The RAID approach has been developed to identify and mitigate threats for an ITS system. The approach consists of three steps. The first step described the deployment scenario and identifies the risks involved. The second step defines mitigation actions for the most important risks, and the third step formulates recommendations. Only step one is presented in this appendix, the other two steps have been given in the main report (section 5.2)
C.1 Step 1: Risk identification
The risk analysis follows a scenario based approach in order to be able to define proper mitigation actions in relation to the context or the environment. Therefore the deployment scenario has to be determined before the analysis can be started with. When this scenario is clear, the threats that come along with it can be identified.
C.1.1 Deployment scenario
The deployment scenario consists of four elements; the geographical scope, the main trends for ITS development planning, the level of cooperation, and the time horizon. Another important part of the deployment scenario is the relation of Intelligent Navigation with the HD Traffic developed by however the scope will only be the Dutch network. The reason for choosing this scope is that the aim of the project is to put the Intelligent Navigation system aside the HD Traffic system. This system operates on the Dutch network as well and will be expanding to the United Kingdom in the near future. Since most of the popular navigation systems operate internationally, the scope has not many other options than do the same.
ITS development: trends, services
The Intelligent Navigation system is focused on the improvement of efficiency of the transport network as well as on disseminating real-time information to end-user. The improvement of efficiency of the transport network is focused on by distributing traffic more evenly on the network.
To be able to distribute traffic this way, real-time information has to be disseminated to the end-user.
Level of cooperation (public-private)
The project is executed completely by parties in the private sector. First there is the company that develops the system, next there are the component producers and the information provider. At first this information is delivered by both a telecom provider and the road operator. This is to calibrate the accuracy of data provided by the telecom provider. After this calibration period, only the telecom provider will deliver the real-time information.
Time horizon
Because the Intelligent Navigation system will have to compete with the HD Traffic system by TomTom, it will be hard to gain market share. Therefore 10% market share is aimed at within one year after implementation of the system. Than five years after implementation a marker share of
BIJLAGEN Intelligent Transport Systems 2, University of Twente | Group 4 – K. Kant & S. Beumer 47 25% has to be reached in order to have sufficient funds to continue business. The market that is
meant here is the market for the concerned system. It is assumed that this system will result in a product line that will evolve in the upcoming years. Therefore a time horizon of five years becomes relevant.
C.1.2 Threat assessment
Considering this deployment scenario, the threats can be identified. A list of threats is composed and each of them is assessed. The assessment consists of a description of the threat, its consequences, probability of occurrence, and level of impact. Combining the last two aspects results in a rating. For the red and orange rated risks a mitigation strategy is presented in the main report. A complete list of all the threats is given below.
1. Hardware fails system not used
The hardware that is put in the system could fail due to some different causes. There could be a virus, a manufacturing failure, or a loss of power. The consequence of this threat is that the system will not be used, because it does not work. Eventually, if this happens too many times, bad publicity will harm the product and or company.
The probability of occurrence is low since hardware failure is not every day business anymore. A lot of systems depend on hardware and that is why hardware has such high performance. The level of impact however is high, because when the system does not function, it has no use. The objective is that the system is being used after all.
2. Software fails system used wrongly / not used at all
The software that is put in the system, and updated regularly, could fail due to some different causes as well. This failure could be caused by a design fault, or a virus that gains access. The consequence of this threat is that the system will not function at all, or function incorrectly. Incorrect use of the system could be a result, which is a threat on its own.
The probability of occurrence is low for the same reason that applied for hardware failure. Although software failure occurs a lot more than hardware failure, it still does not happen often. The level of impact is high again as well, but maybe even higher. Software failure does not always lead to system failure; it can lead to changes in the system as well. It for example can give wrong information.
3. Energy supply fails system shuts down
The systems energy supply could be cut off. The connection to the in-car battery could be lost, or the in-car battery could run out of power itself. The battery of the system itself could run out of power as well. The consequence of this threat is that the system shuts down and the user cannot use the system any longer.
The probability of occurrence is low because to become a problem for the system, both external and internal energy supply would have to fail at the same time. The level of impact is medium because the user can easily change the internal battery. The external energy supply can be recharged easily as well. This threat does no bring permanent damage to the system.
