The Effects of Cyber Readiness and Response on Human Trust in Self Driving Cars

Abstract

Self driving cars (SDC) are potentially set to revolutionise the automotive industry. Despite the promise of a plethora of purported benefits (e.g. fewer road traffic accidents, better traffic flow; lower emissions), one key concern relates to the potential for SDCs and their connected infrastructure to be cyber attacked. Aside from material losses, an adverse cyber experience is likely to undermine human trust – with trust being a key contributing factor to the uptake and use of automated technology such as SDCs.Many studies have projected the different types of cyber attacks an SDC could fall victim to [1]. Concerns about the consequences of cyber attacks for e.g. users, other road users, manufacturers, legislators, legal experts, and governments have also been raised. Procedural and technical solutions have been proposed to tackle the SDC-cyber security challenge, which includes the proposition of rankings for SDCs GPS system vulnerabilities [2].Nonetheless, it is inevitable that threat actors will compromise an SDC system(s) through either exploited vulnerabilities and/or user error. It is crucial that such an event(s) does not erode trust (e.g. leading to misuse or even disuse) if the long-term benefits of this technology are to be reaped. Therefore, the study explores whether the capability and obligation from a SDC company (who are most likely to be blamed when an attack happens) to manage a cyber attack – with regards to its readiness and response activities – impacts trust in SDC technology.Using a cutting-edge AV Simulation Driving Simulator and simulation software generated animations (SCANeR Studio) embedded into an online survey, participants watch a futuristic driving scenario where the SDC executes a variety of successful driving manoeuvres before the system falls victim to an unspecified cyber-attack. Self-reported trust is measured after each successful manoeuvre as well as following the cyber attack. The experiment follows a 3x2 – 6 condition design – manipulated between participants. In each condition, all participants are shown the same driving scenario. The independent variables (IVs) consist of the information given to the participant before and after watching the scenario: IV1 being the SDCs cyber readiness (low/medium/high) and IV2, the SDCs company’s response to the incident (positive/negative). Before watching the scenario, information about cars status (including its cyber readiness) is provided. After watching the scenario and experiencing the cyber attack, participants are provided with text detailing how the SDC company responded to the cyber attack. The key prediction is that a company with higher cyber maturity (i.e. has a high level of cyber readiness and responds positively to the incident) will be trusted more than a company/companies with lower cyber security considerations. Currently the experiment is in progress and findings and details on the implications will be presented in the paper. Future research will involve exploring the boundary conditions of the effects and extending to physiological as well as subjective measures of trust.References: [1] Phama, M. & Xiongb, K. (2021) A survey on security attacks and defense techniques for connected and autonomous vehicles, Computers & Security, 109(1), 1-29. https://doi.org/10.1016/j.cose.2021.102269[2] Sheehan, B., Murphy, F., Mullins, M., Ryan, C. (2019) Connected and autonomous vehicles: A cyber-risk classification framework. Transportation Research Part A: Policy and Practice. 124(1), 523-536. https://doi.org/10.1016/j.tra.2018.06.033The work is part of a PhD funded project by the EPSRC IDTH in Cyber Security Analytics. It is also part of an ESRC-JST (Economic & Social Research Council - Japan Science & Technology Agency) project grant reference: ES/T007079/1, Prof Morgan is UK PI : Rule of Law in the Age of AI: Principles of Distributive Liability for Multi-Agent Societies.