Overview
The Security Threat Assessment Risksheet is a specialized risk analysis template designed for DO-326A compliance. It follows a structured workflow for identifying threats using STRIDE categories, assessing threat likelihood and impact, allocating security controls (countermeasures), and tracking residual risk through Security Assurance Levels (SAL).
Risksheet Structure
The Security Threat Assessment Risksheet contains 15 columns organized into 5 header groups:

| Header Group | Columns | Purpose |
|---|---|---|
| Asset | System Element, Attack Surface | Identify what is being threatened |
| Threat | STRIDE Category, Title, Description | Classify and describe the threat |
| Initial Assessment | Likelihood, Impact, SAL | Evaluate pre-mitigation risk |
| Controls | Countermeasure ID, Title, Status | Allocate security countermeasures |
| Residual | Likelihood, Impact, SAL | Verify post-mitigation risk |
Hierarchy
The risksheet uses a 3-level hierarchy:
System Element — Top-level system element being assessed (e.g., “Flight Control Computer”)
Threat Category — STRIDE threat type grouping (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)
Attack Scenario — Specific threat instance with details
Column Reference
Asset Group
| Column | Type | Values | Description |
|---|---|---|---|
| System Element | Item Link | systemElement work items | The system element being threatened. Links to the decomposed system hierarchy. |
| Attack Surface | Text | Free text | Identifies the specific attack surface or interface (e.g., “ARINC 429 data bus”, “Power supply input”, “Software update port”). |
Threat Group
| Column | Type | Values | Description |
|---|---|---|---|
| STRIDE Category | Enumeration | Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege | STRIDE threat classification per DO-326A methodology. |
| Title | Text | Free text | Short threat description (e.g., “Unauthorized data injection into sensor inputs”). |
| Description | Text | Long text | Detailed threat narrative explaining attack method, preconditions, and potential impact. |
Initial Assessment Group
| Column | Type | Default | Description |
|---|---|---|---|
| Likelihood | Enumeration | Unlikely | Probability of threat exploitation: Unlikely, Possible, Likely, Almost Certain. |
| Impact | Enumeration | Negligible | Consequence severity if threat succeeds: Negligible, Minor, Major, Catastrophic. |
| SAL (Initial) | Formula | Auto-calculated | Security Assurance Level (0–3) computed from Likelihood × Impact 4×4 matrix. See SAL Auto-Calculation below. |
Controls Group
| Column | Type | Default | Description |
|---|---|---|---|
| Countermeasure ID | Item Link | riskControl work items | Links to the security control (countermeasure) that mitigates this threat. |
| Countermeasure Title | Text | Auto-populated from link | Name of the countermeasure (e.g., “Data validation on sensor inputs”, “Encryption of flight data”). |
| Status | Enumeration | Open | Implementation status: Open, In Progress, Implemented, Verified. |
Residual Group
| Column | Type | Default | Description |
|---|---|---|---|
| Likelihood (Residual) | Enumeration | Unlikely | Post-mitigation threat likelihood after countermeasures are applied. |
| Impact (Residual) | Enumeration | Negligible | Post-mitigation impact assessment. |
| SAL (Residual) | Formula | Auto-calculated | Post-mitigation SAL computed from residual Likelihood × Impact. Typically lower than Initial SAL if controls are effective. |
SAL Auto-Calculation
The Security Assurance Level is automatically calculated from a 4×4 likelihood-impact matrix:
```
// Likelihood levels: Unlikely (1), Possible (2), Likely (3), Almost Certain (4)
// Impact levels: Negligible (1), Minor (2), Major (3), Catastrophic (4)

SAL Matrix:
┌──────────────┬───────┬───────┬───────┬──────────────┐
│ Likelihood \ │ Neg.  │ Minor │ Major │ Catastrophic │
│ Impact       │ (1)   │ (2)   │ (3)   │ (4)          │
├──────────────┼───────┼───────┼───────┼──────────────┤
│ Unlikely (1) │ SAL-0 │ SAL-0 │ SAL-1 │ SAL-2        │
│ Possible (2) │ SAL-0 │ SAL-1 │ SAL-2 │ SAL-3        │
│ Likely (3)   │ SAL-1 │ SAL-2 │ SAL-3 │ SAL-3        │
│ Almost (4)   │ SAL-2 │ SAL-3 │ SAL-3 │ SAL-3        │
└──────────────┴───────┴───────┴───────┴──────────────┘

SAL-0: Green (Lowest assurance required)
SAL-1: Yellow (Moderate assurance)
SAL-2: Orange (High assurance)
SAL-3: Red (Highest assurance required)
```
The formula automatically updates when Likelihood or Impact values change, enabling real-time risk re-assessment as countermeasures are added.
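The following is an added example, not the template's own formula or code from the project: it encodes the matrix above as a lookup and reviews rows by comparing initial and residual SAL against the control status. The row field names and the three review rules are illustrative assumptions.

```javascript
// Added example. Row field names (likelihood, impact, resLikelihood, resImpact,
// status, title) are assumptions, not the template's actual field IDs.
const LIKELIHOOD = ["Unlikely", "Possible", "Likely", "Almost Certain"];
const IMPACT = ["Negligible", "Minor", "Major", "Catastrophic"];

// Rows = likelihood (1..4), columns = impact (1..4), values = SAL 0..3.
const SAL_MATRIX = [
  [0, 0, 1, 2],
  [0, 1, 2, 3],
  [1, 2, 3, 3],
  [2, 3, 3, 3],
];

function sal(likelihood, impact) {
  const l = LIKELIHOOD.indexOf(likelihood);
  const i = IMPACT.indexOf(impact);
  // Reject unknown enumeration values instead of silently scoring them SAL-0.
  if (l < 0 || i < 0) {
    throw new RangeError(`unknown rating: ${likelihood} / ${impact}`);
  }
  return SAL_MATRIX[l][i];
}

// Flags rows whose controls have not demonstrably reduced risk (assumed rules).
function reviewRow(row) {
  const initial = sal(row.likelihood, row.impact);
  const residual = sal(row.resLikelihood, row.resImpact);
  const findings = [];
  if (residual > initial) findings.push("residual SAL exceeds initial SAL");
  if (initial > 0 && residual === initial) findings.push("no SAL reduction");
  if (residual < initial && row.status !== "Verified") {
    findings.push(`reduction claimed but control status is ${row.status}`);
  }
  return { title: row.title, initial, residual, findings };
}

// Constructed sample rows (not project data).
const rows = [
  { title: "Sensor input injection", likelihood: "Likely", impact: "Catastrophic",
    resLikelihood: "Unlikely", resImpact: "Catastrophic", status: "Verified" },
  { title: "Update port tampering", likelihood: "Possible", impact: "Major",
    resLikelihood: "Unlikely", resImpact: "Major", status: "Open" },
  { title: "Log repudiation", likelihood: "Possible", impact: "Minor",
    resLikelihood: "Possible", resImpact: "Minor", status: "Implemented" },
];

const report = rows.map(reviewRow);
console.log(JSON.stringify(report, null, 2));
```

Rows with an empty `findings` array have a lower residual SAL backed by a Verified control; the others are candidates for reviewer attention before the residual rating is accepted.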
Views
The Security Threat Assessment Risksheet provides 5 guided workflow views:

| View | Focus | Use Case |
|---|---|---|
| Full Analysis | All columns visible | Comprehensive threat analysis with all data |
| Identify Threats | Asset + Threat groups | Threat discovery and characterization phase |
| Initial Assessment | Asset + Threat + Initial Assessment groups | Risk scoring and countermeasure prioritization |
| Security Controls | Initial SAL + Controls + Residual | Countermeasure allocation and tracking |
| Residual Assessment | Initial vs. Residual Assessment | Risk mitigation effectiveness verification |
These views parallel the FMEA step-by-step workflow but are adapted for security context per DO-326A threat assessment methodology.
Risk Item Type
All rows in the Security Threat Assessment Risksheet are work items of type securityThreat. This work item type:
Carries custom fields for threat classification, SAL tracking, and countermeasure linkage
Supports bidirectional linking to system elements (asset ownership) and risk controls (mitigation)
Enables cross-risksheet traceability between threat assessment and control plan
Integrates with compliance and audit workflows
Document Scope
The Security Threat Assessment Risksheet is project-scoped, not element-scoped. Unlike SFMEA and DFMEA documents, which are bound to specific system elements via systemElementId, the security threat analysis covers the entire system or subsystem as defined in the threat identification scope.
The exact mechanism for scoping threat analysis (whole system vs. subsystem) to specific risksheet instances depends on project configuration. Refer to your project’s Security Threat Analysis document instance to confirm the scope boundary (system vs. subsystem level).
Countermeasure Traceability
Security countermeasures are tracked via the mitigates link role, connecting:
Security Threat (source) ← mitigates → Risk Control (target)
Each risk control can mitigate multiple threats. The Controls group displays:
Which countermeasure(s) address this threat
Implementation status (Open → In Progress → Implemented → Verified)
Whether the residual risk meets SAL target after control implementation
Configuration Interaction with System Elements
The Security Threat Assessment document is configured with a systemElementId custom field (if scoped to a subsystem) or left empty (if project-scoped). The top panel uses this field to:
Display the threatened system element in breadcrumb navigation
Link to related design and functional documents for that element
Filter threat analysis views to the scoped system element
Confirm the scoping mechanism (element-scoped vs. project-scoped) in your Security Threat Template instance.
Integration with Compliance and Certification
Security Threat Assessment data feeds into:
Compliance Matrix — DO-326A threat assessment evidence and control status
Certification Readiness Scorecard — SAL coverage percentage, residual risk distribution
Risk Control Plan — Centralized view of all countermeasures across the project
Security Reports — STRIDE threat inventory, SAL heatmap, control effectiveness summary
Data Export and PDF
The Security Threat Assessment Risksheet supports:
PDF Export — Professional risk report with all columns, threat descriptions, and control assignments
Excel Export — Threat inventory for external review and stakeholder communication
API Access — Programmatic access to threat and control data via Polarion SOAP API
Security Threat Assessment is a mandatory activity for DO-326A (Airborne Cyber Security). Ensure all credible threats are identified and assessed, and that residual SAL levels meet certification requirements per your project’s DO-326A compliance plan.