> ## Documentation Index
> Fetch the complete documentation index at: https://learn.nextedy.com/llms.txt
> Use this file to discover all available pages before exploring further.

# TARA Configuration Example

> A complete Threat Analysis and Risk Assessment (TARA) configuration following ISO/SAE 21434 for automotive cybersecurity.

export const LastReviewed = ({date}) => {
  if (!date) return null;
  const formatted = new Date(`${date}T00:00:00Z`).toLocaleDateString("en-US", {
    year: "numeric",
    month: "long",
    day: "numeric",
    timeZone: "UTC"
  });
  return <p className="mt-10 text-sm text-gray-400 dark:text-zinc-500 not-prose">
      Last reviewed on {formatted}
    </p>;
};

**Industry context:** ISO/SAE 21434 requires automotive manufacturers to perform systematic threat analysis for connected vehicle systems. The TARA methodology identifies cybersecurity threats, scores attack feasibility using weighted factors, computes risk verdicts, and tracks treatment decisions with traceability to cybersecurity goals, requirements, and test cases.

<Frame>
  <img src="https://mintcdn.com/none-17b4493f/yWl5nA2D0IzEnZC1/risksheet/diagrams/reference/examples/tara-example/diagram-1.svg?fit=max&auto=format&n=yWl5nA2D0IzEnZC1&q=85&s=a927545c41f0122cf35fc49c03d60eeb" alt="diagram" style={{ maxWidth: "700px", width: "100%" }} width="700" height="340" data-path="risksheet/diagrams/reference/examples/tara-example/diagram-1.svg" />
</Frame>

## Levels Configuration

Five levels define the merge hierarchy. Rows merge vertically so parent cells span their children automatically. Each level specifies a `name` (display name shown in the navigation/zoom menu), a `controlColumn` (determines merge boundaries), and a `zoomColumn` (the column that expands or collapses the level).

```yaml theme={null}
levels:
  - name: Stakeholder
    controlColumn: stakeholder
    zoomColumn: stakeholder
  - name: CIAx Property
    controlColumn: ciaxProperty
    zoomColumn: ciaxProperty
  - name: Damage Scenario
    controlColumn: damageScenario
    zoomColumn: damageScenario
  - name: Threat Scenario
    controlColumn: threatScenario
    zoomColumn: threatScenario
  - name: Threat Path
    controlColumn: systemItemId
    zoomColumn: threatPath
```

## Column Definitions

Key columns binding to TARA work item fields. The `headerCss` property assigns column group coloring via CSS classes defined in the styles section.

```yaml theme={null}
columns:
  - id: stakeholder
    bindings: stakeholder
    header: Stakeholder
    headerCss: headThreat
    width: 150
  - id: ciaxProperty
    bindings: ciaxProperty
    header: CIAx
    headerCss: headThreat
    width: 120
  - id: damageScenario
    bindings: damageScenario
    header: Damage Scenario
    headerCss: headThreat
    width: 200
  - id: threatScenario
    bindings: threatScenario
    header: Threat Scenario
    headerCss: headThreat
    width: 200
  - id: threatPath
    bindings: threatPath
    header: Threat Path
    headerCss: headThreat
    width: 200
  - id: attackTime
    bindings: attackTime
    header: Time
    headerCss: headFeasibility
    width: 100
  - id: attackExpertise
    bindings: attackExpertise
    header: Expertise
    headerCss: headFeasibility
    width: 100
  - id: attackKnowledge
    bindings: attackKnowledge
    header: Knowledge
    headerCss: headFeasibility
    width: 100
  - id: attackWoo
    bindings: attackWoo
    header: Window of Opp.
    headerCss: headFeasibility
    width: 100
  - id: attackEquipment
    bindings: attackEquipment
    header: Equipment
    headerCss: headFeasibility
    width: 100
  - id: taraFeasibility
    bindings: taraFeasibility
    header: Feasibility
    headerCss: headFeasibility
    formula: feasibilityFormula
    width: 110
  - id: taraImpact
    bindings: taraImpact
    header: Impact
    headerCss: headRisk
    width: 100
  - id: taraVerdict
    bindings: taraVerdict
    header: Verdict
    headerCss: headRisk
    formula: verdictFormula
    width: 80
  - id: treatmentChoice
    bindings: treatmentChoice
    header: Treatment
    headerCss: headTreatment
    width: 120
  - id: cybersecurityGoal
    bindings: cybersecurityGoal
    header: Cybersecurity Goal
    headerCss: headGoal
    type: itemLink
    width: 180
```

## Formulas

<AccordionGroup>
  <Accordion title="Feasibility Weighted Sum">
    Five attack factors (Time, Expertise, Knowledge, Window of Opportunity, Equipment) are scored on weighted scales and summed. The total maps to a feasibility level per ISO/SAE 21434 Annex G.

