{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T21:23:01Z","timestamp":1770240181100,"version":"3.49.0"},"reference-count":128,"publisher":"Association for Computing Machinery (ACM)","issue":"FSE","license":[{"start":{"date-parts":[[2024,7,12]],"date-time":"2024-07-12T00:00:00Z","timestamp":1720742400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Proc. ACM Softw. Eng."],"published-print":{"date-parts":[[2024,7,12]]},"abstract":"<jats:p>Cybersecurity concerns of Internet of Things (IoT) devices and infrastructure are growing each year. In response, organizations worldwide have published IoT security guidelines to protect their citizens and customers by providing recommendations on the development and operation of IoT systems. While these guidelines are being adopted, <jats:italic toggle=\"yes\">e.g<\/jats:italic>. by US federal contractors, their content and merits have not been critically examined. Specifically, we do not know what topics and recommendations they cover and their effectiveness at preventing real-world IoT failures.<\/jats:p>\n<jats:p>In this paper, we address these gaps through a qualitative study of guidelines. We collect 142 IoT cybersecurity guidelines and sample them for recommendations until reaching saturation at 25 guidelines. From the resulting 958 unique recommendations, we iteratively develop a hierarchical taxonomy following grounded theory coding principles and study the guidelines\u2019 comprehensiveness. In addition, we evaluate the actionability and specificity of each recommendation and match recommendations to CVEs and security failures in the news they can prevent.
We report that: (1) Each guideline has gaps in its topic coverage and comprehensiveness; (2) 87.2% recommendations are actionable and 38.7% recommendations can prevent specific threats; and (3) although the union of the guidelines mitigates all 17 of the failures from our news stories corpus, 21% of the CVEs evade the guidelines. In summary, we report shortcomings in each guideline\u2019s depth and breadth, but as a whole they address major security issues.<\/jats:p>","DOI":"10.1145\/3660770","type":"journal-article","created":{"date-parts":[[2024,7,12]],"date-time":"2024-07-12T10:22:09Z","timestamp":1720779729000},"page":"1400-1423","source":"Crossref","is-referenced-by-count":1,"title":["On the Contents and Utility of IoT Cybersecurity Guidelines"],"prefix":"10.1145","volume":"1","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-1741-5531","authenticated-orcid":false,"given":"Jesse","family":"Chen","sequence":"first","affiliation":[{"name":"University of Arizona, Tucson, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6191-1180","authenticated-orcid":false,"given":"Dharun","family":"Anandayuvaraj","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2495-686X","authenticated-orcid":false,"given":"James C.","family":"Davis","sequence":"additional","affiliation":[{"name":"Purdue University, West Lafayette, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1258-6470","authenticated-orcid":false,"given":"Sazzadur","family":"Rahaman","sequence":"additional","affiliation":[{"name":"University of Arizona, Tucson, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,7,12]]},"reference":[{"key":"e_1_3_2_2_2","unstructured":"[n. d.]. Cybersecurity Labelling Scheme (CLS). 
https:\/\/www.csa.gov.sg\/our-programmes\/certification-and-labelling-schemes\/cybersecurity-labelling-scheme Accessed: 2023."},{"key":"e_1_3_2_3_2","unstructured":"1998. Federal Register of Legislation - Privacy Act 1988. https:\/\/www.legislation.gov.au\/C2004A03712\/2014-03-12\/text. Accessed: 2024."},{"key":"e_1_3_2_4_2","unstructured":"2009. ISO 26262. https:\/\/saemobilus.sae.org\/content\/2009-01-0758\/. Accessed: 2023."},{"key":"e_1_3_2_5_2","unstructured":"2010. IEC 61508. https:\/\/webstore.iec.ch\/publication\/5515. Accessed: 2023."},{"key":"e_1_3_2_6_2","unstructured":"2013. PA DSS v3.0 Requirements and Security Assessment Procedures. https:\/\/listings.pcisecuritystandards.org\/minisite\/en\/docs\/PA-DSS_v3.pdf. Accessed: 2023."},{"key":"e_1_3_2_7_2","unstructured":"2015. Hackers Remotely Kill a Jeep on a Highway. Accessed: 2022."},{"key":"e_1_3_2_8_2","unstructured":"2018. Bill Text - SB-327 Information privacy: connected devices. https:\/\/leginfo.legislature.ca.gov\/faces\/billTextClient.xhtml?bill_id=201720180SB327 Accessed: 2023."},{"key":"e_1_3_2_9_2","unstructured":"2018. California Consumer Privacy Act of 2018. https:\/\/www.oag.ca.gov\/privacy\/ccpa. Accessed: 2024."},{"key":"e_1_3_2_10_2","unstructured":"2018. General Data Protection Regulation - Official Legal Text. https:\/\/gdpr-info.eu\/. Accessed: 2024."},{"key":"e_1_3_2_11_2","unstructured":"2018. PCI DSS v3.2.1 Quick Reference Guide. Accessed: 2023."},{"key":"e_1_3_2_12_2","unstructured":"2019. HB2395 2019 Regular Session - Oregon Legislative Information System. https:\/\/olis.oregonlegislature.gov\/liz\/2019R1\/Measures\/Overview\/HB2395 Accessed: 2023."},{"key":"e_1_3_2_13_2","unstructured":"2019. Security News This Week: Hackers Found a Freaky New Way to Kill Your Car. https:\/\/www.wired.com\/story\/car-hacking-biometric-database-security-roundup\/. Accessed: 2022."},{"key":"e_1_3_2_14_2","unstructured":"2020. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-29440. 
