Cybersecurity concerns about Internet of Things (IoT) devices and infrastructure are growing each year. In response, organizations worldwide have published IoT security guidelines to protect their citizens and customers by recommending how IoT systems should be developed and operated. While these guidelines are being adopted, e.g. by US federal contractors, their content and merits have not been critically examined. Specifically, we do not know what topics and recommendations they cover, nor how effective they are at preventing real-world IoT failures. In this paper, we address these gaps through a qualitative study of the guidelines. We collect 142 IoT cybersecurity guidelines and sample them for recommendations until reaching saturation at 25 guidelines. From the resulting 958 unique recommendations, we iteratively develop a hierarchical taxonomy following grounded theory coding principles and study the guidelines' comprehensiveness. In addition, we evaluate the actionability and specificity of each recommendation and match recommendations to the CVEs and the security failures reported in the news that they can prevent. We report that: (1) each guideline has gaps in its topic coverage and comprehensiveness; (2) 87.2% of recommendations are actionable and 38.7% of recommendations can prevent specific threats; and (3) although the union of the guidelines mitigates all 17 of the failures in our corpus of news stories, 21% of the CVEs evade the guidelines. In summary, we report shortcomings in each guideline's depth and breadth, but as a whole they address major security issues.