Prerequisites
- TARA records exist with threat identification completed (stakeholder, CIAx, damage scenario, threat scenario, threat path)
- Attack feasibility has been scored for each record (all five factors: TIME, EXP, KNOW, WOO, EQP)
- The taraFeasibility column shows a computed value (High, Medium, Low, or Very Low)
Steps
1. Open the Risk Assessment View
In your TARA Risksheet module, switch to the 3. Risk Assessment view from the view selector. This view displays the columns needed for risk verdict assessment:
| Column | Purpose |
|---|---|
| stakeholder | Affected stakeholder |
| ciaxProperty | Threatened security property |
| damageScenario | Description of potential harm |
| threatScenario | Linked threat scenario |
| threatPath | Specific attack vector |
| taraImpact | Impact level (you set this) |
| taraFeasibility | Computed feasibility (read-only) |
| taraVerdict | Computed verdict 1-5 (read-only) |
2. Set the Impact Level for Each Record
Click the Impact (taraImpact) cell for each TARA record and select the appropriate severity level:
| Impact Level | Description |
|---|---|
| Severe | Life-threatening or fatal injuries; severe legal/regulatory violation |
| Major | Severe injuries; significant regulatory consequences |
| Moderate | Light to moderate injuries; moderate consequences |
| Negligible | No injuries; negligible consequences |
Assess impact based on the damage scenario description. Consider safety, financial, operational, and privacy dimensions as defined in ISO/SAE 21434.
3. Review the Computed Verdict
Once both taraImpact and taraFeasibility are set, the verdictFormula automatically computes the taraVerdict score using this risk matrix:
4. Interpret the Verdict Color Coding
The verdictDecorator applies color coding to both the verdict cell and the row header (rowHeaderVerdict):
| Verdict | Color | Meaning | Action Required |
|---|---|---|---|
| 1 | Green (#4CAF50) | Negligible risk | No action needed |
| 2 | Light Green (#8BC34A) | Low risk | Acceptable |
| 3 | Amber (#FF9800) | Medium risk | Investigation required |
| 4 | Red (#f44336) | High risk | Controls required |
| 5 | Dark Red (#b71c1c) | Critical risk | Immediate action |
Both taraImpact and taraFeasibility must be set before the verdict computes. If either field is empty, the taraVerdict column remains blank.
5. Verify Your Results
Scan the row headers on the left side of the Risksheet. The rowHeaderVerdict decorator colors every row by its verdict, giving you a visual heat map of the entire module. You should now see:
- Green row headers for low-risk records (Verdict 1-2)
- Amber row headers for medium-risk records (Verdict 3)
- Red row headers for high-risk records (Verdict 4-5)
Use the Overview view to see the complete risk picture, including verdict, treatment choice, and cybersecurity goal columns side by side.
What Happens Next
Records with Verdict 4-5 require risk treatment. Proceed to Define Risk Treatment to select treatment strategies and link cybersecurity goals or document claims.
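An offline completeness check over exported TARA records, as an added example that is not part of this guide's or the product's own configuration: it flags records whose verdict cannot compute or looks stale, counts the color bands, and lists the Verdict 4-5 records that need treatment. The CSV layout, the `id` column and the factor column names are assumptions, the sample rows are constructed, and the verdict itself is not recomputed.

```python
import csv
import io

# Allowed values and verdict bands as listed in this guide.
IMPACTS = {"Severe", "Major", "Moderate", "Negligible"}
FEASIBILITIES = {"High", "Medium", "Low", "Very Low"}
BANDS = {"1": "green", "2": "green", "3": "amber", "4": "red", "5": "red"}
# Assumption: the export names the five factor columns like this.
FACTORS = ("TIME", "EXP", "KNOW", "WOO", "EQP")

# Constructed sample export; layout, ids and factor scores are made up.
SAMPLE_CSV = """id,TIME,EXP,KNOW,WOO,EQP,taraImpact,taraFeasibility,taraVerdict
TARA-1,1,2,0,1,0,Severe,High,5
TARA-2,4,3,3,4,4,Negligible,Very Low,1
TARA-3,1,2,0,1,0,,Medium,
TARA-4,4,,3,1,0,Major,,3
TARA-5,1,3,3,1,4,Moderate,Medium,
TARA-6,4,6,3,4,4,Major,Low,4
"""

def audit(csv_text):
    """Return (findings per record id, ids needing treatment, band counts)."""
    findings, treatment = {}, []
    bands = {"green": 0, "amber": 0, "red": 0}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        unscored = [f for f in FACTORS if not row[f].strip()]
        if unscored:
            issues.append("unscored factors: " + ", ".join(unscored))
        impact = row["taraImpact"].strip()
        feas = row["taraFeasibility"].strip()
        verdict = row["taraVerdict"].strip()
        if impact not in IMPACTS:
            issues.append(f"unknown impact: {impact}" if impact else "impact not set")
        if feas not in FEASIBILITIES:
            issues.append(f"unknown feasibility: {feas}" if feas else "feasibility not set")
        inputs_ok = impact in IMPACTS and feas in FEASIBILITIES
        if verdict and verdict not in BANDS:
            issues.append(f"verdict out of range: {verdict}")
        elif verdict and not inputs_ok:  # verdict should be blank here
            issues.append("verdict present although an input is missing")
        elif verdict:
            bands[BANDS[verdict]] += 1
            if verdict in ("4", "5"):  # Verdict 4-5 requires risk treatment
                treatment.append(row["id"])
        elif inputs_ok:
            issues.append("verdict blank although impact and feasibility are set")
        if issues:
            findings[row["id"]] = issues
    return findings, treatment, bands
```

Records that appear in the findings are excluded from the band counts, so the counts only reflect verdicts whose inputs are complete.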