Accessed: 2022."},{"key":"e_1_3_2_15_2","unstructured":"2020. H.R.1668 - 116th Congress (2019-2020): IoT Cybersecurity Improvement Act of 2020. https:\/\/www.congress.gov\/bill\/116th-congress\/house-bill\/1668. Accessed: 2023."},{"key":"e_1_3_2_16_2","unstructured":"2020. Mapping Security & Privacy in the Internet of Things. https:\/\/iotsecuritymapping.uk\/. Accessed: 2022."},{"key":"e_1_3_2_17_2","unstructured":"2021. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-33218. Accessed: 2022."},{"key":"e_1_3_2_18_2","unstructured":"2021. https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-27943. Accessed: 2022."},{"key":"e_1_3_2_19_2","unstructured":"2021. HB 2307 Consumer Data Protection Act; establishes a framework for controlling and processing personal data. https:\/\/lis.virginia.gov\/cgi-bin\/legp604.exe?212+sum+HB2307 Accessed: 2023."},{"key":"e_1_3_2_20_2","unstructured":"2022. Cyber Resilience Act | Shaping Europe\u2019s digital future. https:\/\/digital-strategy.ec.europa.eu\/en\/library\/cyber-resilience-act Accessed: 2023."},{"key":"e_1_3_2_21_2","unstructured":"2022. Mirai Botnet DDos Attack: What is the Mirai Botnet? https:\/\/www.avast.com\/c-mirai#topic-4. Accessed: 2022."},{"key":"e_1_3_2_22_2","unstructured":"2023. OT cybersecurity solutions for power generation. https:\/\/www.ge.com\/gas-power\/products\/digital-and-controls\/cybersecurity. Accessed: 2023."},{"key":"e_1_3_2_23_2","unstructured":"2023. The UK Product Security and Telecommunications Infrastructure (Product Security) regime. https:\/\/www.gov.uk\/government\/publications\/the-uk-product-security-and-telecommunications-infrastructure-product-security-regime Accessed: 2023."},{"key":"e_1_3_2_24_2","unstructured":"2023. Virginia Consumer Data Protection Act of 2023. https:\/\/law.lis.virginia.gov\/vacode\/title59.1\/chapter53\/. Accessed: 2024."},{"key":"e_1_3_2_25_2","unstructured":"2024. 
https:\/\/github.com\/jessechen09\/fse2024-66-on-the-contents-and-utility-of-IoT-cybersecurity-guidelines"},{"key":"e_1_3_2_26_2","unstructured":"20XX author = Microsoft note = Accessed: 2022. Evaluating Your IoT Security."},{"key":"e_1_3_2_27_2","doi-asserted-by":"crossref","unstructured":"Hezam Akram Abdul-Ghani and Dimitri Konstantas. 2019. A Comprehensive Study of Security and Privacy Guidelines Threats and Countermeasures: An IoT Perspective. Journal of Sensor and Actuator Networks (2019).","DOI":"10.3390\/jsan8020022"},{"key":"e_1_3_2_28_2","doi-asserted-by":"crossref","unstructured":"Hezam Akram Abdulghani Niels Alexander Nijdam Anastasija Collen and Dimitri Konstantas. 2019. A Study on Security and Privacy Guidelines Countermeasures Threats: IoT Data at Rest Perspective. Symmetry (2019).","DOI":"10.3390\/sym11060774"},{"key":"e_1_3_2_29_2","doi-asserted-by":"crossref","unstructured":"Omar Alrawi et al. 2019. SoK: Security Evaluation of Home-Based IoT Deployments. In IEEE S&P. 1362\u20131380.","DOI":"10.1109\/SP.2019.00013"},{"key":"e_1_3_2_30_2","doi-asserted-by":"crossref","unstructured":"Dharun Anandayuvaraj and James C Davis. 2022. Reflecting on Recurring Failures in IoT Development. In International Conference on Automated Software Engineering (ASE).","DOI":"10.1145\/3551349.3559545"},{"key":"e_1_3_2_31_2","doi-asserted-by":"crossref","DOI":"10.1201\/9781003119784","volume-title":"Enterprise Digital Transformation: Technology, Tools, and Use Cases","author":"Augustine P.","year":"2022","unstructured":"P. Augustine, P. Raj, and S. Munirathinam. 2022. Enterprise Digital Transformation: Technology, Tools, and Use Cases. CRC Press."},{"key":"e_1_3_2_32_2","doi-asserted-by":"crossref","DOI":"10.1017\/CBO9780511617898","volume-title":"Mixed method data collection strategies","author":"Axinn William G","year":"2006","unstructured":"William G Axinn and Lisa D Pearce. 2006. Mixed method data collection strategies. 