4. Receiver gets wrong GPS position system calculates wrong route
The system uses GPS data to determine the present location of the vehicle. This is the origin from where the navigation system calculates a route. The GPS position the system receives could be missing or wrong for some reasons. The consequence of this threat is that the system cannot calculate a route or it calculates a wrong route.
The probability of occurrence is low because GPS is a very stable application. If the connection with GPS is made, it can be wrong some meters. Any bigger divergence is unlikely. The level of impact is high because the basic objective of the system is to help drivers navigate. If the assumption of the route is based on a wrong present position, it cannot present a proper route.
BIJLAGEN Intelligent Transport Systems 2, University of Twente | Group 4 – K. Kant & S. Beumer 48 5. System has wrong maps system does not function correctly
The system uses maps to determine the route from a point of origin towards a destination. These maps could be wrong or outdated. The system could be using the maps in a wrong way as well. The consequence of this threat is that the system is unable to navigate and cannot function correctly.
The probability of occurrence is medium because the maps used by navigation systems are not always updated that well. The chance maps are wrongly updated is smaller. The level of impact is medium, because it can give a lot of irritation to the driver. They assume they are buying a modern system, but still the system does not function correctly.
6. Access to maps fails system does not function correctly
The system uses maps to determine the route from a point of origin towards a destination. Access to these maps could fail because of an internal or external error. The consequence of this threat is that the system is unable to navigate and thus cannot function correctly.
The probability of occurrence is low because the maps are integrated in the system and an important segment of it. The communication lines between the several segments are very unlikely to fail. The level of impact is medium because the driver will get a warning. This way the user is informed about the error. He will however be disappointed his device does not function correctly.
7. System is too expensive no development / no sales
If the development of the system is too expensive, a higher selling price is needed to cover all the costs. A selling price that is too high, without the need to cover high development cost is part of this threat as well. The consequence of this threat is that the system will not be easily sold. If sales stay behind the net income for the company will be negative. Eventually the product will not be sold anymore.
Probability of occurrence is medium because however the competition forces us to ask a lower price, the development costs have to be paid for. It is hard to say what people would be willing to pay for the system. The level of impact is high because the system is not used.
8. System offers only limited benefits for user system is not used
If the system offers only limited benefits for users, they will not use the system any longer and advice other drivers not to buy the system. Essentially, if there is too less benefit, the system will be considered useless. The consequence of this threat is that sales will decrease and fade away.
Eventually profit will decrease as well.
The probability of occurrence is low because all important elements are implemented. The features other navigation systems have as well as the innovational dynamic aspect. The level of impact is medium, because when someone would like another feature, this will result in disappointment.
9. Bad publicity decrease in sales
Consumers that are disappointed or caused damage by the system can harm the company by accusing them. Consumer organizations can bring out negative reviews of the product. The consequence of this threat is that sales will decrease caused by negative image developments.
The probability of occurrence is high because it even happened to TomTom when they introduced their HD Traffic system. A new company introducing a similar product on the market will draw attention as well. Any minor mistake will be enlarged probably. The level of impact is high as well because image is very important for a company putting a system as this one on the market. Any bad publicity therefore is very unlikely.
10. Competitors maintain too big market share not enough profit
TomTom already has a similar product on the market and has the biggest market share at the moment. The goal is to decrease their market share by introducing a new product with which own market share is gained. The threat is that this will not happen and that TomTom maintains a too big market share. The consequence of this threat is that fewer products are sold and it becomes a risk that TomTom rules the company out or takes it over.
BIJLAGEN Intelligent Transport Systems 2, University of Twente | Group 4 – K. Kant & S. Beumer 49 The probability of occurrence is high because it is hard to compete with TomTom. They have
competition from other companies, but are a very large and aggressive player on the market. The tendency of TomTom is to be self supporting for all sub-systems. They plan to take over TeleAtlas for example to implement in their operations. This way they maintain their market share at a very high level. The level of impact is medium because doing business while competing with TomTom is expected to be hard. If the moment comes where TomTom takes over the company it is a signal that the company does pretty well. If however the company goes bankrupt, the objective is not reached.
11. Regulations brought up by public authorities adjustments needed
The system could not comply with instructions and regulations brought up by public authorities.
These instructions or regulations could for example be on the design of the interface. The consequence of this threat is that the company will not get permission to sell the system on the market or has to make adjustments before getting permission.
The probability of occurrence is medium because personal data from users is used in the system.