    ```javascript theme={null}
    function(info) {
      var scoreMap = {
        'lte1d':0,  'lte1w':1,  'lte1mo':4,  'lte6mo':17, 'gt6mo':19,   // TIME
        'layman':0, 'proficient':3, 'expert':6, 'multipleExperts':8,      // EXP
        'public':0, 'restricted':3, 'confidential':7, 'strictlyConfidential':11, // KNOW
        'unlimited':0, 'easy':1, 'moderate':4, 'difficult':10,            // WoO
        'standard':0, 'specialized':4, 'bespoke':7, 'multBespoke':9      // EQP
      };
      var t = info.item['attackTime'];
      var e = info.item['attackExpertise'];
      var k = info.item['attackKnowledge'];
      var w = info.item['attackWoo'];
      var q = info.item['attackEquipment'];
      if (!t || !e || !k || !w || !q) return null;
      var sum = (scoreMap[t]||0) + (scoreMap[e]||0) + (scoreMap[k]||0)
              + (scoreMap[w]||0) + (scoreMap[q]||0);
      if (sum <= 13) return 'high';
      if (sum <= 19) return 'medium';
      if (sum <= 24) return 'low';
      return 'veryLow';
    }
    ```

    | Sum Range | Feasibility Level |
    | --------- | ----------------- |
    | 0 -- 13   | High              |
    | 14 -- 19  | Medium            |
    | 20 -- 24  | Low               |
    | 25+       | Very Low          |
  </Accordion>

  <Accordion title="Risk Verdict Matrix">
    Combines impact (damage severity) and feasibility (attack likelihood) into a 1-5 verdict using the ISO/SAE 21434 risk matrix.

    ```javascript theme={null}
    function(info) {
      var impact = info.item['taraImpact'];
      var feasibility = info.item['taraFeasibility'];
      if (!impact || !feasibility) return null;
      var matrix = {
        'severe':     { 'veryLow':3, 'low':4, 'medium':5, 'high':5 },
        'major':      { 'veryLow':2, 'low':3, 'medium':4, 'high':5 },
        'moderate':   { 'veryLow':1, 'low':2, 'medium':3, 'high':4 },
        'negligible': { 'veryLow':1, 'low':1, 'medium':1, 'high':1 }
      };
      var row = matrix[impact];
      if (!row) return null;
      return row[feasibility] || null;
    }
    ```

    |                | Very Low | Low | Medium | High |
    | -------------- | -------- | --- | ------ | ---- |
    | **Severe**     | 3        | 4   | 5      | 5    |
    | **Major**      | 2        | 3   | 4      | 5    |
    | **Moderate**   | 1        | 2   | 3      | 4    |
    | **Negligible** | 1        | 1   | 1      | 1    |
  </Accordion>
</AccordionGroup>

## Cell Decorators

<AccordionGroup>
  <Accordion title="Row Header Coloring by Verdict">
    The leftmost row header automatically colors based on the verdict level, providing immediate visual risk indication without needing to scroll to the verdict column.

    ```yaml theme={null}
    rowHeaderVerdict: |
      function(info) {
        var v = parseInt(info.item['taraVerdict']);
        $(info.cell).toggleClass('verdict1', v === 1);
        $(info.cell).toggleClass('verdict2', v === 2);
        $(info.cell).toggleClass('verdict3', v === 3);
        $(info.cell).toggleClass('verdict4', v === 4);
        $(info.cell).toggleClass('verdict5', v === 5);
      }
    ```
  </Accordion>

  <Accordion title="Treatment Validation">
    Highlights cells orange when a reducing or avoiding treatment is selected but no cybersecurity goal has been linked -- ensuring analysts don't skip the goal assignment step.

    ```yaml theme={null}
    goalHighlight: |
      function(info) {
        var t = info.item['treatmentChoice'];
        var val = info.value;
        var need = (t === 'reducing' || t === 'avoiding');
        var empty = !val || val === '';
        $(info.cell).toggleClass('treatmentMissing', need && empty);
        if (need && empty) {
          $(info.cell).append('<span class="missing-hint">Goal required</span>');
        }
      }
    ```
  </Accordion>
</AccordionGroup>