Cambridge University Press."},{"key":"e_1_3_2_33_2","doi-asserted-by":"crossref","unstructured":"Zeineb Baba-Cheikh Ghizlane El-Boussaidi Julien Gascon-Samson Hafedh Mili and Yann-Ga\u00ebl Gu\u00e9h\u00e9neuc. 2020. A preliminary study of open-source IoT development frameworks. In IEEE\/ACM ICSE. 679\u2013686.","DOI":"10.1145\/3387940.3392198"},{"key":"e_1_3_2_34_2","doi-asserted-by":"crossref","unstructured":"Gina R Bai Brian Clee Nischal Shrestha Carl Chapman Cimone Wright and Kathryn T Stolee. 2019. Exploring tools and strategies used during regular expression composition tasks. In IEEE\/ACM ICPC\u201919. 197\u2013208.","DOI":"10.1109\/ICPC.2019.00039"},{"key":"e_1_3_2_35_2","doi-asserted-by":"crossref","unstructured":"David Barrera Christopher Bellman and Paul C van Oorschot. 2022. Security Best Practices: A Critical Analysis Using IoT as a Case Study. ACM Transactions on Privacy and Security (2022).","DOI":"10.1145\/3563392"},{"key":"e_1_3_2_36_2","doi-asserted-by":"crossref","unstructured":"Adam Beautement et al. 2008. The compliance budget: managing security behaviour in organisations. In ACM NSPW.","DOI":"10.1145\/1595676.1595684"},{"key":"e_1_3_2_37_2","doi-asserted-by":"crossref","unstructured":"Christopher Bellman and Paul C van Oorschot. 2023. Systematic analysis and comparison of security advice as datasets. Computers & Security (2023).","DOI":"10.1016\/j.cose.2022.102989"},{"key":"e_1_3_2_38_2","unstructured":"J Beyer S Jacob E Lii L Osburn S Pierson C Quirk D Su and C Tanaka. 2023. U.S. Federal and State Regulation of Internet of Things (IoT) Devices."},{"key":"e_1_3_2_39_2","doi-asserted-by":"crossref","unstructured":"Ivano Bongiovanni Karen Renaud Humphrey Brydon Renette Blignaut and Angelo Cavallo. 2022. A quantification mechanism for assessing adherence to information security governance guidelines. 
Info & Computer Security (2022).","DOI":"10.1108\/ICS-08-2021-0112"},{"key":"e_1_3_2_40_2","doi-asserted-by":"crossref","first-page":"277","DOI":"10.1109\/ICSM.2008.4658076","volume-title":"2008 IEEE International conference on software maintenance","author":"Boogerd Cathal","year":"2008","unstructured":"Cathal Boogerd and Leon Moonen. 2008. Assessing the value of coding standards: An empirical study. In 2008 IEEE International conference on software maintenance. IEEE, 277\u2013286."},{"key":"e_1_3_2_41_2","doi-asserted-by":"crossref","unstructured":"Brian Bourke. 2014. Positionality: Reflecting on the research process. The qualitative report 19 33 (2014) 1\u20139.","DOI":"10.46743\/2160-3715\/2014.1026"},{"key":"e_1_3_2_42_2","doi-asserted-by":"crossref","unstructured":"Glenn A Bowen. 2008. Naturalistic inquiry and the saturation concept: a research note. Qualitative research (2008).","DOI":"10.1177\/1468794107085301"},{"key":"e_1_3_2_43_2","unstructured":"Jasmine Bowers et al. 2017. Regulators mount up! analysis of privacy policies for mobile money services. In SOUPS."},{"key":"e_1_3_2_44_2","unstructured":"BullGuard. 20XX. Consumer Guide to the Internet of Things. Accessed: 2022."},{"key":"e_1_3_2_45_2","volume-title":"Constructing grounded theory","author":"Charmaz Kathy","year":"2014","unstructured":"Kathy Charmaz. 2014. Constructing grounded theory. Sage."},{"key":"e_1_3_2_46_2","doi-asserted-by":"crossref","unstructured":"Marta Chmiel Mateusz Korona Fryderyk Kozio\u0142 Krzysztof Szczypiorski and Mariusz Rawski. 2021. Discussion on IoT Security Recommendations against the State-of-the-Art Solutions. Electronics (2021).","DOI":"10.3390\/electronics10151814"},{"key":"e_1_3_2_47_2","unstructured":"Cloud Security Alliance. 2017. Observations and Recommendations on Connected Vehicle Security. Accessed: 2022."},{"key":"e_1_3_2_48_2","unstructured":"Cloud Security Alliance et al. 2016. Cyber Security Guidelines for Smart City Technology Adoption. 
