Recommendations for improvements to Saeed’s thesis

Research Questions

- Research question 1: I would suggest to make this more focused. You should find one
domain, e.g. construction companies with specific IoT type of devices/applications and for
that domain find specific vulnerabilities and suggest specific characteristics/configuration of
a gateway to mitigate these threats. You should not simply repeat what you will find in the
literature, the gateway configuration/design should be your own work, based on the specific
setup of the domain you will select. Certainly you will rely on past knowledge, but you need
to be more specific on the mitigation measures, citing existing knowledge where
appropriate. That is why you need to first figure out the most important threats of the
specific domain so that you can tailor make your gateway for that scenario.

- Research question 2: Again here, you should take the specific domain that you have
selected and analyse the barriers of adoption of a security culture in IoT projects for that
specific domain.

One idea how to organise your work to make it more focused and to include the element of
originality/own contribution is to formulate a framework. This framework could, for
example, provide guidelines to someone to perform the risk assessment and requirements
analysis in a certain setup, choose solutions based on the analysis, etc. The framework
would be something that will have a process / life cycle so that users can apply it.

Questionnaire

It is not clear what the objective of this questionnaire is, whereas some questions are too
vague or general. I would suggest to redo the questionnaire with the following suggested
things to consider:

+ I suggest that the questionnaire should be target at IT proffessionals involved in

the specific IoT domain you have selected for your 2 research questions. Given the specific
domain, try to derive the following information from them: a) what vulnerabilities/threats
they foresee for their setup, b) what security measures they have taken to deal with those
vulnerabilities/threats, c) what problems did they have in setting up their IoT projects, d)
what barriers did they face, e) how they overcame those barriers

+ There should be more critical discussion on the results of the questionnaire

+ You should provide information like the characteristics of the participants, what is
their relationship with IoT (not only duration but are they personal end users (e.g. they own
a wearable) or they have implemented corporate projects, or are they providers of IoT
solutions?), how the survey was conducted (online survey, over the phone, interviews, focus
groups), who conducted the survey, was additional information (explanations) provided to
the responders, etc.
- A proof reading of the report needs to be done before submission, as there are several
spelling, grammar mistakes.

A few Additional Minor Issues

- Acronyms need to be either included in a separate section all together or explained in the
text

+ Page 26 PAN

+ Page 27 CoAP, MQTT, XMPP

- Referencing

+ Page 20: "According to an article of IETF journal..." You need to reference that
journal, not the paper that references that journal.

+ Page 22: "An article in IETF journal..." You need to reference that journal, not the
paper that references that journal.

+ Should include references for Bluetooth, Zigbee, Z-Wave, 6LoWPAN

+ Page 27 should include references for CoAP, MQTT, XMPP

+ Pages 57-58 should include references for IEEE 802.15.4