Week 6 - Risk Mitigation


10 Terms

1

What are the four impact types defined in ISO/SAE 21434?

Safety, Financial, Operational, Privacy.

2

What are the four risk treatment options in ISO/SAE 21434?

  1. Avoid - eliminate the feature or component to prevent risk

  2. Reduce - apply security controls to lower the likelihood or impact

  3. Transfer/Share - shift the risk to another entity

  4. Accept - agree to live with the risk (along with any further appropriate measures such as monitoring)

3

What are the two natures of risk?

  1. Risk as potential threats

  2. Risk as uncertainty

4

How does ISO/SAE 21434 define "risk as potential threats"?

  • Considers threats that are “definable, identifiable, immediate and often connected to specific threatening actors”

  • Specific, identifiable, and tied to actors

  • Example: hackers exploiting a known vulnerability

5

How does ISO/SAE 21434 define "risk as uncertainty"?

  • Treats risk as systemic and inherent, emphasising socio-technical vulnerability, which leads to a greater extent of, and acceptance of, the unknown

  • Systemic, complex, and not always predictable

  • Example: unknown vulnerabilities in emerging technology

6

What is residual risk?

The risk that remains even after mitigation.

7

What is the distinction between security-critical and safety-critical systems?

  • Security-critical: involves protecting data and information (e.g. driver privacy, fraud prevention)

  • Safety-critical: involves preventing physical harm

8

Give an example of a system that is security-critical but not safety-critical.

An in-vehicle entertainment system handling personal data.

9

Give an example of a system that is both security-critical and safety-critical.

An Autonomous Emergency Braking (AEB) system.

10

How does the Cambridge Taxonomy of Business Risks categorise broad types of risk?

  1. Financial

  2. Geopolitical

  3. Technology

  4. Environmental

  5. Social

  6. Governance