Accessed: 2022."},{"issue":"6","key":"e_1_3_2_49_2","doi-asserted-by":"crossref","first-page":"865","DOI":"10.1007\/s002679900073","article-title":"Environmental reporting by the Fortune 50 firms.","volume":"21","author":"Davis-Walling Paige","year":"1997","unstructured":"Paige Davis-Walling and Stuart A Batterman. 1997. Environmental reporting by the Fortune 50 firms. Environmental Management 21, 6 (1997), 865.","journal-title":"Environmental Management"},{"key":"e_1_3_2_50_2","doi-asserted-by":"crossref","unstructured":"Andrea Di Sorbo et al. 2019. Exploiting natural language structures in software informal documentation. IEEE TSE (2019) 1587\u20131604.","DOI":"10.1109\/TSE.2019.2930519"},{"key":"e_1_3_2_51_2","doi-asserted-by":"crossref","unstructured":"Andrea Di Sorbo Harald C Gall et al. 2016. What would users change in my app? summarizing app reviews for recommending software changes. In ACM FSE. 499\u2013510.","DOI":"10.1145\/2950290.2950299"},{"key":"e_1_3_2_52_2","doi-asserted-by":"crossref","unstructured":"Steve Easterbrook Janice SingerMargaret-Anne Storey and Daniela Damian. 2008. Selecting empirical methods for software engineering research. Guide to advanced empirical software engineering (2008) 285\u2013311.","DOI":"10.1007\/978-1-84800-044-5_11"},{"key":"e_1_3_2_53_2","unstructured":"ENISA. 2017. Baseline Security Recommendations for IoT. Accessed: 2022."},{"key":"e_1_3_2_54_2","unstructured":"J\u00e9r\u00f4me Euzenat Pavel Shvaiko et al. 2007. Ontology matching. Vol. 18. Springer."},{"key":"e_1_3_2_55_2","doi-asserted-by":"crossref","unstructured":"Davide Falessi et al. 2018. Empirical software engineering experts on the use of students and professionals in experiments. Empirical Software Engineering 23 (2018) 452\u2013489.","DOI":"10.1007\/s10664-017-9523-3"},{"key":"e_1_3_2_56_2","doi-asserted-by":"crossref","unstructured":"Earlence Fernandes et al. 2016. Security Analysis of Emerging Smart Home Applications. In IEEE S&P. 
636\u2013654.","DOI":"10.1109\/SP.2016.44"},{"key":"e_1_3_2_57_2","doi-asserted-by":"crossref","unstructured":"Antonino Ferraiuolo Roya Behjati Tommaso Santoro and Ben Laurie. 2022. Policy transparency: Authorization logic meets general transparency to prove software supply chain integrity. In ACM SCORED\u201922. 3\u201313.","DOI":"10.1145\/3560835.3564549"},{"key":"e_1_3_2_58_2","doi-asserted-by":"crossref","unstructured":"Vasiliki Foufi et al. 2019. Mining of Textual Health Information from Reddit: Analysis of Chronic Diseases With Extracted Entities and Their Relations. Journal of Medical Internet Research (2019).","DOI":"10.2196\/preprints.12876"},{"key":"e_1_3_2_59_2","doi-asserted-by":"crossref","unstructured":"Jill J. Francis et al. 2010. What is an adequate sample size? Operationalising data saturation for theory-based interview studies. Psychology & Health 25 10 (2010) 1229\u20131245.","DOI":"10.1080\/08870440903194015"},{"key":"e_1_3_2_60_2","unstructured":"Isabel O Gallegos Ryan A Rossi Joe Barrow Md Mehrab Tanjim Sungchul Kim Franck Dernoncourt Tong Yu Ruiyi Zhang and Nesreen K Ahmed. 2023. Bias and fairness in large language models: A survey. arXiv preprint (2023)."},{"key":"e_1_3_2_61_2","doi-asserted-by":"crossref","unstructured":"Barney Glaser and Anselm Strauss. 2017. Discovery of grounded theory: Strategies for qualitative research.","DOI":"10.4324\/9780203793206"},{"key":"e_1_3_2_62_2","unstructured":"Global Forum on Cyber Expertise. 2019. Internet of Things Security GFCE Global Good Practices. Accessed: 2022."},{"key":"e_1_3_2_63_2","doi-asserted-by":"crossref","unstructured":"Nikhil Krishna Gopalakrishna et al. 2022. \u201cIf security is required\u201d: Engineering and Security Practices for Machine Learning-based IoT Devices. In IEEE\/ACM SERP4IoT@ICSE. 1\u20138.","DOI":"10.1145\/3528227.3528565"},{"key":"e_1_3_2_64_2","unstructured":"Hamza Harkous Kassem FawazR\u00e9mi Lebret Florian Schaub Kang G Shin and Karl Aberer. 2018. 
