A Comprehensive Risk Management Approach to Information Security in Intelligent Transport Systems 11-04-01-0003

Connected vehicles and intelligent transportation systems are currently evolving into highly interconnected digital environments. Due to the interconnectivity of different systems and complex communication flows, a joint risk analysis for combining safety and security from a system perspective does not yet exist. We introduce a novel method for joint risk assessment in the automotive sector as a combination of the Diamond Model, Failure Mode and Effects Analysis (FMEA), and Factor Analysis of Information Risk (FAIR). These methods have been sequentially composed, which results in a comprehensive risk management approach to information security in an intelligent transport system (ITS). The Diamond Model serves to identify and structurally describe threats and scenarios, the widely accepted FMEA provides threat analysis by identifying possible error combinations, and FAIR provides a quantitative estimation of probabilities for the frequency and magnitude of risk events. We present the methodology and its step-by-step application on a practice-oriented automotive use case. As a result of this risk management approach, we can finally provide quantitative values from FAIR instead of a qualitative categorization, enabling a more accurate assessment of risks and prioritization of their mitigation. Simultaneously, the FMEA ensures complete risk identification at a component level. The approach is transparent, reusable, and can be adjusted to new estimations or insights easily and at any time, thus addressing the complexity and diversity of services in the transportation domain.