🤖 AI Summary
IoT and Cyber-Physical Systems (CPS) face shared security and privacy risks across six dimensions—hardware, network, operating system, software, data, and user—yet lack a holistic, stack-wide risk assessment framework.
Method: We propose the first full-stack joint risk assessment framework, grounded in a unified security and privacy architecture model that characterizes both IoT and CPS as “physical devices integrated with communication/execution modules and cyberspace.” Our approach combines cross-layer risk modeling, architectural abstraction comparison, and case-driven analysis.
Contribution/Results: We empirically validate the framework on real-world systems—including an air quality monitoring network, smart plugs, and building automation systems—identifying critical bottlenecks such as low-cost protection mechanisms and trustworthy OS support. The framework establishes a scalable, structured security assessment paradigm for heterogeneous intelligent IoT-CPS systems, enabling systematic identification and mitigation of cross-cutting threats.
📝 Abstract
The concepts of Internet of Things (IoT) and Cyber Physical Systems (CPS) are closely related. IoT often refers to small interconnected devices such as those in a smart home, while CPS often refers to large interconnected devices such as industrial machines and smart cars. In this paper, we present a unified view of IoT and CPS: from the perspective of network architecture, the two are similar. In both IoT and CPS, networking/communication modules are attached to originally dumb things so that those things become smart and can be integrated into cyberspace. If needed, actuators can also be integrated with a thing in order to control it. With this unified view, we can perform risk assessment of an IoT/CPS system across six factors: hardware, networking, operating system (OS), software, data, and human. To illustrate the use of this risk analysis framework, we analyze an air quality monitoring network, a smart home using smart plugs, and a building automation system (BAS). We also discuss challenges in IoT security, such as cost and secure OS.