Polisis: Automated analysis and presentation of privacy policies using deep learning. In USENIX Security. 531\u2013548."},{"key":"e_1_3_2_65_2","unstructured":"Sk Adnan Hassan Zainab Aamir Dongyoon Lee James C Davis and Francisco Servant. 2022. Improving Developers\u2019 Understanding of Regex Denial of Service Tools through Anti-Patterns and Fix Strategies. In IEEE S&P\u201922. 1313\u20131330."},{"key":"e_1_3_2_66_2","doi-asserted-by":"crossref","unstructured":"Eugenio Herrera-Berg Tom\u00e1s Vergara Browne Pablo Le\u00f3n-Villagr\u00e1 Marc-Llu\u00eds Vives and Cristian Buc Calderon. 2023. Large Language Models are biased to overestimate profoundness. arXiv preprint (2023).","DOI":"10.18653\/v1\/2023.emnlp-main.599"},{"key":"e_1_3_2_67_2","doi-asserted-by":"crossref","unstructured":"Rashina Hoda et al. 2017. Becoming agile: a grounded theory of agile transitions in practice. In IEEE\/ACM ICSE.","DOI":"10.1109\/ICSE.2017.21"},{"key":"e_1_3_2_68_2","doi-asserted-by":"crossref","unstructured":"Alexander Homann Lisa Grabinger Florian Hauser and J\u00fcrgen Mottok. 2023. An Eye Tracking Study on MISRA C Coding Guidelines. In Proceedings of the 5th European Conference on Software Engineering Education. 130\u2013137.","DOI":"10.1145\/3593663.3593671"},{"key":"e_1_3_2_69_2","unstructured":"IEEE. 2017. Internet of Things (IoT) Security Best Practices. Accessed: 2022."},{"key":"e_1_3_2_70_2","unstructured":"Industry IoT Consortium. 2019. IoT SMM Practitioner\u2019s Guide. Accessed: 2022."},{"key":"e_1_3_2_71_2","unstructured":"International Standards Organization (ISO). 2023. Standards. https:\/\/www.iso.org\/standards.html"},{"key":"e_1_3_2_72_2","unstructured":"IoT Alliance Australia. 2016. Internet of Things Security Guideline. Accessed: 2022."},{"key":"e_1_3_2_73_2","unstructured":"IoT Security Foundation. 2021. IoT Security Assurance Framework. 
Accessed: 2022."},{"key":"e_1_3_2_74_2","doi-asserted-by":"crossref","unstructured":"Nili Itzik Iris Reinhartz-Berger and Yair Wand. 2015. Variability analysis of requirements: Considering behavioral differences and reflecting stakeholders\u2019 perspectives. IEEE TSE (2015) 687\u2013706.","DOI":"10.1109\/TSE.2015.2512599"},{"key":"e_1_3_2_75_2","unstructured":"Japan Information-technology Promotion Agency. 2017. Guidance for Practice Regarding \u201cIoT Safety\/Security Development Guidelines\u201d. Accessed: 2022."},{"key":"e_1_3_2_76_2","doi-asserted-by":"crossref","unstructured":"\u00d6mer Kafali James Jones Michael Petruso Laurie Williams and Munindar P. Singh. 2017. How Good Is a Security Policy against Real Breaches? A HIPAA Case Study. In IEEE\/ACM ICSE. 530\u2013540.","DOI":"10.1109\/ICSE.2017.55"},{"key":"e_1_3_2_77_2","doi-asserted-by":"crossref","unstructured":"In Lee and Kyoochun Lee. 2015. The Internet of Things (IoT): Applications Investments and Challenges for Enterprises. Business Horizons (2015).","DOI":"10.1016\/j.bushor.2015.03.008"},{"key":"e_1_3_2_78_2","unstructured":"Qian Li et al. 2022. A Survey on Deep Learning Event Extraction: Approaches and Applications. IEEE TNNLS (2022)."},{"key":"e_1_3_2_79_2","unstructured":"Sam Lucero et al. 2016. IoT platforms: enabling the Internet of Things. White paper (2016)."},{"key":"e_1_3_2_80_2","first-page":"460","volume-title":"IEEE\/ACM ICSE","author":"Makhshari Amir","year":"2021","unstructured":"Amir Makhshari and Ali Mesbah. 2021. IoT Bugs and Development Challenges. In IEEE\/ACM ICSE. IEEE, 460\u2013472."},{"key":"e_1_3_2_81_2","unstructured":"Sunil Manandhar Kaushal Kafle Benjamin Andow Kapil Singh and Adwait Nadkarni. 2022. Smart Home Privacy Policies Demystified: A Study of Availability Content and Coverage. In USENIX Security. 3521\u20133538."},{"key":"e_1_3_2_82_2","doi-asserted-by":"crossref","unstructured":"CJ Mann. 2003. Observational research methods. 
