Smart cities are urban spaces characterized by the widespread use of Information and Communication Technologies (ICTs). They intend to improve political-economic efficiency and support human and social development, thus improving the quality of life of its citizens. According to Toli and Murtagh [1], a city is considered “smart” when there are drivers of sustainable eco-economic growth, a high quality of life, and conscious management of natural resources through participatory and democratic governance. Several drivers of smart cities include investments in technological infrastructure, investments in human capital, and social investments. In addition, other aspects that should be considered when classifying cities as smart include urban mobility, commitment to environmental issues, and social issues ^[2][3][4][5][2,3,4,5]. In summary, smart cities use technology and innovation to improve the quality of life of their inhabitants, increase the economic value generated in that community, and promote environmental sustainability.

Smart cities focus on the provision of a set of initiatives, actions, and services, in various areas of applicability in cities that aim to optimize and improve the well-being of their populations, both in terms of health and the environment. In broad terms, the goal of smart cities is to dynamically optimize the city to provide a set of actions and services for a more inclusive and sustainable city ^[6][7][6,7]. The main role that ICTs can assume is to integrate information systems services from each domain of activity of a city, such as health, education, transportation, energy, water, and waste management, to provide public services to citizens in a more efficient and ubiquitous way [8]. Furthermore, ICT plays a role in the incorporation and integration of various complex systems at the level of technological infrastructure, social structures, politics, and human behavior ^[9][10][9,10].

At the same time, the role of ICT for businesses, citizens, and civil society to create, invent, and experiment new things to improve and optimize the quality of life in cities is also widely known and accepted. However, taking into account the exposure of digital services and support services of the various domains through communication networks and the use of ICT, it is important to consider the identification of risks and challenges associated with smart cities, to reduce or mitigate these risks, namely in different sectors of activity, such as industrial control systems, intelligent transportation systems, Internet of Things (IoT), and digital health (e-health), in addition to other areas of intervention of cities. The literature ^[11][12][11,12] recognizes that cybersecurity and data privacy issues have become increasingly relevant, questionable, and challenging, both for citizens and for technology companies that provide digital services who are aware of the problem of cybercrime and cyberterrorism.

Cybersecurity plays a key role in smart cities due to the increasing interconnectivity and widespread use of ICT [13]. In smart cities, systems and devices are networked to collect data, monitor infrastructures, optimize services, and improve citizens’ quality of life. However, this connectivity exposes cities to a range of cyber threats, making data and infrastructure security critical. Systematic literature reviews performed by Kim et al. [14] and Gracias et al. [15] in the field of smart cities have identified cybersecurity as a key factor for the implementation of a smart city. Furthermore, studies in the area have sought to characterize the various security risks considering theoretical models for identifying vulnerabilities ^{[16][17][18][19][20]}[16,17,18,19,20] and empirical scenarios considering several smart cities such as Dubai, Barcelona, Shanghai, and Como ^{[21][22][23][24]}[21,22,23,24].

