Source: .polarion/tracker/fields/taraRecord-taraFeasibility-enum.xml
Enum Values
| Enum ID | Label | Score Range | Sort Order | Description |
|---|---|---|---|---|
| high | High | 0 - 13 | 0 | Attack is feasible with low effort. Easiest attacks. Most severe feasibility rating. |
| medium | Medium | 14 - 19 | 1 | Attack is feasible with moderate effort. |
| low | Low | 20 - 24 | 2 | Attack requires significant effort. |
| veryLow | Very Low | 25+ | 3 | Attack requires exceptional effort. Hardest attacks. Most favorable from a security standpoint. |
“High” feasibility means the attack is easy to execute, not that security is high. Higher feasibility = higher risk. This is a common point of confusion — the rating measures attack potential, not defense strength.
Score Aggregation
The feasibilityFormula in the Risksheet computes the aggregate score by summing five factor values:
aggregate = attackTime + attackExpertise + attackKnowledge + attackWoo + attackEquipment
Factor Score Ranges
| Factor | Field ID | Min Score | Max Score |
|---|---|---|---|
| Elapsed Time | attackTime | 0 (lte1d) | 19 (gt6mo) |
| Specialist Expertise | attackExpertise | 0 (layman) | 8 (multipleExperts) |
| Knowledge of Item | attackKnowledge | 0 (public) | 11 (strictlyConfidential) |
| Window of Opportunity | attackWoo | 0 (unlimited) | 10 (difficult) |
| Equipment | attackEquipment | 0 (standard) | 9 (multBespoke) |
| Total Range | | 0 | 57 |
Threshold Boundaries
Score: 0 -------- 13 | 14 ------- 19 | 20 ------- 24 | 25 -------- 57
Level: HIGH | MEDIUM | LOW | VERY LOW
- 0-13 (High): Minimal effort required. Standard tools, public knowledge, short time.
- 14-19 (Medium): Moderate barriers. Some specialized knowledge or tools needed.
- 20-24 (Low): Significant barriers. Expert knowledge, restricted information, specialized equipment.
- 25+ (Very Low): Exceptional effort. Nation-state resources, multiple experts, bespoke equipment, extended timeframes.
Risksheet Integration
| Property | Value |
|---|---|
| Field ID | taraFeasibility |
| Column Header | Feasibility |
| Column Group | Risk Assessment (red: #F8EBE8) |
| Risksheet Level | 5 (Threat Path level) |
| Formula | feasibilityFormula (auto-computed from five factors) |
| Cell Decorator | feasibilityDecorator |
| Read-Only in Column | false (can be overridden manually) |
| Views | 2. Assess Feasibility, 3. Risk Assessment, 4. Risk Treatment, Overview |
| Read-Only in Form | Yes (editable only in Risksheet) |
Feasibility Decorator Styling
The feasibilityDecorator applies CSS classes based on the computed level:
| Feasibility Level | CSS Style | Visual |
|---|---|---|
| High | High (red) | Red background |
| Medium | Medium (amber) | Amber background |
| Low | Low (green) | Green background |
| Very Low | Very Low (green) | Green background |
Risk Verdict Matrix
Feasibility is the column axis in the verdict formula. Combined with TARA Impact, it produces the risk verdict (1-5):
| Impact \ Feasibility | Very Low | Low | Medium | High |
|---|---|---|---|---|
| Severe | 3 | 4 | 5 | 5 |
| Major | 2 | 3 | 4 | 5 |
| Moderate | 1 | 2 | 3 | 4 |
| Negligible | 1 | 1 | 1 | 1 |
Minimum CAL Mapping
The risk verdict derived from feasibility and impact determines the minimum required Cybersecurity Assurance Level (CAL):
| Verdict | Minimum CAL |
|---|---|
| 5 (Critical) | CAL 4 |
| 4 (High) | CAL 3 |
| 3 (Medium) | CAL 2 |
| 1-2 (Low/Negligible) | CAL 1 |
Scoring Examples
High Feasibility Example
| Factor | Selection | Score |
|---|---|---|
| TIME | <= 1 day | 0 |
| EXP | Layman | 0 |
| KNOW | Public | 0 |
| WOO | Unlimited | 0 |
| EQP | Standard | 0 |
| Total | | 0 |
| Result | | High |
Remote attack using publicly known vulnerability, standard tools, no expertise needed.
Very Low Feasibility Example
| Factor | Selection | Score |
|---|---|---|
| TIME | > 6 months | 19 |
| EXP | Multiple Experts | 8 |
| KNOW | Strictly Confidential | 11 |
| WOO | Difficult | 10 |
| EQP | Multiple Bespoke | 9 |
| Total | | 57 |
| Result | | Very Low |
Attack requires nation-state resources, multiple expert teams, custom hardware, and extended physical access.
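The full chain described on this page (factor sum, threshold boundaries, verdict matrix, minimum CAL), written out as an added example; it is not the Risksheet's own feasibilityFormula. The function names, the impact keys and the sample factor values are assumptions made for illustration.

```javascript
// Added illustration, not the Risksheet's own feasibilityFormula. Factor maxima,
// thresholds, verdict matrix and CAL mapping are copied from the tables on this page.
const FACTOR_MAX = { attackTime: 19, attackExpertise: 8, attackKnowledge: 11,
                     attackWoo: 10, attackEquipment: 9 };
const LEVELS = ["veryLow", "low", "medium", "high"]; // verdict matrix column order
const VERDICT = { // rows keyed by impact label (key spelling is an assumption)
  Severe:     [3, 4, 5, 5],
  Major:      [2, 3, 4, 5],
  Moderate:   [1, 2, 3, 4],
  Negligible: [1, 1, 1, 1],
};

function aggregateScore(factors) {
  let sum = 0;
  for (const [id, max] of Object.entries(FACTOR_MAX)) {
    const v = factors[id];
    // Reject missing, fractional or out-of-range values so that a blank or
    // mistyped factor cannot silently move the rating across a threshold.
    if (!Number.isInteger(v) || v < 0 || v > max) {
      throw new RangeError(`${id} must be an integer in 0..${max}, got ${v}`);
    }
    sum += v;
  }
  return sum;
}

function feasibilityLevel(score) {
  if (score <= 13) return "high";    // easiest attacks, highest risk
  if (score <= 19) return "medium";
  if (score <= 24) return "low";
  return "veryLow";                  // 25 and above
}

function minimumCal(verdict) {
  return verdict === 5 ? 4 : verdict === 4 ? 3 : verdict === 3 ? 2 : 1;
}

function assess(factors, impact) {
  if (!Object.prototype.hasOwnProperty.call(VERDICT, impact)) {
    throw new RangeError(`unknown impact: ${impact}`);
  }
  const score = aggregateScore(factors);
  const level = feasibilityLevel(score);
  const verdict = VERDICT[impact][LEVELS.indexOf(level)];
  return { score, level, verdict, cal: minimumCal(verdict) };
}

// Constructed sample values (within each factor's range; not taken from the page).
const sample = { attackTime: 4, attackExpertise: 3, attackKnowledge: 3,
                 attackWoo: 4, attackEquipment: 4 };
console.log(assess(sample, "Major"));
```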