There is research in these areas, although there is not a huge amount yet. Many researchers were heavily into cloud security, privacy, risk and trust, and traditionally thought of IoT as "small beer". However, as we have seen from recent hacks of IoT systems, the bad guys have realised that because many users have thought of IoT as "small beer", they have failed to seriously think about the security of their devices. As a result, it is estimated that over 1.2 million devices have now been infected with the Mirai virus. With just over 150,000 hacked IoT devices such as routers, cameras and digital recorders, attackers used these to perpetrate a DDoS attack that hit 660Gbps to take the website of cyber-crime blogger Brian Krebs offline in September, and an attack allegedly from the same source took down Dyn's DNS system, with a DDoS attack that recorded a high attack speed of over 990 Gbps. Just last week, the same source was alleged to have take a whole country offline - Liberia. Attackers often are not interested in what they can get from small systems, but they are very interested in grabbing the free resources to construct a bot-net that they can use at huge scale to wreak havoc elsewhere. It won't be too long before they start trying to blackmail large corporates not to take their systems down using massively scaled DDoS attacks.
This is certainly getting the attention of a lot more security researchers, so I would expect to see a lot more papers coming out over the next few years. There are also a number of IoT conferences that have sprung up recently, with some element of focus on IoT security issues. My own area of research is cloud security and privacy, and cloud being a natural facilitator of the IoT and the Big Data it is capable of generating, the IoT is a natural extension to my publishing pipeline. I have a few papers and articles due out within the next few months, which you will be able to download from ResearchGate. I also have an interest in Risk, and there are also a few of these papers in the pipeline too.
Most of my published work so far is on key management issues to be addressed for good cloud security and privacy by company management. My current focus is nowshifting to technical vulnerabilities, followed by the impact of the threat environment itself. Some 10 years after cloud really got going, and there are a lot of security holes yet to be filled. This is a far more challenging area than traditional distributed systems, and the imminent EU legislation on General Data Protection Regulation enters into application on 25th May 2018 after a two-year transition period. Fines are draconian, and few business users will be ready to comply by that date, let alone cloud users.
So, it will become a research area of great interest over the next few year.