What You Will Achieve
By the end of this tutorial you will have:
- A new TARA risksheet module linked to a specific system element
- At least one TARA record with a stakeholder, CIAx property, and damage scenario
- Familiarity with the Risksheet column layout and views
Prerequisites
| Requirement | Details |
|---|
| TARA solution | Installed per Install the TARA Solution |
| System elements | At least one systemElement work item created |
| Catalogs | Stakeholder and Threat Scenario catalogs populated |
Steps
Step 1: Open the Risksheet Module List
- In the Polarion sidebar, click Risksheets.
- You will see a list of existing TARA modules (if any) and the CREATE button.
Step 2: Create a New TARA Module from Template
- Click CREATE.
- Select TARATemplate from the template list.
- Enter a document name following the convention
TARA-<SystemElementName> (e.g., TARA-Sensor-Fusion-ECU).
- The new module opens with the Risksheet interface and 4 heading rows from the template.
The new module is automatically created as a riskSpecification document type with the Risksheet tool.
Step 3: Set the System Element
- Open Document Properties (gear icon in the Risksheet toolbar or the document sidebar).
- Locate the System Element custom field (
systemElementId).
- Enter the work item ID of the target system element (e.g.,
TR-20527 for Sensor Fusion ECU).
- Save the document properties.
If you skip this step, the Risksheet top panel displays an amber warning: “Configuration Required: The System Element custom field is not set.” The module will still function, but it will not appear correctly in the System Element Navigator on dashboards.
Step 4: Understand the Risksheet Layout
The Risksheet displays columns organized into color-coded groups:
| Group | Color | Columns |
|---|
| Threat Identification | Purple | stakeholder, ciaxProperty, damageScenario, threatScenario, threatPath |
| Attack Feasibility | Blue | attackTime, attackExpertise, attackKnowledge, attackWoo, attackEquipment |
| Risk Assessment | Red | taraFeasibility, taraImpact, taraVerdict |
| Risk Treatment | Green | treatmentChoice, treatmentStatus |
| Cybersecurity Goal | Teal | cybersecurityGoal, goalCal |
| Claims | Gold | taraClaims |
| Controls & Verification | Light Purple | task, taskTitle, requirements, verification |
Step 5: Add Your First TARA Record
- Click the Add Row button (or use the keyboard shortcut) to create a new
taraRecord work item.
- In the Stakeholder column, click the dropdown picker. The picker queries the Stakeholder Catalog (
type:stakeholder) and lists available stakeholders. Select one.
- In the CIAx Property column, select a security property (e.g.,
integrity, availability, confidentiality).
- In the Damage Scenario column, type a description of the potential harm (e.g., “Spoofed sensor data causes incorrect braking decisions”).
- In the Threat Scenario column, click the dropdown picker. It queries the Threat Scenario Catalog (
type:threatScenario). Select a matching scenario.
- In the Threat Path column, describe the specific attack vector.
Step 6: Verify the Record
- Switch to the Overview view. You should see your record with the stakeholder, damage scenario, and threat scenario columns populated.
- The Description column auto-generates a summary from the fields you filled in.
- The Verdict column shows no value yet because Impact and Feasibility are not scored.
The Risksheet uses a 5-level hierarchy: Stakeholder > CIAx Property > Damage Scenario > Threat Scenario > Threat Path. When you add multiple records with the same stakeholder, they group together automatically.
Step 7: Save and Verify on the Dashboard
- Save the risksheet (changes auto-save, but confirm with the save indicator).
- Navigate to Risks Home. Your new TARA module should appear in the System Element Navigator, linked to the system element you configured.
- The TARA Report dashboard will now include your module in the verdict distribution (all records will show as “Unclassified” until you complete scoring).
Next Steps
