Insight: Integrated Attack Tree in Residual Risk Management Framework

About the Authors and This Research

The lead author, Jeremy Bryans, is a senior researcher at Loughborough University in the United Kingdom, specializing in formal verification methods for safety-critical embedded systems and automotive cybersecurity. With an h-index of 23 and over 1,748 cumulative citations, Bryans carries substantial authority in the field of automotive embedded system security and formal risk analysis. Co-author Hesamaldin Jadidbonab contributes practical cybersecurity analysis experience (h-index: 7, 121 citations), while Ahmed Nawaz Khan brings engineering depth to the cyber-physical systems (CPS) risk assessment framework.

The team addresses a gap that practitioners working with ISO/SAE 21434 frequently encounter but rarely discuss in structured terms: after an organization deploys cybersecurity defenses, what quantifiable residual risk remains, and how should that residual risk be tracked dynamically across a system's lifecycle? This question is especially pertinent for Taiwan's automotive suppliers who have completed an initial TISAX assessment and now face the challenge of maintaining compliance over a three-year validity period.

Integrated Attack Trees: Moving Beyond Single-Subsystem Risk Boundaries

The paper's central methodological contribution is the construction of an integrated attack tree that merges the independent attack trees of multiple subsystems within a cyber-physical system into a unified, system-level risk view. Conventional Threat Analysis and Risk Assessment (TARA) methodologies—as currently practiced by most Tier 1 and Tier 2 automotive suppliers—tend to evaluate each ECU or functional module in isolation. While this satisfies the baseline requirements of ISO/SAE 21434 at the component level, it systematically misses attack paths that traverse subsystem interfaces.

Core Finding 1: The Integrated Framework Satisfies Over 75% of Industry Risk Management Requirements

Using Adaptive Cruise Control (ACC) and Adaptive Light Control (ALC) as real-world case studies, the authors demonstrate that their integrated attack tree methodology identifies cross-system attack vectors that remain invisible in single-subsystem analyses. A flow graph model is then applied to calculate residual risk values both before and after defensive measures are deployed. When benchmarked against a comprehensive set of requirements drawn from the academic and industry literature on risk management frameworks, the proposed methodology satisfies more than 75% of all listed requirements—a meaningful threshold that establishes this as a production-grade, not merely theoretical, approach.

For Taiwan's automotive suppliers, this 75% validation figure matters in a very practical sense: European and Japanese OEM customers increasingly require suppliers to demonstrate not just that TARA was performed, but that the TARA methodology can account for cross-subsystem interactions. An integrated attack tree report is a direct response to this demand.

Core Finding 2: Residual Risk Must Be Quantified and Re-evaluated After Each Defensive Update

A particularly actionable insight from this paper is the explicit requirement to recalculate residual risk values every time a defensive measure is added, modified, or removed. ISO/SAE 21434 Chapter 15 specifies post-development cybersecurity monitoring and incident response obligations, but does not prescribe granular operational steps for residual risk re-evaluation. Bryans et al. fill this gap by defining a step-by-step process that maps defensive deployments to updated flow graph calculations, generating a timestamped residual risk record that constitutes an auditable compliance trail.
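
The following is an added example, not code from this article or from the paper: it merges an ACC and an ALC attack tree through one interface step and re-evaluates residual risk, with a timestamped record, each time a defense is added or removed. The node names, likelihoods, impact weight, defense effectiveness values and the independence-based AND/OR propagation are constructed assumptions standing in for the paper's flow graph model, which the article does not detail.

```python
from datetime import datetime, timezone
from math import prod

# Constructed leaf likelihoods (0..1); illustrative, not figures from the paper.
LEAVES = {
    "acc.radar_spoof": 0.05,
    "acc.can_inject": 0.10,
    "alc.diag_access": 0.30,
    "alc.firmware_tamper": 0.20,
    "iface.alc_to_acc": 0.40,  # hypothetical step across the ALC/ACC interface
}
# A tree node is a leaf name or an (operator, children) tuple.
ACC_TREE = ("OR", ["acc.radar_spoof", "acc.can_inject"])
ALC_TREE = ("AND", ["alc.diag_access", "alc.firmware_tamper"])
IMPACT = 10.0  # assumed severity weight for the ACC goal

def integrate(target, foothold, interface_leaf):
    """Add 'foothold AND interface step' as an OR branch toward the target goal."""
    return ("OR", [target, ("AND", [foothold, interface_leaf])])

def likelihood(node, defenses):
    """Independent leaves assumed: AND = product, OR = 1 - prod(1 - p)."""
    if isinstance(node, str):
        # A defense scales its leaf by (1 - effectiveness).
        return LEAVES[node] * (1.0 - defenses.get(node, 0.0))
    op, children = node
    vals = [likelihood(c, defenses) for c in children]
    return prod(vals) if op == "AND" else 1.0 - prod(1.0 - v for v in vals)

def reassess(tree, defenses, change, log):
    """Recompute residual risk and append a timestamped audit record."""
    risk = likelihood(tree, defenses) * IMPACT
    log.append({"time": datetime.now(timezone.utc).isoformat(),
                "change": change, "defenses": dict(defenses), "risk": risk})
    return risk

def run_history():
    tree, defenses, log = integrate(ACC_TREE, ALC_TREE, "iface.alc_to_acc"), {}, []
    reassess(tree, defenses, "baseline", log)
    defenses["acc.can_inject"] = 0.8    # assumed effectiveness of a new control
    reassess(tree, defenses, "add acc.can_inject defense", log)
    defenses["iface.alc_to_acc"] = 0.9  # assumed effectiveness at the interface
    reassess(tree, defenses, "add interface defense", log)
    del defenses["acc.can_inject"]      # removal also triggers re-evaluation
    reassess(tree, defenses, "remove acc.can_inject defense", log)
    return log

if __name__ == "__main__":
    for entry in run_history():
        print(entry["time"], entry["change"], round(entry["risk"], 4))
```

With these constructed inputs the ACC tree alone scores 1.45, while the integrated tree's baseline is 1.6552; the difference is the cross-subsystem branch that a component-level analysis never evaluates.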

This dynamic tracking approach aligns closely with the December 2025 joint guidance issued by CISA and international partners (including Australia) on safely integrating AI into operational technology (OT) environments—which similarly emphasized continuous monitoring over static, point-in-time assessments. The convergence of academic methodology and regulatory guidance reinforces that residual risk management is becoming a universal expectation across safety-critical industries.

Implications for Taiwan's Automotive Supply Chain

Taiwan's position in the global automotive supply chain has grown considerably more complex over the past three years. The United Nations Economic Commission for Europe's WP.29 Working Party has made UN-R155 (requiring a certified Cybersecurity Management System, or CSMS) a condition for vehicle type approval in the EU. Japan has followed with mandatory CSMS requirements, explicitly stating that vehicles without verified CSMS cannot be sold in the domestic market. ISO/SAE 21434, published in 2021, is now widely recognized as the technical standard underpinning these regulatory requirements.

For Taiwanese Tier 1 and Tier 2 suppliers, the practical consequence is a two-stage compliance challenge. The first stage—obtaining TISAX certification or demonstrating ISO/SAE 21434 conformity—is increasingly well understood. The second stage—maintaining and updating that conformity as products evolve, architectures change, and new vulnerabilities emerge—is where most Taiwanese suppliers currently lack structured processes. The integrated residual risk management framework proposed by Bryans et al. directly addresses this second stage, providing a methodology that can be embedded into ongoing CSMS operations rather than reserved for periodic assessments.

Taiwan's automotive component manufacturers targeting the European and Japanese markets should note that OEM supplier audits are evolving from document-review exercises toward evidence-based assessments of whether the CSMS is actually functioning. A supplier that can present timestamped, cross-subsystem residual risk records—produced through a methodology aligned with ISO/SAE 21434 and validated against industry benchmarks—will be substantially better positioned than one that presents a static TARA report from the initial product design phase.

Winners Consulting Services' Perspective and Action Recommendations

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) assists Taiwan's automotive supply chain in achieving TISAX certification, implementing ISO/SAE 21434, and meeting UNECE WP.29 UN-R155 CSMS requirements. Based on the insights from Bryans et al. (2023), we recommend the following three-stage approach for Taiwanese automotive suppliers:

  1. Cross-Subsystem TARA Integration Assessment: Begin by mapping your product's ECU architecture and identifying all functional interfaces between subsystems. Construct an integrated attack tree that reveals cross-subsystem attack paths invisible in conventional component-level TARA. This integrated view directly supports ISO/SAE 21434 compliance documentation and accelerates OEM customer review cycles by presenting a defensible, system-level risk perspective.
  2. Residual Risk Dynamic Tracking Mechanism: Establish a formal process for recalculating residual risk values each time a defensive measure is deployed, updated, or removed. Align this process with ISO/SAE 21434 Chapter 15 post-development monitoring obligations. Maintain timestamped residual risk records as the primary evidence base for TISAX reassessment cycles (typically required every three years) and for responding to OEM audit inquiries.
  3. CSMS Operational Integration: Embed the integrated residual risk management framework into your existing CSMS operating procedures, including staff training, documentation system updates, and quarterly review cadences. This ensures that UNECE WP.29 UN-R155's requirement for a continuously effective CSMS is met not just at the time of initial assessment, but throughout the product lifecycle. Most Taiwanese suppliers can complete this integration within 7 to 12 months with structured external support.

Winners Consulting Services Co. Ltd. offers a complimentary Automotive Cybersecurity Mechanism Diagnostic, helping Taiwan's enterprises establish a TISAX-compliant management system within 7 to 12 months.

Frequently Asked Questions

How does an integrated attack tree differ from a standard attack tree in the context of ISO/SAE 21434 TARA?
A standard attack tree analyzes threats to a single system component or ECU in isolation, which satisfies ISO/SAE 21434's minimum TARA requirements at the item level. An integrated attack tree, as defined by Bryans et al. (2023), merges multiple subsystem attack trees into a unified system-level view, revealing cross-subsystem attack paths that are structurally invisible in component-level analyses. For example, a vulnerability in an ACC sensor could be exploited through an ALC interface in ways that neither subsystem's individual attack tree would capture. The integrated approach enables analysts to calculate residual risk across the entire vehicle system after each defensive update, producing a more complete and auditable risk record. For Taiwan's Tier 1 suppliers submitting TARA documentation to European OEM customers, the integrated approach meets a higher standard of evidence that is increasingly expected in supplier audits.

What are the most common residual risk management compliance gaps Taiwan suppliers face during TISAX reassessment?
The most common gap is the absence of a structured post-certification risk tracking process. Many Taiwanese suppliers treat TISAX certification as a project endpoint, but the three-year validity period requires demonstrable evidence that the CSMS has been actively maintained. ISO/SAE 21434 Chapter 15 mandates post-development cybersecurity monitoring, which includes tracking changes to system architecture, new vulnerability disclosures, and updates to defensive measures—all of which trigger the need for residual risk re-evaluation. Suppliers that lack timestamped residual risk records and documented CSMS review cycles frequently receive findings during reassessment audits related to "CSMS not continuously operational." Establishing a semi-annual residual risk review cadence, aligned with the integrated attack tree framework, is the most effective way to close this gap before the reassessment cycle begins.

What are the core TISAX requirements, and how long does it realistically take for a Taiwanese supplier to achieve certification?
TISAX (Trusted Information Security Assessment Exchange) is the automotive industry's information security assessment framework, developed by the German Association of the Automotive Industry (VDA) as an extension of ISO/IEC 27001 with automotive-specific requirements covering vehicle cybersecurity (aligned with ISO/SAE 21434), prototype protection, and connected vehicle data handling. Suppliers typically target Assessment Level 2 (AL2), which requires an on-site audit by an accredited assessment body. For Taiwanese suppliers with an existing ISO 27001 certification and basic automotive cybersecurity practices, gap remediation and assessment preparation typically takes 4 to 6 months. For suppliers building an ISMS from scratch, the realistic timeline is 9 to 12 months. Winners Consulting Services recommends starting with a VDA ISA self-assessment to quantify the gap before committing resources to a structured preparation program.

How should a mid-sized Taiwanese automotive supplier evaluate the cost and benefit of implementing an integrated attack tree analysis?
The primary cost components of an integrated attack tree implementation are professional consulting hours (typically 55–65% of total cost), internal staff training (15–20%), and tooling or software licenses (10–20%). For a Tier 2 supplier with a product portfolio covering 2 to 3 ECU modules, the initial integrated attack tree construction and documentation typically requires 6 to 10 weeks of structured effort. The benefit case is increasingly clear: European and Japanese OEM supplier audits now routinely request cross-subsystem TARA documentation, and suppliers who can provide this evidence gain a measurable competitive advantage in new business bids. Early adopters among Taiwan's automotive component manufacturers report that the differentiation benefit becomes quantifiable within 12 to 18 months of implementation, through both retained business and new contract wins with OEM customers who use TISAX compliance as a qualification criterion.

Why should Taiwanese automotive companies engage Winners Consulting Services for Automotive Cybersecurity (AUTO) advisory?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) combines automotive engineering domain knowledge with regulatory compliance expertise in ISO/SAE 21434, TISAX, and UNECE WP.29 UN-R155—a combination that distinguishes us from general information security consultancies. Our consulting team has hands-on experience translating academic methodologies, such as the integrated attack tree framework discussed in this article, into practical TARA documentation that satisfies OEM customer audit requirements. We offer a complimentary automotive cybersecurity mechanism diagnostic that helps Taiwanese suppliers prioritize compliance gaps before committing to a full implementation program, ensuring resources are directed where they will have the greatest regulatory and commercial impact. Our structured programs are designed to bring most Taiwanese automotive suppliers to TISAX readiness within 7 to 12 months.
---

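Japanese Version

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is drawing attention to an important academic study published in 2023. The study proposes an "integrated residual risk management framework" that uses an integrated attack tree method spanning multiple subsystems, and it has been shown to satisfy more than 75% of the industry's principal risk management framework requirements. For Taiwan's automotive suppliers seeking to conform to the ISO/SAE 21434 standard, obtain TISAX certification, and meet the cybersecurity management system (CSMS) requirements of UNECE WP.29 (UN-R155), it offers a practical, standards-aligned approach.

Paper source: Integrated Attack Tree in Residual Risk Management Framework (Bryans, Jeremy; Jadidbonab, Hesamaldin; Khan, Ahmed Nawaz; arXiv, 2023)
Original paper link: https://doi.org/10.3390/info14120639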

Source Paper

Integrated Attack Tree in Residual Risk Management Framework (Bryans, Jeremy; Jadidbonab, Hesamaldin; Khan, Ahmed Nawaz; arXiv, 2023)