The 5-Step Workflow
Each step corresponds to a dedicated Risksheet view that shows only the columns relevant to that phase:
- Identify Threats and Damage Scenarios — View “1. Identify Threats”: Select stakeholders from the catalog, choose CIAx properties, describe damage scenarios, link threat scenarios, and specify threat paths
- Score Attack Feasibility — View “2. Assess Feasibility”: Rate the five EVITA attack potential factors (TIME, EXP, KNOW, WOO, EQP) and review the auto-computed feasibility level
- Assess Risk Verdict — View “3. Risk Assessment”: Set impact levels (Severe/Major/Moderate/Negligible) and review the auto-computed verdict (1-5)
- Define Risk Treatment — View “4. Risk Treatment”: Choose a strategy (Reducing, Avoiding, Sharing, or Retaining), link Cybersecurity Goals or write claims, and create risk controls
- Link Requirements and Verification — View “5. Req & Verification”: Verify that risk controls have linked requirements and test cases
Additional Workflows
- Use Shared Threat Scenario and Stakeholder Catalogs — Manage and extend the centralized catalogs used across all TARA modules
Prerequisites
Before starting the TARA analysis workflow, ensure you have:
- A system element hierarchy defined in the SYSTEM-ELEMENTS document
- A TARA module created and linked to the target system element
- Entries in the Stakeholder Catalog and Threat Scenario Catalog
Related Concepts
- Attack Feasibility Scoring (EVITA) — Understanding the 5-factor scoring method
- Risk Verdict Matrix — How impact and feasibility produce the verdict
- Cybersecurity Case and Assurance Argument — How analysis results feed the compliance case