CyberROAD : a cybersecurity risk assessment ontology for automotive domain aligned with ISO/SAE 21434:2021
(2025) In Journal of Information Security and Applications 90.
- Abstract
- The automotive domain is becoming increasingly complex through the integration of new technologies. As a result, cybersecurity is recognized as a pressing issue. This study focuses on the ISO/SAE 21434:2021 standard for road vehicles cybersecurity engineering, evaluating the effectiveness of the standard’s risk assessment approach. The standard suggests a set of assessment steps, and previous research has shown that practitioners often face challenges during assessment execution. The absence of clear, structured guidelines within the standard leads to different interpretations, resulting in inconsistent assessment approaches. This inconsistency makes it difficult to compare and measure the quality of the assessments. Our study uses design science methodology to create a new cybersecurity risk assessment ontology in the automotive domain, describing the relationships and interdependencies between cybersecurity risk assessment activities, stakeholders, and work packages. The ontology model is evaluated in a case study at a leading automotive systems supplier to validate the model’s suitability for developing a cybersecurity risk assessment method. The findings indicate that the ontology model provides an improved understanding of the underlying risk assessment activities and allows for a structured method for extracting procedural steps according to the standard. This systematic approach increases the cybersecurity risk assessment conformity and the consistency of assessment results. In conclusion, this paper gives valuable insights and actionable recommendations for stakeholders, researchers, and organizations seeking to improve the cybersecurity risk assessment process in the automotive domain.
Please use this url to cite or link to this publication:
https://lup.lub.lu.se/record/c30febf7-1f0c-48d6-bdbf-b07931ace273
- author
- Khalil, Karim LU ; Gehrmann, Christian LU and Vogel, Günther
- organization
- publishing date
- 2025-05
- type
- Contribution to journal
- publication status
- published
- subject
- keywords
- Cybersecurity risk assessment, Ontology, ISO/SAE 21434:2021, Automotive domain, Threat analysis and risk assessment, TARA, Design science research method
- in
- Journal of Information Security and Applications
- volume
- 90
- article number
- 104015
- pages
- 19 pages
- publisher
- Elsevier
- external identifiers
- scopus:86000361848
- ISSN
- 2214-2126
- DOI
- 10.1016/j.jisa.2025.104015
- language
- English
- LU publication?
- yes
- id
- c30febf7-1f0c-48d6-bdbf-b07931ace273
- date added to LUP
- 2025-05-29 13:29:33
- date last changed
- 2025-06-03 10:59:54
@article{c30febf7-1f0c-48d6-bdbf-b07931ace273,
  abstract  = {{The automotive domain is becoming increasingly complex through the integration of new technologies. As a result, cybersecurity is recognized as a pressing issue. This study focuses on the ISO/SAE 21434:2021 standard for road vehicles cybersecurity engineering, evaluating the effectiveness of the standard’s risk assessment approach. The standard suggests a set of assessment steps, and previous research has shown that practitioners often face challenges during assessment execution. The absence of clear, structured guidelines within the standard leads to different interpretations, resulting in inconsistent assessment approaches. This inconsistency makes it difficult to compare and measure the quality of the assessments. Our study uses design science methodology to create a new cybersecurity risk assessment ontology in the automotive domain, describing the relationships and interdependencies between cybersecurity risk assessment activities, stakeholders, and work packages. The ontology model is evaluated in a case study at a leading automotive systems supplier to validate the model’s suitability for developing a cybersecurity risk assessment method. The findings indicate that the ontology model provides an improved understanding of the underlying risk assessment activities and allows for a structured method for extracting procedural steps according to the standard. This systematic approach increases the cybersecurity risk assessment conformity and the consistency of assessment results. In conclusion, this paper gives valuable insights and actionable recommendations for stakeholders, researchers, and organizations seeking to improve the cybersecurity risk assessment process in the automotive domain.}},
  author    = {{Khalil, Karim and Gehrmann, Christian and Vogel, Günther}},
  issn      = {{2214-2126}},
  keywords  = {{Cybersecurity risk assessment; Ontology; ISO/SAE 21434:2021; Automotive domain; Threat analysis and risk assessment; TARA; Design science research method}},
  language  = {{eng}},
  publisher = {{Elsevier}},
  series    = {{Journal of Information Security and Applications}},
  title     = {{CyberROAD : a cybersecurity risk assessment ontology for automotive domain aligned with ISO/SAE 21434:2021}},
  url       = {{http://dx.doi.org/10.1016/j.jisa.2025.104015}},
  doi       = {{10.1016/j.jisa.2025.104015}},
  volume    = {{90}},
  year      = {{2025}},
}