
Prerequisites

  • Risk verdicts have been assessed for all TARA records (Verdict 1-5 computed)
  • Cybersecurity Goal work items exist in the project (if treating by Reducing or Avoiding)
  • You understand the four treatment choices: Reducing, Avoiding, Sharing, Retaining

Steps

1. Open the Risk Treatment View

Switch to the 4. Risk Treatment view in your TARA Risksheet. This view exposes the full treatment context:

Column group       Columns
Threat context     stakeholder, ciaxProperty, damageScenario, threatScenario, threatPath
Risk assessment    taraImpact, taraFeasibility, taraVerdict
Treatment          treatmentChoice, treatmentStatus
Goals              cybersecurityGoal, goalCal, taraClaims
Controls           task (Control ID), taskTitle (Control name)

2. Select a Treatment Choice

For each TARA record, click the Choice (treatmentChoice) cell and select one of the four ISO/SAE 21434 risk treatment options:

Choice       When to use                                                   Required action
Reducing     Apply controls that lower the risk to an acceptable level     Link a cybersecurity goal and risk controls
Avoiding     Remove the threat source from the design entirely             Link a cybersecurity goal
Sharing      Transfer the risk to another party (supplier, insurer)        Document a cybersecurity claim
Retaining    Accept the residual risk with a recorded justification        Document a cybersecurity claim

3. Link a Cybersecurity Goal (for Reducing or Avoiding)

When treatmentChoice is Reducing or Avoiding:
  1. Click the Cybersecurity Goal (cybersecurityGoal) cell
  2. Select an existing cybersecurity goal from the picker (the cybersecurityGoalQuery filter shows only cybersecurityGoal work items)
  3. Set the CAL (goalCal) level for the linked goal directly in the Risksheet
If you select Reducing or Avoiding but do not link a goal, the goalHighlight decorator draws an orange outline with a “Goal required” hint on the Cybersecurity Goal cell. ISO/SAE 21434 requires that risk treatment decisions be documented and that cybersecurity goals be traceable to the risks they address; this check enforces that link in the sheet.
The calDecorator checks that the assigned CAL meets the minimum the Risksheet requires for the verdict:

Verdict         Minimum CAL required
5 (Critical)    CAL 4
4 (High)        CAL 3
3 (Medium)      CAL 2
1-2 (Low)       CAL 1

If the CAL is too low, a red warning badge shows the required minimum. This verdict-to-CAL table is the Risksheet’s own rule: the informative Annex E of ISO/SAE 21434 derives a CAL from the impact rating and the attack vector, so a goal may legitimately need a higher CAL than the table’s minimum.

4. Document Claims (for Sharing or Retaining)

When treatmentChoice is Sharing or Retaining:
  1. Click the Claims (taraClaims) cell
  2. Enter the justification text explaining why the risk is being shared or retained
If you select Sharing or Retaining but leave the Claims field empty, the claimHighlight decorator shows an orange outline with a “Claim required” hint. Every treatment decision must have either a goal or a claim.
For Retaining, state the rationale in terms of the attack feasibility and impact ratings that produced the verdict; for example: “Risk accepted: the attack requires more than six months of elapsed time and multiple items of bespoke equipment, and the resulting financial damage is negligible.” This text is the audit evidence for the treatment decision under ISO/SAE 21434.

5. Create Risk Controls (for Reducing)

For records treated by Reducing, create risk control work items:
  1. Use the Control ID (task) column to create or link a riskControl work item
  2. The mitigates link role is automatically created between the risk control and the TARA record
  3. The Control (taskTitle) column displays the linked risk control’s title
Set the riskControlType field on each risk control to classify it:
  • Inherent Safety Design — eliminate vulnerability by design
  • Protective Measure — add security mechanism (encryption, authentication)
  • Information for Safety — provide warnings or user guidance

6. Set Treatment Status

Update the Status (treatmentStatus) cell to track implementation progress:

Status       Meaning
Planned      Treatment identified but not yet started
Ongoing      Implementation in progress
Completed    Treatment fully implemented

7. Verify Completeness

Scan the Risk Treatment view for orange-outlined cells and red CAL badges. Confirm that:
  • Every record has a treatmentChoice value selected
  • No Cybersecurity Goal cell is outlined orange (every Reducing/Avoiding record has a linked goal) and no red CAL badge remains (every linked goal meets the minimum CAL for its verdict)
  • No Claims cell is outlined orange (every Sharing/Retaining record has justification text)
  • Every Reducing record has at least one risk control in the Control ID column; check this column by hand, since the goal and claim decorators do not cover controls
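The same completeness rules can be run offline against an export of the sheet, which is useful before a review or when the view holds too many records to scan by eye. The script below is an added example and not the Risksheet tool’s own code: it applies the goal, claim, CAL and control rules from steps 2 to 7 to a constructed CSV export. The column names follow the Risk Treatment view; the CSV export itself, the `id` column, and the use of `;` to separate several linked controls in the `task` column are assumptions.

```python
"""Offline completeness check for TARA risk treatment records (added example).

Assumptions (not from the Risksheet documentation): records are exported as
CSV with the view's column names plus an `id` column, and several linked
risk controls in the `task` column are separated by ';'.
"""
import csv
import io
from dataclasses import dataclass, field
from typing import Optional

GOAL_CHOICES = {"Reducing", "Avoiding"}      # need a linked cybersecurity goal
CLAIM_CHOICES = {"Sharing", "Retaining"}     # need justification text in taraClaims
VALID_CHOICES = GOAL_CHOICES | CLAIM_CHOICES
VALID_STATUSES = {"Planned", "Ongoing", "Completed"}

# Minimum CAL per verdict, as enforced by the calDecorator table above.
MIN_CAL = {5: 4, 4: 3, 3: 2, 2: 1, 1: 1}


@dataclass
class TaraRecord:
    record_id: str
    tara_verdict: int
    treatment_choice: str = ""
    treatment_status: str = ""
    cybersecurity_goal: str = ""
    goal_cal: Optional[int] = None
    tara_claims: str = ""
    controls: list = field(default_factory=list)  # linked riskControl IDs


def required_cal(verdict: int) -> int:
    """Minimum CAL for a verdict in 1-5 (KeyError outside that range)."""
    return MIN_CAL[verdict]


def check_record(r: TaraRecord) -> list:
    """Return the findings the decorators and step 7 would raise for one record."""
    findings = []
    if r.tara_verdict not in MIN_CAL:
        findings.append(f"taraVerdict {r.tara_verdict!r} is not in 1-5; re-run the assessment")
        return findings
    if r.treatment_choice not in VALID_CHOICES:
        findings.append(f"treatmentChoice missing or invalid: {r.treatment_choice!r}")
        return findings  # nothing further can be judged without a choice
    if r.treatment_choice in GOAL_CHOICES:
        if not r.cybersecurity_goal:
            findings.append("Goal required: Reducing/Avoiding without a cybersecurity goal")
        else:
            need = required_cal(r.tara_verdict)
            if r.goal_cal is None or r.goal_cal < need:
                findings.append(f"CAL too low: goalCal={r.goal_cal}, verdict {r.tara_verdict} needs CAL {need}")
        if r.treatment_choice == "Reducing" and not r.controls:
            findings.append("Reducing without a linked riskControl (Control ID column empty)")
    else:
        if not r.tara_claims.strip():
            findings.append("Claim required: Sharing/Retaining without justification text")
    if r.treatment_status not in VALID_STATUSES:
        findings.append(f"treatmentStatus missing or invalid: {r.treatment_status!r}")
    return findings


def _cell(row: dict, name: str) -> str:
    """Read a CSV cell as a stripped string; missing cells count as empty."""
    return (row.get(name) or "").strip()


def load_csv(text: str) -> list:
    """Parse the assumed export layout into TaraRecord objects."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        cal = _cell(row, "goalCal")
        records.append(TaraRecord(
            record_id=_cell(row, "id"),
            tara_verdict=int(_cell(row, "taraVerdict") or 0),
            treatment_choice=_cell(row, "treatmentChoice"),
            treatment_status=_cell(row, "treatmentStatus"),
            cybersecurity_goal=_cell(row, "cybersecurityGoal"),
            goal_cal=int(cal) if cal else None,
            tara_claims=_cell(row, "taraClaims"),
            controls=[c.strip() for c in _cell(row, "task").split(";") if c.strip()],
        ))
    return records


def check_sheet(records) -> dict:
    """Map record id -> list of findings, omitting records that are clean."""
    return {r.record_id: f for r in records if (f := check_record(r))}


# Constructed sample export: one clean Reducing row, one Reducing row with a low
# CAL and no control, one Avoiding row without a goal, one clean Retaining row,
# one Sharing row without a claim, and one row with no treatment choice.
SAMPLE_CSV = """id,taraVerdict,treatmentChoice,treatmentStatus,cybersecurityGoal,goalCal,taraClaims,task
TARA-001,5,Reducing,Ongoing,CSG-01,4,,RC-01;RC-02
TARA-002,4,Reducing,Planned,CSG-02,2,,
TARA-003,3,Avoiding,Planned,,,,
TARA-004,2,Retaining,Completed,,,"Risk accepted: >6 months elapsed time and bespoke equipment; negligible financial damage",
TARA-005,1,Sharing,Planned,,,,
TARA-006,4,,Planned,,,,
"""

if __name__ == "__main__":
    for rid, msgs in check_sheet(load_csv(SAMPLE_CSV)).items():
        for msg in msgs:
            print(f"{rid}: {msg}")
```

Run against a real export, the output lists exactly the cells that step 7 asks you to find by eye, and the verdict guard at the top of check_record catches records that reached treatment before the risk assessment was completed (prerequisite 1).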

See Also