| Study | Approach | Coverage | Limitations |
|---|---|---|---|
| [S1] Sepczuk and Kotulski [22] | Risk assessment as a service for IdM authentication; applies ISO/IEC 27005. | Covers the authentication process in IdM systems. | Does not follow risk management standards. |
| [S2] Wang et al. [31] | Risk assessment for BC applications within China; follows the Chinese Classified Protection of Cybersecurity (CPC) law. | Based on national standards. Covers Bitcoin, Ethereum, and Hyperledger Fabric BCs and gives evaluation metrics and controls for the P2P network, consensus, distributed ledger, and contract layers. | Lacks the main components of risk management. |
| [S3] Kim et al. [32] | Risk analysis for DID documents in the W3C DID technical standards. | Scenario-based risk analysis for DID authentication as used in Self-Sovereign Identity technologies. | Does not follow risk management standards. |
| [S4] Vakhter et al. [45] | Threat modelling and risk analysis for (miniaturized) HIoT; applies NIST SP 800-30. | Covers HIoT assets with a focus on miniaturized HIoT, and gives a risk analysis. | Does not cover BC and IdM assets. |
| [S5] Schlatt et al. [74] | Cybersecurity framework for BC. | Covers the relations between stakeholders (users, developers, attackers) in BC applications and the BC infrastructure. | Lacks the main components of risk management. |
| [S6] Alzahrani et al. [81] | Assessment model for BC-based electronic health records. | Covers BC-based electronic health records and their security and privacy risks. | General assessment; does not follow risk management standards. |
| [S7] Psychoula et al. [90] | Privacy risk assessment for HIoT (wearable). | Covers the privacy aspect with a focus on Privacy by Design. | Does not follow risk management standards and does not cover BC and IdM assets. |
| [S8] Tseng et al. [91] | Risk assessment for HIoT (wearable) using the STRIDE and DREAD approaches. | Covers HIoT assets. | Does not follow risk management standards and does not cover BC and IdM assets. |
| [S9] Cagnazzo et al. [92] | Threat modelling for HIoT (mHealth) using the STRIDE and DREAD approaches. | Covers HIoT assets. | Does not follow risk management standards and does not cover BC and IdM assets. |
| [S10] Paul et al. [93] | Risk management for HIoT applying ISO/IEC 80001 and AAMI TIR57. | Proposes security risk management for HIoT (WBAN) and reviews regulations/standards and security and privacy controls. | Does not cover IdM and BC assets. |
| [S11] Sheik et al. [94] | Threat modelling for BC-IdM using the STRIDE approach. | Covers BC-IdM. | Does not follow risk management standards and does not cover HIoT assets or emerging BC-IdM standards, such as DID. |
| [S12] A. Shostack [100] | General threat modelling methodology. | Covers security and privacy. | It is general and does not support short-term repetition processes. |
| [S13] Bhardwaj et al. [107] | Dynamic penetration testing for SC-based applications; applies the OWASP Top 10 vulnerabilities. | Covers BC SCs. | Does not follow risk management standards and only focuses on SC assets. |
| [S14] Lv et al. [111] | Static risk analysis for SCs in Hyperledger Fabric. | Covers SC assets in Hyperledger Fabric. | Does not follow risk management standards and only focuses on SC assets. |
| [S15] Wen et al. [115] | BC cybersecurity framework. | Covers attacks and countermeasures in a BC-layered framework. | Lacks the main components of risk management. |
| [S16] Naik et al. [116] | Tree-based risk analysis for BC-IdM (SSI). | Covers BC-IdM components, such as DID, and shows attack vectors. | Does not follow general risk management standards and does not cover HIoT assets. |
| [S17] Konig et al. [117] | Risk analysis for BC. | Presents a BC-layered framework and shows the prerequisites for attacks. | Does not follow risk management standards. |
| [S18] Alsubaei et al. [118] | Security risk assessment for HIoT (risk assessment as a service (tool) testing 260 attributes); considers standards such as the HITECH Act, HIPAA, GDPR, PCEHR Act, ISO/IEC 27018, ISO/IEC 27034, AICPA, FIPS, GSMA, MDD39/42/EEC, MDR2017/745, ISO/IEC 80001, ISO 14971, ISO 13485, ISO/IEC 22301, and ISO/IEC 27001. | Covers HIoT. | Does not follow risk management standards and does not cover IdM and BC aspects. |
| [S19] Wang et al. [124] | Uses the Identified Security Attributes (ISA) framework for HIoT. | Covers HIoT assets and gives a systematic approach to evaluating security solutions and decision making. | Does not follow risk management standards and does not cover BC and IdM assets. |
| [S20] Lopatina et al. [137] | Risk assessment for HIoT. | Covers HIoT assets. | Does not follow risk management standards and does not cover BC and IdM assets. |
| [S21] Mallah et al. [138] | Security risk assessment for BC-based transportation applications; uses ISO 31000 and ISO 27005. | Covers BC assets. | Does not cover HIoT and IdM assets. |
| [S22] Ruf et al. [139] | Threat modelling for BC-based industrial IoT applications. | Covers BC assets and presents a case study. | Only on-premise threat analysis; does not give details about threat modelling methods, and does not cover HIoT and IdM assets. |
| [S23] Cha et al. [140] | Security control framework for permissioned BC applications; uses PCI-DSS, CIS Controls, and the ISO/IEC 27001 and ISO/IEC 27002 standards. | Covers controls in different layers. | Does not cover the main security risk management phases. |
| [S24] Morganti et al. [141] | Risk assessment for BC technology; follows NIST SP 800-30. | Covers BC assets. | Covers BC in general but does not cover HIoT and IdM assets. |
| [S25] Homoliak et al. [142] | Security reference architecture (SRA)-based risk assessment for BC technology; uses the ISO/IEC 15408 standards. | Covers BC nodes (consensus, validating, lightweight), and gives a detailed analysis of threats, vulnerabilities, and defences. | Covers BC applications in general. |
| [S26] Putz and Pernul [143] | Threat modelling for the Hyperledger Fabric BC. | Covers BC assets and threat indicators in the Hyperledger Fabric BC. | Lacks the main components of security risk management. |
| [S27] Zhao et al. [144] | Risk analysis for BC technology communications. | Presents a BC-layered framework. | Does not follow risk management standards. |
| [S28] Wilson et al. [145] | Digital identity security framework for IdM in IoT systems. | A stack model that covers privacy in IdM. | Does not follow risk management standards and does not cover HIoT and BC assets. |
| [S29] Arias-Cabarcos et al. [146] | Risk assessment for IdM; uses multi-attribute utility theory (MAUT). | Covers IdM physical and digital authentication aspects and gives a quantitative evaluation for security and privacy. | Does not follow risk management standards. |
| [S30] Attaallah et al. [147] | Risk assessment for HIoT. | Covers the security requirements of HIoT. | Does not follow risk management standards, does not cover IdM and BC assets, and lacks details. |
| [S31] Yin et al. [148] | Security risk management for HIoT; applies the ISO/IEC 27005 standards. | Presents a case study in a hospital. | Lacks details and does not cover BC and IdM assets. |