What is security by design?

Security by design means to design the solution with security in mind from the very beginning.


This involves asking two questions already during the design or conceptual phase of the project:

“What can go wrong in my system?” and “What can I do about it?”


Obviously they cannot be answered in full depth at this stage. Yet having investigated the security aspects of the project early helps with important design decisions that need to be made within the scope of the project, and avoids costly redesigns at later stages. The initial security assessment is then updated and refined as the project progresses.

Download Security & Privacy by Design (S|P) Principles

How to implement security by design?

Process

Security by design is not just a technical process. It consists of three main pillars:

     -      People
     -      Process
     -      Technology

All three contribute equally to an effective security strategy. While the threat analysis provides an in-depth analysis of security threats, its results only become valuable if the findings are addressed accordingly, thereby increasing the overall security of the architecture. To do so, one must not only select the most secure hardware or software; it is equally important to design effective processes and to train the people responsible for implementing them.


More information on security by design: From IoT to IoTrust

What are the Challenges?

Constrained resources: IoT modules are usually low-power devices with limited computational resources (RAM, ROM and processing power). Security countermeasures therefore have to fit into this small footprint alongside the required functionality.

Uncontrolled environment: IoT devices typically have to be operational 24x7, and they are usually deployed in remote locations that are not easy to access, or even mobile or in open public areas. Access to these locations may not be restricted by the owners, so the security of the device must not rely on physical access being controlled. Environmental conditions can be harsh (cold, heat, humidity, rain, etc.), and IoT devices have to be robust against these factors as well.

Heterogeneous devices: An IoT network or ecosystem is usually composed of devices from multiple vendors and solution providers. There are no uniform operating guidelines, and interfaces are often proprietary and not interoperable. Because of these heterogeneous device profiles, operation and maintenance is very difficult for device owners.

Scalability: In addition to the challenges above, scalability is another daunting aspect. Rapid change and improvement in technology, pressure for short time to market, and non-standard protocols and interfaces all shorten the lifetime of IoT solutions. As a result, customers cannot plan a large-scale deployment across multiple, wide geographical areas.

Who are the Stakeholders?

o     IoT solutions developers (system architects & engineers) 
o     Integrators & vendors 
o     End users / customers

What is at stake?
o     Loss of data
o     Loss of trust
o     Loss of assets
o     Loss of reputation


Stakeholders involved in implementing security by design are not limited to the technical staff working on the actual IT implementation. A good security analysis should also shed light on the relevance and importance of the identified threats to the organization. For instance, compromise or modification of particular pieces of data might be acceptable, while other pieces are highly sensitive and must be protected by all means. As these are not purely technical questions, other stakeholders in the organization should be involved in the process.
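The two points above (findings are only valuable once they are addressed across people, process and technology; and the organization, not only the engineers, decides which data is sensitive) can be captured in a small threat register. The following is an added example and not code from the page or from any referenced project. The sensitivity scale, the likelihood scale, the sample gateway and all threat entries are constructed for illustration; an organization would substitute its own classification and its own findings.

```python
"""Minimal threat register for an early-stage security-by-design analysis.

Added example, not from the page. Sensitivity levels, likelihood scale and
all register entries are assumptions constructed for illustration.
"""
from dataclasses import dataclass

# Assumption: a 3-level data classification agreed with the business stakeholders.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3}


@dataclass
class Threat:
    asset: str             # what could be compromised (data, key, device)
    sensitivity: str       # one of SENSITIVITY, decided by the data owner
    description: str       # "what can go wrong?"
    likelihood: int        # 1 (rare) .. 3 (likely), design-time estimate
    # "what can I do about it?", split along the three pillars
    control: str = ""      # technology
    procedure: str = ""    # process
    owner: str = ""        # people

    def risk(self) -> int:
        # Relevance to the organization: sensitivity weighted by likelihood.
        return SENSITIVITY[self.sensitivity] * self.likelihood

    def addressed(self) -> bool:
        # A finding only counts as handled once all three pillars are assigned;
        # a control with nobody operating it is not a mitigation.
        return bool(self.control and self.procedure and self.owner)


def prioritize(threats):
    """Highest risk first; equal-risk entries keep their input order."""
    return sorted(threats, key=lambda t: -t.risk())


def open_findings(threats, min_risk=3):
    """Threats at or above min_risk that still lack a control, procedure or owner."""
    return [t for t in prioritize(threats)
            if t.risk() >= min_risk and not t.addressed()]


# Constructed sample register for a hypothetical remote sensor gateway.
REGISTER = [
    Threat("device identity key", "confidential",
           "key read out of flash on a stolen gateway", likelihood=2,
           control="key kept in a secure element",
           procedure="revoke the device identity on theft report",
           owner="fleet operations"),
    Threat("firmware image", "confidential",
           "unsigned image flashed over an exposed debug port", likelihood=3,
           control="signed firmware with boot-time verification"),  # no process or owner yet
    Threat("ambient temperature readings", "public",
           "readings tampered with in transit", likelihood=3,
           control="TLS to the backend",
           procedure="discard out-of-range values",
           owner="backend team"),
    Threat("maintenance logs", "internal",
           "logs readable by anyone with physical access", likelihood=1),
]

if __name__ == "__main__":
    for t in prioritize(REGISTER):
        status = "ok" if t.addressed() else "OPEN"
        print(f"risk={t.risk()} [{status}] {t.asset}: {t.description}")
```

Lowering `min_risk` widens the net: the low-sensitivity, low-likelihood log entry then shows up as well, which is the point of keeping the register instead of the engineers' intuition. The sensitivity column is the one the non-technical stakeholders own; everything else follows from it.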

Understand the objective

o   Understanding the concept of security by design

o   Motivate performing a security analysis

Technological component

This picture is taken from the scientific paper "On the Security and Privacy of Internet of Things Architectures and Systems" by Emmanouil Vasilomanolakis, Joerg Daubert, Manisha Luthra, Vangelis Gazis, Alex Wiesmaier and Panayotis Kikiras (CASED / Telecooperation Lab, Technische Universitaet Darmstadt).