In the automotive industry, as in most other sectors, risk management is essential for maintaining a balanced security posture while keeping cybersecurity spending reasonable. ISO 21434 clearly defines the process of automotive Threat Analysis and Risk Assessment (TARA) for identifying cybersecurity risks. However, it offers little detailed guidance on the subsequent risk treatment decision, so treatment decisions in automotive projects are often neither reproducible nor transparent. To address this gap, we propose a framework that defines a structured decision-making process and guides experts toward suitable sets of cybersecurity controls. The framework evaluates all candidate control options by their cost-effectiveness, with the aim of reducing high risks to an acceptable level. Through a case study and interviews with six industry experts, we assessed its feasibility and iteratively refined the framework based on the experts' feedback.
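As an added illustration of the kind of cost-effectiveness-driven control selection the abstract describes (this is not the paper's framework and none of it comes from the paper), the following Python script takes a constructed TARA result on the 1 to 5 risk-value scale of ISO/SAE 21434, assumes a risk value above 3 counts as "high", and exhaustively evaluates every subset of candidate controls to find the cheapest set that brings every risk to the acceptable level. The risks, control names, costs and reduction effects are all constructed for the example; `ACCEPTABLE`, `cost_effectiveness` and `select_control_set` are this example's own names, not terms from the paper or the standard.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, List, Optional

# Assumed threshold: TARA risk values follow the 1 (lowest) .. 5 (highest) scale of
# ISO/SAE 21434; anything above ACCEPTABLE is treated as a high risk needing treatment.
ACCEPTABLE = 3


@dataclass
class Risk:
    ident: str
    description: str
    value: int  # TARA risk value, 1..5


@dataclass
class Control:
    name: str
    cost: float                 # assumed relative cost units (constructed)
    reduction: Dict[str, int]   # risk ident -> reduction of that risk's value


# Constructed sample TARA output (not from the paper).
RISKS = [
    Risk("R1", "Remote door unlock via telematics unit", 5),
    Risk("R2", "CAN frame injection through the OBD-II port", 4),
    Risk("R3", "Disclosure of driver data from infotainment", 2),
]

# Constructed candidate controls with assumed costs and assumed effects.
CANDIDATES = [
    Control("Mutually authenticated TLS on telematics link", 40.0, {"R1": 2}),
    Control("Authenticated CAN messaging (SecOC)", 70.0, {"R1": 1, "R2": 2}),
    Control("OBD-II gateway filtering", 25.0, {"R2": 1}),
    Control("In-vehicle intrusion detection", 60.0, {"R1": 1, "R2": 1, "R3": 1}),
]


def residual_values(risks: List[Risk], chosen: List[Control]) -> Dict[str, int]:
    """Risk value of each risk after applying the chosen controls (floored at 1)."""
    res = {r.ident: r.value for r in risks}
    for control in chosen:
        for ident, delta in control.reduction.items():
            if ident in res:
                res[ident] = max(1, res[ident] - delta)
    return res


def cost_effectiveness(risks: List[Risk], control: Control) -> float:
    """Total risk-value reduction bought per unit of cost by a single control."""
    before = residual_values(risks, [])
    after = residual_values(risks, [control])
    gained = sum(before[i] - after[i] for i in before)
    return float("inf") if control.cost == 0 else gained / control.cost


def select_control_set(risks: List[Risk], candidates: List[Control],
                       acceptable: int = ACCEPTABLE) -> Optional[List[Control]]:
    """Evaluate every subset of candidate controls and return the cheapest one that
    brings every risk to or below `acceptable`. Ties on cost are broken by the lower
    total residual risk. Returns None if no subset reaches the acceptable level."""
    best: Optional[List[Control]] = None
    best_key = None
    for size in range(len(candidates) + 1):
        for subset in combinations(candidates, size):
            res = residual_values(risks, list(subset))
            if any(v > acceptable for v in res.values()):
                continue  # some high risk is still untreated by this subset
            key = (sum(c.cost for c in subset), sum(res.values()))
            if best_key is None or key < best_key:
                best, best_key = list(subset), key
    return best


def total_cost(controls: List[Control]) -> float:
    return sum(c.cost for c in controls)


if __name__ == "__main__":
    for c in CANDIDATES:
        print(f"{c.name:50s} cost={c.cost:6.1f}  "
              f"reduction per cost unit={cost_effectiveness(RISKS, c):.3f}")
    chosen = select_control_set(RISKS, CANDIDATES)
    if chosen is None:
        print("No candidate set reaches the acceptable level; the treatment decision must be escalated.")
    else:
        print("Selected:", [c.name for c in chosen], "total cost", total_cost(chosen))
        print("Residual risk values:", residual_values(RISKS, chosen))
```

The exhaustive search is only practical for the handful of controls a single TARA item usually has; its value here is that the decision is reproducible, since the same inputs always yield the same control set and the `None` result makes an untreatable risk explicit instead of leaving it to an undocumented judgement call.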