The road not taken yet: a review of cyber security risks in mobility-as-a-service (MaaS) ecosystems and a research agenda

This paper identifies the state-of-the-art key aspects for the development of mobility-as-a-service (MaaS) ecosystems and provides evidence on the importance of cyber security which has been broadly overlooked in the literature. The analysis is carried out in three stages: (i) a literature review, (ii) a presentation of expert workshop findings, and (iii) a synthesis of both findings to develop a research agenda on cyber security aspects of MaaS ecosystems. The review identifies and bridges the gap between two strands of MaaS literature: the studies that focus on the factors that drive the development of MaaS, and those that create narratives of future MaaS scenarios. The analysis employs the Business Model Canvas to synthesise important factors that underline the development of MaaS in a 7-dimension matrix. This matrix is then used to assess to what extent the available MaaS scenarios cover such dimensions, showing that the literature has overlooked the incentives for users, incentives for MaaS providers, public governance and cyber security elements of the MaaS development. Finally, this paper synthesises the findings from the review of the literature and an expert workshop to develop a research agenda to characterise and analyse the role of incentives to influence the individuals' and organisations' data sharing preferences and emerging cyber security risks in MaaS ecosystems, which will be of interest to both scholars and policymakers. Only through explicit consideration of data-sharing behaviours and risks across individuals and organisations that MaaS ecosystems can support the transition to a net-zero economy.