Skip to main content
Industry context: ISO/SAE 21434 requires automotive manufacturers to perform systematic threat analysis for connected vehicle systems. The TARA methodology identifies cybersecurity threats, scores attack feasibility using weighted factors, computes risk verdicts, and tracks treatment decisions with traceability to cybersecurity goals, requirements, and test cases.
diagram

Levels Configuration

Five levels define the merge hierarchy. Rows merge vertically so parent cells span their children automatically. Each level specifies a name (display name shown in the navigation/zoom menu), a controlColumn (determines merge boundaries), and a zoomColumn (the column that expands or collapses the level).

Column Definitions

Key columns binding to TARA work item fields. The headerCss property assigns column group coloring via CSS classes defined in the styles section.

Formulas

Five attack factors (Time, Expertise, Knowledge, Window of Opportunity, Equipment) are scored on weighted scales and summed. The total maps to a feasibility level per ISO/SAE 21434 Annex G.
Combines impact (damage severity) and feasibility (attack likelihood) into a 1-5 verdict using the ISO/SAE 21434 risk matrix.

Cell Decorators

The leftmost row header automatically colors based on the verdict level, providing immediate visual risk indication without needing to scroll to the verdict column.
Highlights cells orange when a reducing or avoiding treatment is selected but no cybersecurity goal has been linked — ensuring analysts don’t skip the goal assignment step.

Workflow Views

Seven views guide analysts through the TARA process step by step. Each view shows only the columns relevant to that assessment phase.

Styles

Color-coded column group headers for visual orientation. Each group uses a distinct color theme matching the TARA workflow phases.

Key Patterns

  • 5-level merge hierarchy — the deepest hierarchy available. Rows merge vertically so each parent cell spans its children, creating a structured tree without indentation.
  • Weighted sum feasibility — five attack factors are scored on non-linear scales and summed to determine feasibility level. This follows ISO/SAE 21434 Annex G methodology.
  • Matrix-based verdict — a 4x4 impact/feasibility lookup produces verdicts 1-5, avoiding arbitrary multiplication. The matrix is directly auditable.
  • Row header coloring — instant risk indication by coloring the leftmost header cell (green through red) without requiring the analyst to scroll to the verdict column.
  • Treatment validation — cell decorators enforce workflow rules. Reducing or avoiding treatments require a linked cybersecurity goal; retaining or sharing treatments require documented claims.
  • 7 phased workflow views — each view shows only the columns needed for that assessment step, reducing cognitive load and guiding analysts through the ISO/SAE 21434 process.
  • Server-rendered traceability — Velocity templates traverse the chain from risk controls through requirements to test cases, showing full verification coverage in a single column.

See Also

Last modified on July 10, 2026