{"title":"CyberROAD: A cybersecurity risk assessment ontology for automotive domain aligned with ISO/SAE 21434:2021","authors":"Karim Khalil , Christian Gehrmann , Günther Vogel","doi":"10.1016/j.jisa.2025.104015","DOIUrl":null,"url":null,"abstract":"<div><div>The automotive domain is becoming increasingly complex through the integration of new technologies. As a result, cybersecurity is recognized as a pressing issue. This study focuses on the ISO/SAE 21434:2021 standard for road vehicles cybersecurity engineering, evaluating the effectiveness of the standard’s risk assessment approach. The standard suggests a set of assessment steps, and previous research has shown that practitioners often face challenges during assessment execution. The absence of clear, structured guidelines within the standard leads to different interpretations, resulting in inconsistent assessment approaches. This inconsistency makes it difficult to compare and measure the quality of the assessments. Our study uses design science methodology to create a new cybersecurity risk assessment ontology in the automotive domain, describing the relationships and interdependencies between cybersecurity risk assessment activities, stakeholders, and work packages. The ontology model is evaluated in a case study at a leading automotive systems supplier to validate the model’s suitability for developing a cybersecurity risk assessment method. The findings indicate that the ontology model provides an improved understanding of the underlying risk assessment activities and allows for a structured method for extracting procedural steps according to the standard. This systematic approach increases the cybersecurity risk assessment conformity and the consistency of assessment results. In conclusion, this paper gives valuable insights and actionable recommendations for stakeholders, researchers, and organizations seeking to improve the cybersecurity risk assessment process in the automotive domain.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"90 ","pages":"Article 104015"},"PeriodicalIF":3.8000,"publicationDate":"2025-03-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000535","RegionNum":2,"RegionCategory":"Computer Science","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.