Prerequisites
- Threat identification is complete: all TARA records have stakeholder, CIAx property, damage scenario, threat scenario, and threat path populated (see Identify Threats)
Steps
1. Switch to the “2. Assess Feasibility” view
Select 2. Assess Feasibility from the view dropdown. This view exposes the five attack factor columns alongside the computed feasibility result:
| Column | Field ID | Description |
|---|
| TIME | attackTime | Elapsed time to complete the attack |
| EXP | attackExpertise | Specialist expertise required |
| KNOW | attackKnowledge | Knowledge of the target system required |
| WOO | attackWoo | Window of opportunity (access constraints) |
| EQP | attackEquipment | Equipment or tooling required |
| Feasibility | taraFeasibility | Auto-computed from the five factors |
2. Score each factor for the first TARA record
Click each factor cell and select a value from the dropdown. The available values and their numeric weights are:
TIME (attackTime):
| Value | Score |
|---|
| Less than or equal to 1 day | 0 |
| Less than or equal to 1 week | 1 |
| Less than or equal to 1 month | 4 |
| Less than or equal to 6 months | 17 |
| Greater than 6 months | 19 |
attackExpertise):
| Value | Score |
|---|
| Layman | 0 |
| Proficient | 3 |
| Expert | 6 |
| Multiple Experts | 8 |
attackKnowledge):
| Value | Score |
|---|
| Public | 0 |
| Restricted | 3 |
| Confidential | 7 |
| Strictly Confidential | 11 |
attackWoo):
| Value | Score |
|---|
| Unlimited | 0 |
| Easy | 1 |
| Moderate | 4 |
| Difficult | 10 |
attackEquipment):
| Value | Score |
|---|
| Standard | 0 |
| Specialized | 4 |
| Bespoke | 7 |
| Multiple Bespoke | 9 |
3. Review the computed Feasibility
Once all five factors are set, the feasibilityFormula automatically computes the aggregate score and classifies it:
| Sum Range | Feasibility Level | Color |
|---|
| 0 — 13 | High (easy to attack) | Red |
| 14 — 19 | Medium | Amber |
| 20 — 24 | Low | Green |
| 25+ | Very Low (hard to attack) | Green |
feasibilityDecorator applies color coding to the Feasibility cell for immediate visual feedback.
The formula returns null if any factor is empty. The Feasibility column remains blank until all five inputs are provided. Do not skip factors — each one contributes to the ISO-aligned scoring.
4. Repeat for all TARA records
Score each row individually. Consider the specific threat path when rating factors — the same threat scenario may have different feasibility scores depending on the attack vector.
TARA records with the same threat scenario often share similar feasibility profiles. Use the Risksheet’s collapse/expand at the Threat Scenario level to review groups of related records, then score individual threat paths within each group.
5. Review the overall distribution
Collapse the Risksheet to the Stakeholder or Damage Scenario level to see a summary view. The rowHeaderVerdict decorator colors row headers based on the eventual verdict, giving a quick visual scan even before impact is assessed.
Check for outliers:
- All High feasibility: Double-check if scores are too conservative. Not every attack is trivially easy.
- All Very Low feasibility: Verify that you are not overestimating attacker barriers. Remote attacks on connected systems often have lower time and equipment requirements than expected.
Verification
Next Step
Proceed to Assess Risk Verdict using the “3. Risk Assessment” view, where you will set the impact level and the verdict will be auto-computed from the impact-feasibility matrix.
See Also