Research design II: cohort cross sectional and case-control studies. Emergency medicine journal 20 1 (2003) 54\u201360.","DOI":"10.1136\/emj.20.1.54"},{"key":"e_1_3_2_83_2","doi-asserted-by":"crossref","unstructured":"Zainab Masood Rashina Hoda and Kelly Blincoe. 2020. Real world scrum a grounded theory of variations in practice. IEEE TSE (2020) 1579\u20131591.","DOI":"10.1109\/TSE.2020.3025317"},{"key":"e_1_3_2_84_2","doi-asserted-by":"crossref","unstructured":"Mary L McHugh. 2012. Interrater reliability: the kappa statistic. Biochemia medica 22 3 (2012) 276\u2013282.","DOI":"10.11613\/BM.2012.031"},{"key":"e_1_3_2_85_2","doi-asserted-by":"crossref","unstructured":"Andr\u00e9 N Meyer et al. 2019. Today was a good day: The daily life of software developers. IEEE TSE (2019) 863\u2013880.","DOI":"10.1109\/TSE.2019.2904957"},{"key":"e_1_3_2_86_2","unstructured":"Alireza Moghaddam. 2006. Coding issues in grounded theory. Issues in educational research 16 1 (2006) 52\u201366."},{"key":"e_1_3_2_87_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2020.2987780"},{"issue":"4","key":"e_1_3_2_88_2","doi-asserted-by":"crossref","first-page":"215","DOI":"10.1002\/csr.26","article-title":"Scoring corporate environmental and sustainability reports using GRI 2000, ISO 14031 and other criteria.","volume":"9","author":"Morhardt J Emil","year":"2002","unstructured":"J Emil Morhardt et al. 2002. Scoring corporate environmental and sustainability reports using GRI 2000, ISO 14031 and other criteria. Corporate social responsibility and environmental management 9, 4 (2002), 215\u2013233.","journal-title":"Corporate social responsibility and environmental management"},{"key":"e_1_3_2_89_2","doi-asserted-by":"crossref","unstructured":"Sendhil Mullainathan and Andrei Shleifer. 2002. Media Bias. (2002).","DOI":"10.3386\/w9295"},{"key":"e_1_3_2_90_2","unstructured":"National Institute of Standards and Technology. 2021. 
IoT Device Cybersecurity Guidance for the Federal Government: Establishing IoT Device Cybersecurity Requirements. Accessed: 2022."},{"key":"e_1_3_2_91_2","unstructured":"National Institute of Standards and Technology (NIST). 2020. Foundational cybersecurity activities for IoT device manufacturers. Technical Report."},{"key":"e_1_3_2_92_2","unstructured":"National Institute of Standards and Technology (NIST). 2020. IoT device cybersecurity capability core baseline. Technical Report."},{"key":"e_1_3_2_93_2","unstructured":"Lorenzo Neil Harshini Sri Ramulu Yasemin Acar and Bradley Reaves. 2023. Who comes up with this stuff? interviewing authors to understand how they produce security advice. In Nineteenth Symposium on Usable Privacy and Security (SOUPS 2023). 283\u2013299."},{"key":"e_1_3_2_94_2","doi-asserted-by":"publisher","DOI":"10.1145\/2163.358092"},{"issue":"1","key":"e_1_3_2_95_2","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1007\/s11219-012-9190-y","article-title":"Critical success factors taxonomy for software process deployment.","volume":"22","author":"Or\u00e9 Sussy Bayona","year":"2014","unstructured":"Sussy Bayona Or\u00e9, Jos\u00e9 A. Calvo-Manzano, Gonzalo Cuevas Agust\u00edn, and Tom\u00e1s San Feliu Gilabert. 2014. Critical success factors taxonomy for software process deployment. Softw. Qual. J. 22, 1 (2014), 21\u201348.","journal-title":"Softw. Qual. J."},{"key":"e_1_3_2_96_2","doi-asserted-by":"crossref","first-page":"949","DOI":"10.1007\/s00267-008-9269-1","article-title":"Assessing the evolution of sustainability reporting in the mining sector.","volume":"43","author":"Perez Fabiana","year":"2009","unstructured":"Fabiana Perez and Luis E Sanchez. 2009. Assessing the evolution of sustainability reporting in the mining sector. 
Environmental management 43 (2009), 949\u2013961.","journal-title":"Environmental management"},{"key":"e_1_3_2_97_2","doi-asserted-by":"crossref","unstructured":"Sazzadur Rahaman Gang Wang and Danfeng Daphne Yao. 2019. Security Certification in Payment Card Industry: Testbeds Measurements and Recommendations. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security CCS 2019 London UK November 11-15 2019 Lorenzo Cavallaro Johannes Kinder XiaoFeng Wang and Jonathan Katz (Eds.). ACM 481\u2013498.","DOI":"10.1145\/3319535.3363195"},{"key":"e_1_3_2_98_2","unstructured":"Marija Rakic-Skokovic. 2017. Guidelines for Overcoming some IoT Security Issues. In IS. 4\u20136."},{"key":"e_1_3_2_99_2","unstructured":"Elissa M Redmiles et al. 2020. A comprehensive quality evaluation of security and privacy advice on the web. In USENIX Security. 89\u2013108."},{"key":"e_1_3_2_100_2","doi-asserted-by":"crossref","unstructured":"Irwin Reyes et al. 2018. \u201cWon\u2019t somebody think of the children?\u201d examining COPPA compliance at scale. In PETS.","DOI":"10.1515\/popets-2018-0021"},{"issue":"2","key":"e_1_3_2_101_2","doi-asserted-by":"crossref","first-page":"225","DOI":"10.1123\/jtpe.2017-0084","article-title":"A practical guide to collaborative qualitative data analysis.","volume":"37","author":"Richards K Andrew R","year":"2018","unstructured":"K Andrew R Richards and Michael A Hemphill. 2018. A practical guide to collaborative qualitative data analysis. Journal of Teaching in Physical education 37, 2 (2018), 225\u2013231.","journal-title":"Journal of Teaching in Physical education"},{"key":"e_1_3_2_102_2","doi-asserted-by":"crossref","first-page":"1893","DOI":"10.1007\/s11135-017-0574-8","article-title":"Saturation in qualitative research: exploring its conceptualization and operationalization.","volume":"52","author":"Saunders Benjamin","year":"2018","unstructured":"Benjamin Saunders et al. 2018. 
