|
| Category | Subcategory | Method | Brief description | Characteristics | Coanalysis |
|
| Formula-based | Asset-based | EVITA method [4] | EVITA is a part of a European commission-funded research project (EVITA: E-safety vehicle intrusion protected applications). | In EVITA, security threats are classified from different perspectives: operations, security, privacy, and finance. EVITA is a suitable approach for concept evaluation but requires too many details for classification. | Yes |
| HEAVENS [3] | HEAVENS is a method for threat analysis and risk assessment of automotive electronic and electrical systems. | The STRIDE threat modeling approach brings additional support structuring for the estimation of threat scenarios. It has a wide range of applicability and can be applied to passenger cars and commercial vehicles. | Yes |
| OCTAVE | OCTAVE stands for operationally critical threat, asset, and vulnerability evaluation. | It is flexible, tailorable, and repeatable. | No |
| BRA [5, 6] | BRA is a lightweight qualitative open license risk assessment. | It is fast and convenient but is relatively rudimentary, and it is difficult for it to conduct an overall threat assessment of complex systems. | No |
| SHIELD [5, 6] | SHIELD is a method for assessing the security, privacy, and dependability of embedded systems. | It considers security, privacy, and dependability. | No |
| TVRA [10] | Threat, vulnerability, and risk analysis (TVRA) identifies assets in the system and their associated threats by modeling the likelihood and impact of attacks. | It provides the possibility for a more detailed analysis of threats. | No |
| SGM [8] | This method is based on security guide words, which allow a structured identification of possible attack scenarios. | It is easy to use and can reduce the workload of analysts. | Yes |
| US2 [11] | This method uses a simple quantitative scheme to simultaneously assess security risks and security threats. | The quantitative method of US2 is less complicated and requires less analytical work. | Yes |
| Policy-based security modeling [9] | This method is a strategy-based security modeling method, which uses a configurable strategy engine to apply new strategies to deal with serious threats. | This method allows the strategy to be updated to deal with new threats; otherwise, the product may need to be redesigned to alleviate the problems under the traditional method. | No |
| NHTSA [7] | This method uses a threat matrix in the technical report of the US National Highway Traffic Safety Administration (NHTSA). | It can display the system intuitively. | No |
| SW vulnerability analysis | The method could find vulnerabilities in codes. | The software code of the known software structure can be checked to prevent potential vulnerabilities, but this method is aimed at the software development level, so it is not suitable for the early development stage. | No |
| SAHARA [12] | SAHARA (security-aware hazard analysis and risk assessment) is an expansion of the inductive analysis method called hazard analysis and risk assessment (HARA) and encompasses threats of the STRIDE threat model. | It is able to quantify the possibility and impact of threats. | Yes |
| Vulnerability-based | CVSS | CVSS captures the main attributes of vulnerabilities and generates numerical and textual forms of scores representing the severity of the vulnerabilities. | CVSS provides vulnerability priority and an open framework. | No |
| FMVEA [13] | FMVEA is based on the FMEA and extends the standard approach with security-related threat modes. | This method can identify the frequency and probability of threat modes. | Yes |
| CHASSIS [14] | CHASSIS is a systematic method for an information system to analyze safety and security interactively by using HAZOP guide words. | CHASSIS can easier adapt to different scenarios and environments and is more suitable for dynamic system analysis, but it depends too much on expert knowledge. | Yes |
| ANP matrix [15] | The ANP matrix method allows a combined risk assessment that considers dependencies and conflicts among attributes. This approach provides risk assessment results for different dependability attributes. | It considers the relationship between failures and threats and the impact of propagation and can reduce the number of design iterations. | Yes |
| Cyber kill chain [16] | The cyber kill chain consists of seven levels. The seven levels are reconnaissance, weaponization, delivery, utilization, installation, command and control, and target action. | This methodology is good at analyzing cyberattacks, threats, or vulnerabilities related to the automotive industry. | No |
| VeRA [17] | Vehicle risk analysis (VeRA) is suitable for assessing the risk of attacks to autonomous vehicles and connected autonomous vehicles. VeRA is the first task that considers human capabilities and vehicle automation levels when assessing safety risks. | It can reduce the time required for the risk assessment process. | No |
| NIST SP 800-30 [22] | This method is proposed in NIST SP 800-30 and can be used to identify, estimate, and prioritize various risks for security-critical targets. | Security-critical systems are considered. | No |
| Attacker-based | Threat Agent Risk Assessment [20] | The threat modeling was carried out with the support of domain experts and the project manager responsible for the Threat Agent Risk Assessment method in Intel’s Security Department. | It has clear organization, is easy to understand and operate, and is able to adapt according to the dynamic structure. | No |
| SAM [19] | SAM is a proposal to extend the attachment of EAST-ADL with the security modeling function, which is not covered by the current existing language specifications. | The SAM method clarifies the difference between security modeling and functional safety modeling. The language specification is defined for the security abstract model of the automobile system modeling environment. | Yes |
| Bayesian Stackelberg game [21] | This method is a resource-aware Bayesian Stackelberg game whose goal is to provide IDS with the best detection load distribution strategy for the set of RSUs monitored in the transportation network, while maximizing detection of multiple types driven by advanced persistent threats. | This method only needs to solve a mixed integer linear program (MILP) and does not need to solve a set of linear programs proposed by other solutions, so it can further improve the performance. | No |
| SARA [18] | SARA is a systematic threat analysis and risk assessment framework, including improved threat models, new attack methods, asset maps, attackers' participation in the attack tree, and new driving system observation indicators. | SARA provides a framework for security experts to participate in the security process. | Yes |
|
