A long list of documents have been offered as security advice, codes of practice, and security guidelines for building and using security products, including Internet of Things (IoT) devices. To date, little or no systematic analysis has been carried out on the advice datasets themselves. Towards addressing this, with IoT as a case study, we begin with an informal analysis of two documents offering advice related to IoT security -- the ETSI Provisions and the UK DCMS Guidelines -- and then carry out what we believe is the first systematic analysis of these advice datasets. Our analysis explains in what ways the ETSI Provisions are a positive evolution of the UK DCMS Guidelines. We also suggest aspects of security advice warranting special attention by those offering security advice. Such parties may find the systematic analysis method, which categorizes advice into predefined categories, to be of general interest beyond IoT itself.