This report uses the ATIS Security Architectural Risk Analysis (ARA) to establish a framework for assessing a generic IoT asset’s cybersecurity risk. That asset might be an application, a service, or something else. Its primary function might be to collect and manipulate data, or it might be to perform some task, simple or complicated. It might be a standalone device, or it might work in coordinated fashion with a few or many other applications, services, or machines. It might be a low-level spoke in a wheel, or it might be a critical component of some vast mechanism. As an IoT “thing,” it could be nearly anything, and for the purpose of this analysis, exactly what it is does not matter. It is simply “the asset.” A companion presentation (in PDF form) describing the ARA process in a presentation format can be found here.