Values
| ID | Label | Sort Order | Description |
|---|---|---|---|
| avoiding | Avoiding | 0 | Eliminates the risk entirely by removing the threat source or vulnerability. No residual risk remains. Highest-effort but most complete mitigation. |
| reducing | Reducing | 1 | Applies security controls to lower the risk to an acceptable level. The risk still exists but is mitigated within tolerance. Most common treatment in practice. |
| sharing | Sharing | 2 | Transfers or shares risk responsibility with another party (e.g., supplier, customer, insurer) via contractual agreement. Risk is not eliminated but ownership is redistributed. |
| retaining | Retaining | 3 | Accepts the residual risk after an informed decision. No additional controls are applied. Requires explicit sign-off and documented justification. |
Treatment Validation Rules
The Risksheet enforces completeness requirements based on the selected treatment choice through two cell decorators:

| Treatment Choice | Required Action | Enforced By | Warning Text |
|---|---|---|---|
| avoiding | Link a Cybersecurity Goal | goalHighlight decorator | "Goal required" |
| reducing | Link a Cybersecurity Goal | goalHighlight decorator | "Goal required" |
| sharing | Enter a justification in taraClaims | claimHighlight decorator | "Claim required" |
| retaining | Enter a justification in taraClaims | claimHighlight decorator | "Claim required" |

Both decorators flag an incomplete cell with the .treatmentMissing CSS class and a .missing-hint text overlay.
Field Binding
| Property | Value |
|---|---|
| Field ID | treatmentChoice |
| Work Item Type | taraRecord |
| Enum ID | taraRecord-treatmentChoice |
| Field Type | Enum (single-select) |
The treatmentChoice field is a custom field on the TARA Record work item type.
Risksheet Usage
The treatmentChoice column in the Risksheet Configuration:
- Uses the taraRecord-treatmentChoice enum for value selection
- Participates in the goalHighlight and claimHighlight decorator logic to enforce ISO/SAE 21434 treatment completeness
- Appears in the following views: Overview, 4. Risk Treatment
ISO/SAE 21434 Alignment
The four treatment options correspond to the risk treatment options defined in ISO/SAE 21434:2021 clause 15.9 (Risk treatment decision):

| Enum Value | ISO/SAE 21434 Strategy | Clause Reference |
|---|---|---|
| avoiding | Risk Avoidance | Clause 15.9 |
| reducing | Risk Reduction | Clause 15.9 |
| sharing | Risk Sharing | Clause 15.9 |
| retaining | Risk Retention | Clause 15.9 |
Lucene Queries
Related Enumerations
- Treatment Status — tracks implementation progress of the chosen treatment
- Risk Control Type — classification of controls used when reducing or avoiding
- Cybersecurity Assurance Levels (CAL) — assurance tier assigned to cybersecurity goals linked from treatment
- TARA Impact Levels — input to the verdict that drives treatment decisions
- TARA Feasibility Levels — input to the verdict that drives treatment decisions
Configuration Notes
- Sort order (0-3) runs from the most complete risk elimination (avoiding) to passive acceptance (retaining), reflecting a descending preference for risk elimination completeness.
- No none or pending value exists. The field is empty until the analyst makes a treatment decision, which may be enforced as a workflow requirement before document approval.
- When reducing is selected, the analyst should also link Risk Control work items via the task column in the Risksheet. The risk control is connected to the TARA Record through the mitigates link role.
- When retaining is selected, ISO/SAE 21434 requires documented justification. The taraClaims field captures this justification, and the claimHighlight decorator enforces its presence.
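The decorator rules from the Treatment Validation Rules table and the three checks in the configuration notes above (empty field before approval, reducing without a linked Risk Control, retaining without a claim), written out as an added example. This is not the Risksheet's own code; the record shape (treatmentChoice, linkedGoals, taraClaims, mitigatedBy), the cellDecoration output format and the decision to treat the "should" and "may be enforced" notes as approval blockers are assumptions made for illustration.

```javascript
// Added example, not the Risksheet's own code: treatment-completeness rules
// as pure functions. Record shape and the cellDecoration output format are
// assumptions.

const GOAL_REQUIRED = new Set(["avoiding", "reducing"]);   // goalHighlight
const CLAIM_REQUIRED = new Set(["sharing", "retaining"]);  // claimHighlight
const TREATMENT_VALUES = new Set([...GOAL_REQUIRED, ...CLAIM_REQUIRED]);

// Warning text a decorator would show for one TARA Record, or null when the
// chosen treatment is complete. An empty treatmentChoice yields null here
// because both decorators key on the selected value; the empty case is
// handled by approvalBlockers() below.
function treatmentWarning(record) {
  const choice = record.treatmentChoice;
  if (!choice) return null;
  const hasGoal = Array.isArray(record.linkedGoals) && record.linkedGoals.length > 0;
  // A whitespace-only claim counts as missing (assumption: an empty
  // justification should not satisfy the decorator).
  const hasClaim = typeof record.taraClaims === "string" && record.taraClaims.trim().length > 0;
  if (GOAL_REQUIRED.has(choice) && !hasGoal) return "Goal required";
  if (CLAIM_REQUIRED.has(choice) && !hasClaim) return "Claim required";
  return null;
}

// What a cell decorator would apply: the .treatmentMissing class plus the
// .missing-hint overlay text. On a real DOM cell this maps to
// cell.classList.add("treatmentMissing") and a child with class "missing-hint".
function cellDecoration(record) {
  const hint = treatmentWarning(record);
  return hint === null
    ? { classes: [], hint: null }
    : { classes: ["treatmentMissing"], hint };
}

// Document-level gate a workflow hook could run before approval. Treating the
// empty field and a reducing record without a mitigates-linked Risk Control
// as blockers is this example's choice, not something the page mandates.
function approvalBlockers(records) {
  const blockers = [];
  for (const r of records) {
    if (!r.treatmentChoice) {
      blockers.push(`${r.id}: no treatment decision`);
      continue;
    }
    if (!TREATMENT_VALUES.has(r.treatmentChoice)) {
      blockers.push(`${r.id}: unknown treatment value "${r.treatmentChoice}"`);
      continue;
    }
    const warning = treatmentWarning(r);
    if (warning !== null) blockers.push(`${r.id}: ${warning}`);
    const hasControl = Array.isArray(r.mitigatedBy) && r.mitigatedBy.length > 0;
    if (r.treatmentChoice === "reducing" && !hasControl) {
      blockers.push(`${r.id}: reducing without a Risk Control linked via mitigates`);
    }
  }
  return blockers;
}

// Constructed sample records (not real project data).
const SAMPLE_RECORDS = [
  { id: "TR-1", treatmentChoice: "reducing",  linkedGoals: ["CG-1"], taraClaims: "",    mitigatedBy: ["RC-7"] },
  { id: "TR-2", treatmentChoice: "reducing",  linkedGoals: [],       taraClaims: "",    mitigatedBy: [] },
  { id: "TR-3", treatmentChoice: "retaining", linkedGoals: [],       taraClaims: "Residual risk accepted; see sign-off note.", mitigatedBy: [] },
  { id: "TR-4", treatmentChoice: "sharing",   linkedGoals: [],       taraClaims: "   ", mitigatedBy: [] },
  { id: "TR-5", treatmentChoice: "",          linkedGoals: [],       taraClaims: "",    mitigatedBy: [] },
];

console.log(approvalBlockers(SAMPLE_RECORDS));
```

Run with node: TR-1 and TR-3 pass, TR-2 is reported twice (no goal, no mitigates link), TR-4 fails because a whitespace-only claim is not a justification, and TR-5 is blocked for having no decision at all.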