Regulations on this particular aspect as well as those for driving environments are eminent. The level of impact is medium because public authorities can delay the process. If adjustments are needed, this will cost time and money, but eventually the system will get on the market.
12. Differences between countries disaggregated implementation
The aim of the project is to eventually introduce the system on the European market. The threat is that there are too many different regulations and characteristics between the countries for a successful united implementation. The consequence of this threat is that a unified implementation is not feasible and a disaggregated way of implementation is needed.
The probability of occurrence is medium because the market that is aimed for eventually is Europe.
And within the European Union, there are quite some differences. These do however disappear every day. The level of impact is medium because they will probably delay the development and implementation. The cooperation however is growing within Europe.
13. No cooperation with phone company no dynamic traffic data
The traffic data should be collected using data from phone companies. If however these companies are not willing to cooperate in the project, this will not be possible. The consequence of this threat is that traffic data has to be collected traditionally by the road operator. In the Netherlands this is only done for major roads, and outside the Netherlands even this information is hard to retrieve.
The probability of occurrence is medium because a mobile phone company has to be willing to cooperate with a navigation system supplier that is just new on the market. This phone company has got to have many customers as well, for this gives the best result. The level of impact is high because when no mobile phone company is willing to cooperate, the system has fewer possibilities for real dynamic exist. The service will thus be less attractive.
14. System is used extensively congestion on alternative route
If the system is going to be used by every driver on the network, the possibility exists that everybody gets the advice to take an alternative route. The consequence of this threat is if every driver follows this advice, it is very likely that congestion will occur on that route as well.
The probability of occurrence is low because it is not expected that every driver on the network will be using the system. And not every driver will be choosing the alternative route either. The level of impact is medium because if it happens, new congestion comes into existence. Because of the dynamic traffic information, this congestion is taken into account when planning new routes.
15. Users do not choose alternative route special function gone
If the system notices an alternative route that is better than the present proposed route, it proposes the alternative route to the driver. The driver has the choice to follow the initially or the newly proposed route. The threat is that none of the drivers will follow the newly proposed route. The consequence of this threat is that the system is useless, because the main goal of it is not reached.
BIJLAGEN Intelligent Transport Systems 2, University of Twente | Group 4 – K. Kant & S. Beumer 50 The probability of occurrence is low because the second questionnaire that was held showed that
people are willing to change routes if it offers enough advantages. It is expected that this will be the case in reality as well. The level of impact is medium because if people do not choose the alternative route, they still can use the system. It looses however its’ special feature.
16. Access to traffic data fails special function gone
The system uses real time traffic data by using data from a mobile phone and road operator. Access to this data could fail for some reasons. The consequence of this threat is that the function the system is designed for does not function. The system will consequently be no different compared to normal navigation systems.
The probability of occurrence is medium because the information comes from an external database.
Communicating with external databases could fail occasionally. The level of impact is medium because if people can not choose the alternative route, they still can use the system. It looses however its’ special feature.
17. Traffic data altered during communication wrong route calculated
The system uses real time traffic data by using data from a mobile phone and road operator. This information could be altered during communication from the supplier to the system. The consequence of this threat is that the system calculates less optimal routes and drivers are misled.
The probability of occurrence is medium because the information comes from an external database.
During the communication things can happen to the data that change its content. The level of impact is medium because the data is updated every five minutes. Therefore if data is altered ones, the system will notice.
18. Bad information given to driver driver is confused / bad publicity
The interface is designed to give the driver the information he needs. This information supply could however be vague, or too complicated. The interface could give too much, too little, or no information at all for some reasons. This would be due to bad design, different preferences among users, or system failure. The consequence of this threat is that the driver is confused while driving.
Another consequence is bad publicity which causes fewer sales.
The probability of occurrence is low because all important elements are implemented. The features other navigation systems have as well as the innovational dynamic aspect. Besides, all features implemented in the system are considered important or very important in the first questionnaire.
The level of impact is low as well because all features can be shut down by the user himself.
19. Too much attention asked from driver accidents / bad publicity
The system is designed to assist the driver while navigating on the network. The system however could be taking too much attention from the driver for some reasons. The consequence of this threat is that accidents will occur, because drivers pay less attention to the other road users. Eventually this
The system is designed to assist the driver while navigating on the network. The system however could be taking too much attention from the driver for some reasons. The consequence of this threat is that accidents will occur, because drivers pay less attention to the other road users. Eventually this