2. Information Security

2.1. Information Security

In recent years, the potential and actual impacts of security threats in cyberspace have become evident due to several incidents with direct repercussions on the security of countries and citizens ^[25][26][27][27,28,29]. Digital technologies and cyberspace are not only resources and space where one can do better and more efficiently what was once difficult, time-consuming, and costly to do. As argued by Lippert and Cloutier ^[28][30], this new reality has created the potential to significantly alter the influence of different groups or actors in the international and national, social, or business scenes. Information systems, digital communication, and the surrounding digital environment are key elements for successful decision-making processes that aim to produce informed decisions on critical and sensitive issues. To maintain sustainable and competitive infrastructures, which are vital to the survival of nations around the world, there has been a drive to invest in mechanisms and processes that derive from the need to make every possible effort to ensure secure digital resources. Authors such as Knell ^[29][31] and Pereira et al. ^[30][32] emphasize that the world is highly interconnected, with resources interconnected with structures and networks on a global scale. Therefore, one of the main concerns to ensure a secure protection and safeguarding of information has been the security of information systems, public and private, and their information, which is essential to support the activities of organizations. It also emerges that information security is also vital to building and maintaining customer trust. Consumers are increasingly concerned about the privacy and protection of their personal data. Bleier et al. ^[31][33] argue that by demonstrating a serious commitment to information security, organizations can gain customer trust and establish lasting relationships. This is also an important element in the context of smart city adoption, in which the relationships established also manifest themselves in the inclusion of new services in smart cities. Information security addresses multiple domains. The importance of information security can be understood in different aspects. Information security must ensure the confidentiality of data, preventing sensitive information from falling into the wrong hands. This is especially critical when it comes to personal data, financial information, trade secrets, or government information. Based in a literature review, Rath and Kumar ^[32][35] have concluded that a breach of confidentiality can lead to serious consequences such as identity theft, financial loss, or reputational damage. Information security also aims to ensure data integrity (i.e., its accuracy, completeness, and consistency over time). It is essential that information is not altered in an unauthorized or accidental way, ensuring that it remains reliable and accurate. A lack of data integrity can lead to wrong decisions, errors in processes, and loss of confidence in the information ^[33][36]. Finally, information security must ensure that data and systems are available when needed. This implies protecting information against technical failures, cyber-attacks, or natural disasters that may compromise data availability. In their work exploring the relationship between availability and other security issues, Qadir and Quadri ^[34][37] have realized that a lack of availability can cause business disruptions, lost productivity, and financial losses. Information security, data science, and technology are interconnected domains. Data science involves the extraction of knowledge and insights from data. It encompasses a wide range of techniques, including data collection, data cleaning, data analysis, data visualization, machine learning, and statistical modeling ^[35][36][38,39]. Technology serves as the foundation for both information security and data science. Technological advancements have enabled the rapid growth of digital data and the development of sophisticated tools and algorithms to process and analyze it. Key technological components that support information security and data science include big data platforms, cloud computing, artificial intelligence, machine learning, cryptography, and networking and communication. Hazim and Khan ^[37][40] provide several examples of the use of the cloud in organizations and pointed out that cloud services have revolutionized data storage, accessibility, and processing. They provide scalable infrastructure to accommodate large datasets and host data science applications and security solutions. Cloud service providers maintain vast data centers with a wide array of servers, storage, and networking resources. They can allocate and reallocate these resources dynamically based on demand. According to Brataas et al. ^[38][41], this allows users to scale up (add more resources) or scale down (remove excess resources) as needed, without having to invest in physical hardware themselves. Furthermore, cloud platforms offer elasticity, which means they can automatically adjust resources in response to varying workloads. During periods of high demand, the cloud can rapidly provision additional resources, and during low-demand periods, it can release unneeded resources. Biswas et al. ^[39][42] state that dynamic scaling ensures efficient resource utilization and cost-effectiveness. Cloud computing and machine learning are two powerful technologies that can be effectively combined to leverage their respective strengths. The integration of machine learning with cloud computing enables scalable and flexible solutions for processing and analyzing large datasets, building sophisticated models, and deploying AI-powered applications ^[40][43]. Machine learning tasks often require significant computational resources, especially for training complex models. Peng et al. ^[41][44] provide a vision regarding the parallel computing programming mode in the context of cloud computing and argue that it has enabled distributed computing, which can significantly speed up the training process by distributing the workload across multiple servers or nodes. This parallel processing capability can be relevant when training complex models on large datasets.

