Why Attack Feasibility Matters
A threat scenario may describe catastrophic damage, but if the attack requires six months of effort by multiple experts using bespoke equipment, the practical risk is low. Feasibility scoring quantifies this attacker effort so that risk treatment resources are allocated where threats are both impactful and realistically achievable.
The taraFeasibility field is the output of this scoring process and feeds directly into the risk verdict matrix to produce the final risk verdict (1–5).
The Five EVITA Factors
Each TARA record is scored on five dimensions. Each dimension maps to an enumeration on the taraRecord work item type with predefined numeric weights aligned to ISO/SAE 21434 Annex G.
Factor Score Tables
Elapsed Time (attackTime)
| Enum Value | Label | Score |
|---|---|---|
| lte1d | Less than or equal to 1 day | 0 |
| lte1w | Less than or equal to 1 week | 1 |
| lte1mo | Less than or equal to 1 month | 4 |
| lte6mo | Less than or equal to 6 months | 17 |
| gt6mo | Greater than 6 months | 19 |
Specialist Expertise (attackExpertise)
| Enum Value | Label | Score |
|---|---|---|
| layman | Layman | 0 |
| proficient | Proficient | 3 |
| expert | Expert | 6 |
| multipleExperts | Multiple Experts | 8 |
Knowledge of Item (attackKnowledge)
| Enum Value | Label | Score |
|---|---|---|
| public | Public | 0 |
| restricted | Restricted | 3 |
| confidential | Confidential | 7 |
| strictlyConfidential | Strictly Confidential | 11 |
Window of Opportunity (attackWoo)
| Enum Value | Label | Score |
|---|---|---|
| unlimited | Unlimited | 0 |
| easy | Easy | 1 |
| moderate | Moderate | 4 |
| difficult | Difficult | 10 |
Equipment (attackEquipment)
| Enum Value | Label | Score |
|---|---|---|
| standard | Standard | 0 |
| specialized | Specialized | 4 |
| bespoke | Bespoke | 7 |
| multBespoke | Multiple Bespoke | 9 |
The feasibilityFormula in the Risksheet configuration sums all five factor scores and classifies the result:
| Sum Range | Feasibility Level | Interpretation |
|---|---|---|
| 0–13 | High | Attack is easy to carry out (low barrier) |
| 14–19 | Medium | Attack requires moderate effort |
| 20–24 | Low | Attack requires significant effort |
| 25+ | Very Low | Attack is extremely difficult |
The scoring is inverted: a low total sum means the attack requires little time, expertise, knowledge, opportunity, and equipment — making it highly feasible. This matches the ISO/SAE 21434 Annex G convention.
The feasibilityFormula returns null if any of the five factor fields is empty. The taraFeasibility column will display blank until all inputs are provided. Complete all factor assessments before moving to the Risk Assessment view.
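The sum-and-classify rule described above, written out as an added JavaScript example; it is not the Risksheet configuration's own feasibilityFormula. The helper name scoreFeasibility, its return shape, the RangeError on an unrecognized enum value and the sample records are assumptions of this example; the scores and ranges are taken from the tables on this page.

```javascript
// Factor scores copied from the tables on this page, keyed by field name.
const FACTOR_SCORES = {
  attackTime: { lte1d: 0, lte1w: 1, lte1mo: 4, lte6mo: 17, gt6mo: 19 },
  attackExpertise: { layman: 0, proficient: 3, expert: 6, multipleExperts: 8 },
  attackKnowledge: { public: 0, restricted: 3, confidential: 7, strictlyConfidential: 11 },
  attackWoo: { unlimited: 0, easy: 1, moderate: 4, difficult: 10 },
  attackEquipment: { standard: 0, specialized: 4, bespoke: 7, multBespoke: 9 },
};

// Inclusive upper bound of each sum range from the classification table.
const LEVELS = [
  { max: 13, level: "High" },
  { max: 19, level: "Medium" },
  { max: 24, level: "Low" },
  { max: Infinity, level: "Very Low" },
];

// Hypothetical helper (name and return shape are assumptions of this example).
// Returns null while any factor is empty, mirroring the blank-column behaviour.
function scoreFeasibility(record) {
  let sum = 0;
  for (const [field, scores] of Object.entries(FACTOR_SCORES)) {
    const value = record[field];
    if (value === undefined || value === null || value === "") return null;
    // Own-property check so a stray value such as "constructor" is rejected
    // instead of being read off the prototype chain and corrupting the sum.
    if (!Object.prototype.hasOwnProperty.call(scores, value)) {
      throw new RangeError(`unknown ${field} value: ${value}`);
    }
    sum += scores[value];
  }
  return { sum, level: LEVELS.find((l) => sum <= l.max).level };
}

// Constructed sample records, not taken from a real TARA.
const base = { attackTime: "lte1mo", attackExpertise: "expert",
  attackKnowledge: "restricted", attackWoo: "unlimited", attackEquipment: "standard" };
const samples = {
  boundaryHigh: base,                              // 4 + 6 + 3 + 0 + 0
  boundaryMedium: { ...base, attackWoo: "easy" },  // one point more
  labOnly: { ...base, attackTime: "lte6mo", attackExpertise: "multipleExperts",
    attackEquipment: "bespoke" },
  incomplete: { ...base, attackEquipment: "" },    // one factor left empty
};
for (const [name, rec] of Object.entries(samples)) {
  console.log(name, JSON.stringify(scoreFeasibility(rec)));
}
```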
Visual Indicators in Risksheet
The feasibilityDecorator applies color coding to the Feasibility column:
- High — Red background (immediate attention)
- Medium — Amber background (review needed)
- Low / Very Low — Green background (acceptable)
The rowHeaderVerdict decorator also colors the entire row header based on the final verdict, providing a scan-friendly risk heatmap even when the Feasibility column is collapsed.
Relationship to the Verdict
Feasibility is one of two inputs to the risk verdict matrix. The other input is taraImpact (the severity of the damage scenario). Together they produce the taraVerdict score (1–5) that drives all downstream treatment decisions and CAL requirements.