An Ontology and Guidelines for Cybersecurity Risk Assessment in the Automotive Domain

Sammanfattning: This study aims to propose a knowledge base ontology for the ISO/SAE 21434 cybersecurity risk assessment activities in the automotive domain. The focus of the paper is to model how the standard views the tasks of Threat Analysis and Risk Assessment (TARA) and cybersecurity concept. The model is supported by practical knowledge gained from a design science activity at a major organization for supplying automotive solutions and components. The scope is limited to matters of methodology in systems security assessment. The meta-model shows concepts, relationships, and axioms describing the different activities, stakeholders, and inter-dependencies. Based on the model knowledge, an integrated approach of TARA guideline is created, describing the steps of each of the activities in which it has been adapted by the organization participating in an applied study. Additionally, to increase the efficiency of the human resources involved in the creation of the security artifacts, a proposal to utilize the model relationships and the guideline to automate recurring TARA tasks. Lessons learned from the applied study are presented. The study has adapted an evaluation strategy based on technical evaluation and user evaluation. The guideline was evaluated through gathering expert’s opinions in a qualitative approach. The ontology meta-model has been qualified for consistency through technical evaluation.