3. Security Risks in Smart Cities

2.2. Security Risks in Smart Cities

ICT plays a key role in the development of smart cities, which combine infrastructure, architecture, objects, and people to improve processes and address social, economic, and environmental problems. Several technologies such as cloud, big data, artificial intelligence, blockchain, and IoT are found in smart cities. Nastjuk et al. ^[42][45] advocate that the use of emerging technologies is an enabler of innovation in the context of smart cities, and that it is not limited to the technological perspective of cities, but enables the creation of a smart environment, smart governance, and smart economy. Given the above, it can be inferred that there is no smart city without technology and innovation, as these are the factors that differentiate it from an ordinary city ^[43][46]. Necessarily, the adoption of new technologies and the high interconnectivity between them and humans makes smart cities vulnerable to various cyber threats ^[44][45][47,48]. Therefore, protecting the infrastructure, systems, and data from malicious activities is essential to ensure the security, privacy, and reliability of smart city services. Accordingly, there is a need to explore and know mitigation strategies that can address these challenges. It is important to highlight that the security and privacy challenges of smart cities are not new and that many of them already exist in the isolated use of each of their technologies, but that they now assume a greater impact in the interconnected context of smart cities. The infrastructure of a smart city is composed of thousands of devices and applications that aim to improve processes and bring benefits to citizens. However, the use of these applications and systems can bring several problems related to security and privacy. Elliott and Soifer ^[46][49] and Federspiel et al. ^[47][50] refer to the vulnerabilities that occur by adopting smart systems based on artificial intelligence, as they not only collect a wide variety of sensitive information from people and their social circles, but also control city facilities and influence citizens’ lives. In a smart city, security is looked at in the general component by covering all the features of the city, but it is also included in all the aspects that make it up. Studies by Ghazizadeh et al. ^[48][52] use an extended version of the Technology Acceptance Model (TAM) to demonstrate that security is a key factor in technology acceptance. Thus, safety encompasses more than just technical factors, having a strong human-dependent aspect, also including subjective factors related to the perception of individuals ^[49][53]. Consequently, the existence of objective and subjective dimensions of security is assumed. Cybersecurity plays a key role in protecting critical infrastructure, which includes systems and assets that are essential to the functioning of society and the economy. This infrastructure can include power grids, transportation networks, water treatment facilities, communication systems, and more. Protecting these vital components from cyber threats is critical to prevent the disruptions, unauthorized access, or sabotage that can affect citywide operations ^[50][54]. The privacy by design approach advocated in studies such as Drev and Delak’s ^[51][55] and Romanou’s ^[52][56] is essential in smart cities that must be supported by a secure architecture and design. Therefore, cybersecurity considerations should be integrated into the architecture and design of critical infrastructure systems from the outset. This involves following the best security practices, conducting risk assessments, and implementing appropriate security controls ^[53][54][57,58]. Protecting data privacy is another area of concern in smart cities’ environments. Smart cities generate massive amounts of data from sensors, surveillance systems, and connected devices. These data often contain sensitive information about individuals, including their locations, behaviors, and personal preferences. Data encryption is a fundamental technique used to secure data in transit and at rest. In smart cities, sensitive data such as personal information, financial records, and surveillance footage should be encrypted to prevent unauthorized access or interception by malicious actors ^[55][59]. The importance of data minimization and anonymization is associated with the appearance of data encryption. Daoudagh et al. ^[56][60] recommend that smart cities should practice data minimization, collecting only the necessary data to fulfill their functions and reducing the risk associated with storing excessive personal information. Furthermore, smart cities must implement robust access controls to restrict access to sensitive systems and data. This involves implementing secure authentication mechanisms such as multi-factor authentication and role-based access control (RBAC) to ensure that only authorized individuals can access specific data ^[57][61]. Additionally, smart cities must incorporate secure communication mechanisms. Communication between devices and systems within a smart city’s infrastructure should be secured to prevent eavesdropping or tampering. IoT devices are the backbone of smart cities, enabling connectivity and data exchange among various systems and devices. However, these devices are often vulnerable to cyber-attacks due to their limited security measures ^[58][63]. Consequently, robust cybersecurity practices are needed to secure IoT devices, including implementing secure authentication, encryption, and regular software updates to prevent unauthorized access or control. Several approaches are proposed in the literature to increase the security of IoT devices. Implementing robust authentication mechanisms such as multi-factor authentication (MFA) is proposed by Ometov et al. ^[59][64] to ensure that only authorized users or devices can access the IoT devices. This helps prevent unauthorized access and protects against brute-force attacks. The adoption of secure communication protocols such as Transport Layer Security (TLS) or Secure Shell (SSH) to encrypt data transmitted between IoT devices and the backend systems is proposed by Paul et al. ^[60][65]. This prevents the eavesdropping of and tampering with sensitive information. Regular firmware updates are recommended by Gong et al. ^[61][66] to keep the firmware of IoT devices up to date by applying regular security patches and updates provided by the manufacturers. This helps address vulnerabilities and ensures that devices are protected against known security risks. Finally, Prazeres et al. ^[62][67] employ an approach using test data from different datasets to suggest the implementation of network segmentation to isolate IoT devices from other critical infrastructure systems. This way, even if one device is compromised, it will not provide direct access to the entire network, reducing the potential impact of an attack. Effective cybersecurity in smart cities requires collaboration among various stakeholders, which may include government authorities, urban planners, industry partners, community and citizen groups, and academic and research institutions, among others. As it is advocated by Clement et al. ^[63][68], the sharing of information, best practices, and establishing partnerships can help develop comprehensive cybersecurity strategies and responses to emerging threats. Public awareness and education are another pillar of cybersecurity in smart cities. At this level, Williamson ^[64][69] states that citizens should be informed about potential risks, advised on secure practices, and encouraged to report any suspicious activities. It is advocated that building a culture of cybersecurity awareness can help prevent attacks and ensure the collective security of the smart city ecosystem.