Despite increasing uptake, there are still many concerns about the security of virtual assistant hubs (such as Google Nest and Amazon Alexa) in the home. Consumer fears have been exacerbated by widely publicised privacy breaches and the continued prevalence of high-profile attacks targeting IoT networks. The literature suggests a considerable gap between consumer understanding and the actual threat environment; furthermore, little work has been done to compare which threat modelling approach(es) would be most appropriate for these devices in order to elucidate the threats that can then be communicated to consumers. There is therefore an opportunity to explore different threat modelling methodologies as applied to this context, and then to use the findings to prototype software aimed at educating consumers in an accessible manner. Five approaches (STRIDE, CVSS, Attack Trees (a.k.a. Threat Trees), LINDUNN GO, and Quantitative TMM) were compared, as these were determined to be either the most prominent or the most potentially applicable to an IoT context. The key findings suggest that a combination of STRIDE and LINDUNN GO is optimal for elucidating threats under the pressures of a tight industry deadline cycle (with potential for elements of CVSS depending on time constraints), and that the trialled software prototype was effective at engaging consumers and educating them about device security. Such findings are useful for IoT device manufacturers seeking to model threats optimally, and for other stakeholders seeking ways to increase information security knowledge among consumers.