
Prerequisites

  • A Polarion project with threat and countermeasure work item types defined
  • A Risksheet configuration file attached to your document (see Find Configuration Files)
  • Familiarity with the six STRIDE threat categories

Step 1: Define Threat Data Types

Configure the dataTypes section in your risksheet.json to use threat-specific work item types. STRIDE analysis uses a threat work item as the primary risk type and countermeasures as downstream tasks:
{
  "dataTypes": {
    "risk": {
      "type": "threat",
      "role": "has_threat"
    },
    "task": {
      "type": "countermeasure",
      "role": "mitigates_threat",
      "showInMenu": true
    }
  }
}
Risksheet is fully configurable and does not require specific work item types — use whatever types your project defines. The type and role values must match your Polarion project configuration.

Step 2: Configure STRIDE Category Enumerations

Define the six STRIDE threat categories as an enumeration in your configuration:
{
  "enums": {
    "strideCategory": [
      { "id": "S", "name": "Spoofing", "description": "Impersonating something or someone" },
      { "id": "T", "name": "Tampering", "description": "Modifying data or code" },
      { "id": "R", "name": "Repudiation", "description": "Claiming to have not performed an action" },
      { "id": "I", "name": "Information Disclosure", "description": "Exposing information to unauthorized users" },
      { "id": "D", "name": "Denial of Service", "description": "Denying or degrading service" },
      { "id": "E", "name": "Elevation of Privilege", "description": "Gaining unauthorized capabilities" }
    ]
  }
}
| STRIDE Category | Threat Type | Security Property Violated |
| --- | --- | --- |
| Spoofing | Identity | Authentication |
| Tampering | Data integrity | Integrity |
| Repudiation | Non-repudiation | Non-repudiation |
| Information Disclosure | Confidentiality | Confidentiality |
| Denial of Service | Availability | Availability |
| Elevation of Privilege | Authorization | Authorization |

Step 3: Set Up Rating Scales

Define severity and likelihood ratings appropriate for cybersecurity threat assessment:
{
  "ratings": {
    "threatSeverity": [
      { "id": "1", "name": "Low", "description": "Minimal impact on system security" },
      { "id": "2", "name": "Medium", "description": "Limited security impact, contained" },
      { "id": "3", "name": "High", "description": "Significant security breach" },
      { "id": "4", "name": "Critical", "description": "Complete system compromise" }
    ],
    "threatLikelihood": [
      { "id": "1", "name": "Unlikely", "description": "Requires specialized knowledge and access" },
      { "id": "2", "name": "Possible", "description": "Feasible with moderate effort" },
      { "id": "3", "name": "Likely", "description": "Known attack vectors exist" },
      { "id": "4", "name": "Almost Certain", "description": "Actively exploited in the wild" }
    ]
  }
}

Step 4: Configure STRIDE Columns

Set up the column layout to capture threat details, STRIDE classification, risk assessment, and countermeasures:
{
  "columns": [
    { "binding": "title", "header": "Threat Description", "width": 250 },
    { "binding": "strideCategory", "header": "STRIDE", "type": "enum:strideCategory", "width": 140 },
    { "binding": "asset", "header": "Asset", "width": 150 },
    { "binding": "attackVector", "header": "Attack Vector", "width": 200 },
    { "binding": "threatSeverity", "header": "Severity", "type": "rating:threatSeverity", "width": 100 },
    { "binding": "threatLikelihood", "header": "Likelihood", "type": "rating:threatLikelihood", "width": 100 },
    { "binding": "riskLevel", "header": "Risk Level", "formula": "threatRisk", "width": 100 },
    { "binding": "countermeasureId", "header": "Countermeasure", "type": "taskLink", "width": 150 },
    { "binding": "countermeasureStatus", "header": "CM Status", "type": "taskAttrib", "width": 120 }
  ]
}

Step 5: Add Threat Risk Formula

Define a formulas entry that calculates threat risk level from severity and likelihood:
{
  "formulas": {
    "threatRisk": "function(info){ var s = info.item['threatSeverity']; var l = info.item['threatLikelihood']; if (!s || !l) return null; return s * l; }"
  }
}

Step 6: Apply Conditional Formatting

Add cellDecorators to visually distinguish threat risk levels with color coding:
{
  "cellDecorators": {
    "threatRiskDecorator": "function(info){ var val = info.value; $(info.cell).toggleClass('rpn1', val > 0 && val <= 4); $(info.cell).toggleClass('rpn2', val > 4 && val <= 9); $(info.cell).toggleClass('rpn3', val > 9); }"
  },
  "styles": {
    ".rpn1": { "background-color": "#eaf5e9 !important", "color": "#1d5f20 !important" },
    ".rpn2": { "background-color": "#fff3d2 !important", "color": "#735602 !important" },
    ".rpn3": { "background-color": "#f8eae7 !important", "color": "#ab1c00 !important" }
  }
}
This maps risk levels to three tiers: low (1–4, green), medium (5–9, yellow), and high (10+, red).
You can have multiple Risksheet configurations in the same project — for example, a STRIDE threat analysis alongside an FMEA safety analysis. Each LiveDoc document has its own risksheet.json attachment with independent configuration.
STRIDE analysis configuration uses the same Risksheet engine as FMEA and HARA. Verify that the specific work item types, link roles, and custom fields are defined in your Polarion project before deploying the configuration.

Verification

After saving your configuration:
  1. Open the Risksheet in the configured LiveDoc document
  2. Create a new threat item — verify the STRIDE category dropdown shows all six categories
  3. Select severity and likelihood ratings — confirm the risk level formula calculates automatically
  4. Add a countermeasure — verify it appears as a downstream task with the configured link role
  5. Check that conditional formatting highlights risk levels with the correct color bands
You should now see a Risksheet grid tailored for STRIDE threat analysis with category classification, risk scoring, color-coded risk levels, and linked countermeasures.
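
The reference and color-band checks above can also be run offline before the file is attached. The following is an added example, not Risksheet or Nextedy code: it runs the formula and decorator strings from Steps 5 and 6 over every severity and likelihood pair. The helper names (`compile`, `danglingRefs`, `riskMatrix`), the trimmed merged config, and the `$` stub standing in for jQuery are assumptions made for the example.

```javascript
// Constructed input: the page's Step 2-6 fragments merged and trimmed to the fields checked here.
const config = {
  enums: { strideCategory: ["S", "T", "R", "I", "D", "E"].map((id) => ({ id })) },
  ratings: {
    threatSeverity: ["1", "2", "3", "4"].map((id) => ({ id })),
    threatLikelihood: ["1", "2", "3", "4"].map((id) => ({ id }))
  },
  columns: [
    { binding: "strideCategory", type: "enum:strideCategory" },
    { binding: "threatSeverity", type: "rating:threatSeverity" },
    { binding: "threatLikelihood", type: "rating:threatLikelihood" },
    { binding: "riskLevel", formula: "threatRisk" }
  ],
  formulas: { threatRisk: "function(info){ var s = info.item['threatSeverity']; var l = info.item['threatLikelihood']; if (!s || !l) return null; return s * l; }" },
  cellDecorators: { threatRiskDecorator: "function(info){ var val = info.value; $(info.cell).toggleClass('rpn1', val > 0 && val <= 4); $(info.cell).toggleClass('rpn2', val > 4 && val <= 9); $(info.cell).toggleClass('rpn3', val > 9); }" }
};

// Hypothetical helper: compile a "function(info){...}" string, injecting `$` so no jQuery is needed.
function compile(src, $) {
  return new Function("$", "return (" + src + ");")($);
}

// Hypothetical helper: bindings of columns whose enum:, rating: or formula reference is undefined.
function danglingRefs(cfg) {
  const missing = [];
  for (const col of cfg.columns) {
    const [kind, name] = (col.type || "").split(":");
    if (kind === "enum" && !(cfg.enums || {})[name]) missing.push(col.binding);
    if (kind === "rating" && !(cfg.ratings || {})[name]) missing.push(col.binding);
    if (col.formula && !(cfg.formulas || {})[col.formula]) missing.push(col.binding);
  }
  return missing;
}

// Hypothetical helper: evaluate formula and decorator for every severity x likelihood
// pair and record which CSS classes the decorator leaves switched on.
function riskMatrix(cfg) {
  const formula = compile(cfg.formulas.threatRisk);
  const decorate = (value, $) => compile(cfg.cellDecorators.threatRiskDecorator, $)({ value, cell: {} });
  const rows = [];
  for (const s of cfg.ratings.threatSeverity) {
    for (const l of cfg.ratings.threatLikelihood) {
      const value = formula({ item: { threatSeverity: s.id, threatLikelihood: l.id } });
      const classes = new Set();
      decorate(value, () => ({ toggleClass: (c, on) => (on ? classes.add(c) : classes.delete(c)) }));
      rows.push({ severity: s.id, likelihood: l.id, value, classes: [...classes] });
    }
  }
  return rows;
}
```

With the page's thresholds every one of the 16 cells gets exactly one class, but a Critical severity paired with Unlikely scores 4 and lands in the green tier, so review the bands against your own risk acceptance criteria.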
