Cybersecurity Modelling for the Adoption and Deployment of Connected and Automated Vehicles

Modern-day Connected and Autonomous Vehicles (CAVs) with over 100 million code lines, running up-to a hundred Electronic Control Units, will create and exchange digital information with other vehicles and intelligent transport networks. Consequently, ubiquitous internal and external communication (controls, commands, and data) within all CAV-related nodes is inevitably the gatekeeper for smooth operation. Therefore, it is a primary vulnerable area for cyber-attacks that entails stringent and efficient measures in the form of "cybersecurity". However, there are some gaps in the literature concerning effective CAV cybersecurity. Firstly, a comprehensive literature review on cyber-attacks on CAVs, respective mitigation strategies, anticipated readiness, and future research directions is lacking. Secondly, no study has systematically investigated the public's perceptions of cyber risks and their relationship with CAV deployment and acceptance. Thirdly, there is a lack of knowledge regarding the anticipated cause-effect relationships and mechanisms of critical CAVs' cybersecurity avenues. Fourthly, CAVs cybersecurity is a complex dynamic challenge involving various interconnected factors of diverse nature that cannot be accomplished through hardware or software integration. It is characteristic of all system components involved in the CAV-based Intelligent Transportation Systems (ITS). There is no formal model that dynamically assesses CAVs' cybersecurity in a consolidated framework to address technology challenges, human threats, and public cybersecurity awareness. To address the above knowledge gaps, this study analyses critical areas for the roll-out and progression of CAVs in combating cyber-attacks. Specifically, we structured a holistic view of potentially critical avenues, which lies at the heart of CAV cybersecurity research. We synthesise their scope, focusing on ensuring effective CAVs deployment and reducing the probability of cyber-attack failures. To assess CAV cyber risks and public perception, this research examines the six dimensions of cyber barriers and measures their impact on CAV deployment using a sample of 2062 adults from the four Organization for Economic Cooperation and Development (OECD) nations (US, UK, New Zealand, and Australia). By examining the influence of different demographic categories on CAV adoption, this study contributes to understanding the perception of CAV cyber barriers: data privacy, CAV connectivity, ITS infrastructure, lack of cybersecurity regulations, CAVs cybersecurity understanding, and CAV cyber-insurance. In doing so, we add a comprehensive and fine-grained analysis of public and cyber obstacles, CAV acceptability, and policies to the literature on CAV deployment. The research explores the cyber-emulated risk elements that affect the public's acceptance of CAVs: cyberattacks, safety risk, connectivity risk, privacy risk, and performance risk. A conceptual model is built, and its validity is tested using Structural Equation Modelling. The study's empirical evidence establishes that perceived cyberattacks considerably influence CAV usage intent, albeit with a positive beta coefficient. This explains that, despite cybersecurity worries, individuals are ready to tolerate the technological risks involved with CAVs. However, it indirectly influences CAV use intention through safety, performance, and privacy risks, demonstrating a partial mediation. Cyberattacks raise concerns about safety, connectivity, privacy, and performance risks. Similarly, concerns about safety, privacy, and performance risks negatively influence customers' willingness to use CAVs. Similarly, this research developed a conceptual System Dynamics (SD) model to analyse cybersecurity in the complex, uncertain deployment of CAVs. Specifically, using a systematic theoretical approach, the SD model integrates six critical avenues and maps their respective parameters that either trigger or mitigate cyber-attacks in the operation of CAVs. These six avenues are: i) CAVs communication framework, ii) secured physical access, iii) human factors, iv) CAVs penetration, v) regulatory laws and policy framework, and iv) trust—across the CAVs-industry and among the public. Based on the conceptual model, various system archetypes are analysed. "Fixes that Fail", in which the upsurge in hacker capability is the unintended natural result of technology maturity, requires continuous efforts to combat it. The primary mitigation steps are human behaviour analysis, knowledge of motivations and characteristics of CAVs cyber-attackers, CAVs users and Original Equipment Manufacturers' education. "Shifting the burden", where policymakers counter the perceived cyber threats of hackers by updating legislation that also reduces CAVs adaptation by imitations, indicated the need for calculated regulatory and policy intervention. The "limits to success" triggered by CAVs' penetration increase the defended hacks to establish regulatory laws, improve trust, and develop more human analysis. However, it may also open caveats for cyber-crimes and alert that CAVs deployment to be alignment with the intended goals for enhancing cybersecurity. Moving forward, this study developed a quantitative SD model to address technology challenges (software risks, hardware constraints, network limitations, communication safety, and log files), human threats (hacker's capability, criminology theory), and public cybersecurity awareness. The model considers the interrelationships between these three pillars of ITS operation to predict emergent long-term behaviours and indirect effects. The proposed model's structure and behaviour are tested and used to perform scenario analyses by four functional metrics: hacking attempts, hacks defended, communication safety, and CAV adopters. The variations of these indicators as found in this study, highlight the enhancement techniques for a robust cyber framework. For instance, technological maturity increases communication safety's resistance to cyberattacks while simultaneously enhancing the capabilities of hackers, which may outweigh the benefits. To the best of the authors' knowledge, this research presented a comprehensive analysis of critical CAV cybersecurity research avenues, encompassing threat taxonomies, attack surfaces, and communication frameworks. It highlighted the limitations of conventional CPS cybersecurity approaches and offers counterstrategies for CAV cyber-attacks. Similarly, the research shifted the emphasis from CAV adoption to CAV operation, considering consumer perception. It pioneers examining the six dimensions of cyber barriers and their impact on CAV deployment, contributing to understanding data privacy, connectivity, infrastructure, regulations, cybersecurity comprehension, and cyber-insurance challenges. Additionally, for the first time, the research introduces a tool that quantifies cyber security risk outcomes and uncertainties in CAVs at the system level via a Stock-and-Flow Model (SFM). This novel system-thinking approach, analysing technological challenges, human threats, and public cybersecurity awareness interplay, provides a holistic understanding of CAVs' cybersecurity—a critical factor for anticipating emergent behaviours and indirect consequences in ITS operation.<p></p>