
Cybersecurity Regulations for Automated Vehicles: A Conceptual Model Demonstrating the "Tragedy of the Commons"

Abstract

The integration of various stakeholders in the advancement of Automated Vehicles (AVs) has given rise to a range of technical, legal, and social challenges. Among these challenges, deterring cyber-criminal activities through the implementation of robust cybersecurity protocols and regulations stands out as the most urgent. Although individual stakeholders possess a solid understanding of cybersecurity regulations, there is a lack of a comprehensive decision-making tool that can dynamically visualise the macro-level implications of the AVs Cyber Regulatory Framework (CRF) among Intelligent Transportation System (ITS) stakeholders. To bridge this knowledge gap, this study employs the Causal Loop Diagram (CLD) to dynamically evaluate the progress of interdisciplinary ITS stakeholders in cyber-regulatory advancements. The CLD framework formulates the "tragedy of the commons" system archetype, wherein stakeholders prioritise their self-interests in enhancing cybersecurity, making decisions based on their specific needs without fully considering the potential consequences for others, AV adoption, and the long-term implications for CRF. The findings highlight three key leverage points for decision-makers to focus on. Firstly, establishing a CRF grounded in automakers' innovation is crucial. Secondly, sharing risks and addressing negative externalities associated with underinvestment and knowledge asymmetries in cybersecurity are essential. Lastly, capitalising on the vast amount of AV-generated data in AV operations and urban planning holds significant potential. Moreover, achieving an effective CRF requires striking a delicate balance among four factors: i) managing the limitations on data accessibility for AV automakers and ITS service providers; ii) establishing appropriate thresholds for regulatory command and control; iii) ensuring the safeguarding of automakers' business investments; and iv) protecting consumers' data privacy.
Transportation Research Procedia 82 (2025) 3729–3751
2352-1465 © 2024 The Authors. Published by ELSEVIER B.V.
This is an open access article under the CC BY-NC-ND license (https://creativecommons.org/licenses/by-nc-nd/4.0)
Peer-review under responsibility of the scientific committee of the 16th World Conference on Transport Research
10.1016/j.trpro.2024.12.019
Keywords: Transport policy; Governance; Safety Evaluation; Driverless cars; Risk assessment; Cyber risks.
* Corresponding author.
E-mail address: s3680269@student.rmit.edu.au
World Conference on Transport Research - WCTR 2023 Montreal 17-21 July 2023
Shah Khalid Khan (a,b,*), Nirajan Shiwakoti (b), Peter Stasinopoulos (b), Matthew Warren (a,c)
(a) Centre for Cyber Security Research & Innovation, RMIT University, Melbourne, Australia
(b) STEM, RMIT University, Melbourne, Australia
(c) RMIT University, Australia & University of Johannesburg, South Africa
1. Introduction
Intelligent Transportation Systems (ITS) offer advanced strategies to coordinate transportation infrastructure,
promoting improved road mobility, safety, and environmental sustainability. The key facilitator is widespread
connectivity, enabling real-time data flow, controls, and commands among stakeholders involved in ITS operations
[1]. The main driving force behind ITS advancement lies in the roll-out of Automated Vehicles (AVs). AVs operate
on a spectrum of automation stages, categorised from Level 0 to Level 5 [2]. Level 0 represents human-driven
vehicles, while Level 5 signifies fully automated vehicles.
The shift from electromechanical towards electronic and software-driven systems is fundamental to AVs. For instance,
an AV's software can be incredibly complex, with estimates reaching 100 million lines of code [1]. The projected data
deluge from AVs, a staggering 2500 gigabytes per hour from 200 sensors [3], attracts data miners who see
opportunities in areas like predictive maintenance, innovative infrastructure services, and pay-as-you-drive insurance.
By 2030, global revenue from automobile data monetisation is anticipated to reach $450 billion to $750 billion [4].
The advent of digital transformation, accompanied by the integration of various stakeholders in AV operations, has
given rise to technological, legal, and social complexities. The foremost obstacle lies in effectively addressing criminal
activities in both digital and physical domains. This requires the implementation of robust cybersecurity standards for
AVs and, more significantly, the creation of a Cyber Regulatory Framework (CRF) to guarantee thorough
compliance with these standards.
Existing legal frameworks are inadequate when faced with the disruptive nature of AV technology. Ambiguity
surrounds the issue of product liability, particularly in cases involving AVs at Levels 4-5 (on-vehicle computer
control) and their involvement in accidents or malfunctions. It remains unclear who should be held accountable for
liability claims arising from such incidents. Should the responsibility lie with the automakers, the consumers for failing
to comply with on-vehicle computer instructions, or the ITS service providers for not ensuring robust connectivity?
Similarly, the emergence of AVs also challenges the traditional model of mandatory third-party insurance. A shift
towards a product liability model might be necessary to address potential accident scenarios. However, insurance
companies express scepticism, primarily due to the potential complexities arising from mixed traffic scenarios
involving both conventional vehicles and AVs [5]. Furthermore, the thorough surveillance conducted by AV sensors
(Radars, Lidars and Cameras) raises concerns about privacy infringement for nearby individuals and bystanders.
Observing body movements and biosignals (non-verbal communication) can enable the identification of individuals
[6]. Notably, there is currently a lack of a formal consent process or legal framework for collecting and sharing such
bystander data.
1.1. Scope, Objective, and study's contribution
The regulation of AVs has emerged as a critical area of focus for academic research and the automotive industry.
However, there is a lack of studies considering the dynamic interactions and feedback effects among the various
components of ITS. These studies fail to provide an integrated and comprehensive conception of the crucial role that
ITS stakeholders play in formulating the CRF for AVs. It is important to note that the CRF may have unexpected
outcomes and potentially have negative ethical implications for AV users' privacy. Additionally, it may have legal
ramifications under data protection and privacy laws [7]. For example, the use of Personally Identifiable Information
(PII) by automakers and ITS infrastructure is a major source of concern for AV users [8].
Furthermore, ensuring the protection of the intellectual property of AV automakers within data flows is of utmost
importance. Beyond privacy concerns, several other data-related issues demand clarification. These include
determining the storage location and duration of AV data, defining appropriate access privileges, and addressing the
ownership and control of consumer data after the vehicle is sold. Several critical questions remain regarding AV data:
its security against cyberattacks, its admissibility in court, and the lack of clear regulations from government and
service providers on its utilisation for road safety and ITS development.
To summarise, the AVs-CRF is distinguished by its history-dependent, adaptive, counter-intuitive, and policy-
resistant characteristics, which result in dynamically complex behaviour [9]. The evolving nature of cyber-attacks
necessitates a dynamic approach to AVs-CRF formulation for securing AVs-operation in a shared digital environment
[7]. Although individual ITS stakeholders possess a solid comprehension of cybersecurity protocols, there is a lack of
a comprehensive decision-making tool that can dynamically visualise the macro-level implications of the AVs-CRF
among ITS stakeholders.
To bridge this knowledge gap, this work provides the scope of AV-based ITS stakeholders in the context of the
regulatory regime. It conducts a dynamic analysis of how these stakeholders' potential regulations may affect the long-term
AVs-CRF. The work contributes to the AV literature by developing an AV cybersecurity conceptual model and
scenario analysis tool for the long-term impact of CRF on AV adoption. This approach will prevent regulatory overlap,
emphasise the crucial factors that facilitate or hinder the adoption of AVs in response to possible regulatory
modifications, and demonstrate the unintended or negative consequences that different ITS stakeholders may have on
the CRF.
This research uses a Causal Loop Diagram (CLD) to examine how advancements in cybersecurity regulations for ITS
affect different stakeholders. The CLD highlights a potential issue where stakeholders prioritise their cybersecurity
needs, potentially hindering the broader adoption of AVs and the development of a robust AV-CRF in the long run.
By identifying these underlying dynamics, the CLD helps us understand how to best design effective regulations for
AV cybersecurity.
2. Background: AVs-CRF is a complicated, dynamic endeavour
Regulations have historically been pivotal in ensuring safe and efficient transportation. For example, initially
considered a novelty, seatbelts have become a universal and life-saving feature in every vehicle. Similarly, airbags,
antilock brakes, and emission standards, all government mandates, have significantly improved vehicle safety
and environmental impact [10]. The advent of digital transformation in transportation, with various stakeholders
involved in AV operations, necessitates a robust CRF. These frameworks could safeguard AV operation activities in
both the physical and digital domains while protecting business interests and prioritising consumer privacy.
Cybersecurity regulation can be viewed as a set of goals aimed at ensuring cyber-safe operations within ITS and the
procedures necessary to achieve cybersecurity compliance [1]. Essentially, the key factor influencing the need for
infrastructure transformation in ITS is the content of regulations made at both national and international levels. These
regulations determine how AVs will be integrated and the extent of vehicle autonomy permitted [11]. As AV
intelligence advances, the legal landscape becomes more complex and dynamic.
CRFs can be crucial in shaping AVs' innovation process and implementation. Well-defined regulations can create a
safe and predictable environment for AV development by mitigating security concerns and fostering investment [12].
Standardising communication protocols and data formats through regulations can promote interoperability and
broader technology adoption. These frameworks establish a roadmap for automakers and tech companies, outlining
manufacturer responsibilities, setting high safety benchmarks, defining ethical principles for onboard decision-making
systems, and addressing potential liability issues in case of accidents. Moreover, governments can use CRFs to
incentivise research and development in areas critical for AVs, such as cybersecurity and ethical considerations.
However, overly restrictive regulations can hinder innovation by limiting the development and implementation of AV
technology [13].
Therefore, AVs-CRF is a complicated, dynamic endeavour involving various stakeholders. As Figure 1 shows,
stakeholders like infrastructure providers, automakers, policymakers, and the public all have roles in AV operations
[7, 14]. Let's take Victoria, Australia, as an example. Here, the Department of Transport sets regulations, while
companies like Telstra (connectivity service provider) and Lexus-Australia (automaker) collaborate on trials (e.g.,
ACV2) that explore the safety benefits of V2X technology [15]. These trials help inform future policy decisions by
Transport Safety Victoria, a government agency. Data from databases like VISTA/Data VIC also helps strategically
develop the transportation network. The Victorian Managed Insurance Authority manages insurance and risk
for AVs. Finally, the ultimate beneficiaries, or affecters, are consumers and the general public. At the moment, there
is a disconnect between stakeholders [16]. For example, it may become unclear to AV developers whether current
legal frameworks apply to developing or rolling out a new product (AV). At the same time, regulators may be unsure
when an emerging technology warrants normative reform. An integrated dynamic approach to CRF development is
critical to reducing such uncertainty.
Figure 1. Stakeholders in AV-based Intelligent Transportation System.
3. Methodology
Determining and establishing a robust AVs-CRF is a significant challenge. Addressing this entails numerous
interlinked aspects of diverse nature, in the absence of empirical data. Developing future insights amid such uncertainty is an
alternate strategy. In this study, we have chosen to utilise a Causal Loop Diagram (CLD) to evaluate the cybersecurity
of self-driving cars at SAE Level 4 or higher, following a functional pathway defined by SAE-International [2]. The
variables and their correlation in the CLD rely on established innovation theory and a meta-investigative quantitative
review of literature post-2010, sourced from a range of places, including academic databases, books, PhD theses, and
reliable business surveys, bolstered by forward and backward snowballing [17]. This resulted in identifying key AV-based
ITS stakeholders (automakers, consumers and ITS infrastructure service providers).
The researchers' prior contributions to cyber breaches against AVs [1], cybersecurity evaluation frameworks for AVs
[7, 18], and empirical examination of perceived cyber barriers to CAV roll-out [19-25] enabled the reconstruction of the
interrelations of various cybersecurity factors and served as the foundation for the present study. Other essential
elements, such as trust within the AV supply chain, are outside the scope of this paper. The selection is primarily
motivated by the requirement for a restricted boundary for assessing a limited number of variables and the non-geographic
nature of the system dynamics (SD) model; however, these aspects warrant further study.
3.1. The rationale for using Causal Loop Diagram
AV technology is evolving, enabling dynamic complexities. First, the various components that facilitate AVs-CRF
protection are interlinked, interdependent, feedback-driven, and non-linear; a change in a single parameter triggers
cascading effects, leading to a new scenario that affects subsequent decisions. Second, AV-CRF is a chain; the other
links in the chain determine the strength of each link. The robustness of technological components, human threats,
and consumer cyber-behaviour are just a few of the links in the chain that make up AVs cybersecurity [7]. "Nested
complexity" exists when a well-organised governing system (ITS) and regulatory framework (regulators) manage a
physical system (AV) that is confronted with contemporary challenges.
Dynamic facets of AVs cybersecurity could be investigated by Agent-Based Modelling, simulation-based models
[26], queueing theory, risk assessment, and threat analysis [27], or security domain STRIDE approaches [28].
However, unidirectional models are incapable of comprehending illogical and paradoxical behaviour, and applying
these methods to large and complex systems is challenging. They are deficient in inter-avenue feedback and design
scenarios, especially when data is scarce.
Therefore, system thinking provides a valuable framework for comprehending and understanding challenges when
managing AVs cybersecurity dynamically at the system level (including numerous ITS stakeholders) and formulating
CRF. By emphasising both the behaviour of systems and the feedback processes that underpin such behaviours, CLD
is a highly effective technique derived from system theory to consider emergent long-term behaviours and indirect
consequences and has become a widely applicable school of systems [29]. SD approaches have been employed
to analyse and assess diverse complex systems, including those relating to the security of information [26];
cybersecurity [30]; highway congestion [31]; innovation implementation [32]; urban growth and decline trends [33];
and CAVs adoption [9, 34, 35].
4. Development of the Causal Loop Diagram
The two key terms in system dynamics are "system" and "system change" [29]. The system is a functional whole made
up of a number of components that work together to perform functions that are not obvious from the functioning of
the individual component actors [36]. The AV-based ITS system requires the collaboration of multiple stakeholders
(automakers, communication service providers, and consumers). For example, the AV operation is unattainable
without interactive coordination with ITS communication service providers.
CLDs use simple building blocks: nodes and edges. Nodes represent the key factors in a system, while edges show
how these factors influence each other. These influences can be positive (both factors move in the same direction) or
negative (one factor increases as the other decreases). CLDs are particularly useful for identifying two key types of
feedback loops: reinforcing and balancing. Reinforcing loops amplify changes, where an increase in one factor leads
to changes that cause a further increase in the first factor. Balancing loops, on the other hand, act like thermostats,
where an increase in one factor triggers changes that ultimately push it back down. The loops come together to form
a system archetype that is based on heuristics and describes situations that arise as a result of recurring mechanisms
but are applicable to a wide range of domains and industries [37]. Archetypes have several applications, including
serving as templates for new structural patterns, stimulating new theories, and aiding in behaviour prediction [38].
The arrow with two small lines indicates the presence of a delay in the CLD.
Figure 2 depicts a conceptual CLD that highlights the three key stakeholders influencing the AV-CRF: Automakers
(S1), ITS infrastructure service providers (S2), and Consumers/Public (S3). These stakeholders interact through
various feedback loops that influence the development of the CRF. The relationships between these stakeholders
(independent variables) and their impact on the CRF (dependent variable) are described in detail in the following
subsections and summarised in Table 1. The direction of the influence can be positive (reinforcing) or negative
(inhibiting). For example, S1's cyber-readiness (independent variable) has a positive causal relationship with S1's
cyber-regulatory advancement (dependent variable). This means that as S1's cyber-readiness increases, its ability to
influence the development of the CRF in a cyber-secure direction also increases (both nodes move in the same
direction). The uncertainty rating in Table 1 is derived from a synthesis of available literature and logical conjecture
due to the lack of empirical evidence.
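The loop-polarity rule described in this section can be checked mechanically. The sketch below is an added example, not the authors' model or Figure 2: it is a constructed signed graph in which only the positive readiness-to-advancement link and the long-term dampening effect of CRF expansion (Section 4.5) come from the paper's text. The node name `CRF expansion`, the remaining links and the placement of the delay are assumptions.

```python
"""Classify feedback loops in a small causal loop diagram (CLD).

Constructed illustration: the node names and most links are assumptions
made for this example, not the variables of the paper's Figure 2 or Table 1.
"""

STAKEHOLDERS = ("S1", "S2", "S3")   # automakers, ITS providers, consumers
SHARED = "CRF expansion"            # hypothetical name for the shared node


def build_edges():
    """Return {(cause, effect): (polarity, delayed)} for the toy CLD."""
    edges = {}
    for s in STAKEHOLDERS:
        ready = f"{s} cyber-readiness"
        adv = f"{s} regulatory advancement"
        edges[(ready, adv)] = (+1, False)   # stated in the text for S1
        edges[(adv, ready)] = (+1, False)   # assumption: gains are reinvested
        edges[(adv, SHARED)] = (+1, False)  # assumption: each actor adds rules
        edges[(SHARED, adv)] = (-1, True)   # long-term dampening, with delay
    return edges


def simple_cycles(edges):
    """Enumerate each directed simple cycle once, rooted at its smallest node."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    rank = {node: i for i, node in enumerate(sorted(graph))}
    found = []

    def walk(start, node, path):
        for nxt in graph[node]:
            if nxt == start:
                found.append(path)
            elif nxt not in path and rank[nxt] > rank[start]:
                walk(start, nxt, path + [nxt])

    for start in sorted(graph):
        walk(start, start, [start])
    return found


def classify(cycle, edges):
    """Even number of negative links -> reinforcing; odd -> balancing."""
    hops = list(zip(cycle, cycle[1:] + cycle[:1]))
    negatives = sum(1 for hop in hops if edges[hop][0] < 0)
    kind = "balancing" if negatives % 2 else "reinforcing"
    delayed = any(edges[hop][1] for hop in hops)
    return kind, delayed


def analyse(edges):
    """Return (cycle, kind, delayed) for every feedback loop in the graph."""
    return [(cycle, *classify(cycle, edges)) for cycle in simple_cycles(edges)]


def is_tragedy_of_commons(edges, shared=SHARED, actors=STAKEHOLDERS):
    """True if every actor has a private reinforcing loop and a delayed
    balancing loop that passes through the shared node."""
    loops = analyse(edges)
    for actor in actors:
        own = [l for l in loops if any(n.startswith(actor) for n in l[0])]
        private_r = any(k == "reinforcing" and shared not in c for c, k, _ in own)
        shared_b = any(k == "balancing" and d and shared in c for c, k, d in own)
        if not (private_r and shared_b):
            return False
    return True


if __name__ == "__main__":
    model = build_edges()
    for cycle, kind, delayed in analyse(model):
        print(f"{kind:11} delay={delayed!s:5} {' -> '.join(cycle)}")
    print("tragedy-of-the-commons signature:", is_tragedy_of_commons(model))
```

Removing the delayed negative link for any one stakeholder leaves that stakeholder with only a reinforcing loop, and the archetype check then fails.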
4.1. AV cyber regulatory advancement
Different facets of the CRF can enable regulatory advancements [39]. Data protection regulations, for instance, ensure
the safe handling of personal and vehicle data, which can address privacy risks and foster trust among consumers,
ultimately encouraging broader adoption of AVs [40], subsequently establishing a regulatory environment that
incentivises responsible development within the automaker industry. Similarly, cybersecurity standards for ITS
infrastructure service providers are another crucial aspect of the CRF [41]. These standards promote advancements in
secure communication protocols and data encryption methods, leading to a more secure and trustworthy AV
ecosystem. Additionally, compliance requirements for automated driving systems ensure AVs' safe and ethical
operation, fostering long-term public and regulatory trust. Well-defined compliance requirements provide a clear
understanding of AVs' expected performance and safety standards, facilitating the development and deployment of
reliable and trustworthy automated vehicles. A robust CRF encourages innovation within the AV industry, as
manufacturers confident in their security measures are more likely to develop new features and capabilities.
Nonetheless, prioritising automotive cybersecurity and boosting the cyber resilience of infrastructure providers and
the general public can significantly accelerate progress towards a revitalised regulatory landscape [42].
Figure 2. The system architecture of the Causal Loop Diagram.
4.2. Stakeholder 1 (S1): Automaker's cyber readiness
Theoretical Characterisation: The increasingly complex software and interconnected nature of AVs have created a
fertile ground for new vendors to enter the AV supply chain, catering to the specialised needs of this rapidly evolving
market [1]. These vendors primarily offer design and engineering services, adding another layer of complexity to
AVs cybersecurity. Therefore, developing industrial safety authorisation standards holds great potential for enhancing
the cybersecurity of AVs [43]. Additionally, there is a need for regulations in the AV automotive service sector,
covering aspects such as crash repairs and regular maintenance. Furthermore, personnel within the OEM industry
should strive for higher standards in AV cybersecurity.
Promoting automotive cyber-readiness impacts both automakers' regulatory landscape and the overall security of AVs.
Automakers may help establish industry-wide standards by focusing on cyber-readiness, ensuring consistent and
comprehensive cybersecurity measures, such as BSI [44] and ISO/SAE 21434:2021 [45] or ANCAP ratings. Cyber-
readiness ensures compliance with existing and emerging regulations, helping to avoid legal penalties and maintain
operational licenses. Additionally, it ensures the secure management of the vast amounts of data generated by AVs,
safeguarding it from unauthorised access and tampering. Furthermore, cyber-readiness fosters innovation within the
AV industry, as manufacturers confident in their security measures are more likely to develop new features and
capabilities. This leads to advancements in AV technology and broader adoption. Ultimately, promoting automotive
cyber-readiness creates a safer, more secure environment for automakers, benefiting consumers, manufacturers, and
regulatory bodies alike and fostering AVs' cyber-readiness [46], as outlined in Table 1.
4.3. Stakeholder 2 (S2): ITS infrastructure service providers' cyber readiness
Theoretical Characterisation: Because the ITS infrastructure plays a pivotal role in managing AVs, robust security
measures are crucial to shield it from potential cyberattacks. Therefore, it is imperative to implement robust
cybersecurity measures and establish relevant laws to mitigate these risks. The overarching goal is to establish a secure
connection and maintain adequate Quality of Service (QoS) standards to ensure AVs' smooth and optimal functioning
[47].
The latest update to ISO 26262 expands its scope to encompass not just cars but also trucks, buses, trailers, semitrailers,
and motorcycles. This revision boasts a richer vocabulary, clearer objectives, and guidance on managing safety issues
that may arise. It also incorporates cybersecurity considerations, reflects advancements in hardware architecture, and
outlines procedures for evaluating hardware components [48]. While there are established standards for these
technologies, the critical research requirement is ensuring policy readiness to facilitate the utilisation and testing of
AV functionalities. The focus is on developing the necessary policies and protocols to effectively deploy and evaluate
AV capabilities.
Network Operator Centre (NOC) readiness: The data generated by AVs presents various inherent challenges [43],
encompassing aspects such as intellectual property, import and export regulations, cross-border data transfer, privacy,
and security. Hence, the development of a centralised NOC and its policy preparedness are crucial. The NOC will
manage AV data flow, define retention periods, and control access for authorised entities while ensuring data security
through vendor oversight, consumer protection measures, and data anonymisation practices, all with regulations
governing encryption, security audits, and third-party involvement. The NOC will also oversee communication
performance against key metrics (KPIs) to ensure robust data exchange. While existing data security standards (like
those from the British Standards Institute or Australia's Privacy Principles) and high-level policies (like Australia's
Cyber Security Strategy) [49] provide a foundation, principle-based laws are needed for AVs and the NOC. These
regulations will establish protocols for reporting cyberattacks, disclosing potential threats (like malware or network
weaknesses), and ensuring data security.
The successful operation of AVs relies heavily on the security of the underlying ITS infrastructure [1]. AVs are
vulnerable to sophisticated cyber-attacks that compromise their sensors, communication systems, and decision-
making processes [50, 51]. ITS infrastructure, potentially managed by service providers, encompasses communication
networks, data centres, and other critical systems that facilitate data exchange and control between AVs and the
environment. Enhancing the cyber-readiness of ITS infrastructure service providers would pave the way for
revitalising the regulatory landscape and ultimately result in enhanced AV cyber-readiness [52]. Infrastructure
improvements, particularly in connectivity, ensure a more secure and reliable operational environment for AVs,
fostering innovation and public trust in the technology [20]. Consequently, enhancing the cyber-readiness of ITS
infrastructure service providers would pave the way for revitalising the regulatory landscape and eventually result in
enhanced AV cyber-readiness, as outlined in Table 1.
4.4. Stakeholder 3 (S3): Consumers and public cyber readiness
Theoretical Characterisation: Consumer protection policies play a crucial role in ensuring the successful adoption
of AVs by fostering consumer confidence and mitigating potential risks associated with cyber breaches. A clear
delineation of legal rights and responsibilities is essential for AV customers. The objectives of AV consumer policies
encompass managing consumer information, educating consumers about AV cybersecurity, and facilitating AV
simulation-based and real-world test-ride events. The potential impact of new regulations aimed at safeguarding AV
cybersecurity, including the regulation of automated driving, privacy considerations, especially regarding PII, and
legal obligations for "consumers" or owners of automated cars, must be carefully examined [53].
As public understanding of AVs and cybersecurity knowledge increases, the perception of cyber threats as a barrier
to adoption becomes more significant [19]. A recent study by Khan et al. [21] assessed consumer perceptions,
revealing that a significant portion (80%) believes cybersecurity regulations are crucial for AVs. This view likely
stems from the perception (shared by 67%) that such regulations would enhance overall AV safety. Similarly, digital
labels for AVs could empower users with clear information about their vehicle's security level, fostering trust and
informed decision-making [54]. Additionally, increased public transparency sheds light on the real-world implications
of cybersecurity vulnerabilities, enabling regulators to tailor regulations that address those specific concerns. By
understanding their role in maintaining AV cybersecurity, consumers can actively contribute to a safer environment
for everyone. For instance, by recognising and reporting suspicious activity related to AVs, the public provides
valuable data for regulators and researchers. A more informed public pushes for stricter regulations, fostering a more
secure AV ecosystem. This ultimately benefits the overall AV cyber regulatory framework, leading to a future where
AVs can operate safely and reliably, as outlined in Table 1. Nevertheless, AVs collect a wide range of user data,
including biometrics and inferred states, raising privacy, security, and safety concerns. Regulations should address
consumer data rights, cybersecurity responsibilities, insurance, ethical behaviour, licensing, and road user behaviour
for both AVs and conventional vehicles.
4.5. Common Resource: AVs Adopters
The widespread adoption of AVs is vital to advancing ITS and reinforcing cybersecurity. Regarding the adoption
process, the Bass Diffusion Model (BDM) provides a comprehensive explanation for the penetration of AVs,
encompassing both imitation and innovation-based adoption. Two essential parameters of BDM are: i) the
effectiveness of persuading potential adopters, known as the coefficient of innovation, and ii) the product's
attractiveness [29, 55]. Therefore, AV adopters are a common resource in formulating CRF. As AVs become more
prevalent, regulations and policies will need to adapt. This widespread adoption offers opportunities to understand
human behavior and build trust with consumers [54]. However, increased connectivity and tracking raise cybersecurity
concerns as criminals exploit new vulnerabilities.
A constrained "regulated wisdom," i.e., an optimal trade-off between stringent cybersecurity algorithms, consumer
privacy protection, and automaker intellectual property protection, can enhance AV adaptation in the long term.
Simultaneously, AVs are the shared resource, allowing each stakeholder to frame their cybersecurity gains within the
AV-CRF. Furthermore, the long-term expansion of AVs' cyber regulatory framework will diminish the comparative
growth of cyber-regulatory advancement and stakeholders, as stated in Table 1.
Table 1: Factors influencing CRF in the Causal Loop diagram.

| Independent Variable | Dependent Variable | Uncertainty | Polarity |
|---|---|---|---|
| S1/S2/S3 cyber-readiness | S1/S2/S3 cyber-regulatory advancement | High | + |
| S1/S2/S3 cyber-regulatory advancement | S1/S2/S3 cyber-readiness | High | + |
| S1/S2/S3 cyber-regulatory advancement | AVs-cyber regulatory framework | High | + |
| AVs-cyber regulatory framework | AVs cyber-regulatory advancement/stakeholder | High | - |
| AVs cyber-regulatory advancement/stakeholder | S1/S2/S3 cyber-regulatory advancement | High | + |

The concept of "readiness" in AV cybersecurity signifies a stakeholder's preparedness to address cyber threats
effectively [39, 56]. This preparedness is multifaceted and encompasses several key aspects: technical capabilities
(having the necessary tools to detect and respond to attacks), human resources (a skilled workforce to manage
cybersecurity risks), organisational processes (well-defined policies and incident response plans), and a strong
cybersecurity culture (awareness, vigilance, and continuous improvement). Achieving "readiness" is an ongoing
process that requires a multifaceted approach from different stakeholder groups.
Stakeholder groups can work towards readiness through specific strategies. Automakers (S1), for instance, can achieve
this by conducting regular risk assessments, integrating "security by design" principles throughout the entire AV
development life-cycle, managing cybersecurity risks within their supply chain, and establishing vulnerability
management programs to identify and address weaknesses in AV software and hardware [57]. Similarly, ITS
Infrastructure Providers (S2) can focus on security assessments of their infrastructure, implementing secure
communication protocols to protect data transmission, developing incident response plans, and collaborating with
other stakeholders to share best practices and establish industry-wide security standards. For consumers and the public
(S3), education campaigns promoting cybersecurity awareness and best practices are crucial. Transparency from
automakers and ITS providers regarding potential vulnerabilities and clear communication channels for reporting
suspicious activity is also essential.
5. Model Qualitative Analysis: Loops and System Archetype.
CLDs are a powerful tool for visualising complex systems, helping us understand how the regulations of different
stakeholders are interconnected in the realm of AV cybersecurity. Reinforcing loops #1, 2, and 3 generated from
CLD (Figure 2) and depicted in Figure 3 demonstrate how stakeholders #1, 2, and 3 benefit from cyber-readiness
and increase their cyber-regulatory progress. The activity (readiness) of stakeholder #1 (S1) interacts with the
resources available, contributing to S1's results: advancements in cyber-regulation. S1's outcomes stimulate greater
S1 activity. S2 and S3 activities follow the same pattern; the more resources spent, the better the outcomes. This
pushes each stakeholder to devote more resources to their particular benefit and make choices based on their unique
interests. The process shown by balancing loops #1, #2, and #3 demonstrates that, as the AVs-CRF increases, the gain
per stakeholder will subsequently decline, as illustrated in Figure 3. This decline would result in a decline in each
stakeholder's regulatory progress and overall readiness.
Figure 3: Feedback loops in CLD (panels: Reinforcing loops #1, #2 and #3; Balancing loops #1, #2 and #3).
Holistic view: "Tragedy of the Commons" system archetype
CLDs are like visual maps that use simple diagrams to show how a complex system works. They help us identify the
most important factors and how they influence each other. These influences can create two main types of cycles:
reinforcing loops (where changes snowball) and balancing loops (where changes counteract each other) [58]. These
cycles are like recurring patterns found in many different situations, called archetypes [37]. By understanding these
archetypes, we can gain valuable insights into how the system might behave and its challenges [38]. Figure 4 shows
an example of an archetype called the "Tragedy of the Commons." This archetype highlights how solutions can
sometimes have unintended consequences, requiring further adjustments [59]. By analysing these archetypes, CLDs
can help us see the underlying dynamics of a system and inform the development of effective policies.
This archetype's setup is based on the combined mechanisms of reinforcing loops (R# 1, 2, and 3) and balancing loops
(B #1, 2, and 3). Individual entities seek to maximise their share performance to improve their readiness. In reaction
to a decrease in individual gains, the notion is that increased efforts would compensate for the falling rewards. This
method seems to be profitable in the short term. This arrangement is worse because whoever finds it out first, S1, S2,
or S3, wins since they exhaust all the resources before the others. This arrangement is known as "all for one and none
for all." This is because the leverage for generating a solution does not reside with individual actors [60].
Figure 4: Holistic view - "Tragedy of the Commons" system archetype.
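The interplay of the reinforcing and balancing loops can be made concrete with a small simulation. This is an added example, not part of the paper, whose model is qualitative: the equations, the parameter values and the names `Stakeholder`, `simulate`, `summarize` and `escalation_scenario` are assumptions chosen only to respect the link polarities in Table 1.

```python
"""Toy simulation of the "tragedy of the commons" loops (R1-R3, B1-B3).

Added illustration only: the paper's causal loop diagram is qualitative, so
every equation and parameter value below is an assumption chosen to respect
the link polarities listed in the paper's Table 1.
"""
from dataclasses import dataclass


@dataclass
class Stakeholder:
    name: str          # "S1" automakers, "S2" ITS providers, "S3" consumers/public
    readiness: float   # cyber-readiness stock (arbitrary units, assumed)
    reinvest: float    # share of each period's advancement fed back into readiness


def simulate(stakeholders, capacity=100.0, base_gain=1.0, steps=200):
    """Iterate the loops and return one record per step.

    capacity  -- size of the common resource (AV adopters), assumed finite
    base_gain -- advancement per unit of readiness while the commons is untouched
    """
    start = sum(s.readiness for s in stakeholders)
    if not 0.0 < start < capacity:
        raise ValueError("initial readiness must be positive and below capacity")
    for s in stakeholders:
        # reinvest * base_gain <= 1 keeps the discrete update from overshooting
        # the capacity in a single step.
        if s.readiness < 0 or not 0.0 <= s.reinvest * base_gain <= 1.0:
            raise ValueError(f"{s.name}: need readiness >= 0 and "
                             "0 <= reinvest * base_gain <= 1")

    readiness = {s.name: s.readiness for s in stakeholders}
    rate = {s.name: s.reinvest for s in stakeholders}
    history = []
    for step in range(steps):
        # Advancement -> AVs-CRF (+): the framework aggregates every stakeholder.
        crf = sum(readiness.values())
        # AVs-CRF -> advancement per stakeholder (-): balancing loops B1-B3.
        gain_per_unit = max(0.0, base_gain * (1.0 - crf / capacity))
        # Readiness -> advancement (+).
        advancement = {n: r * gain_per_unit for n, r in readiness.items()}
        history.append({
            "step": step,
            "crf": crf,
            "gain_per_unit": gain_per_unit,
            "advancement": advancement,
            "share": {n: r / crf for n, r in readiness.items()},
        })
        # Advancement -> readiness (+): reinforcing loops R1-R3.
        for n in readiness:
            readiness[n] += rate[n] * advancement[n]
    return history


def summarize(history):
    """Condense a run into the quantities the archetype is about."""
    first, last = history[0], history[-1]
    return {
        "gain_drop": 1.0 - last["gain_per_unit"] / first["gain_per_unit"],
        "final_share": last["share"],
        "final_crf": last["crf"],
    }


def escalation_scenario():
    """Constructed input: S1 escalates its effort harder than S2 and S3."""
    return [
        Stakeholder("S1", readiness=1.0, reinvest=0.5),
        Stakeholder("S2", readiness=1.0, reinvest=0.2),
        Stakeholder("S3", readiness=1.0, reinvest=0.2),
    ]


if __name__ == "__main__":
    result = summarize(simulate(escalation_scenario()))
    print(f"gain per unit of readiness fell by {result['gain_drop']:.1%}")
    for name, share in result["final_share"].items():
        print(f"{name} holds {share:.1%} of the framework at saturation")
```

In the constructed run, the stakeholder that escalates fastest ends with the largest share while the gain per unit of readiness collapses for everyone, which is the pattern the archetype describes.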
6. Discussion
6.1. Implications
Developing a strong CRF for AVs presents a golden opportunity. It can bridge the gap between the latest cybersecurity
research and real-world practices, safeguarding AVs from new cyber threats. However, regulating this rapidly
evolving technology is challenging. There is a mismatch between the speed of innovation and the ability to create
appropriate regulations due to the technical expertise needed. Policy resistance is the potential for an action to be
overcome by the system's (ITS) reaction to the intervention (AV deployment) [29]. This study dynamically assesses
AV stakeholders' cyber-regulatory progress versus readiness and the long-term effect on AVs-CRF. AV stakeholders
include OEMs, technology partners, communication and cloud service providers, regulators and policymakers, road
and infrastructure authorities, and end-users. We have synthesised the CRF as a fundamental attribute of the entire
ITS.
Tragedy of the commons, a concept introduced by Garrett Hardin in 1968, describes how individual self-interest can
lead to the depletion of shared resources [61]. It demonstrated the absence of overall oversight or management
responsibility for a common resource (AV adopters) by a single governing authority. This phenomenon extends to
urban road settings, where it manifests in traffic congestion and air pollution [62]. According to a Harvard School of
Public Health study, urban air pollution triggers about 2,200 premature casualties a year in the United States [63];
more people utilising roads and highways to get to work causes traffic congestion and air pollution. In
cities, the Tragedy unfolds during periods of "regulatory slippage," when government oversight declines, leaving
resources vulnerable to overuse and degradation [64]. Traditional solutions often follow a public-private dichotomy,
but collective action by user groups has emerged as an alternative approach. This has led to a shift in the government's
role from centralised management to an "enabling" one, supporting private actors in managing collective resources.
However, this approach raises normative concerns that require further attention from policymakers. Moreover, the
advent of autonomous vehicles may exacerbate this issue, potentially increasing congestion due to unoccupied
vehicles and selfish routing [65].
Stakeholder self-interest is a significant factor in AV-CRF. Developers and automakers, driven by competition,
intellectual property protection, and consumer trust, invest in cybersecurity to safeguard their reputation and products.
However, the intense competition can incentivise them to prioritise short-term cost reduction and faster time-to-market
strategies, potentially neglecting cybersecurity aspects [66]. Similarly, ITS infrastructure service providers act in their
self-interest by ensuring the security and reliability of their services. Their focus on maintaining operational integrity,
complying with industry standards, and avoiding legal liabilities aligns with their interests.
For regulators, the concept of self-interest is more nuanced. While public safety is their primary concern, their
decisions can also be influenced by factors like career advancement, the regulatory environment, and their own
cognitive biases [67, 68]. Additionally, political pressures, industry lobbying, and resource limitations can further
impact their actions, potentially leading them to prioritise politically expedient or resource-efficient measures over
comprehensive, long-term cybersecurity solutions.
The need for ITS stakeholders to comprehend the Tragedy of the commons may result in more sustainable decisions
regarding cybersecurity regulations [69, 70]. The communication infrastructure for AVs is still developing, and
addressing the inherent technological risks in CAV technology requires dynamic cybersecurity assessments for each
component of the AVs road infrastructure, both physical and digital. Digital road-side infrastructure will support V2X
and V2C communication, facilitated by numerous sensors, including in-roadway sensors, roadside units for wireless
communication technologies like DSRC and VANET, and the installation of fiber optic cables at roads and major
intersections. Additionally, securing traffic signs and road markings is crucial to prevent sensor manipulation,
spoofing of traffic signs, and the projection of phantom machine-readable traffic signs [71-73].
The data transparency of consumers' personally identifiable information in the operation of AVs would positively
impact users. However, vendors may be reluctant to implement this due to the potential disclosure of intellectual
property rights. Hence, it is imperative to implement suitable legislative and policy measures that foster a shared
agreement among regulators, AV OEMs, ITS service providers, and AV users. These measures aim to balance
safeguarding privacy and ensuring data availability for AV service providers. It is essential to avoid approaches within
the AVs-CRF that may hinder the freedom of AV users, investors, and automakers. Therefore, identifying strategies
to avoid potential pitfalls becomes crucial [74].
Similarly, public awareness and preparedness in cyber security play a crucial role in strengthening the regulatory
framework for AVs. A cybersecurity-prepared public can significantly improve incident reporting and transparency
[46, 75]. This public pressure can be a powerful driver for policy changes, pushing regulators to prioritise AV
cybersecurity and enact more robust standards. The cybersecurity and privacy risks embedded in CAVs require
inter-institutional cooperation [76]. The literature underscores the necessity for collaboration among technology providers,
manufacturers, and public agencies to ensure safe AV integration while also highlighting the importance of public
awareness and perception in shaping regulatory frameworks and acceptance of AVs [20, 75].
Given the inherent uncertainty and technological risk associated with CAV technology, assessing the inherent and
potential technical risks associated with AV adoption is critical. This can be demonstrated in Figure 5: Quality of
Service vs. security provisions for AVs wireless technologies in terms of speed, latency, vulnerabilities, and security
performance evaluation metrics [77]. As V2X technology integrates with next-generation 5G and even 6G networks
[78, 79], new security and privacy challenges will emerge, necessitating a proactive security assessment. In a classic
"arms versus armour" technology race, Artificial Intelligence likely enables attacks to progress as rapidly as
AI-enabled defences. The increasing sophistication and resources available to hackers mean that the definition of adequate
or effective CRF for many organisations is constantly evolving [80].
Figure 5. V2X communication (Source: The authors' synthesis).
The government's critical role in AVs-CRF
The government has a critical role in shaping the future of AV technology, particularly through the CRF [46]. Firstly,
clear and comprehensive safety standards are needed for AVs. These standards should encompass both technical
performance, such as system reliability and redundancy, and ethical considerations, i.e., how AVs handle unexpected
situations or moral dilemmas [39]. Secondly, robust data privacy regulations are crucial [81], which could protect user
information collected by AVs, ensure responsible data handling practices, and foster transparency with the public.
Similarly, investing in ITS infrastructure upgrades is another key area. This should be done in collaboration with the
private sector to support seamless AV integration [81]. Infrastructure upgrades could include smart roadways,
communication networks, and standardised data formats. Finally, government incentives for research and
development can accelerate innovation and commercialisation of AV technology while encouraging responsible
development practices within the industry. While these actions present significant opportunities, the government also
faces challenges. Balancing the need for innovation with ensuring public safety remains paramount [82]. Keeping
pace with rapid technological advancements and developing adaptable regulations that can evolve alongside the
technology will be crucial.
The feedback loops and system archetypes in Figures 3 and 4 need total supervision or administration by a single
governing body. AV deployment has far-reaching implications; it may have a favourable, adverse, or unknown effect
on a number of industrial players, society, and, eventually, governments. Multiple countries with disparate legal
systems also impede the development of AVs-CRF. The legislative framework and government institutions all
contribute to creating an environment conducive to innovation by non-governmental entities. Khan, et al. [7]
introduced a conceptual model for assessing the cybersecurity of AVs and identified a "shifting the burden" system
archetype (underlying mechanisms across different application areas, with accompanying difficulties and
possibilities). "Shifting the burden," in which governments address perceived cyber vulnerabilities from hackers by
updating laws that also lower AV adaptability by imitation, demonstrates the need for careful regulatory and policy
responses. A standardised set of AVs-CRF developed in collaboration with the country's pioneers in AV deployment
will benefit both automakers and consumers. Communication in AVs, especially edge networks, requires specific
frequency ranges, i.e., bands that work effectively in all types of weather and traffic. Many nations throughout the
world struggle with inadequate spectrum coverage. As a result of the increasing use of AVs and the resulting need for
higher frequencies, the present capacity cannot keep up with the increased demand [83].
7. Future direction and limitations
Though the proposed paradigm is comprehensive, thorough, and rigorous, it has certain limitations. A comprehensive
analysis of every possible permutation is beyond the scope of this work; we acknowledge this as a valuable area for
future research. Future studies could focus on scenario-based modelling, which involves developing simulation
models to explore different deployment scenarios with various combinations of regulatory measures. These models
could assess the impact on innovation, determining whether certain combinations stifle innovation or incentivise
responsible development practices. Additionally, conducting in-depth case studies of existing CRFs in different
countries and stakeholder interest analysis for cybersecurity would benefit from a quantitative analysis. Analysing
how the interplay between various regulations has impacted factors such as safety records, public perception, and
industry growth could provide valuable insights. By exploring these future research directions, we can better
understand how regulatory frameworks can shape the CAV ecosystem in complex and potentially synergistic ways.
Although the current evaluation recognises limitations due to limited data, inherent uncertainties, and the adaptability
of cybersecurity regulations, plans offer a promising path towards a more rigorous assessment. We can gain a more
objective understanding of the model's effectiveness by gathering quantitative data through surveys with qualified
professionals and leveraging existing pilot programs like Australia's Austroads initiative [84]. However, qualitative
research methods might remain the primary approach for the foreseeable future until a critical mass of data is collected.
8. Conclusion
The inherent complexity of AV’s operation necessitates a nuanced approach to legal standard formulation, particularly
deterring cyber-criminal activities through the implementation of robust CRF. This study emphasises the importance
of a comprehensive CRF for AVs that identifies various stakeholders and defines their rights, privileges, and
responsibilities. Precise delineation of these parameters will significantly influence the challenges and opportunities
associated with AVs, guiding efforts to mitigate negative impacts while maximising positive ones. Striking a balance
between overly restrictive regulations and a lack of robust controls that compromise safety remains a challenge for
governments.
Our work leverages the CLD to assess the dynamic interplay between ITS stakeholders and their role in advancing
cyber-regulatory measures for AVs. The CLD framework highlights the potential for a "tragedy of the commons"
scenario, where stakeholders prioritise their cybersecurity interests over collective well-being. This can lead to
suboptimal outcomes for AV adaptation and long-term consequences for the entire AV-based ITS. However, we can
identify intervention points for successful system modifications by analysing the underlying structures exposed by the
CLD framework. Our findings illuminate the need for careful management of several key factors:
• Balancing data accessibility: It is crucial to facilitate access to data for AV developers and ITS providers while upholding data privacy.
• Optimising regulatory control: Establishing appropriate levels of regulatory command and control ensures safety without stifling innovation.
• Balancing business interests and consumer privacy: Striking a balance between protecting automakers' investments and fostering public trust through robust data privacy regulations is essential.
Nevertheless, a comprehensive understanding of the interconnected elements within a CRF is vital for its successful
implementation, ultimately fostering a secure and thriving environment for AVs.
References
[1] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and Y. Chen, "Cyber-attacks in the next-generation cars,
mitigation techniques, anticipated readiness and future directions," Accident Analysis & Prevention, vol. 148,
p. 105837, 2020.
[2] SAE-International, "Taxonomy and definitions for terms related to driving automation systems for on-road
motor vehicles," 2018.
[3] J. Dukarski, "Unsettled Legal Issues Facing Data in Autonomous, Connected, Electric, and Shared Vehicles,"
SAE Technical Paper, 2021.
[4] McKinsey, "Monetizing Car Data, New service business opportunities to create new customer benefits,"
https://www.mckinsey.com/~/media/mckinsey/industries/automotive%20and%20assembly/our%20insights/monetizing%20car%20data/monetizing-car-data.ashx,
accessed on July 22, 2022, 2016.
[5] M. Ryan, "The future of transportation: ethical, legal, social and economic impacts of self-driving vehicles
in the year 2025," vol. 26, no. 3, Science engineering ethics, pp. 1185-1208, 2020.
[6] M. R. Miller, F. Herrera, H. Jun, J. A. Landay, and J. N. Bailenson, "Personal identifiability of user tracking
data during observation of 360-degree VR video," Scientific Reports, vol. 10, no. 1, pp. 1-10, 2020.
[7] S. K. Khan, N. Shiwakoti, and P. Stasinopoulos, "A Conceptual System Dynamics Model for Cybersecurity
Assessment of Connected and Autonomous Vehicles," Accident Analysis & Prevention, 2021.
[8] D. J. Fagnant and K. Kockelman, "Preparing a nation for autonomous vehicles: opportunities, barriers and
policy recommendations," Transportation Research Part A: Policy Practice, vol. 77, pp. 167-181, 2015.
[9] P. Stasinopoulos, N. Shiwakoti, and M. Beining, "Use-Stage life cycle Greenhouse Gas Emissions of the
Transition to an Autonomous Vehicle Fleet: A System Dynamics approach," Journal of Cleaner Production,
p. 123447, 2020.
[10] B. O'Neill, "Preventing passenger vehicle occupant injuries by vehicle design - a historical perspective from
IIHS," Traffic injury prevention, vol. 10, no. 2, pp. 113-126, 2009.
[11] M. Wu, N. Wang, and K. F. Yuen, "Can autonomy level and anthropomorphic characteristics affect public
acceptance and trust towards shared autonomous vehicles?," Technological Forecasting Social Change, vol.
189, p. 122384, 2023.
[12] E. L. Smith, J. L. Webster, and A. L. Stumpf, "Autonomous Transport Innovation: the regulatory
environment of autonomous vehicles," 2021.
[13] R. Agrawal and L. Santarelli, "How Infrastructures, Social and Ethical issues and Governments are Affecting
the Expansion of Autonomous Vehicles?," Journal of Student Research, vol. 11, no. 2, 2022.
[14] G. Marletto, "Who will drive the transition to self-driving? A socio-technical analysis of the future impact of
automated vehicles," Technological Forecasting and Social Change, vol. 139, pp. 221-234, 2019.
[15] DoT, "Transport legislation and regulation," https://transport.vic.gov.au/about/legislation, accessed on
July 22, 2022.
[16] D. Morris, G. Madzudzo, and A. Garcia-Perez, "Cybersecurity threats in the auto industry: Tensions in the
knowledge environment," Technological Forecasting and Social Change, vol. 157, p. 120102, 2020.
[17] A. Hidalgo and J. Albors, "Innovation management techniques and tools: a review from theory and practice,"
R&D Management, vol. 38, no. 2, pp. 113-127, 2008.
[18] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and M. Warren, "Modelling cybersecurity regulations for
automated vehicles," Accident Analysis Prevention, vol. 186, p. 107054, 2023.
[19] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and M. Warren, "A multinational empirical study of perceived
cyber barriers to automated vehicles deployment," Scientific Reports, vol. 13, no. 1, p. 1842, 2023.
[20] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, Y. Chen, and M. Warren, "The impact of perceived cyber-risks
on automated vehicle acceptance: Insights from a survey of participants from the United States, the United
Kingdom, New Zealand, and Australia," Transport Policy, 2024.
[21] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, Y. Chen, and M. Warren, "Exploratory factor analysis for
cybersecurity regulation and consumer data in autonomous vehicle acceptance: Insights from four OECD
countries," Transportation Research Interdisciplinary Perspectives, vol. 25, p. 101084, 2024.
[22] Y. Chen, S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and K. Aghabayk, "Analysis of Australian public
acceptance of fully automated vehicles by extending technology acceptance model," Case studies on
transport policy, vol. 14, p. 101072, 2023.
[23] Y. Chen, S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and K. Aghabayk, "Integrating perceived safety and
socio-demographic factors in UTAUT model to explore Australians' intention to use fully automated
vehicles," Research in Transportation Business & Management, vol. 56, p. 101147, 2024.
[24] Y. Chen, N. Shiwakoti, P. Stasinopoulos, S. K. Khan, and K. Aghabayk, "Exploring the association between
socio‐demographic factors and public acceptance towards fully automated vehicles: Insights from a survey
in Australia," IET Intelligent Transport Systems, vol. 18, no. 1, pp. 154-172, 2024.
[25] N. S. Shah Khalid Khan, Peter Stasinopoulos, and Matthew Warren, "Driving a Safer Future: Exploring
Cross-Country Perspectives in Automated Vehicle Adoption by Considering Cyber Risks, Liability, and Data
Concerns."
[26] D. L. Nazareth and J. Choi, "A system dynamics model for information security management," Information
Management science, vol. 52, no. 1, pp. 123-134, 2015.
[27] D. Ward, I. Ibarra, and A. Ruddle, "Threat analysis and risk assessment in automotive cyber security," SAE
International Journal of Passenger Cars-Electronic Electrical Systems, vol. 6, no. 2013-01-1415, pp. 507-
513, 2013.
[28] G. Macher, H. Sporer, R. Berlach, E. Armengaud, and C. Kreiner, "SAHARA: a security-aware hazard and
risk analysis method," in 2015 Design, Automation & Test in Europe Conference & Exhibition (DATE),
2015: IEEE, pp. 621-624.
[29] J. Sterman, "Business Dynamics: Systems Thinking and Modeling for a Complex World McGraw Hill NY,"
2000.
[30] J. M. Sarriegi, J. Santos, J. M. Torres, D. Imizcoz, and A. L. Plandolit, "Modeling security management of
information systems: analysis of a ongoing practical case," in The 24th international conference of the system
dynamics society. Nijmegen, The Netherlands, 2006.
[31] M. R. Goodman, "Study notes in system dynamics Wright," ed: Allen Press, Cambridge, Mass, 1974.
[32] N. P. Repenning, "A simulation-based approach to understanding the dynamics of innovation
implementation," Organization science, vol. 13, no. 2, pp. 109-127, 2002.
[33] L. E. Alfeld and A. K. Graham, Introduction to urban dynamics. Wright-Allen Press, 1976.
[34] J. Stanford, "Possible futures for fully automated vehicles: using scenario planning and system dynamics to
grapple with uncertainty," Massachusetts Institute of Technology, 2015.
[35] S. Puylaert, M. Snelder, R. van Nes, and B. van Arem, "Mobility impacts of early forms of automated
driving–A system dynamic approach," Transport policy, vol. 72, pp. 171-179, 2018.
[36] G. B. Hirsch, R. Levine, and R. L. Miller, "Using system dynamics modeling to understand the impact of
social change initiatives," American Journal of community psychology, vol. 39, no. 3, pp. 239-253, 2007.
[37] E. Pruyt, "Small system dynamics models for big issues: Triple jump towards real-world complexity," 2013.
[38] D. H. Kim, Systems archetypes III: understanding patterns of behavior and delay. Pegasus Communications,
2000.
[39] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and M. Warren, "Cybersecurity regulatory challenges for
connected and automated vehicles - State-of-the-art and future directions," Transport policy, vol. 143, pp. 58-
71, 2023.
[40] I. Krontiris et al., "Autonomous vehicles: Data protection and ethical considerations," in Proceedings of the
4th ACM Computer Science in Cars Symposium, 2020, pp. 1-10.
[41] X. Sun, F. R. Yu, and P. Zhang, "A survey on cyber-security of connected and autonomous vehicles (CAVs),"
IEEE Transactions on Intelligent Transportation Systems, vol. 23, no. 7, pp. 6240-6259, 2021.
[42] I. T. F. P. Papers, "Safer Roads with Automated Vehicles?,"
https://www.oecd-ilibrary.org/transport/safer-roads-with-automated-vehicles_b2881ccb-en, accessed on July 5, 2024, 2018.
[43] S. Liu, L. Liu, J. Tang, B. Yu, Y. Wang, and W. Shi, "Edge computing for autonomous driving: Opportunities
and challenges," Proceedings of the IEEE, vol. 107, no. 8, pp. 1697-1716, 2019.
[44] BSI, "Principles of Cyber Security for Connected and Automated Vehicles,"
https://www.gov.uk/government/publications/principles-of-cyber-security-for-connected-and-automated-vehicles/the-key-principles-of-vehicle-cyber-security-for-connected-and-automated-vehicles,
accessed on July 22, 2022, 2018.
[45] SAE, "ISO/SAE 21434:2021 Road vehicles Cybersecurity engineering,"
https://www.iso.org/standard/70918.html, accessed on July 22, 2022, 2021.
[46] N. Kazimova, "AV Cybersecurity: Risks and Regulation," Available at SSRN 4647415, 2023.
[47] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and W. Matthew, "Security assessment in Vehicle-to-Everything
communications with the integration of 5G and 6G networks," presented at the 2021 International
Symposium on Computer Science and Intelligent Controls (ISCSIC), Singapore, 2021.
[48] ISO, "ISO Road Vehicles Functional Safety Part_1: Standard ISO 26262-1," in
https://www.iso.org/standard/68383.html, accessed on July 22, 2022, 2018, vol., accessed on Feb 4, 2022.
[49] Homeaffairs, "Australia’s Cyber Security Strategy 2020,"
https://www.homeaffairs.gov.au/about-us/our-portfolios/cyber-security/strategy, accessed on July 22, 2022, 2021.
[50] A. Giannaros et al., "Autonomous vehicles: Sophisticated attacks, safety issues, challenges, open topics,
blockchain, and future directions," Journal of Cybersecurity and Privacy, vol. 3, no. 3, pp. 493-543, 2023.
[51] R. Quinonez, S. Safaoui, T. Summers, B. Thuraisingham, and A. A. Cardenas, "Shared reality: detecting
stealthy attacks against autonomous vehicles," in Proceedings of the 2th Workshop on CPS&IoT Security
and Privacy, 2021, pp. 15-26.
[52] O. Tengilimoglu, O. Carsten, and Z. Wadud, "Infrastructure requirements for the safe operation of automated
vehicles: Opinions from experts and stakeholders," Transport policy, vol. 133, pp. 209-222, 2023.
[53] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and W. Matthew, "Dynamic assessment of regulation and policy
framework in the cybersecurity of Connected and Autonomous Vehicles," presented at the In Australasian
Transport Research Forum, ATRF 2021-Proceedings, 2021.
[54] W. Z. Khan, M. K. Khan, H. Malik, and J. Almuhtadi, "Digital labels: Influencing consumers Trust and
raising cybersecurity awareness for adopting autonomous vehicles," in 2021 IEEE International Conference
on Consumer Electronics (ICCE), 2021: IEEE, pp. 1-4.
[55] F. M. Bass, "A new product growth for model consumer durables," Management science, vol. 15, no. 5, pp.
215-227, 1969.
[56] J. Han, Z. Ju, X. Chen, M. Yang, H. Zhang, and R. Huai, "Secure operations of connected and autonomous
vehicles," IEEE Transactions on Intelligent Vehicles, 2023.
[57] Z. Saeed, M. Masood, and M. U. Khan, "A review: Cybersecurity challenges and their solutions in connected
and autonomous vehicles (CAVs)," JAREE (Journal on Advanced Research in Electrical Engineering), vol.
7, no. 1, 2023.
[58] D. Wright and D. H. Meadows, Thinking in systems. Earthscan, 2008.
[59] G. Hardin, "The tragedy of the commons," in Green Planet Blues: Routledge, 2019, pp. 41-49.
[60] J. D. Sterman, "Sustaining sustainability: creating a systems science in a fragmented academy and polarized
world," in Sustainability science: Springer, 2012, pp. 21-58.
[61] B. M. Frischmann, A. Marciano, and G. B. Ramello, "Retrospectives: Tragedy of the commons after 50
years," Journal of Economic Perspectives, vol. 33, no. 4, pp. 211-228, 2019.
[62] R. Prieto Curiel, H. González Ramírez, and S. Bishop, "A ubiquitous collective tragedy in transport,"
Frontiers in Physics, vol. 10, p. 882371, 2022.
[63] HSPH, "Emissions from traffic congestion may shorten lives," https://www.hsph.harvard.edu/news/hsph-in-
the-news/air-pollution-traffic-levy-von-stackelberg/, vol. accessed on Aug 1 ,2022, 2011.
[64] S. R. Foster, "Collective action and the urban commons," Notre Dame L. Rev., vol. 87, p. 57, 2011.
[65] P. N. Brown, "A tragedy of autonomy. self-driving cars and urban congestion externalities," in 2019 57th
Annual Allerton Conference on Communication, Control, and Computing (Allerton), 2019: IEEE, pp. 981-
986.
[66] D. Morris, G. Madzudzo, and A. Garcia-Perez, "Cybersecurity and the auto industry: the growing challenges
presented by connected cars," International journal of automotive technology and management, vol. 18, no.
2, pp. 105-118, 2018.
[67] J. Petit, "Automated vehicles cybersecurity: Summary AVS’17 and stakeholder analysis," in Road Vehicle
Automation 5, 2019: Springer, pp. 171-181.
[68] S. E. Dudley and Z. Xie, "Designing a choice architecture for regulators," Public Administration Review, vol.
80, no. 1, pp. 151-156, 2020.
[69] J. Petit and S. E. Shladover, "Potential cyberattacks on automated vehicles," IEEE Transactions on Intelligent
transportation systems, vol. 16, no. 2, pp. 546-556, 2014.
[70] R. Gupta, S. Tanwar, N. Kumar, and S. Tyagi, "Blockchain-based security attack resilience schemes for
autonomous vehicles in industry 4.0: A systematic review," Computers & Electrical Engineering, vol. 86, p.
106717, 2020.
[71] J. Petit, B. Stottelaar, and M. Feiri, "Remote attacks on automated vehicles sensors: Experiments on camera
and lidar," Black Hat Europe, vol. 11, p. 2015, 2015.
[72] P. Wang, X. Wu, and X. He, "Modeling and analyzing cyberattack effects on connected automated vehicular
platoons," Transportation Research Part C: Emerging Technologies, vol. 115, p. 102625, 2020.
[73] B. Gurion, "Autonomous vehicles fooled by drones that project too-quick-for-humans road-signs," pp.
https://boingboing.net/2019/07/06/flickering-car-ghosts.html, 2019.
[74] C. Hodge, K. Hauck, S. Gupta, and J. C. Bennett, "Vehicle Cybersecurity Threats and Mitigation
Approaches," 2019.
[75] G. S. Nair and C. R. Bhat, "Sharing the road with autonomous vehicles: Perceived safety and regulatory
preferences," Transportation research part C: emerging technologies, vol. 122, p. 102885, 2021.
[76] N. Liu, A. Nikitas, and S. Parkinson, "Exploring expert perceptions about the cyber security and privacy of
Connected and Autonomous Vehicles: A thematic analysis approach," Transportation research part F:
traffic psychology and behaviour, vol. 75, pp. 66-86, 2020.
[77] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and M. Warren, "Security assessment in Vehicle-to-Everything
communications with the integration of 5G and 6G networks," in 2021 International Symposium on
Computer Science and Intelligent Controls (ISCSIC), 2021: IEEE, pp. 154-158.
Shah Khalid Khan et al. / Transportation Research Procedia 82 (2025) 3729–3751 3751
[78] A. R. Javed et al., "Future smart cities requirements, emerging technologies, applications, challenges, and
future aspects," Cities, vol. 129, p. 103794, 2022.
[79] S. K. Khan, "Mathematical framework for 5G‐UAV relay," Transactions on Emerging Telecommunications
Technologies, vol. 32, no. 3, p. e4194, 2021.
[80] CouncilLaw, "Strengthening Australia’s cyber security regulations and incentives," accessed on May 22,
2022, vol. https://www.lawcouncil.asn.au/publicassets/ea4a4407-0615-ec11-9440-
005056be13b5/4089%20-%20Strengthening%20cyber%20security.pdf, 2021.
[81] A. Taeihagh and H. S. M. Lim, "Governing autonomous vehicles: emerging responses for safety, liability,
privacy, cybersecurity, and industry risks," Transport reviews, vol. 39, no. 1, pp. 103-128, 2019.
[82] S. K. Khan, N. Shiwakoti, P. Stasinopoulos, and M. Warren, "Dynamic assessment of regulation and policy
framework in the cybersecurity of Connected and Autonomous Vehicles," in Proc. Australas. Transp. Res.
Forum (ATRF), 2021, pp. 1-14.
[83] D. Morris and G. Madzudzo, "Cybersecurity and the auto industry: the growing challenges presented by
connected cars," International Journal of Automotive Technology Management, vol. 18, no. 2, pp. 105-118,
2018.
[84] Austroads, "Austroads' Future Vehicles & Technology Program," Austroads, accessed on July 22, 2022, no.
https://austroads.com.au/drivers-and-vehicles/future-vehicles-and-technology/trials, 2021.
There is a significant lack of comprehensive research that systematically examines public perceptions of liability (related to cyber risks), consumer data, and how these factors influence the adoption of automated vehicles (AVs). To fill this knowledge gap, the authors' research used a survey of 2062 adults across Australia, New Zealand, the UK, and the US to develop a scale for Liability, Data concerns, Data sharing and Patching and updates. This analytical approach employed various statistical methods to analyze the data (summarizing, finding patterns, measuring relationships). The results indicate that 70% of respondents express concerns about AV liability based on cyber risks, highlighting a significant level of liability anxiety. Individuals with high liability concerns also exhibit heightened concerns about AV data, are less comfortable sharing AV data, and display lower intent to adopt AVs. Conversely, individuals comfortable with data sharing are more willing to engage in patching and express a greater intent to adopt AVs. Interestingly, individuals with AV data concerns do not exhibit a negative correlation with their intent to adopt AVs. Additionally, those willing for patches also show a stronger intent to adopt AVs, challenging the notion that software updates hinder AV adoption.
Growing global research utilizes user acceptance models to investigate the public acceptance of automated vehicles (AVs). A growing body of literature suggests it is essential to recognize cultural differences that may influence people's decisions and the intention to use AVs. While the influence of perceived safety on AVs adoption has been examined globally, it has often been overlooked in Australia. To address this knowledge gap, this study extended the Unified Theory of Acceptance and Use of Technology (UTAUT) model by incorporating perceived safety and socio-demographic factors in assessing behavioral intention for fully AVs in Australia. This study is the first in Australia to include perceived safety in the UTAUT model and look at how different factors like age, gender, experience, income, education, and travel habits affect people's intention to use technology. The model was evaluated with Structural Equation Modelling using a dataset of 804 respondents from Australia. Perceived Safety (PS) holds comparable importance to Social Influence (SI) and Facilitating Conditions (FC). Our analysis revealed that younger age groups exhibit a more substantial positive correlation between Performance Expectancy (PE) and Behavioral Intention (BI) compared to older age groups. Notably, there are significant distinctions in the impact of PS on BI between older and younger age groups, as well as between those with and without prior experience with AVs. Moreover, gender has a moderating effect akin to age in the PE-BI relationship. Our findings also reveal that age moderates the relationship between PE and BI, with younger individuals exhibiting less susceptibility to social influence compared to older counterparts. Gender also emerges as a moderator, affecting the relationship between FC and BI. Additionally, income moderates the relationships between both EE (Effort Expectancy) and FC with BI. 
However, qualifications do not significantly moderate the relationships between latent variables and BI. The multigroup analysis highlights a significant divergence in the influence of PE on BI between groups with no experience and experienced people. Additionally, the study shows that the higher-income group displays a lower coefficient of FC towards BI, potentially due to their pre-existing knowledge base. The findings from this study assist decision-makers by providing insights into public attitudes towards AVs by revealing the key factors influencing public acceptance.
No study has systematically investigated the public's perceptions of cybersecurity regulation, data generated by Autonomous Vehicles (AVs), and their relationship with the acceptance of AVs. To fill this knowledge gap, we conducted an exploratory study on public perceptions of cybersecurity regulation and consumer data in AVs acceptance by surveying nationally representative individuals from four OECD countries (US, UK, Australia, and New Zealand). A total of 2062 responses collected from the survey underwent Exploratory Factor Analysis (EFA) to examine constructs such as Cybersecurity Regulation, Data Sharing, Data Usage, Data Concerns, and intention to use AVs. Correlation analysis further explored the relationships between these constructs, while Mann-Whitney U and Kruskal-Wallis H tests assessed the significance of differences across participant groups. The empirical findings indicate that 80% of respondents agreed on the necessity of cybersecurity regulation for AV operations, with 67% perceiving it as a means to enhance AV safety. Surprisingly, 66% supported cybersecurity regulation despite the potential risk of exposing their personal information. Individuals who are more willing to share AV data also expressed a higher likelihood of using AVs. Furthermore, those who agreed more with cybersecurity regulations were more inclined to be compensated for their data transmission while expressing concerns about data storage and processing. Moreover, around 53% of participants feel they should be compensated for sharing their AV data, with 68% expressing concern about AVs' data storage and processing and 71% supporting the destruction of AV data post-sale. Regarding data privacy concerns, “In-vehicle Private Conversation” draws notable attention, rated very important or extremely important by 64% of the participants. 
The findings highlight the importance of cybersecurity regulation, data sharing, and data concerns in shaping individuals' intentions to use AVs, as well as the influence of socio-technological attributes.
Fewer studies have investigated the factors affecting fully Automated Vehicles (AVs) acceptance and their association with demographics and travel behaviour in the Australian context. Evidence shows that public opinions and adoption towards AVs may vary by country. Therefore, this study aims to systematically explore the factors affecting public opinion towards fully AVs by conducting a survey in Australia. Specifically, the study examines seven key attributes (benefits/usefulness, ease of use, attitude, data privacy, willingness to pay more, social influence, and trust) towards the opinions of AVs and their association between demographic and travel behaviour. The results from 809 Australian responses show that Australians tend to have a positive attitude toward AVs. Age and years of driving experience are the two most important factors instead of travel characteristics (e.g. frequency of driving cars, travel time by car, and distance of driving cars). Being less exposed to automation technology is likely to be the main reason affecting the adoption of AVs for the two socio-demographic factors: age and years of driving experience. Males hold a relatively positive attitude towards AVs than females. Likewise, Australians are less likely to pay more for fully AVs than conventional vehicles. Data privacy is also concerning for Australians.
The technological advancements of Connected and Automated Vehicles (CAVs) are outpacing the current regulatory regime, potentially resulting in a disconnect between legislators, technology, and CAV stakeholders. Although many studies explore the regulatory requirements of operations of CAVs, studies on regulatory challenges specific to the cybersecurity of CAVs are also emerging and receiving lots of attention among researchers and practitioners. However, studies providing an up-to-date synthesis and analysis on CAVs regulatory requirements specific to cyber-risk reduction or mitigation are almost non-existent in the literature. This study aims to overcome this limitation by presenting a comprehensive overview of the role of key Intelligent Transportation Systems (ITS) stakeholders in CAV's cybersecurity. These stakeholders include road operators, service providers, automakers, consumers, repairers, and the general public. The outcome of this review is an in-depth synthesis of CAV-based ITS stakeholders by visualising their scope in developing a Cybersecurity Regulatory Framework (CRF). The study demonstrated the compliance requirements for ITS communication service providers, regulatory standards for CAVs automakers, policy readiness for CAVs customers and the general public who interact with CAVs, and the role of the CAVs Network Operator Centre in regulating CAVs data flow. Moreover, the study illuminates several critical pathways necessary in future for synthesizing and forecasting the legal landscape of CAV-based transportation systems to integrate the regulatory framework for CAV stakeholders. The paper's findings and conclusions would assist policymakers in developing a comprehensive CRF.
There has been an increasing trend in using user acceptance models to explore the public acceptance of automated vehicles (AVs) in different countries. Most of the previous studies have analysed perceived usefulness, behavioural attitude, subjective norms as well as perceived ease of use, but other important factors, such as trust and data privacy, have not been adequately considered. Likewise, public perceptions of fully AVs are limited in the literature as most studies focus on different levels of automation. This study aims to assess the behavioural intention to use fully AVs in Australia by extending the Technology Acceptance Model (TAM) that includes data privacy and trust in the TAM constructs. Based on a survey of 809 adult respondents from Australia, the model was evaluated with Structural Equation Modelling. The research revealed perceived trust and perceived data privacy is the first and second most important variable affecting the attitude, followed by perceived ease of use and usefulness. Perceived data privacy was discovered to positively impact attitude, perceived trust, perceived usefulness, perceived ease of use as well as behavioural intentions. The perceived trust mediated perceived data privacy on the attitudes in this study. Additionally, the two major variables in the proposed model – perceived trust and data privacy- affect attitudes of AVs significantly, with total effects being 0.637 and 0.604, respectively. Attitude is the most significant variable that correlates with behavioural intentions, which leads to acceptance of fully AVs. Multigroup analysis showed the gender, age and income related differences regarding the public acceptance of AVs. Several theoretical and practical implications are discussed in this paper.
Autonomous vehicles (AVs), defined as vehicles capable of navigation and decision-making independent of human intervention, represent a revolutionary advancement in transportation technology. These vehicles operate by synthesizing an array of sophisticated technologies, including sensors, cameras, GPS, radar, light imaging detection and ranging (LiDAR), and advanced computing systems. These components work in concert to accurately perceive the vehicle’s environment, ensuring the capacity to make optimal decisions in real-time. At the heart of AV functionality lies the ability to facilitate intercommunication between vehicles and with critical road infrastructure—a characteristic that, while central to their efficacy, also renders them susceptible to cyber threats. The potential infiltration of these communication channels poses a severe threat, enabling the possibility of personal information theft or the introduction of malicious software that could compromise vehicle safety. This paper offers a comprehensive exploration of the current state of AV technology, particularly examining the intersection of autonomous vehicles and emotional intelligence. We delve into an extensive analysis of recent research on safety lapses and security vulnerabilities in autonomous vehicles, placing specific emphasis on the different types of cyber attacks to which they are susceptible. We further explore the various security solutions that have been proposed and implemented to address these threats. The discussion not only provides an overview of the existing challenges but also presents a pathway toward future research directions. This includes potential advancements in the AV field, the continued refinement of safety measures, and the development of more robust, resilient security mechanisms. 
Ultimately, this paper seeks to contribute to a deeper understanding of the safety and security landscape of autonomous vehicles, fostering discourse on the intricate balance between technological advancement and security in this rapidly evolving field.
With features of collaborative interaction and autonomous decision-making, connected and autonomous vehicles (CAVs) offer a viable solution for a sustainable and efficient future of transportation. However, with the development of CAVs, questions have been raised about weaknesses in cybersecurity and autonomous driving capabilities. In particular, CAVs provide new opportunities for cyberattackers, posing a significant threat to future road and vehicle data security. Therefore, this paper provides a comprehensive analysis of the cybersecurity environment of CAVs. First, we propose a systematic classification of six security threats from cybersecurity principles: false data, information theft, privilege escalation, block communication, and time delay. We review the cybersecurity environment of CAVs from a lifecycle perspective, covering aspects from development to accident, and present the existing cybersecurity countermeasures. These involve security standards designation, verification and validation of vehicle networks, resilient strategies for self-defined driving, and attack detection and digital forensics. Finally, based on our systematic review, we propose a conceptual vehicle security operations center (VSOC) framework that provides valuable inspiration and references for future research and industrial applications for CAVs cybersecurity.