In this paper, a novel model for the cyber-security analysis of Level 3 (L3) Automated Driving (AD) systems is proposed by integrating aspects of functional safety. The model is built based on the state-of-the-art framework for cyber security analysis, known as Threat Analysis and Risk Assessment (TARA), which quantifies the likelihood and the impact of attack and combines them in order to derive an attack risk value. The novelty lies in the bespoke integration of the impact calculation, which incorporates the notion of controllability of an attack by the AD system and/or by the driver. The proposed model is applied for the Urban Chauffeur and the Highway Chauffeur AD system functions, providing insights into the security risk in a wide area of distinct operational design domains as defined by SAE J3016. Remote attack surfaces (e.g., modifications of road infrastructure) are also taken into account in the analysis.