IEEE Technology and Society Magazine - Winter 2014 - 77

individually controlled and tailored
options, namely personal deliberate choices in design, can represent
a step forward in achieving a higher
level of trust. The presentation of a
potential framework to achieve this
goal is the focus of the next section
of this paper.

A Model-Based Framework
to Build Trust in IoT
Our proposal to enable trustworthy
deployment, adoption, and acceptance of IoT systems by citizens is to
use a framework called SecKit, which
is Model-based Security Toolkit to
address security aspects of distributed
systems [16]. With the support of
SecKit, citizens can adopt a collaborative approach to address issues such
as privacy, agency and data protection, where each one is able to manage security relevant aspects. This
scenario is depicted in Fig. 1.
Citizens are able to specify trust
relations with a set of known identities, analyze their risks, and adopt
enforceable context-based policy
rules. From a citizen's perspective,
rules derived from policies can act
as automated reasons of trust levels
to combine or assess trust in specific
situations or as direct enforceable
self-protection countermeasures to
address risky situations. All these
issues enable building of general trust
and confidence on the safe use of the
IoT systems. In our approach, citizens/users share not only recommendations of trust relationships, but also
templates for policy rules and risk
models for common threat scenarios.
SecKit supports integrated
modeling of the IoT system design
and runtime viewpoints in order
to specify security aspects including risks and requirements, trust
issues, and enforceable security
policy rules with complex conditions. Using SecKit trust relationships can be specified, managed,
and exchanged between citizens
using a flexible aspect-based trust
model. The final goal is to build
citizens confidence with respect to
the protection of their data, safety

and above all their autonomy and
agency with respect to any types
of operations performed by the
devices or any other objects with
which they interact in the IoT.
Trust is specified in SecKit considering measurable direct and indirect trust relations from a trustor
perspective with respect to a trustee
scope [4]. Direct trust relations may
be simply arbitrary or based on
previous experiences or evidence,
which can be calculated using a
formally defined logic or algorithm
encoded in a policy. Indirect trust
relations may be based on recommendations from one entity, or on
the reputation considering recommendations from a pre-defined number of other entities using a specific
combination strategy (e.g. weighted
consensus). Trust relations can also
be specified considering a particular trustee scope and trust aspect.
A trustee scope can be an intrinsic
dispositional belief without considering a particular entity or context,
system trust on a set of other entities
that represent a particular system
(i.e. a composite entity), or situational trust focusing on a particular
identifiable entity taking into consideration all context situations or
only a specific situation.
Assessing these different types
of trust relationships helps with
the decision process and on the
consideration of different intrinsic
human behaviors. For example,

IEEE TECHNOLOGY AND SOCIETY MAGAZINE

Known
Identities

citizens with an optimistic dispositional trust belief may choose to
adopt a more risky behavior in the
absence of any evidence. However,
it is important to provide adequate
guidance and to make sure the
risks are understood.
Trust aspects represent the specific behavior or feature of the trustee
that is considered. A restaurant may
be trusted at a high level to serve good
food but at a low level for the care on
the customer relationships. Measuring these levels of trust can be done
using different approaches; in our
model we adopt a belief approach
from Subjective Logic [17] where
trust relations represent a combined
measurement of belief, disbelief,
and a level of uncertainty. This is the
most natural approach for humans
since in many situations it is impossible to be completely certain about
the possible outcomes. SecKit takes
all these nuances of trust modeling
into consideration, and provides an
integrated framework implementation to support the specification and
reasoning about trust.
Fig. 2 shows the Graphical User
Interface (GUI) of SecKit that list
all the known identities and the
associated trust relationships for
each identity, considering the target trust aspect. In this example the
target trustee is the "Weather Station (Indoor)," which is considered
untrustworthy with respect to the
enforcement of privacy preferences

Trust
Relations

Knowledge
Exchange
Citizen
Risks

Policy
Rules

Community

Fig.1. Crowd-source citizen security.

WINTER 2014

Table of Contents for the Digital Edition of IEEE Technology and Society Magazine - Winter 2014