The paper addresses cybersecurity threats and risk evaluation, with a focus on the Internet of Things (IoT), where it is extremely difficult for business and private users to get a balanced picture of risk severity. The reasons are the number of different data sources, the lack of a common methodology, and the market orientation of security reports. An important part of a risk evaluation methodology is risk classification. In the paper, we give an overview of existing IoT risk classification methods, noting the restriction that they are either architecture oriented or product oriented. We present an original risk classification method that combines the architectural and product views, with the view of business risks on top of the risk classification. Practical examples of use in the IoT domains of energy production and distribution and of eHealth are also given.

