Skip to main content

Prerequisites

  • The Stakeholder Catalog document exists at Risks/StakeholderCatalog with stakeholder work items
  • The Threat Scenario Catalog document exists at Risks/ThreatScenarioCatalog with threatScenario work items
  • At least one TARA Risksheet module is open

How Shared Catalogs Work

The TARA solution uses Risksheet itemLink columns to connect TARA records to shared catalog items. When you click a catalog-linked cell, a picker dropdown appears showing items from the catalog document, filtered by a queryFactory.
CatalogColumnLink RoleQuery FactorySource Document
StakeholdersstakeholderhasStakeholderstakeholderQuery (type:stakeholder)Risks/StakeholderCatalog
Threat ScenariosthreatScenariohasThreatScenariothreatScenarioQuery (type:threatScenario)Risks/ThreatScenarioCatalog
diagram

Steps

1. Select a Stakeholder from the Catalog

In the 1. Identify Threats view (or any view showing the stakeholder column):
  1. Click the Stakeholder cell on a TARA record row
  2. A picker dropdown appears showing all items from the Stakeholder Catalog
  3. Select the appropriate stakeholder (e.g., “Vehicle Owner”, “Backend Server”)
  4. A hasStakeholder link is automatically created between the TARA record and the selected stakeholder work item
The stakeholder is the top level (Level 1) of the Risksheet hierarchy, grouping all threats that affect the same entity.

2. Select a Threat Scenario from the Catalog

In the same view:
  1. Click the Threat Scenario cell on a TARA record row
  2. A picker dropdown appears showing all items from the Threat Scenario Catalog
  3. Select the matching threat scenario
  4. A hasThreatScenario link is automatically created
The threat scenario is Level 4 in the Risksheet hierarchy. Multiple TARA records can reference the same threat scenario with different threat paths.
The same threat scenario (e.g., “Remote exploitation via diagnostic port”) can be reused across multiple TARA modules targeting different system elements. This ensures consistent naming and enables cross-module reporting.

3. Add New Items to a Catalog

If a needed stakeholder or threat scenario does not exist in the catalog:
  1. Navigate to the catalog document (Risks/StakeholderCatalog or Risks/ThreatScenarioCatalog)
  2. Create a new work item of the appropriate type (stakeholder or threatScenario)
  3. Fill in the title and description
  4. Return to your TARA Risksheet — the new item will appear in the picker dropdown
Only create catalog items in the designated catalog documents. If you create a stakeholder or threatScenario work item elsewhere, it will still appear in the picker (since the queryFactory filters by type, not by document), but it will not be managed centrally.
The Cybersecurity Goal column also uses an itemLink with cybersecurityGoalQuery (type:cybersecurityGoal), but it is not restricted to a specific catalog document. Goals can come from any space in the project.
  1. Click the Cybersecurity Goal cell in the 4. Risk Treatment view
  2. Select from all available cybersecurityGoal work items in the project
  3. A hasCybersecurityGoal link is created
You should now see:
  • Stakeholder names displayed in the first column with consistent naming across all TARA records
  • Threat scenario names in the fourth column, with each scenario potentially referenced by multiple records
  • Clicking any linked item navigates to the catalog work item for reference

Benefits of Shared Catalogs

  • Consistency: All TARA modules use the same stakeholder and threat scenario names
  • Reuse: Define a threat scenario once, reference it from multiple modules and attack paths
  • Central maintenance: Update a threat scenario title or description in one place; all referencing TARA records reflect the change
  • Reporting: The TARA Summary Report and Cybersecurity Case dashboards aggregate data across all modules using consistent catalog references

See Also