Another source of security requirements/user stories is the set of laws and compliance mandates that govern your product. Even though many compliance frameworks have been slow to identify IoT-specific controls, there are some rules and documentation to take notice of, depending on where your IoT product will be deployed.
For example, in the United States, draft IoT security legislation is working its way through the government, and in Europe, ENISA has released its baseline security requirements for the IoT. Each of these may end up becoming mandated minimum standards for your IoT product in the future.
Pay attention to them now, and use them as sources of requirements for your product security ...