
Human-based Prevention

Human-based Prevention refers to strategies that reduce risks by influencing the actions, cognition, and decision-making of stakeholders. In automotive cybersecurity, this means designing systems that account for human factors, as required by ISO/SAE 21434 and UNECE WP.29, to prevent security breaches caused by human error or social engineering.

Curated by Winners Consulting Services Co., Ltd.

Questions & Answers

What is Human-based Prevention?

Human-based Prevention refers to strategies that reduce risks by influencing the actions, cognition, and decision-making of stakeholders. It originates from crime prevention theories and is applied in automotive cybersecurity to address vulnerabilities arising from human factors. According to ISO/SAE 21434, threat analysis and risk assessment (TARA) must account for human factors, including intentional insider threats and unintentional errors. This approach complements technical measures such as encryption and intrusion detection by addressing the socio-technical nature of modern vehicles. In the context of GDPR and Taiwan's Personal Data Protection Act, human-based prevention is critical for preventing data-related security breaches caused by staff negligence or social engineering attacks. It differs from standard awareness training in that it is integrated into the system's design phase, ensuring that human factors are managed as a core component of the vehicle's security architecture.

How is Human-based Prevention applied in enterprise risk management?

Implementation follows three key steps. First, Stakeholder Behavior Modeling: identifying the roles, risks, and interactions of all stakeholders (e.g., drivers, technicians, developers). Second, Control Pattern Integration: embedding human-centric controls into the vehicle's lifecycle, such as multi-factor authentication for diagnostic access or role-based access control (RBAC) for software updates. Third, Continuous Monitoring and Feedback: using telematics data to detect anomalous human-driven behaviors. For example, a European OEM implemented human-centric design patterns in its ADAS update process, reducing unauthorized-access-related incidents by 35% within 12 months. Key Performance Indicators (KPIs) include the reduction in human-error-related security incidents and the compliance rate with ISO/SAE 21434 Clause 15. The goal is a measurable reduction in the residual risk, adjusted for human factors, during the risk assessment process.

What challenges do Taiwan enterprises face when implementing Human-based Prevention, and how can they be overcome?

Taiwan enterprises typically face three challenges. First, 'Technical-Centric Bias': engineering teams often prioritize code-based solutions over human factors. This can be overcome by integrating human factors into the TARA process as a mandatory step in the V-model development process. Second, 'Resource Constraints': small to medium enterprises (SMEs) may lack the expertise to model complex human behaviors. The solution is to adopt standardized design patterns (e.g., from the AutoSec Design Patterns research) to save time and costs. Third, 'Cultural Resistance': employees may view human-centric controls as intrusive. This requires change management strategies, including clear communication of the 'why' behind each control and a demonstration of the benefit to employee safety. A phased approach, starting with a pilot on one vehicle program before scaling, is recommended to manage the transition effectively.

Why choose Winners Consulting for Human-based Prevention?

Winners Consulting Services Co., Ltd. specializes in Human-based Prevention for Taiwan enterprises, delivering compliant management systems within 90 days. We have assisted over 100 clients in aligning with ISO/SAE 21434, TISAX, and GDPR requirements. Our approach combines technical expertise with practical implementation strategies tailored to the unique needs of the Taiwanese automotive supply chain. Request a free mechanism diagnosis: https://winners.com.tw/contact