Saturation in qualitative research: exploring its conceptualization and operationalization. Quality & quantity 52 (2018), 1893\u20131907.","journal-title":"Quality & quantity"},{"key":"e_1_3_2_103_2","doi-asserted-by":"crossref","unstructured":"Todd Sedano Paul Ralph and C\u00e9cile P\u00e9raire. 2017. Software development waste. In 2017 IEEE\/ACM 39th International Conference on Software Engineering (ICSE). IEEE 130\u2013140.","DOI":"10.1109\/ICSE.2017.20"},{"key":"e_1_3_2_104_2","doi-asserted-by":"crossref","unstructured":"Junwoo Seo Kyoungmin Kim Mookyu Park Moosung Park and Kyungho Lee. 2018. An Analysis of Economic Impact on IoT Industry under GDPR. Mob. Inf. Syst. 2018 (2018) 1\u20136.","DOI":"10.1155\/2018\/6792028"},{"issue":"7","key":"e_1_3_2_105_2","first-page":"749","article-title":"Pros and cons of different sampling techniques.","volume":"3","author":"Sharma Gaganpreet","year":"2017","unstructured":"Gaganpreet Sharma. 2017. Pros and cons of different sampling techniques. International journal of applied research 3, 7 (2017), 749\u2013752.","journal-title":"International journal of applied research"},{"key":"e_1_3_2_106_2","unstructured":"Supreeth Shastri Vinay Banakar Melissa Wasserman Arun Kumar and Vijay Chidambaram. 2019. Understanding and benchmarking the impact of GDPR on database systems. arXiv preprint (2019)."},{"key":"e_1_3_2_107_2","doi-asserted-by":"crossref","unstructured":"Amit Kumar Sikder Giuseppe Petracca Hidayet Aksu Trent Jaeger and A Selcuk Uluagac. 2021. A survey on sensor-based threats and attacks to smart devices and applications. IEEE COMST (2021) 1125\u20131159.","DOI":"10.1109\/COMST.2021.3064507"},{"key":"e_1_3_2_108_2","unstructured":"Singapore Infocomm Media Development Authority. 2020. Internet of Things (IoT) Cyber Security Guide. 
Accessed: 2022."},{"issue":"2","key":"e_1_3_2_109_2","doi-asserted-by":"crossref","first-page":"64","DOI":"10.1109\/MC.2010.35","article-title":"Compliance with information security policies: An empirical investigation.","volume":"43","author":"Siponen Mikko","year":"2010","unstructured":"Mikko Siponen Seppo Pahnila and M Adam Mahmood. 2010. Compliance with information security policies: An empirical investigation. Computer 43, 2 (2010), 64\u201371.","journal-title":"Computer"},{"key":"e_1_3_2_110_2","doi-asserted-by":"crossref","unstructured":"Dag IK Sjoberg et al. 2002. Conducting realistic experiments in software engineering. In ACM ESEM. 17\u201326.","DOI":"10.1109\/ISESE.2002.1166921"},{"key":"e_1_3_2_111_2","doi-asserted-by":"crossref","unstructured":"Antonis Skouloudis Konstantinos Evangelinos and Fotis Kourmousis. 2009. Development of an evaluation methodology for triple bottom line reports using international standards on reporting. Environmental Management (2009).","DOI":"10.1007\/s00267-009-9305-9"},{"key":"e_1_3_2_112_2","doi-asserted-by":"crossref","unstructured":"Rock Stevens et al. 2020. Compliance Cautions: Investigating Security Issues Associated with US Digital-Security Standards. In NDSS.","DOI":"10.14722\/ndss.2020.24003"},{"key":"e_1_3_2_113_2","doi-asserted-by":"crossref","unstructured":"Klaas-Jan Stol Paul Ralph and Brian Fitzgerald. 2016. Grounded theory in software engineering research: a critical review and guidelines. (2016) 120\u2013131.","DOI":"10.1145\/2884781.2884833"},{"key":"e_1_3_2_114_2","unstructured":"Anselm Strauss and Juliet Corbin. 1998. Basics of qualitative research techniques. (1998)."},{"key":"e_1_3_2_115_2","article-title":"Projecting the growth and economic impact of the internet of things.","volume":"15","author":"Thierer Adam","year":"2015","unstructured":"Adam Thierer and Andrea Castillo. 2015. Projecting the growth and economic impact of the internet of things. 
