical shortcomings, user behavior plays a crucial role in smart home security [13,14]. Many users lack sufficient knowledge about the potential dangers associated with smart home technology and often underestimate the importance of cybersecurity. This lack of awareness leads to poor security practices, such as using weak or default passwords, failing to update device firmware regularly, and neglecting to configure security settings appropriately. These oversights make it easier for attackers to breach smart home networks and gain control over connected devices.
Given the increasing frequency of cyberattacks targeting smart homes [15] and the potentially severe consequences of these attacks, there is an urgent need for thorough evaluations of the threats posed by cyber vulnerabilities. As smart home adoption continues to grow, the complexity and interconnectivity of devices within these environments present entry points for hackers. Thus, identifying vulnerabilities within smart home networks is a critical first step in fortifying them against potential threats. A comprehensive analysis of the devices, communication protocols, and overall design of the smart home ecosystem is required to identify any security vulnerabilities that could be exploited by malicious actors [16]. Evaluating the potential repercussions of cyber risks is also crucial. A successful cyberattack on a smart home could result in a wide range of adverse outcomes, including unauthorized access to personal data, financial loss, and concerns about physical safety, such as tampering with security systems or remotely manipulating household appliances [17].
Safeguarding smart homes from cyber intrusions is essential due to their growing integration into contemporary life. Cyber risk assessments provide a comprehensive approach to protecting digital homes and their occupants from the potentially catastrophic consequences of cybercrime. Consequently, conducting thorough evaluations of cyber threats is imperative, emphasizing the need for ongoing research and advancement in smart home cybersecurity. Although traditional cyber risk assessment methodologies are effective for conventional IT infrastructure, they often fall short when applied to smart homes. The complexity of IoT devices, their decentralized nature, and the diverse range of protocols and standards they employ present unique challenges that require innovative risk assessment approaches [18]. Furthermore, the security risks associated with smart homes are significant; cyberattacks can lead to privacy breaches, financial losses, and even physical harm. Finally, existing methodologies lack the integration of vulnerability databases in the risk calculation process. Moreover, they fail to incorporate mechanisms for applying weighted adjustments to assess the impact of threats on assets. These significant gaps highlight the urgent need for innovative solutions that specifically address security and privacy concerns in smart homes by leveraging vulnerability databases and incorporating adjustment mechanisms to measure the impact of cyber threats precisely.
This article addresses the aforementioned gaps by presenting CRASHED, an innovative cyber risk assessment methodology that transcends traditional approaches, aiming to model and analyze cyber risks in smart homes.¹ CRASHED is designed for researchers and analysts interested in smart home systems, aiming to enhance their understanding and reasoning about the cyber threats impacting these systems.
¹ The source code of CRASHED can be found at https://github.com/UniPiSSL/CRASHED.
Our methodology employs the MITRE ATT&CK [19] and CAPEC [20] frameworks to effectively identify threats and vulnerabilities in smart devices within a smart home. By leveraging device profiling, CRASHED rigorously assesses the collective impact of identified threats from both a systemic and domestic perspective, adopting a holistic approach to the smart home environment. The calculation of threat impact is based on multiple factors and the use of quantitative metrics. The novelty of the proposed methodology lies in its ability to calculate the impact of a threat on an asset, factoring in the asset's criticality and the threat's weight. These two definitions provide both flexibility and precision in risk calculation, aligning with the unique characteristics of smart homes. To the best of our knowledge, CRASHED is the only methodology that integrates both MITRE ATT&CK and CAPEC.
In summary, we make the following main contributions:
• We introduce a novel cyber risk assessment methodology, CRASHED, which leverages the MITRE ATT&CK and CAPEC frameworks to address security and privacy issues simultaneously. The methodology grounds risk calculations in vulnerability databases and employs a weighting formula.
• We assess the efficacy of our proposed methodology in a smart home environment equipped with twelve smart devices. Additionally, we evaluate two distinct smart home scenarios, each comprising a unique subset of six devices.
• We compare CRASHED with existing approaches and frameworks for assessing cybersecurity risks in smart homes.
The remainder of the article is structured as follows: Section 2 provides an overview of the background, focusing on embedded devices for smart homes and the associated cybersecurity challenges. In Section 3, we present the stakeholder roles in smart home cybersecurity. Section 4 introduces CRASHED, our proposed cyber risk assessment methodology for smart homes. Section 5 is dedicated to the evaluation of CRASHED, while Section 6 addresses its limitations and suggests directions for future research. In Section 7, we compare CRASHED with related approaches. Finally, Section 8 concludes this article.
2. Background
This section provides an analytical overview of the MITRE ATT&CK and CAPEC frameworks, foundational elements of our proposed cyber risk methodology. We then present a catalog of commonly used smart home devices, followed by an examination of the cybersecurity challenges associated with smart home environments.
2.1. MITRE ATT&CK
The MITRE ATT&CK framework is a publicly accessible repository of information that outlines the tactics and strategies employed by cyber adversaries. Its purpose is to provide a shared vocabulary among defenders, enabling them to understand and effectively counter evolving threats. The framework details common tactics, techniques, and procedures used by attackers, facilitating the formulation of effective defensive strategies and threat models. This resource is readily accessible to various stakeholders, including the corporate sector, government entities, and the cybersecurity community, thus promoting distinct threat models and approaches. The structured format of MITRE ATT&CK enhances the significance of threat reporting by organizing behaviors beyond conventional indicators. This framework is foundational to creating targeted threat models and methodologies in various sectors, which include industry, government, and the cybersecurity product and service community.
As an extensive repository, the MITRE ATT&CK framework represents the tactics and procedures employed by cyber attackers and serves as a unifying framework for defenders to comprehend and address evolving threats, establishing a shared vocabulary. In contrast to other analogous frameworks, such as the Tactics, Techniques, and Procedures (TTPs) [21], MITRE ATT&CK delineates prevalent tactics, techniques, and procedures employed by cyber attackers, enabling the formulation of effective defensive strategies and threat models. Furthermore, the MITRE ATT&CK is accessible without charge to various entities, including the business sector, government, and the cybersecurity community. This accessibility aids in the advancement of targeted threat models and methods. Unlike other frameworks, such as the Cyber Kill Chain [22], which emphasize overarching tactics and stages of an attack, MITRE ATT&CK offers a comprehensive compilation of techniques categorized by tactics without prescribing a predetermined sequence of actions. This characteristic renders MITRE ATT&CK a more adaptable and extensively employed resource within the cybersecurity domain.
In this article, we leverage MITRE ATT&CK by utilizing various procedures to detect and analyze potential threats targeting every smart home component. Specifically, we examine each asset's classification and use it to identify threats by referencing the techniques and sub-techniques in the associated MITRE ATT&CK matrix (Section 4.2).
2.2. CAPEC
The Common Attack Pattern Enumeration and Classification (CAPEC) framework [20] is a fundamental taxonomy in cybersecurity, offering a well-organized and comprehensive collection of common attack patterns adversaries use. Each entry provides a detailed description of specific methodologies, clearly explaining threat actors' actions, tactics, and strategies. The primary objective of CAPEC is to facilitate a comprehensive understanding of cyber risks by systematically classifying attack patterns. This organized system enables identifying, classifying, and analyzing attack scenarios, significantly contributing to decision-making processes to address evolving cyber threats.
The CAPEC framework provides a structured taxonomy of known attack patterns. Each attack pattern is uniquely identified by a CAPEC ID and is accompanied by a detailed name and description. The attributes of a CAPEC attack pattern include:
(i) Attack Prerequisites: Specifies the necessary conditions for the attack's success;
(ii) Typical Severity: Indicates the potential impact if the attack is executed;
(iii) Likelihood of Attack: Estimates the frequency of potential attacks;
(iv) Execution Flow: Outlines the sequence of actions involved in the attack;
(v) Related Weaknesses: References specific software weaknesses through Common Weakness Enumeration (CWE);
(vi) Resources: Enumerates the tools, knowledge, and physical resources required for the attack;
(vii) Mitigations: Suggests strategies and tools for preventing, detecting, and mitigating the attack;
(viii) Example Instances: Provides real-world occurrences of the attack;
(ix) Related Attack Patterns: Demonstrates connections to other similar patterns;
(x) Taxonomy Mappings: References to other relevant frameworks, such as the MITRE ATT&CK framework.
In this article, we utilize the taxonomy mappings attribute to establish a correlation between the identified threat on an asset and the related attack pattern of CAPEC. This mapping allows us to determine the likelihood and associated vulnerabilities of the threat, providing valuable insights into calculating the cyber risk of the asset (Section 4.5).
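As an added illustration of the taxonomy-mapping step just described (this is not code from the paper or from the CRASHED repository), the Python below parses a constructed CAPEC-style catalog, inverts its ATT&CK taxonomy mappings, and resolves a technique identified for an asset to the CAPEC likelihood and related CWEs; the XML element names follow the layout of CAPEC's XML export as assumed here, and every ID, name and value in the sample is invented.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Assumed namespace and element names, modeled on CAPEC's XML export; they
# are not taken from the paper and may differ from a given CAPEC release.
NS = {"c": "http://capec.mitre.org/capec-3"}
LIKELIHOOD_RANK = {"Low": 1, "Medium": 2, "High": 3}

# Constructed sample catalog: every ID, name and value here is invented.
SAMPLE_CAPEC_XML = """
<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3">
 <Attack_Patterns>
  <Attack_Pattern ID="9001" Name="Default Credential Login (constructed)">
   <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
   <Typical_Severity>High</Typical_Severity>
   <Related_Weaknesses>
    <Related_Weakness CWE_ID="9101"/>
    <Related_Weakness CWE_ID="9102"/>
   </Related_Weaknesses>
   <Taxonomy_Mappings>
    <Taxonomy_Mapping Taxonomy_Name="ATTACK">
     <Entry_ID>9001.001</Entry_ID>
    </Taxonomy_Mapping>
   </Taxonomy_Mappings>
  </Attack_Pattern>
  <Attack_Pattern ID="9002" Name="Firmware Downgrade (constructed)">
   <Likelihood_Of_Attack>Medium</Likelihood_Of_Attack>
   <Typical_Severity>Very High</Typical_Severity>
   <Related_Weaknesses>
    <Related_Weakness CWE_ID="9102"/>
   </Related_Weaknesses>
   <Taxonomy_Mappings>
    <Taxonomy_Mapping Taxonomy_Name="ATTACK">
     <Entry_ID>9001</Entry_ID>
    </Taxonomy_Mapping>
    <Taxonomy_Mapping Taxonomy_Name="WASC">
     <Entry_ID>99</Entry_ID>
    </Taxonomy_Mapping>
   </Taxonomy_Mappings>
  </Attack_Pattern>
 </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


@dataclass
class AttackPattern:
    capec_id: str
    name: str
    likelihood: str   # CAPEC "Likelihood of Attack" attribute
    severity: str     # CAPEC "Typical Severity" attribute
    cwes: list        # CAPEC "Related Weaknesses" attribute (CWE IDs)
    techniques: list  # ATT&CK IDs from the "Taxonomy Mappings" attribute


def load_patterns(xml_text):
    """Extract the CAPEC attributes CRASHED relies on from a catalog."""
    root = ET.fromstring(xml_text)
    patterns = []
    for ap in root.iterfind(".//c:Attack_Pattern", NS):
        cwes = ["CWE-" + rw.get("CWE_ID") for rw in
                ap.iterfind("c:Related_Weaknesses/c:Related_Weakness", NS)]
        techniques = []
        for tm in ap.iterfind("c:Taxonomy_Mappings/c:Taxonomy_Mapping", NS):
            if tm.get("Taxonomy_Name") != "ATTACK":
                continue  # this step only uses the ATT&CK mapping
            entry = tm.findtext("c:Entry_ID", default="", namespaces=NS).strip()
            if entry:
                techniques.append("T" + entry)
        patterns.append(AttackPattern(
            "CAPEC-" + ap.get("ID"), ap.get("Name", ""),
            ap.findtext("c:Likelihood_Of_Attack", "Unknown", NS),
            ap.findtext("c:Typical_Severity", "Unknown", NS),
            cwes, techniques))
    return patterns


def build_index(patterns):
    """Invert the taxonomy mappings: ATT&CK technique ID -> CAPEC patterns."""
    index = {}
    for p in patterns:
        for t in p.techniques:
            index.setdefault(t, []).append(p)
    return index


def correlate_threat(index, technique_id):
    """Resolve an ATT&CK technique found for an asset to CAPEC likelihood/CWEs.
    A sub-technique (Txxxx.yyy) falls back to its parent when CAPEC maps only
    the parent; None means the threat has no CAPEC correlation at all."""
    candidates = [technique_id]
    if "." in technique_id:
        candidates.append(technique_id.split(".")[0])
    for tid in candidates:
        hits = index.get(tid)
        if hits:
            best = max(hits, key=lambda p: LIKELIHOOD_RANK.get(p.likelihood, 0))
            return {"matched_on": tid,
                    "capec_ids": sorted(p.capec_id for p in hits),
                    "likelihood": best.likelihood,
                    "cwes": sorted({c for p in hits for c in p.cwes})}
    return None
```

A threat that resolves to no pattern (None) is the case an assessor must handle explicitly rather than silently assigning it zero likelihood.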
2.3. Embedded devices for smart homes
Smart home devices are modern advancements that boost comfort, security, and energy efficiency by using specialized hardware integrated into residential environments. These devices include embedded software designed for specific purposes. Although some categories of these devices may overlap, it is beyond the scope of this paper to classify them into rigid categories. Instead, we aim to assess their cyber risk based on their assigned category. Here is a non-exhaustive list of typical embedded devices someone may encounter in smart homes, illustrating our risk assessment approach.
Smart Lighting. These systems are advanced lighting solutions that can be controlled remotely and automatically to improve a home's ambiance, reduce energy consumption, and increase convenience. Examples include Smart Bulbs and Smart Light Switches.
Smart Thermostats. These Internet-connected devices allow remote temperature control through a web interface, voice commands, or a smartphone application. Notable examples include the Nest Thermostat and the Ecobee Smart Thermostat.
Smart Security. These systems consist of interconnected devices designed to enhance home protection. They may include Smart Cameras, Smart Doorbells, and Smart Alarms.
Smart Appliances. Equipped with advanced sensors, networking capabilities, and interactive control mechanisms, these appliances allow users to manage home environments and optimize energy consumption. Examples include Smart Refrigerators, Smart Ovens, and Smart Washing Machines.
Smart Entertainment. These devices offer high-quality media experiences through Internet connectivity and remote or voice control. Common devices in this category include Smart TVs, Smart Speakers, and Smart Projectors.
Smart Health. These Internet-connected tools are used to track health metrics, provide medical monitoring, and deliver tailored health insights. Examples include Smart Scales, Smart Blood Pressure Monitors, and Smart Air Purifiers.
Smart Pet Care. These devices assist pet owners in managing and monitoring their pets' health, activity, and safety. Examples include Smart Feeders and Smart Litter Boxes.
Smart Cleaning. These innovative gadgets automate and enhance the efficiency of cleaning processes. They can communicate with other smart home systems to provide sophisticated cleaning services, such as Robot Vacuums and Robot Mops.
Smart Water Leak and Smoke Detectors. Designed to detect and alert residents to water leaks and smoke, these devices help prevent damage and costly repairs. Examples include the LeakSmart Water Leak Detection Kit, SmartThings Water Leak Sensor, and Google Nest Protect.
Smart Gardening. These devices use sensors, automation, and connectivity to help homeowners maintain their gardens efficiently. They monitor soil conditions, control irrigation, and provide care recommendations, contributing to healthy plant growth. Examples include Smart Irrigation Controllers and Smart Moisture Sensors.
2.4. Cybersecurity challenges in smart homes
Despite the significant convenience offered by smart homes, characterized by their networked devices and systems, they present numerous cybersecurity challenges. These challenges stem from the complex and interconnected nature of smart home environments, where various devices and systems must work seamlessly together. As the adoption of smart home technology continues to grow, addressing these cybersecurity challenges becomes increasingly critical to ensure the safety and privacy of users. We categorize these challenges as follows.
CH1 – Device Proliferation and Interconnectivity. Smart homes, characterized by integrating numerous devices such as thermostats, cameras, door locks, lighting systems, and voice assistants, present substantial cybersecurity challenges. The interconnectivity of these devices increases the potential entry points for malicious attackers. Each device's unique security protocols and vulnerabilities further complicate the maintenance of a secure network, thereby elevating cyber risk [4,23].
CH2 – Inconsistent and Inaccessible Cybersecurity Standards. A major obstacle is the lack of standardized cybersecurity measures applicable across various device types and manufacturers [24]. Numerous companies produce smart home devices with varying levels of commitment to data protection, leading to weak links within the smart home ecosystem. Insufficient cybersecurity measures, such as default passwords or inadequate data encryption, can render devices vulnerable to cyberattacks, jeopardizing the entire network. Furthermore, a significant obstacle to enhancing smart home cybersecurity is the academic community's lack of free access to relevant cybersecurity standards documents [25]. Some of the most important standards are only accessible under certain restrictions, such as payment, making it challenging to access them for research projects.
CH3 – Data Privacy Concerns. Smart home devices collect substantial amounts of private and sensitive data, including daily routines, preferences, security codes, and camera footage [26]. Protecting this data from unauthorized access and maintaining its confidentiality is crucial, as data breaches or unauthorized data collection can lead to severe privacy violations [27–29]. The cybersecurity of smart homes largely depends on the users who maintain them. However, many users are unaware of best practices for securing their smart homes, often using weak passwords, failing to change default settings, and neglecting software updates.
CH4 – Integration with Legacy Systems. Smart homes frequently incorporate new devices into pre-existing network infrastructures not originally designed to meet contemporary cybersecurity standards. This integration process can inadvertently introduce security vulnerabilities. Developed before modern cybersecurity practices, legacy systems are particularly susceptible to cyberattacks when interfaced with new, potentially insecure devices. Consequently, the amalgamation of old and new technologies can create a heterogeneous network environment where outdated protocols and insufficient security measures open the system to various cyber threats, such as unauthorized access, data breaches, and malware infections [30,31]. This highlights the critical need for a comprehensive review and upgrade of cybersecurity measures to ensure smart home ecosystems' safe and secure operation.
CH5 – Physical Security Threats. Physical security, often overlooked, is equally essential in maintaining the integrity of smart home systems [32,33]. Severe cybersecurity breaches can occur if unauthorized individuals gain physical access to smart home technology. For instance, intruders can control various connected devices or disable critical security features if they access a smart home's router. This could lead to significant security risks, including unauthorized surveillance, data theft, and the disruption of essential services. Therefore, ensuring robust physical security measures, such as secure housing for network equipment and controlled access to key components, is crucial in safeguarding the overall cybersecurity of smart home environments.
CH6 – Network Security. The home network is a critical component of a smart home security system, interconnecting all smart devices within the household. Vulnerabilities within the home network, such as insecure Wi-Fi configurations or susceptible routers, can expose the entire smart home ecosystem to cyberattacks [28,34]. These vulnerabilities can be exploited to gain unauthorized access, potentially compromising the security and privacy of all connected devices. Consequently, ensuring a secure home network setup, including strong encryption, regular firmware updates, and robust passwords, is vital to protect the smart home ecosystem from potential cyber threats and attacks.
3. Different roles in smart home cybersecurity
The cyber risk assessment of a smart home involves two primary actors, each with a distinct role. The first is the cybersecurity professionals who utilize the CRASHED methodology to protect and fortify smart homes against cyber threats, ensuring privacy, safety, and functionality. The second is the cyber attackers who exploit vulnerabilities for malicious purposes, posing significant risks to homeowners. The following sections analyze the assumptions and constraints of these actors in the application of the CRASHED methodology.
3.1. Cybersecurity professionals
Cybersecurity professionals are assumed to have compiled a comprehensive and accurate inventory of all smart home devices. Precise threat identification and mitigation require access to up-to-date databases of known vulnerabilities and Common Vulnerabilities and Exposures (CVEs) specific to these devices. Standardized frameworks such as MITRE ATT&CK, CAPEC, and CWE are effective tools for identifying and analyzing threats and vulnerabilities, providing a structured approach to understanding the techniques and methods adversaries might employ against smart home devices. Furthermore, these devices are assumed to operate within typical smart home environments, adhering to common usage patterns, homeowner behaviors, and network configurations. This assumption facilitates the creation of realistic threat scenarios. The connectivity and interoperability of smart home devices, forming an integrated network that communicates through standard protocols, are also assumed, as this interconnectedness is vital to the effective management and security of the smart home ecosystem.
Within these assumptions, the scope of CRASHED is restricted to smart devices commonly found in residential settings, excluding specialized or commercial smart devices installed in industrial or enterprise environments. The proposed cyber risk assessment methodology also relies on publicly available data regarding vulnerabilities and attack patterns, excluding proprietary or undisclosed vulnerabilities from this evaluation. Homeowners are assumed to comply with recommended cybersecurity practices, such as regular updates and proper device configuration; however, the model accounts for non-compliance, which could introduce additional cyber risks. Finally, CRASHED primarily focuses on cyber threats, deliberately excluding physical security measures, as malicious actors' physical access to smart devices is considered an external factor beyond the scope of this assessment.
3.2. Adversary
It is assumed that adversaries have access to a wide range of resources and tools, including advanced hacking utilities, malware, and exploit kits, which are often obtainable via the dark web or through open-source penetration testing frameworks like Metasploit [35] and Nmap [36]. These resources enable attackers to conduct highly sophisticated and targeted cyber operations. Furthermore, these attackers possess high technical expertise, including a deep understanding of networking protocols, encryption techniques, and software vulnerabilities. Such expertise allows them to reverse-engineer firmware, bypass security mechanisms, and develop custom exploits.
Additionally, adversaries are presumed to be persistent and adaptable, capable of executing prolonged campaigns and employing advanced tactics such as spear phishing, social engineering, and leveraging zero-day vulnerabilities. They are also assumed to possess an in-depth knowledge of smart home architectures, including device interconnectivity, common communication protocols (e.g., Zigbee, Z-Wave, Wi-Fi), and typical user configurations. This knowledge assists them in identifying critical vulnerabilities and potential entry points within the smart home ecosystem.
Under these assumptions, adversaries have limited physical access to smart home devices and, therefore, rely primarily on remote exploitation techniques. They must also contend with advanced detection and response mechanisms, including intrusion detection systems (IDS), anomaly detection, and automated security updates, which can rapidly identify and neutralize malicious activities. The swift deployment of cybersecurity patches and updates by manufacturers further constrains the window of opportunity for exploiting known vulnerabilities. Finally, resource limitations, particularly regarding the time and computing power available to cyber attackers, impose constraints that render complex, resource-intensive attacks less feasible.
Fig. 1. CRASHED methodology.
3.3. A not so hypothetical scenario
Suppose an adversary gains unauthorized access to a smart home's integrated system by exploiting network vulnerabilities to orchestrate a coordinated attack. The adversary begins by disabling the smart smoke detectors, rendering them unable to detect smoke or fire. Concurrently, the adversary deactivates the smart alarm system, ensuring the homeowner remains unaware of any impending danger. With these critical safety systems compromised, the adversary remotely activates the smart oven, deliberately setting it to an extremely high temperature, potentially causing a fire. In this scenario, the smart home — once heralded as the epitome of modern convenience and security — becomes a serious safety risk under the control of a malicious entity.
While such a scenario might have seemed like science fiction just a few years ago, today it represents a genuine threat, underscoring the urgent need for a comprehensive cyber risk assessment methodology specifically tailored to smart homes [37–40]. Therefore, we propose CRASHED as a cyber risk assessment tool that adopts a holistic approach, considering the smart nature of devices and the potential impacts of a breach on the entire home environment.
4. Methodology
In this section, we present CRASHED, a cyber risk assessment methodology, which consists of five steps: (i) Asset Identification, (ii) Threat Identification and Analysis, (iii) Vulnerability Assessment, (iv) Impact Assessment, and (v) Risk Measurement and Analysis. Fig. 1 illustrates the steps of the proposed methodology, as well as the inputs and outputs associated with each step. CRASHED offers significant advantages over existing cyber risk assessment methodologies, such as OCTAVE [41].
Firstly, it provides a more granular and tailored approach to the unique environment of smart homes by categorizing assets into classes, each with distinct threat profiles and vulnerabilities. This classification facilitates a more precise threat identification and mapping process using the MITRE ATT&CK framework [19], which is more current and comprehensive compared to OCTAVE's broader, less specific threat modeling. Furthermore, the proposed methodology integrates the CAPEC [20] and CWE [42] frameworks for a detailed weakness analysis, enhancing the accuracy of vulnerability assessments.
The methodology also employs quantitative risk calculation measures, incorporating specific likelihood and impact metrics. This ensures a rigorous and systematic risk measurement process, significantly improving on OCTAVE's more qualitative, subjective risk assessment approach. By leveraging real-world data from top-selling smart home devices and their known vulnerabilities, the proposed methodology provides a realistic and practical assessment that aligns closely with the dynamic nature of smart home environments. This alignment results in a more effective and actionable risk mitigation strategy.
Lastly, the CRASHED methodology effectively addresses the multifaceted cybersecurity challenges in smart homes (as discussed in Section 2.4). The proliferation of devices and their interconnectivity (CH1) are managed by CRASHED's systematic threat assessment across a wide range of smart devices, leveraging the MITRE ATT&CK and CAPEC frameworks to ensure that vulnerabilities unique to highly interconnected environments are thoroughly identified. CRASHED also addresses inconsistent cybersecurity standards (CH2) by applying a unified approach to threat identification and vulnerability assessment, irrespective of the manufacturer or device-specific security protocols, thereby bridging security gaps across various products. Data privacy concerns (CH3) are mitigated by focusing on threats that could compromise sensitive personal information, ensuring secure data flow across smart devices.
Additionally, CRASHED accounts for the integration of legacy systems (CH4), which often lack modern cybersecurity features, by incorporating adaptive risk assessments that consider the vulnerabilities of older technologies. Physical security considerations (CH5) are also included, recognizing that cyber threats can emerge from physical access to smart devices. Moreover, CRASHED's comprehensive network security analysis ensures that weaknesses in device communications and network protocols (CH6) are promptly identified. This multi-layered approach enables CRASHED to provide a robust framework that addresses the complex and evolving cybersecurity challenges in smart home environments.
A cybersecurity risk assessment methodology for smart homes, such as CRASHED, that handles sensitive user data must adhere to the following key privacy requirements to safeguard the homeowner's identity:
S1. Data Minimization: The methodology should collect and utilize only the minimal amount of information necessary to compute the overall risk. This approach reduces the likelihood of privacy violations that could expose sensitive homeowner data (e.g., CVEs associated with specific smart-home devices), potentially enabling targeted cyberattacks. Minimizing data also limits the risk that the methodology's users (e.g., cyber-insurance underwriters) may themselves become targets of cyberattacks.
S2. Data Sharing: The data employed in the cybersecurity risk assessment should not be disseminated to third parties, even those within the cybersecurity risk ecosystem, thereby preserving confidentiality and preventing unauthorized use.
S3. User Anonymity in Device Usage: The device-level cybersecurity risk analysis should be performed under conditions that approximate pseudonymity. Such measures reduce the likelihood that the homeowner can be identified through the device's associated CVEs or usage patterns.
S4. Data Origin Verification: The methodology must verify that all data utilized in the cybersecurity risk assessment is sourced from a trusted and validated environment. This ensures the methodology's integrity and protects against malfunction or misbehavior arising from spoofed or malicious inputs designed to mislead the analysis.
Journal of Information Security and Applications 91 (2025) 104054
G. Paparis et al.
4.1. Asset identification and classification
The proposed cyber risk assessment methodology for smart homes begins with a critical first phase: identifying and classifying assets. This phase involves a thorough inventory of all assets within a smart home environment and then categorizing them into distinct groups based on their functions and roles. This structured approach ensures a comprehensive understanding of the components of a smart home, which is essential for effective threat detection, vulnerability assessment, and risk evaluation. The categorization process delineates three primary classes: (i) Electronics & Controllers, (ii) Sensors, and (iii) Gadgets & Appliances.
The Electronics & Controllers class encompasses the core components that form the backbone of a smart home network. These assets are vital to seamless integration, efficient management, and effective communication among the various smart devices. Key components in this class include network routers and gateways, such as home routers and Wi-Fi extenders, which are crucial for managing internet connectivity and enabling communication between smart devices. Smart hubs and controllers act as central units that oversee and regulate various smart home gadgets, facilitating seamless communication and automation. Additionally, smart cameras are pivotal in this category, serving as essential surveillance and security monitoring tools, providing both live and recorded video feeds. Smart doorbells with video and audio capabilities enhance security by allowing residents to monitor and communicate with visitors remotely. This class also includes smart TVs, which offer internet access and advanced features such as streaming services, voice control, and integration with home automation systems. Moreover, smart home assistants like Amazon Echo or Google Home use voice commands to control other smart devices, respond to queries, and provide information. Finally, smartphones and tablets are personal interfaces for controlling and monitoring smart home systems.
The Sensors class includes all devices capable of detecting and reporting on various environmental conditions. These technologies enable the automation and optimization of a smart home's environment. A key asset in this category is smart lighting, which includes intelligent lighting systems that can be remotely controlled and programmed for energy efficiency and convenience. Additionally, smart thermostats are devices that regulate heating and cooling systems, optimizing energy usage based on occupancy levels and individual user preferences. Another critical device in this category is the smart water leak sensor, which detects water leaks and potential flooding risks, thereby preventing damage. Moreover, intelligent irrigation controllers manage watering schedules for lawns and gardens, ensuring efficient water use. Finally, smart homes could use intelligent moisture sensors to monitor soil moisture levels, maintaining optimal soil conditions.
The Gadgets & Appliances class comprises a diverse range of smart devices designed to enhance lifestyle, convenience, and entertainment within a smart home. These devices often serve as interfaces with other smart home systems to provide a seamless user experience. Critical assets in this class include smart appliances, such as smart refrigerators, smart washing machines, and smart ovens, which offer advanced features like remote control, diagnostics, and energy management. Smart speakers and voice assistants are also important, providing households access to information, music, and home automation features through voice commands. For enhanced entertainment, smart projectors can be paired with other smart home devices to project video content. Another notable device in this class is the smart pet care system, which includes smart feeders and pet cameras that allow for the monitoring and care of pets.
By categorizing smart home assets into these classes, we establish a clear framework for analyzing the potential cyber risks associated with each type of device. This classification not only aids in identifying and understanding the unique characteristics and functions of each asset but also facilitates targeted threat identification, vulnerability assessment, and risk analysis in subsequent steps of the methodology. The outcome of the asset identification and classification phase in the proposed cyber risk assessment for smart homes is an Assets Inventory, which includes all smart home assets categorized into one of the aforementioned classes. This inventory serves as a foundational element for the next step.
4.2. Threat identification and analysis
The primary objective of this step is to systematically identify potential threats targeting the various smart devices within a smart home and to assess the likelihood of each threat. By utilizing the structured threat modeling frameworks of MITRE ATT&CK matrices and CAPEC, this step ensures a comprehensive and rigorous approach to threat detection.
This process begins with the Assets Inventory generated during the Asset Identification and Classification step, where each asset is classified into one of the three aforementioned classes: (i) Electronics & Controllers, (ii) Sensors, and (iii) Gadgets & Appliances. Classifying assets into these classes is pivotal, as it determines the relevant MITRE ATT&CK matrix for threat identification and analysis. Each class of assets is mapped to a specific MITRE ATT&CK matrix, which provides a detailed list of adversarial techniques relevant to that category. Our model equates the techniques listed in the MITRE ATT&CK matrices to potential threats.
For assets categorized under the Electronics & Controllers class, relevant threats are derived from the Enterprise Matrix of MITRE ATT&CK. Notice that there may be corner cases in which the aforementioned statement does not hold. However, for the majority of the cases this statement is true. This matrix addresses threats associated with enterprise environments, which apply to devices forming the core infrastructure of a smart home network. For assets in the Sensors class, threats are mapped from the ICS Matrix of MITRE ATT&CK, which focuses on threats specific to industrial control environments, aligning well with the operational technologies and environmental monitoring functions of smart sensors. Finally, for assets within the Gadgets & Appliances class, the Mobile Matrix of MITRE ATT&CK is utilized, identifying threats related to personal gadgets and appliances that often interface with mobile technologies.
In this step, each smart device in the Assets Inventory is thoroughly analyzed against the corresponding MITRE ATT&CK matrix based on its classification. Potential threats are identified by mapping each device to the relevant adversarial techniques within the appropriate matrix. For instance, a smart camera from the Electronics & Controllers class is evaluated against threats from the Enterprise Matrix, identifying risks such as unauthorized access, data exfiltration, or firmware manipulation.
Next, we leverage the CAPEC database by selecting relevant attack patterns for each identified threat using the Taxonomy Mapping attribute. Specifically, for each threat of each asset, we select the attack patterns (CAPEC-ID) whose Taxonomy Mapping attribute includes the identified threat. In CAPEC, each attack pattern is associated with a likelihood attribute, which indicates the probability of the attack occurring, with possible values of n/a, low, medium, and high. These values are mapped to corresponding scores: 0 for n/a, 0.25 for low, 0.5 for medium, and 0.75 for high. The likelihood of each identified threat to an asset, denoted as $L_{threat}$, is then calculated as the median of the likelihoods from its related attack patterns. Mathematically, this is expressed as:
$L_{threat} = \mathrm{med}(L_{attack\ pattern\ 1}, \ldots, L_{attack\ pattern\ n})$ (1)
where $L_{threat}$ is the likelihood of the threat to the asset, $L_{attack\ pattern\ 1}, \ldots, L_{attack\ pattern\ n}$ are the likelihoods of the related attack patterns, and $n$ is the total number of corresponding attack patterns for the threat.
The output of the Threat Identification and Analysis step is a comprehensive list of potential threats for each smart device, along with the calculated likelihood of each threat and the corresponding attack patterns. This detailed threat profile provides a foundational understanding of each asset's cybersecurity challenges, enabling subsequent steps to focus on vulnerability assessment and risk analysis with a well-defined understanding of the threat landscape.
Table 1
Factors and subfactors of impact on systems (Heartfield et al. [43]).
Factor        Subfactor
Cyber (C)     Confidentiality (C-C)
              Integrity (C-I)
              Availability (C-A)
              Non-repudiation (C-NP)
Physical (P)  Breach of physical privacy (P-BPP)
              Unauthorized Actuation (P-UA)
              Incorrect Actuation (P-IA)
              Delayed Actuation (P-DA)
              Prevented Actuation (P-PA)
4.3. Vulnerability assessment
The Vulnerability Assessment step constitutes the third critical step in the cyber risk assessment methodology for smart homes. The primary goal of this phase is to identify the vulnerabilities corresponding to each threat associated with an asset. This is facilitated by leveraging the CAPEC.
Specifically, from the preceding step of Threat Identification and Analysis, it is established that each identified threat to an asset is associated with a set of attack patterns. In CAPEC, each attack pattern is linked to a set of weaknesses, which, in our model, are considered potential vulnerabilities. We define the set of vulnerabilities for each threat to an asset as the discrete union of the vulnerabilities associated with its attack patterns. Mathematically, this relationship is represented as:
$V(T_i) = \bigcup_{j} V(P_{i,j})$ (2)
where $T_i$ denotes each threat to an asset, $P_{i,j}$ represents the set of attack patterns corresponding to each threat $T_i$, $V(P_{i,j})$ denotes the set of vulnerabilities of each attack pattern $P_{i,j}$, and $V(T_i)$ is the set of vulnerabilities associated with each threat, defined as the union of the vulnerabilities of its attack patterns.
The output of the Vulnerability Assessment phase is a detailed profile for each threat to an asset. This profile enumerates all identified vulnerabilities related to the threat, thereby providing a comprehensive understanding of the potential security gaps that require mitigation.
4.4. Impact assessment
The Impact Assessment constitutes the fourth step of the proposed Cyber Risk Assessment Methodology. The primary objective of this step is to ascertain the potential impact of an identified threat on an asset. The impact of a threat on an asset is determined by factors. Our methodology leverages the taxonomy classification of threats proposed by Heartfield et al. [43], estimating the impacts of these threats based on two primary impact areas or factors: Impact on Systems and Impact on Domestic Life.
The Impact on Systems is divided into two factors. The first is the (i) Cyber (C), which refers to the outcomes and implications arising from occurrences or events in the digital realm. This factor is further subdivided into the following subfactors: Confidentiality (C-C), Integrity (C-I), Availability (C-A), and Non-repudiation (C-NP). The second is the (ii) Physical (P), which pertains to the concrete effects or consequences impacting the physical environment, objects, infrastructure, or humans due to specific events, situations, or actions. This factor is subdivided into the following subfactors: Breach of Physical Privacy (P-BPP), Unauthorized Actuation (P-UA), Incorrect Actuation (P-IA), Delayed Actuation (P-DA), and Prevented Actuation (P-PA). Table 1 presents the subfactors associated with each factor under Impact on Systems.
In turn, the Impact on Domestic Life is divided into three factors. The first is the Direct Consequences (DC), which refers to the consequences that affect the financial aspects, productivity, physical health, privacy, or control of smart home devices of residents. This factor is subdivided into the following subfactors: Financial (DC-F), Vocational (DC-V), Invasion of Privacy (DC-P), Loss of Control (DC-LC), and Inconvenience (DC-I). The second is the User Experience (UX), which refers to the immediate or long-term impact of a threat on the user experience of the affected systems. This factor is subdivided into the following subfactors: Instantly Noticeable (UX-N1), Noticeable Over Time (UX-N2), and Not Noticeable (UX-NN). The third is the Emotional (E), which refers to consequences affecting bodily symptoms or emotional distress (e.g., the resident's perception of losing control and privacy or reduced capacity to carry out daily personal or professional activities). This factor is subdivided into the following subfactors: Appraisal (E-A), Action Tendencies (E-AT), Bodily Symptoms (E-B), Expression (E-E), and Subjective Feeling (E-SF). Table 2 presents the subfactors associated with each factor under Impact on Domestic Life.
Table 2
Factors and subfactors of impact on domestic life.
Factor                    Subfactor
Direct Consequences (DC)  Financial (DC-F)
                          Vocational (DC-V)
                          Invasion of privacy (DC-P)
                          Loss of Control (DC-LC)
                          Inconvenience (DC-I)
User Experience (UX)      Instantly Noticeable (UX-N1)
                          Noticeable over time (UX-N2)
                          Not noticeable (UX-NN)
Emotional (E)             Appraisal (E-A)
                          Action Tendencies (E-AT)
                          Bodily Symptoms (E-B)
                          Expression (E-E)
                          Subjective feeling (E-SF)
Each factor has a corresponding criticality metric for each asset. The criticality of a factor for an asset ($C_{factor_{ik}}$) measures how essential a specific factor is to the given asset. This measure is determined by considering the subfactors associated with the factor and evaluating how many of these subfactors are critical to the asset. To calculate the criticality of a factor for an asset, we use the following equation:
$C_{factor_{ik}} = \dfrac{m_{critical\ subfactors_{ik}}}{n_{total\ subfactors_{ik}}}$ (3)
where $C_{factor_{ik}}$ is the criticality of factor $k$ for asset $i$. Similarly, $m_{critical\ subfactors_{ik}}$ is the number of subfactors of factor $k$ that are critical to asset $i$, and $n_{total\ subfactors_{ik}}$ is the total number of subfactors of factor $k$.
The impact of a threat on an asset due to a specific factor ($I_{factor_{ijk}}$) quantifies how much a particular factor influences the overall impact of the threat on the asset. This impact is determined by considering three elements: the weight of the threat for the factor, the existence of the threat for the factor, and the criticality of the factor for the asset. To calculate the impact of a threat on an asset due to a factor, we use the following equation:
$I_{factor_{ijk}} = W_{factor_{ijk}} \times E_{factor_{ijk}} \times C_{factor_{ik}}$ (4)
where $I_{factor_{ijk}}$ is the impact of threat $j$ on asset $i$ due to factor $k$, $W_{factor_{ijk}}$ is the weight of threat $j$ for factor $k$ of asset $i$ (representing the relative importance or severity of the threat concerning the factor, with values ranging from 0 to 1), $E_{factor_{ijk}}$ is the existence of threat $j$ for factor $k$ of asset $i$ (indicating whether the threat is present or applicable to the factor, with values of 0 or 1), and $C_{factor_{ik}}$ is the criticality of factor $k$ for asset $i$ (quantifying how essential the factor is to the asset, based on the ratio of critical subfactors to the total subfactors of the factor).
The impact of a threat on an asset ($I_{threat_{ij}}$) represents the total effect that a specific threat has on the asset. This impact is determined by considering the influences of all factors associated with the threat.
To calculate the impact of a threat on an asset, we use the following equation:
$I_{threat_{ij}} = \sum_{k=1}^{P_{ij}} I_{factor_{ijk}}$ (5)
where $I_{threat_{ij}}$ is the impact of threat $j$ on asset $i$, $P_{ij}$ is the number of factors influencing the impact of threat $j$ on asset $i$, and $I_{factor_{ijk}}$ is the impact of threat $j$ on asset $i$ due to factor $k$. Additionally, the sum of the weights of the threat for the asset's factors ($W_{factor_{ijk}}$) represents the total contribution of all individual factors influencing the impact of a threat on an asset. This sum must equal 1, ensuring that the weights are normalized and collectively account for the entire impact of the threat. The following equation expresses this:
$\sum_{k=1}^{P_{ij}} W_{factor_{ijk}} = 1$ (6)
where $P_{ij}$ is the number of factors influencing the impact of threat $j$ on asset $i$, and $W_{factor_{ijk}}$ is the weight of threat $j$ for factor $k$ of asset $i$.
4.5. Risk measurement and analysis
Risk measurement and analysis is the final step in our methodology. After identifying assets, along with their corresponding threats and vulnerabilities, this step is dedicated to quantitative measurement and risk analysis.
Threat to Asset Risk. The risk associated with a threat to an asset ($R_{threat_{ij}}$) quantifies the potential loss or damage that a specific threat could inflict on the asset. This risk is calculated by considering both the likelihood of the threat occurring and its impact on the asset. The risk due to a threat to an asset is determined using the following equation:
$R_{threat_{ij}} = L_{threat_{ij}} \times I_{threat_{ij}}$ (7)
where $R_{threat_{ij}}$ represents the risk posed by threat $j$ to asset $i$, $L_{threat_{ij}}$ denotes the likelihood of threat $j$ occurring for asset $i$ (this term captures the probability or frequency of the threat occurring), and $I_{threat_{ij}}$ signifies the impact of threat $j$ on asset $i$, quantifying the potential damage or loss that could result if the threat materializes.
Asset's Risk. The risk of an asset ($R_{asset_i}$) encapsulates the total potential loss or damage that the asset might incur due to various threats. This overall risk is determined by summing the risks posed by all individual threats to the asset. The risk of an asset is computed using the equation:
$R_{asset_i} = \sum_{j=1}^{M_i} R_{threat_{ij}}$ (8)
where $R_{asset_i}$ is the risk of asset $i$, $M_i$ is the number of threats to asset $i$, and $R_{threat_{ij}}$ is the risk posed to asset $i$ by threat $j$.
To normalize the risk of an asset, we first calculate the maximum possible risk that the asset could face if all threats were at their highest possible impact. This maximum risk is calculated using the equation:
$R_{max\ asset} = N \times R_{max\ threat}$ (9)
where $R_{max\ asset}$ represents the maximum possible risk of an asset, $N$ is the maximum number of threats, and $R_{max\ threat}$ is the maximum possible risk to an asset due to a threat. The risk of an asset is then normalized to a scale of 0 to 100 using the following equation:
$R_{normalized\ asset_i} = \dfrac{R_{asset_i}}{R_{max\ asset_i}} \times 100$ (10)
where $R_{normalized\ asset_i}$ is the normalized risk of asset $i$, $R_{asset_i}$ is the risk of asset $i$, and $R_{max\ asset_i}$ is the maximum possible risk of asset $i$. A normalized risk close to 0 indicates a low risk, whereas a value close to 100 indicates a high risk.
Smart Home Risk. The risk of a smart home ($R_{SmartHome}$) represents the total potential loss or damage that the smart home might experience due to the risks associated with its assets. This overall risk is determined by summing the normalized risks of all individual assets within the smart home. The risk of a smart home is calculated using the equation:
$R_{SmartHome} = \sum_{i=1}^{N} R_{normalized\ asset_i}$ (11)
where $R_{SmartHome}$ denotes the total risk of the smart home, $N$ is the number of assets in the smart home, and $R_{normalized\ asset_i}$ is the normalized risk of asset $i$.
To normalize the risk of a smart home, we must first compute the maximum possible risk of the smart home, assuming all assets are at their highest possible risk. This is calculated using the equation:
$R_{MaxSmartHome} = N \times R_{max\ asset}$ (12)
where $N$ represents the total number of assets in the smart home, and $R_{max\ asset}$ is the maximum possible risk of an asset within the smart home. The risk of the smart home is then normalized to a scale of 0 to 100 using the following equation:
$R_{NormalizedSmartHome} = \dfrac{R_{SmartHome}}{R_{MaxSmartHome}} \times 100$ (13)
where $R_{NormalizedSmartHome}$ denotes the normalized risk of the smart home, $R_{SmartHome}$ is the risk of the smart home, and $R_{MaxSmartHome}$ is the maximum possible risk of the smart home. A normalized risk close to 0 indicates low risk, while a value close to 100 indicates high risk. The normalized risk of a smart home can also be translated with the following qualitative form: 0–25 [LOW]; 26–50 [MEDIUM]; 51–75 [HIGH]; 76–100 [CRITICAL] (see Table 3).
Table 3
Risk level form.
Risk level  $R_{NormalizedSmartHome}$
LOW         0–25
MEDIUM      26–50
HIGH        51–75
CRITICAL    76–100
Additionally, an algorithm has been developed to facilitate the risk calculation of each asset, as detailed in Algorithm 1. This algorithm systematically computes the risk associated with each asset within a defined set (Line 1), iterating through each asset to identify potential threats (Lines 2–10). Initially, each asset is classified (Line 3), followed by identifying associated threats (Line 4). Subsequently, the likelihood of each identified threat is calculated using the CAPEC methodology (Line 6). Concurrently, the impact of each threat is assessed (Line 7). The overall risk of each threat is then computed by multiplying the likelihood and impact scores (Line 8).
Algorithm 1 CRASHED's risk calculation
1: procedure RiskCalculate(assets, CAPEC)
2:   for each asset in assets do
3:     asset ← Classify(asset)
4:     threats_of_asset ← IdentifyThreats(asset)
5:     for each threat in threats_of_asset do
6:       Likelihood ← CalculateLikelihood(threat, CAPEC)
7:       Impact ← CalculateImpact(threat)
8:       Risk ← Likelihood × Impact
9:     end for
10:   end for
11: end procedure
In a nutshell, the proposed methodology is intended to guide cybersecurity professionals through its defined steps and leverage its outcomes to determine whether a smart home is sufficiently exposed to a given risk. If the aggregated risk assessment result falls into the high or critical risk category, the expert can decompose it by each asset, review the individual risks, and prioritize mitigation efforts accordingly. Essentially, the cybersecurity professional employs the Risk Measurement step to determine the normalized risk of the smart home and classify the total risk level as critical, high, medium, or low. In cases where the overall risk is identified as critical or high, the professional returns to the normalized risk values of individual assets and mitigates the highest risks first, thereby reducing the overall risk of the system.
Fig. 2. Smart home and indicative CVEs.
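The impact and risk calculations of Sections 4.4 and 4.5 (Eqs. (3) to (13), the Table 3 bands and the per-asset decomposition described above), as an added Python example that is not code from the CRASHED authors. The subfactor lists come from the paper's Tables 1 and 2; the two assets, their critical subfactors, threat weights and existence flags are constructed inputs; and two constants the paper does not fix numerically are assumptions: $R_{max\ threat}$ is taken as the highest CAPEC score (0.75) times the largest attainable impact (1, since the weights sum to 1 and $E$, $C \le 1$), and $R_{max\ asset}$ in Eq. (12) is taken as 100 because Eq. (11) sums already-normalized asset risks.

```python
from dataclasses import dataclass
from typing import Dict, List

# Subfactors per factor, from the paper's Tables 1 and 2.
SUBFACTORS: Dict[str, List[str]] = {
    "C":  ["C-C", "C-I", "C-A", "C-NP"],
    "P":  ["P-BPP", "P-UA", "P-IA", "P-DA", "P-PA"],
    "DC": ["DC-F", "DC-V", "DC-P", "DC-LC", "DC-I"],
    "UX": ["UX-N1", "UX-N2", "UX-NN"],
    "E":  ["E-A", "E-AT", "E-B", "E-E", "E-SF"],
}
# Assumed scale bounds (the paper states neither value explicitly): max CAPEC
# score 0.75 times max impact 1.0 for Eq. (9); 100 per normalized asset for Eq. (12).
R_MAX_THREAT = 0.75 * 1.0
R_MAX_ASSET_NORMALIZED = 100.0


@dataclass
class Threat:
    name: str
    likelihood: float            # L_threat from step 4.2
    weights: Dict[str, float]    # W_factor per factor; must sum to 1 (Eq. 6)
    existence: Dict[str, int]    # E_factor per factor; 0 or 1


@dataclass
class Asset:
    name: str
    critical_subfactors: Dict[str, List[str]]  # factor -> subfactors critical to the asset
    threats: List[Threat]
    max_threats: int                            # N in Eq. (9)


def factor_criticality(asset: Asset, factor: str) -> float:
    """Eq. (3): critical subfactors of the factor / total subfactors of the factor."""
    critical = set(asset.critical_subfactors.get(factor, [])) & set(SUBFACTORS[factor])
    return len(critical) / len(SUBFACTORS[factor])


def weights_valid(threat: Threat) -> bool:
    """Eq. (6): a threat's factor weights must sum to 1 (float tolerance)."""
    return abs(sum(threat.weights.values()) - 1.0) <= 1e-9


def threat_impact(asset: Asset, threat: Threat) -> float:
    """Eqs. (4)-(5): I_threat = sum over k of W_factor * E_factor * C_factor."""
    if not weights_valid(threat):
        raise ValueError(f"weights of {threat.name!r} do not sum to 1")
    return sum(w * threat.existence.get(k, 0) * factor_criticality(asset, k)
               for k, w in threat.weights.items())


def threat_risk(asset: Asset, threat: Threat) -> float:
    """Eq. (7): R_threat = L_threat * I_threat."""
    return threat.likelihood * threat_impact(asset, threat)


def asset_risk(asset: Asset) -> float:
    """Eq. (8): sum of the asset's threat risks."""
    return sum(threat_risk(asset, t) for t in asset.threats)


def normalized_asset_risk(asset: Asset) -> float:
    """Eqs. (9)-(10): asset risk on a 0..100 scale against N * R_max threat."""
    return asset_risk(asset) / (asset.max_threats * R_MAX_THREAT) * 100.0


def smart_home_risk(assets: List[Asset]) -> float:
    """Eqs. (11)-(13): normalized sum of the normalized asset risks."""
    total = sum(normalized_asset_risk(a) for a in assets)
    return total / (len(assets) * R_MAX_ASSET_NORMALIZED) * 100.0


def risk_level(normalized: float) -> str:
    """Table 3 bands; a fractional value above a band edge falls in the upper band (assumption)."""
    if normalized <= 25:
        return "LOW"
    if normalized <= 50:
        return "MEDIUM"
    if normalized <= 75:
        return "HIGH"
    return "CRITICAL"


def prioritize(assets: List[Asset]) -> List[Asset]:
    """Decomposition step of Section 4.5: assets ordered by normalized risk, highest first."""
    return sorted(assets, key=normalized_asset_risk, reverse=True)


def assess(assets: List[Asset]) -> dict:
    """Per-asset normalized risks (highest first), smart home risk and its level."""
    home = smart_home_risk(assets)
    return {"assets": {a.name: round(normalized_asset_risk(a), 2) for a in prioritize(assets)},
            "smart_home": round(home, 2), "level": risk_level(home)}


# Constructed sample inventory (values chosen for illustration, not measured).
CAMERA = Asset("smart camera",
               {"C": ["C-C", "C-I", "C-A"], "P": ["P-BPP"], "DC": ["DC-P", "DC-LC"],
                "UX": ["UX-N1"], "E": ["E-A", "E-SF"]},
               [Threat("Rootkit", 0.5, {"C": 0.5, "P": 0.2, "DC": 0.3}, {"C": 1, "P": 1, "DC": 1}),
                Threat("Dynamic Linker Hijacking", 0.5, {"C": 0.6, "DC": 0.4}, {"C": 1, "DC": 1})],
               max_threats=5)
THERMOSTAT = Asset("smart thermostat",
                   {"C": ["C-A"], "P": ["P-UA", "P-IA", "P-DA", "P-PA"], "DC": ["DC-F", "DC-I"]},
                   [Threat("Brute Force", 0.5, {"P": 0.7, "DC": 0.3}, {"P": 1, "DC": 1})],
                   max_threats=5)

if __name__ == "__main__":
    print(assess([CAMERA, THERMOSTAT]))
```

For the camera, Eq. (3) gives $C$ = 0.75, $P$ = 0.2 and $DC$ = 0.4, so the Rootkit threat has impact 0.535 and risk 0.2675, the asset's risk is 0.5725 and its normalized risk about 15.3; with the thermostat at about 9.1 the smart home normalizes to about 12.2, i.e. LOW. A weight vector that does not sum to 1 is rejected before any impact is computed, which is the check Eq. (6) asks for.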
5. Evaluation
In this section, we apply our proposed cyber risk assessment methodology to a case study involving a smart home equipped with commonly-used smart devices. The primary objective is to evaluate the risks posed by cyber threats in a smart home environment, with the ultimate goal of supporting efforts to manage these risks.
5.1. Asset identification and classification
A typical smart home setup was considered for the evaluation, comprising devices from three primary categories: (i) Electronics & Controllers, (ii) Sensors, and (iii) Gadgets & Appliances. The Electronics & Controllers category includes smart cameras, smart doorbells, smart alarms, and smart TVs. The Sensors category includes smart light switches, smart water leak sensors, smart irrigation controllers, and smart moisture sensors. The Gadgets & Appliances category includes smart refrigerators, smart washing machines, smart speakers, and smart ovens. To ensure a realistic evaluation scenario, top-selling brands of smart devices were chosen within each category. These devices inherit the vulnerabilities and CVEs associated with their respective brands and models, offering a comprehensive basis for assessing the cyber risks inherent in modern smart home environments, as illustrated in Fig. 2.
The Assets Inventory serves as the foundation for the subsequent steps of CRASHED. Using this inventory, we can identify the threats and vulnerabilities associated with each asset and ultimately determine the total risk of the smart home. As mentioned in Section 4, the total risk is calculated as the normalized sum of the individual risks of each asset listed in the Assets Inventory.
Inside View: It is worth mentioning here that, given the space constraints and the primary focus of this article on demonstrating our methodology rather than exhaustively listing all vulnerabilities of every device, we will narrow our focus to a single device (i.e., a smart camera) for the purpose of illustrating our examples. However, it is important to note that the risk assessment calculations will still encompass all devices within the smart home setup. This approach allows us to effectively showcase the application of our methodology without overwhelming the reader with extensive details on each individual device.
Table 4
Top-5 threats to the selected smart camera.
Threat                          CAPEC-IDs  Likelihood
Dynamic Linker Hijacking        13, 640    0.50
Impair Command History Logging  13         0.75
Brute Force                     49         0.50
Process Discovery               573        0.25
Rootkit                         552        0.50
Table 5
CWEs of the selected smart camera.
Threat                          CWEs
Dynamic Linker Hijacking        15, 20, 73, 74, 114, 200, 285, 302, 353, 829
Impair Command History Logging  15, 20, 73, 74, 200, 285, 302, 353
Brute Force                     262, 263, 257, 654, 307, 308, 309, 521
Process Discovery               200
Rootkit                         284
5.2. Threat identification and analysis
After identifying and classifying the assets of the smart home and recording them in the Assets Inventory, the next step is to identify the threats associated with each asset and calculate the likelihood of these threats. Following the methodology outlined in Section 4.2, we first identify the threats based on the classification of each asset. For assets classified under Electronics & Controllers, all threats from the Enterprise Matrix of MITRE ATT&CK are inherited. Similarly, assets classified under Sensors inherit all threats from the ICS Matrix of MITRE ATT&CK. In the same way, assets classified under Gadgets & Appliances inherit all threats from the Mobile Matrix of MITRE ATT&CK. Next, for each identified threat associated with the assets, we select the relevant attack patterns (CAPEC-ID) whose Taxonomy Mappings attribute contains the identified threat. Finally, the likelihood of each identified threat is calculated according to the methodology described in Section 4.2.
To provide an inside view, we utilize a specific device: a smart camera associated with several distinct threats. While a similar analysis has been conducted for all individual devices, as mentioned in Section 5.1, we present only the smart camera analysis due to space constraints. By examining Table 4, we find that the Rootkit threat is mapped to the Install Rootkit attack pattern (CAPEC-ID 552) in the Taxonomy Mapping attribute, which has a likelihood of "Medium", corresponding to a likelihood score of 0.5. Consequently, the likelihood of the Rootkit threat is determined to be 0.5. Similarly, the Dynamic Linker Hijacking threat is mapped to two attack patterns in the Taxonomy Mapping attribute: (i) the Subverting Environment Variable Values attack pattern (CAPEC-ID 13), which has a "High" likelihood (i.e., 0.75), and (ii) the Inclusion of Code in Existing Process attack pattern (CAPEC-ID 640), which has a "Low" likelihood (i.e., 0.25). Therefore, the likelihood of the Dynamic Linker Hijacking threat is calculated as 0.5, which is the median of the likelihood scores of the two aforementioned attack patterns.
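The threat likelihood and vulnerability steps of Sections 4.2 and 4.3, applied to the smart-camera threats just discussed, as an added Python example that is not code from the CRASHED authors: it maps the CAPEC likelihood labels to the paper's scores, takes the median per threat (Eq. (1)) and unions the related CWEs (Eq. (2)). The CAPEC and THREAT_PATTERNS dictionaries are a constructed extract whose likelihoods and CWE lists follow Tables 4 and 5; how the CWEs split between CAPEC-13 and CAPEC-640, and the 0.0 score given to a threat with no mapped attack pattern, are our assumptions.

```python
from statistics import median
from typing import Dict, List, Set, Tuple

# CAPEC "Likelihood Of Attack" labels mapped to scores, as in Section 4.2.
LIKELIHOOD_SCORE = {"n/a": 0.0, "low": 0.25, "medium": 0.5, "high": 0.75}

# Constructed extract of CAPEC: CAPEC-ID -> (likelihood label, related CWE-IDs).
# Likelihoods follow Table 4; the CWE sets are split per pattern so that the
# per-threat unions reproduce Table 5 (the split itself is our assumption).
CAPEC: Dict[int, Tuple[str, Set[int]]] = {
    13:  ("High",   {15, 20, 73, 74, 200, 285, 302, 353}),   # Subverting Environment Variable Values
    640: ("Low",    {114, 829}),                              # Inclusion of Code in Existing Process
    49:  ("Medium", {262, 263, 257, 654, 307, 308, 309, 521}),
    573: ("Low",    {200}),
    552: ("Medium", {284}),                                   # Install Rootkit
}

# ATT&CK technique (= threat) -> CAPEC-IDs whose Taxonomy Mapping lists it (Table 4).
THREAT_PATTERNS: Dict[str, List[int]] = {
    "Dynamic Linker Hijacking": [13, 640],
    "Impair Command History Logging": [13],
    "Brute Force": [49],
    "Process Discovery": [573],
    "Rootkit": [552],
}


def pattern_likelihood(capec_id: int, capec=CAPEC) -> float:
    """Score of one attack pattern's likelihood attribute (n/a -> 0.0)."""
    label, _ = capec[capec_id]
    return LIKELIHOOD_SCORE[label.lower()]


def threat_likelihood(threat: str, threat_patterns=THREAT_PATTERNS, capec=CAPEC) -> float:
    """Eq. (1): L_threat = med(L_attack pattern 1, ..., L_attack pattern n).

    statistics.median averages the two middle values for an even count, which
    is how Section 5.2 obtains 0.5 from {0.75, 0.25}.  A threat with no mapped
    pattern has no median; it is scored 0.0 here (assumption, not stated by the paper).
    """
    ids = threat_patterns.get(threat, [])
    if not ids:
        return 0.0
    return median(pattern_likelihood(i, capec) for i in ids)


def threat_vulnerabilities(threat: str, threat_patterns=THREAT_PATTERNS, capec=CAPEC) -> Set[int]:
    """Eq. (2): V(T_i) = union over j of V(P_i,j); empty set when nothing is mapped."""
    ids = threat_patterns.get(threat, [])
    return set().union(*(capec[i][1] for i in ids))


def threat_profile(threat: str) -> dict:
    """Per-threat output of steps 4.2 and 4.3: attack patterns, likelihood and CWEs."""
    return {
        "threat": threat,
        "capec_ids": list(THREAT_PATTERNS.get(threat, [])),
        "likelihood": threat_likelihood(threat),
        "cwes": sorted(threat_vulnerabilities(threat)),
    }


if __name__ == "__main__":
    for name in THREAT_PATTERNS:
        print(threat_profile(name))
```

Running it reproduces the Likelihood column of Table 4 and the CWE rows of Table 5; the Dynamic Linker Hijacking row shows both the even-count median (0.5 from 0.75 and 0.25) and the union of two weakness sets into the ten CWEs listed.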
5.3. Vulnerability assessment
After identifying the comprehensive set of threats to the smart home, the next step involves determining the specific vulnerabilities
Table 13
Comparison of different approaches.
Works                     Contribution          Security issues  Privacy issues  Vulnerabilities databases @ Risk calculation  Weighted formulas @ Risk calculation  Methodologies
Bugeja et al. [46]        Framework             ✗                ✓               ✓                                             ✗                                     DREAD
Flores et al. [47]        Model                 ✓                ✗               ✓                                             ✗                                     Bayesian
Sturgess et al. [48]      Model                 ✗                ✓               ✗                                             ✗                                     n/a
Wang et al. [49]          Method                ✗                ✓               ✗                                             ✗                                     STPA-FMEA
Park et al. [50]          Framework             ✗                ✓               ✓                                             ✗                                     FAIR
Ata and Akleylek [51]     Method                ✓                ✗               ✓                                             ✗                                     n/a
Collen and Nijdam [52]    Framework             ✓                ✓               ✗                                             ✓                                     n/a
Alalade et al. [53]       Methodology           ✗                ✓               ✗                                             ✗                                     LINDDUN PRO
Parsons et al. [54]       Model                 ✓                ✓               ✗                                             ✗                                     n/a
Pandey et al. [55]        Model                 ✓                ✗               ✗                                             ✗                                     Negative to Positive
Wongvises et al. [56]     Method                ✓                ✗               ✓                                             ✗                                     n/a
Jacobsson et al. [57]     Empirical evaluation  ✓                ✓               ✓                                             ✗                                     ISRA
Ali and Awad [33]         Methodology           ✓                ✗               ✓                                             ✗                                     OCTAVE Allegro
CRASHED                   Methodology           ✓                ✓               ✓                                             ✓                                     MITRE ATT&CK
study, highlighting the significance of user education, awareness, and proactive action in the risk mitigation process.
Pandey et al. [55] provide a risk assessment model generated from the Negative to Positive method. The objective of the model is to automate the process of threat-based risk assessment, specifically tailored to the configurations of smart homes. Using threat-triggered evaluation scenarios that have been built, the utilization of the calculation model is explained and demonstrated. The construction of these scenarios was accomplished by utilizing a technology that consisted of analyzing historical evidence of data exchange within the framework of smart homes.
Wongvises et al. [56] propose a method of quantifying security risks that establishes a certain smart house's security by evaluating smart home devices. In turn, this makes it possible to assess a smart house's security level. Fault Tree Analysis (FTA), which is the methodology that is typically applied in systems that are regarded to be mission-critical, serves as the foundation of their method. After developing a vulnerability tree for a smart home, the authors applied the inclusion-exclusion law of probability to it in order to ascertain the amount of risk. This work employs the CVSS, NVD, and CVE vulnerability databases in the risk calculation phase.
A detailed risk assessment of a smart home automation system was carried out by Jacobsson et al. [57]. The findings of this study highlighted the importance of incorporating security and privacy concerns into the design phase of a smart home automation system. The Information Security Risk Analysis (ISRA) method is utilized to assess the vulnerabilities and threats associated with the system, the likelihood that they will occur, and the potential consequences they may have. The results indicate that the high risks are associated with either the human factor or the software components of the system, pointing out that the risks derived from the human factor would require additional consideration. In the risk calculation phase, this work employs the CVE vulnerability database.
Ali and Awad [33] discuss the importance of conducting a comprehensive security risk assessment of IoT-based smart homes, highlighting the need to consider both cyber and physical security aspects. They made use of the OCTAVE Allegro approach, and they suggested a number of different countermeasures in order to reduce the detected security risks and threats.
Table 13 compares the related work with CRASHED. Works that have a checkmark in the Security Issues column indicate that their proposed risk assessments include the detection of weaknesses in the smart home, prospective threats (such as hackers or malware), and the impact of these threats making their way into the smart home. Works that have a checkmark in the Privacy Issues column indicate that their proposed risk assessment includes the analysis of data life cycle management techniques, permission processes, and data minimization practices. Works with checkmarks in both columns, Security Issues and Privacy Issues, include both sets of concerns. The third and fourth columns pertain to the characteristics involved in calculating risk. Works with checkmarks in the Vulnerability Databases @ Risk Calculation column demonstrate their use of vulnerability databases for risk calculation, while those with checkmarks in the Weighted Formulas @ Risk Calculation column demonstrate their use of weights for risk measurement. Based on Table 13, a significant gap exists in the cyber risk assessment of smart homes, as the majority of works do not utilize these characteristics. Lastly, the Methodologies/Frameworks column indicates risk methodologies or frameworks that contributed to the process of the proposed risk assessment. Consequently, CRASHED is the sole cyber risk assessment methodology that leverages the MITRE ATT&CK and CAPEC frameworks and addresses security and privacy issues by basing the risk calculation on vulnerability databases and using a weighting formula.
8. Conclusion
The increasing integration of smart home devices into daily life has brought about unparalleled convenience, yet it has also introduced significant cybersecurity challenges that demand immediate attention. This article introduced CRASHED, a comprehensive cyber risk assessment methodology specifically designed to address the unique vulnerabilities of smart home environments. By integrating the MITRE ATT&CK and CAPEC frameworks, CRASHED provides a robust mechanism for identifying, analyzing, and quantifying the risks posed by cyber threats. The methodology's emphasis on device profiling and the holistic assessment of threats and vulnerabilities offers a more precise evaluation of potential risks than traditional approaches. The case study presented validates the effectiveness of CRASHED in identifying critical threats and formulating strategies to mitigate potential impacts on smart homes. As smart home adoption grows, the need for tailored cybersecurity solutions becomes increasingly critical. CRASHED fills this gap and sets a new standard for cyber risk assessment in smart home ecosystems, paving the way for more secure and resilient digital living environments.
CRediT authorship contribution statement
Georgios Paparis: Writing – review & editing, Writing – original draft, Visualization, Validation, Supervision, Software, Resources, Project administration, Methodology, Investigation, Funding acquisition, Formal analysis, Data curation, Conceptualization. Apostolis Zarras: Writing – review & editing, Writing – original draft, Visualization, Validation, Supervision, Software, Resources, Project administration, Methodology, Investigation, Funding acquisition, Formal analysis, Data curation, Conceptualization. Aristeidis Farao: Writing – review & editing, Writing – original draft, Visualization, Validation, Supervision, Software, Resources, Project administration, Methodology, Investigation, Funding acquisition, Formal analysis, Data curation,
Conceptualization. Christos Xenakis: Writing – review & editing, Writing – original draft, Visualization, Validation, Supervision, Software, Resources, Project administration, Methodology, Investigation, Funding acquisition, Formal analysis, Data curation, Conceptualization.
Research data/code availability
The source code is available at https://github.com/UniPiSSL/CRASHED.
Compliance with ethical standards
This article does not contain any studies with human participants or animals performed by any of the authors.
Declaration of Generative AI and AI-assisted technologies in the writing process
During the preparation of this work the authors used Grammarly in order to improve language and readability. After using this tool/service, the authors reviewed and edited the content as needed and take full responsibility for the content of the publication.
Declaration of competing interest
The authors declare no conflict of interest.
Acknowledgments
This research has received funding from the European Commission's Horizon Europe and Horizon 2020 research and innovation programs under grant agreements No. 101082440 (CHRISS); No. 101095634 (ENTRUST); No. 101092702 (OASEES); No. 101120962 (RESCALE).
Source code availability
The source code is available at https://github.com/UniPiSSL/CRASHED.
References
[1] Grand View Research. Smart home market size & trends. 2023, https://rb.gy/w6x l8.
[2] Kor A-L, Pattinson C, Yanovsky M, Kharchenko V. IoT-enabled smart living. Technol Smart Futur 2018;3–28.
[3] Marques G, Saini J, Dutta M. IoT enabled computer-aided systems for smart buildings. Springer; 2023.
[4] Hammi B, Zeadally S, Khatoun R, Nebhen J. Survey on smart homes: Vulnerabilities, risks, and countermeasures. Comput Secur 2022;117:102677.
[5] Report ZE. 65% of US households impacted by cybersecurity in the home security industry statistics. 2024, https://rb.gy/yphuhw.
[6] New York Times. Somebody's watching: Hackers breach Ring home security cameras. 2024, https://rb.gy/o1ajl0.
[7] News N. Stranger hacks into baby monitor, tells child, 'I love you'. 2019, https://rb.gy/a aem.
[8] NordVPN. Hacker terrorizes family by hijacking baby monitor. 2018, https://rb.gy/ s680.
[9] Forbes. Hackers use DDoS attack to cut heat to apartments. 2026, https://rb.gy/8 mdw.
[10] Sami S, Dai Y, Tan SRX, Roy N, Han J. Spying with your robot vacuum cleaner: Eavesdropping via lidar sensors. In: Proceedings of the 18th conference on embedded networked sensor systems. 2020, p. 354–67.
[11] Kaspersky. Xiaomi mi robot vacuum cleaner hacked. 2018, https://rb.gy/g eaka.
[12] Görmüş S, Aydın H, Ulutaş G. Security for the internet of things: A survey of existing mechanisms, protocols and open research issues. J Fac Eng Archit Gazi Univ 2018;33(4):1247–72.
[13] Yamauchi M, Ohsita Y, Murata M, Ueda K, Kato Y. Anomaly detection for smart home based on user behavior. In: 2019 IEEE international conference on consumer electronics. ICCE, IEEE; 2019, p. 1–6.
[14] Ur B, McManus E, Pak Yong Ho M, Littman ML. Practical trigger-action programming in the smart home. In: Proceedings of the SIGCHI conference on human factors in computing systems. 2014, p. 803–12.
[15] Bitdefender. The 2024 IoT security landscape report. 2024, https://rb.gy/7h95ho.
[16] Boeckl K, Boeckl K, Fagan M, Fisher W, Lefkovitz N, Megas KN, Nadeau E, O'Rourke DG, Piccarreta B, Scarfone K. Considerations for managing internet of things (IoT) cybersecurity and privacy risks. US Department of Commerce, National Institute of Standards and Technology; 2019.
[17] Bugeja J, Jacobsson A, Davidsson P. On privacy and security challenges in smart connected homes. In: 2016 European intelligence and security informatics conference. EISIC, IEEE; 2016, p. 172–5.
[18] Kolias C, Kambourakis G, Stavrou A, Voas J. DDoS in the IoT: Mirai and other botnets. Computer 2017;50(7):80–4.
[19] MITRE. MITRE ATT&CK, https://attack.mitre.org/.
[20] MITRE. CAPEC, https://capec.mitre.org/index.html.
[21] NIST. Tactics, Techniques, and Procedures (TTPs), https://rb.gy/2umu8q.
[22] Martin L. The Cyber Kill Chain, https://lmt.co/46AXLdz.
[23] Abiodun OI, Abiodun EO, Alawida M, Alkhawaldeh RS, Arshad H. A review on the security of the internet of things: Challenges and solutions. Wirel Pers Commun 2021;119:2603–37.
[24] Bipartisan Policy Center. Smart homes and policy: Cybersecurity risks and tradeoffs. 2022, https://rb.gy/ 43z37.
[25] Wendzel S. How to increase the security of smart buildings? Commun ACM 2016;59(5):47–9.
[26] Guhr N, Werth O, Blacha PPH, Breitner MH. Privacy concerns in the smart home context. SN Appl Sci 2020;2:1–12.
[27] Hall F, Maglaras L, Aivaliotis T, Xagoraris L, Kantzavelou I. Smart homes: Security challenges and privacy concerns. 2020, arXiv preprint arXiv:2010.15394.
[28] Kuyucu MK, Bahtiyar Ş, İnce G. Security and privacy in the smart home: A survey of issues and mitigation strategies. In: 2019 4th international conference on computer science and engineering. UBMK, IEEE; 2019, p. 113–8.
[29] Zimmermann V, Gerber P, Marky K, Böck L, Kirchbuchner F. Assessing users' privacy and security concerns of smart home technologies. I-Com 2019;18(3):197–216.
[30] Ansari AM, Nazir M, Mustafa K. Smart homes app vulnerabilities, threats, and solutions: A systematic literature review. J Netw Syst Manage 2024;32(2):29.
[31] IoT cybersecurity: strengthening defenses against threats. American Public University, https://rb.gy/ 9xam0.
[32] Alshboul Y, Bsoul AAR, Al Zamil M, Samarah S. Cybersecurity of smart home systems: Sensor identity protection. J Netw Syst Manage 2021;29(3):22.
[33] Ali B, Awad AI. Cyber and physical security vulnerability assessment for IoT-based smart homes. Sensors 2018;18(3):817.
[34] Touqeer H, Zaman S, Amin R, Hussain M, Al-Turjman F, Bilal M. Smart home security: Challenges, issues and solutions at different IoT layers. J Supercomput 2021;77(12):14053–89.
[35] Rapid7. Metasploit, https://www.metasploit.com.
[36] Nmap ORG. Nmap, https://nmap.org.
[37] IoTAC. 8 attacks against a smart home every 24 h. 2023, https://rb.gy/acooq4.
[38] Micro T. Inside the smart home: IoT device threats and attack scenarios. 2019, https://rb.gy/1z6x5q.
[39] Andrade RO, Ortiz-Garcés I, Cazares M. Cybersecurity attacks on smart home during Covid-19 pandemic. In: 2020 fourth world conference on smart trends in systems, security and sustainability (worldS4). IEEE; 2020, p. 398–404.
[40] Apthorpe N, Reisman D, Sundaresan S, Narayanan A, Feamster N. Spying on the smart home: Privacy attacks and defenses on encrypted IoT traffic. 2017, arXiv preprint arXiv:1708.05044.
[41] Alberts C, Dorofee A, Stevens J, Woody C. Introduction to the OCTAVE approach. Pittsburgh, PA: Carnegie Mellon University; 2003, p. 72–4.
[42] MITRE. Common weakness enumeration. 2024, https://cwe.mitre.org/.
[43] Heartfield R, Loukas G, Budimir S, Bezemskij A, Fontaine JR, Filippoupolitis A, Roesch E. A taxonomy of cyber-physical threats and impact in the smart home. Comput Secur 2018;78:398–428.
[44] Akpan F, Bendiab G, Shiaeles S, Karamperidis S, Michaloliakos M. Cybersecurity challenges in the maritime sector. Network 2022;2(1):123–38.
[45] Schinas O, Metzger D. Cyber-seaworthiness: A critical review of the literature. Mar Policy 2023;151:105592.
[46] Bugeja J, Jacobsson A, Davidsson P. PRASH: A framework for privacy risk analysis of smart homes. Sensors 2021;21(19):6399.
[47] Flores M, Heredia D, Andrade R, Ibrahim M. Smart home IoT network risk assessment using Bayesian networks. Entropy 2022;24(5):668.
[48] Sturgess J, Nurse JR, Zhao J. A capability-oriented approach to assessing privacy risk in smart home ecosystems. In: Living in the internet of things: cybersecurity of the IoT-2018. IET; 2018, p. 1–8.
[49] Wang Y, Zhang R, Zhang X, Zhang Y. Privacy risk assessment of smart home system based on a STPA–FMEA method. Sensors 2023;23(10):4664.
[50] Park M, Oh H, Lee K. Security risk measurement for information leakage in IoT-based smart homes from a situational awareness perspective. Sensors 2019;19(9):2148.
[51] Arat F, Akleylek S. A new method for vulnerability and risk assessment of IoT. Comput Netw 2023;237:110046.
[52] Collen A, Nijdam NA. Can I sleep safely in my smart home? A novel framework on automating dynamic risk assessment in IoT environments. Electronics 2022;11(7):1123.
[53] Alalade ED, Mahyoub M, Matrawy A. Privacy engineering in smart home (SH) systems: A comprehensive privacy threat analysis and risk management approach. 2024, arXiv preprint arXiv:2401.09519.
[54] Parsons EK, Panaousis E, Loukas G. How secure is home: Assessing human susceptibility to IoT threats. In: Proceedings of the 24th pan-hellenic conference on informatics. 2020, p. 64–71.
[55] Pandey P, Collen A, Nijdam N, Anagnostopoulos M, Katsikas S, Konstantas D. Towards automated threat-based risk assessment for cyber security in smart homes. In: Proceedings of the 18th European conference on cyber warfare and security (ECCWS 2019), Coimbra, Portugal. 2019, p. 4–5.
[56] Wongvises C, Khurat A, Fall D, Kashihara S. Fault tree analysis-based risk quantification of smart homes. In: 2017 2nd international conference on information technology. INCIT, IEEE; 2017, p. 1–6.
[57] Jacobsson A, Boldt M, Carlsson B. A risk analysis of a smart home automation system. Future Gener Comput Syst 2016;56:719–33.