Heuristic Risk Treatment for ISO/SAE 21434 Development Projects

Due to new technologies for connectivity, automotive systems shift from a closed to an open system approach. Therefore, automotive systems have a rising demand for security, letting security be an upcoming field in research and practice. Also, the newly published process standard ISO/SAE 21434 demands adjustments in the development process to address cybersecurity. The unique characteristics of automotive systems leave many approaches from other system types inapplicable. This work concentrates on the risk treatment step in the cybersecurity development process. Due to the vast amount of differing terminology, we see the need to define a flexible taxonomy adaptable to several system types and used in systems with normative references. We use this taxonomy to develop a heuristic approach for risk treatment based on a distinct terminology for security requirements. The presented method is extendable to include several trade-off points.