Cybersecurity concerns about Internet of Things (IoT) devices and infrastructure are growing each year. In response, organizations worldwide have published IoT cybersecurity guidelines to protect their citizens and customers. These guidelines constrain the development of IoT systems, which include substantial software components both on-device and in the Cloud. While these guidelines are being widely adopted, e.g. by US federal contractors, their content and merits have not been critically examined. Two notable gaps are: (1) We do not know how these guidelines differ by the topics and details of their recommendations; and (2) We do not know how effective they are at mitigating real-world IoT failures. In this paper, we address these questions through an exploratory sequential mixed-method study of IoT cybersecurity guidelines. We collected a corpus of 142 general IoT cybersecurity guidelines, sampling them for recommendations until saturation was reached. From the resulting 958 unique recommendations, we iteratively developed a hierarchical taxonomy following grounded theory coding principles. We measured the guidelines' usefulness by asking novice engineers about the actionability of each recommendation, and by matching cybersecurity recommendations to the root causes of failures (CVEs and news stories). We report that: (1) Comparing guidelines to one another, each guideline has gaps in its topic coverage and comprehensiveness; and (2) Although 87.2% recommendations are actionable and the union of the guidelines mitigates all 17 of the failures from news stories, 21% of the CVEs apparently evade the guidelines. In summary, we report shortcomings in every guideline's depth and breadth, but as a whole they are capable of preventing security issues. Our results will help software engineers determine which and how many guidelines to study as they implement IoT systems.

翻译：针对物联网设备及基础设施的网络安全担忧每年都在加剧。为此，全球相关机构纷纷发布物联网网络安全指南，以保护民众与客户。这些指南约束了物联网系统的开发流程，此类系统包含设备端和云端的大量软件组件。尽管这些指南已被广泛采用（例如美国联邦承包商），但其内容与价值尚未得到严格审视。两大显著空白在于：（1）我们不清楚各指南在主题范围与建议细节上存在何种差异；（2）我们不了解它们在缓解真实物联网故障方面成效几何。本文通过探索性序贯混合方法研究物联网网络安全指南，试图回答上述问题。我们收集了142份通用物联网网络安全指南语料库，对建议内容持续采样直至理论饱和。基于此得到的958条独立建议，我们依据扎根理论编码原则迭代开发了层级分类体系。通过评估新手工程师对每条建议的可操作性认知，并将网络安全建议与故障根因（CVE漏洞与新闻报道）进行匹配，我们测算了指南的有效性。研究结果表明：（1）横向对比各指南，其在主题覆盖度与全面性上均存在缺失；（2）尽管87.2%的建议具备可操作性，且所有指南的并集可防范全部17个新闻报道中的故障案例，但仍有21%的CVE漏洞明显规避了现有指南。总结而言，我们发现每份指南在深度与广度上均有缺陷，但整体而言它们仍具备预防安全问题的能力。我们的研究成果将帮助软件工程师在实现物联网系统时确定需研读的指南种类与数量。