Petar Radanliev ^1* David De Roure ¹ Carsten Maple ² Jason Nurse ³ Razvan Nicolescu ⁴ Uchenn D. Ani ⁵

• ¹ University of Oxford, Oxford, United Kingdom
• ² University of Warwick, Coventry, West Midlands, United Kingdom
• ³ University of Kent, Canterbury, Kent, United Kingdom
• ⁴ University College London, London, England, United Kingdom
• ⁵ Keele University, Keele, United Kingdom

Internet-of-Things (IoT) refers to low-memory connected devices used in various new technologies, including drones, autonomous machines, and robotics. The article aims to understand better cyber risks in low-memory devices and the challenges in IoT risk management. The article includes a critical reflection on current risk methods and their level of appropriateness for IoT. We present a dependency model tailored in context towards current challenges in data strategies and make recommendations for the cybersecurity community. The model can be used for cyber risk estimation and assessment and generic risk impact assessment. The model is developed for cyber risk insurance for new technologies (e.g., drones, robots). Still, practitioners can apply it to estimate and assess cyber risks in organisations and enterprises. Furthermore, this paper critically discusses why risk assessment and management are crucial in this domain and what open questions on IoT risk assessment and risk management remain areas for further research. The paper then presents a more holistic understanding of cyber risks in the IoT. We explain how the industry can use new risk assessment, and management approaches to deal with the challenges posed by emerging IoT cyber risks. We explain how these approaches influence policy on cyber risk and data strategy. We also present a new approach for cyber risk assessment that incorporates IoT risks through dependency modelling. The paper describes why this approach is well suited to estimate IoT risks.