Modelling cybersecurity regulations for automated vehicles

Technological advancements in Connected and Automated Vehicles (CAVs), particularly the integration of diverse stakeholder groups (communication service providers, road operators, automakers, repairers, CAV consumers, and the general public) and the pursuit of new economic opportunities, have resulted in the emer-gence of new technical, legal, and social challenges. The most pressing challenge is deterring criminal behaviour in both the physical and cyber realms through the adoption of CAV cybersecurity protocols and regulations. However, the literature lacks a systematic decision tool to analyze the impact of the potential cybersecurity regulations for dynamically interacting stakeholders, and to identify the leverage points to minimise the cyber-risks. To address this knowledge gap, this study uses systems theory to develop a dynamic modelling tool to analyze the indirect consequences of potential CAVs cybersecurity regulations in the medium to long term. It is hypothesized that CAVs Cybersecurity Regulatory Framework (CRF) is the property of the entire ITS stakeholders. The CRF is modelled using the System Dynamic based Stock-and-Flow-Model (SFM) technique. The SFM is founded on five critical pillars: the Cybersecurity Policy Stack, the Hacker's Capability, Logfiles, CAV Adopters, and intelligence-assisted traffic police. It is found that decision-makers should focus on three major leverage points: establishing a CRF grounded on automakers' innovation; sharing risks in eliminating negative externalities associated with underinvestment and knowledge asymmetries in cybersecurity; and capitalising on massive CAV-generated data in CAV operations. The formal integration of intelligence analysts and computer crime investigators to strengthen traffic police capabilities is pivotal. Recommendations for automakers include data-profiteering in CAV design, production, sales, marketing, safety enhancements and enabling consumer data transparency. Furthermore, CAVs-CRF necessitate a balanced approach to the trade-off between: i) data acces-sibility constraints on CAV automakers and ITS service providers; ii) regulator command and control thresholds; iii) automakers' business investment protection; and iv) consumers' data privacy guard.