## Workflow Views

Seven views guide analysts through the TARA process step by step. Each view shows only the columns relevant to that assessment phase.

```yaml theme={null}
views:
  - name: Overview
    defaultView: true
    columnIds:
      - stakeholder
      - damageScenario
      - threatScenario
      - taraImpact
      - taraFeasibility
      - taraVerdict
      - treatmentChoice
      - treatmentStatus
      - cybersecurityGoal
      - goalCal
      - taraClaims
      - description
  - name: 1. Identify Threats
    columnIds:
      - stakeholder
      - ciaxProperty
      - damageScenario
      - threatScenario
      - threatPath
      - description
  - name: 2. Assess Feasibility
    columnIds:
      - stakeholder
      - ciaxProperty
      - damageScenario
      - threatScenario
      - threatPath
      - attackTime
      - attackExpertise
      - attackKnowledge
      - attackWoo
      - attackEquipment
      - taraFeasibility
      - description
  - name: 3. Risk Assessment
    columnIds:
      - stakeholder
      - ciaxProperty
      - damageScenario
      - threatScenario
      - threatPath
      - taraImpact
      - taraFeasibility
      - taraVerdict
      - description
  - name: 4. Risk Treatment
    columnIds:
      - stakeholder
      - ciaxProperty
      - damageScenario
      - threatScenario
      - threatPath
      - taraImpact
      - taraFeasibility
      - taraVerdict
      - treatmentChoice
      - treatmentStatus
      - cybersecurityGoal
      - goalCal
      - taraClaims
      - task
      - taskTitle
      - description
  - name: 5. Req & Verification
    columnIds:
      - stakeholder
      - damageScenario
      - threatScenario
      - cybersecurityGoal
      - goalCal
      - task
      - taskTitle
      - requirements
      - verification
  - name: Full View
    columnIds:
      - "@all"
```

## Styles

Color-coded column group headers for visual orientation. Each group uses a distinct color theme matching the TARA workflow phases.

```yaml theme={null}
styles:
  ".firstRow .headThreat":      "{color: #6454B6; background-color: rgba(123, 97, 255, 0.12);}"
  ".firstRow .headFeasibility": "{color: #136CB9; background-color: rgba(96, 172, 238, 0.12);}"
  ".firstRow .headRisk":        "{background-color: #F8EBE8; color: #B5421C;}"
  ".firstRow .headTreatment":   "{background-color: rgba(62, 175, 63, 0.12); color: #2A792D;}"
  ".firstRow .headGoal":        "{color: #0e7490; background-color: rgba(14, 165, 190, 0.12);}"
  ".firstRow .headControls":    "{color: #136CB9; background-color: rgba(96, 172, 238, 0.12);}"
  ".verdict1": "{background-color: #eaf5e9 !important; color: #1d5f20 !important;}"
  ".verdict2": "{background-color: #c8e6c9 !important; color: #2e7d32 !important;}"
  ".verdict3": "{background-color: #fff3d2 !important; color: #735602 !important;}"
  ".verdict4": "{background-color: #ffe0b2 !important; color: #e65100 !important;}"
  ".verdict5": "{background-color: #f8eae7 !important; color: #ab1c00 !important;}"
```

## Key Patterns

* **5-level merge hierarchy** -- the deepest hierarchy available. Rows merge vertically so each parent cell spans its children, creating a structured tree without indentation.
* **Weighted sum feasibility** -- five attack factors are scored on non-linear scales and summed to determine feasibility level. This follows ISO/SAE 21434 Annex G methodology.
* **Matrix-based verdict** -- a 4x4 impact/feasibility lookup produces verdicts 1-5, avoiding arbitrary multiplication. The matrix is directly auditable.
* **Row header coloring** -- instant risk indication by coloring the leftmost header cell (green through red) without requiring the analyst to scroll to the verdict column.
* **Treatment validation** -- cell decorators enforce workflow rules. Reducing or avoiding treatments require a linked cybersecurity goal; retaining or sharing treatments require documented claims.
* **7 phased workflow views** -- each view shows only the columns needed for that assessment step, reducing cognitive load and guiding analysts through the ISO/SAE 21434 process.
* **Server-rendered traceability** -- Velocity templates traverse the chain from risk controls through requirements to test cases, showing full verification coverage in a single column.

## See Also

* [Levels Configuration](/risksheet/reference/levels-configuration) -- hierarchy merge behavior and level properties
* [Formula Syntax](/risksheet/reference/formulas/formula-syntax) -- JavaScript formula writing guide
* [Cell Decorators](/risksheet/reference/styling/cell-decorators) -- dynamic cell styling reference
* [Saved Views](/risksheet/reference/saved-views) -- view configuration and column visibility
* [Implement STRIDE Analysis](/risksheet/guides/risk-management/stride-analysis) -- related cybersecurity threat methodology guide
* [FMEA Example](/risksheet/reference/examples/fmea-example) -- alternative risk analysis methodology using RPN scoring

<LastReviewed date="2026-06-15" />
