A conceptual system dynamics model for cybersecurity assessment of connected and autonomous vehicles.

Emerging Connected and Autonomous Vehicles (CAVs) technology have a ubiquitous communication framework. It poses security challenges in the form of cyber-attacks, prompting rigorous cybersecurity measures. There is a lack of knowledge on the anticipated cause-effect relationships and mechanisms of CAVs cybersecurity and the possible system behaviour, especially the unintended consequences. Therefore, this study aims to develop a conceptual System Dynamics (SD) model to analyse cybersecurity in the complex, uncertain deployment of CAVs. Specifically, the SD model integrates six critical avenues and maps their respective parameters that either trigger or mitigate cyber-attacks in the operation of CAVs using a systematic theoretical approach. These six avenues are: i) CAVs communication framework, ii) secured physical access, iii) human factors, iv) CAVs penetration, v) regulatory laws and policy framework, and iv) trust-across the CAVs-industry and among the public. Based on the conceptual model, various system archetypes are analysed. "Fixes that Fail", in which the upsurge in hacker capability is the unintended natural result of technology maturity, requires continuous efforts to combat it. The primary mitigation steps are human behaviour analysis, knowledge of motivations and characteristics of CAVs cyber-attackers, CAVs users and Original Equipment Manufacturers education. "Shifting the burden", where policymakers counter the perceived cyber threats of hackers by updating legislation that also reduces CAVs adaptation by imitations, indicated the need for calculated regulatory and policy intervention. The "limits to success" triggered by CAVs penetration increase the defended hacks to establish regulatory laws, improve trust, and develop more human analysis. However, it may also open up caveats for cyber-crimes and alert that CAVs deployment to be alignment with the intended goals for enhancing cybersecurity. The proposed model can support decision-making and training and stimulate the roadmap towards an optimized, self-regulating, and resilient cyber-safe CAV system.