George Mason University, Mercatus Center, June 15 (2015).","journal-title":"George Mason University, Mercatus Center, June"},{"key":"e_1_3_2_116_2","unstructured":"Trusted Computing Group. 2015. Guidance for Securing IoT Using TCG Technology. Accessed: 2022."},{"key":"e_1_3_2_117_2","unstructured":"UK Department of Digital Culture Media & Sport. 2018. Code of Practice for Consumer IoT Security. Accessed: 2022."},{"key":"e_1_3_2_118_2","unstructured":"US Chamber of Commerce. 2017. The IoT Revolution and Our Digital Security: Principles for IoT Security. Accessed: 2022."},{"key":"e_1_3_2_119_2","unstructured":"US Department of Homeland Security. 2016.Strategic Principles for Security the Internet of Things (IoT). Technical Report."},{"key":"e_1_3_2_120_2","doi-asserted-by":"crossref","unstructured":"Muhammad Usman et al. 2017. Taxonomies in software engineering: A Systematic mapping study and a revised taxonomy development method. Information and Software Technology (2017) 43\u201359.","DOI":"10.1016\/j.infsof.2017.01.006"},{"issue":"3","key":"e_1_3_2_121_2","doi-asserted-by":"crossref","first-page":"197","DOI":"10.1016\/j.bar.2007.05.004","article-title":"A comprehensive comparison of corporate environmental reporting and responsiveness.","volume":"39","author":"Staden Chris J van","year":"2007","unstructured":"Chris J van Staden and Jill Hooks. 2007. A comprehensive comparison of corporate environmental reporting and responsiveness. The British accounting review 39, 3 (2007), 197\u2013210.","journal-title":"The British accounting review"},{"key":"e_1_3_2_122_2","unstructured":"Swaathi Vetrivel et al. 2023. Examining Consumer Reviews to Understand Security and Privacy Issues in the Market of Smart Home Devices. In USENIX Security. 1523\u20131540."},{"key":"e_1_3_2_123_2","doi-asserted-by":"crossref","unstructured":"Roland Wies. 1995. Using a Classification of Management Policies for Policy Specification and Policy Transformation. In Integrated Network Management IV. 
Springer US 44\u201356.","DOI":"10.1007\/978-0-387-34890-2_4"},{"key":"e_1_3_2_124_2","unstructured":"Wind River Systems. 2016. Internet of Things Security Is More Challenging Than Cybersecurity. Accessed: 2022."},{"key":"e_1_3_2_125_2","unstructured":"Zhibiao Wu and Martha Palmer. 1994. Verb semantics and lexical selection. arXiv preprint cmp-lg\/9406033 (1994)."},{"key":"e_1_3_2_126_2","doi-asserted-by":"crossref","unstructured":"Xusheng Xiao Amit M. Paradkar Suresh Thummalapenta and Tao Xie. 2012. Automated extraction of security policies from natural-language software documents. In ACM FSE.","DOI":"10.1145\/2393596.2393608"},{"key":"e_1_3_2_127_2","doi-asserted-by":"crossref","unstructured":"Koen Yskout Riccardo Scandariato and Wouter Joosen. 2015. Do security patterns really help designers?. In IEEE\/ACM ICSE. 292\u2013302.","DOI":"10.1109\/ICSE.2015.49"},{"issue":"1","key":"e_1_3_2_128_2","doi-asserted-by":"crossref","first-page":"10","DOI":"10.1007\/s10515-021-00312-y","article-title":"RCM-extractor: an automated NLP-based approach for extracting a semi formal representation model from natural language requirements.","volume":"29","author":"Zaki-Ismail Aya","year":"2022","unstructured":"Aya Zaki-Ismail et al. 2022. RCM-extractor: an automated NLP-based approach for extracting a semi formal representation model from natural language requirements. Autom. Softw. Eng. 29, 1 (2022), 10.","journal-title":"Autom. Softw. Eng."},{"key":"e_1_3_2_129_2","doi-asserted-by":"crossref","unstructured":"Shenghua Zhou et al. 2020. Delineating Infrastructure Failure Interdependencies and Associated Stakeholders through News Mining: The Case of Hong Kong\u2019s Water Pipe Bursts. 
Journal of Management in Engineering (2020).","DOI":"10.1061\/(ASCE)ME.1943-5479.0000821"}],"container-title":["Proceedings of the ACM on Software Engineering"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3660770","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3660770","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,2,4]],"date-time":"2026-02-04T08:01:37Z","timestamp":1770192097000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3660770"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,12]]},"references-count":128,"journal-issue":{"issue":"FSE","published-print":{"date-parts":[[2024,7,12]]}},"alternative-id":["10.1145\/3660770"],"URL":"https:\/\/doi.org\/10.1145\/3660770","relation":{},"ISSN":["2994-970X"],"issn-type":[{"value":"2994-970X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,12]]}}}