Configuration aspects

The method configuration is split up in three main parts:

  • Impact model: defines security properties, impact levels, stakeholder, impact categories and impact options.
  • Feasibility model: defines attack feasibility levels (AFL), feasibility options and attack feasibility table.
  • Risk model: defines risk levels, risk matrix, risk treatments, propagation operations and feasibility and impact combinators.

You can access it from the project navigation:

Note: If using attack vector or CVSS-based rating, the feasibility model cannot be modified. Instead, the factors are based on CVSS 3.0 and are limited to: attack vector (AV), attack complexity (AC), privileges required (PR), user interaction (UI).

Impact model

The Impact Model is a requisite element of the Method Configuration that defines the security properties, impact levels, impact categories, impact options as well as stakeholders. The rating values which are configured and declared in each element are not static, they are customizable in order to meet your internal requirements. The following properties can be configured:

  • Security properties
  • Impact levels
  • Stakeholders
  • Impact categories
  • Impact scaling options
  • Impact options

Security properties

Security Properties such as Confidentiality, Integrity, Availability, Authenticity, Authorization and Non-Repudiability can be configured in this section. Its primary focus is the balanced protection of these attributes while maintaining a focus on efficient policy implementation, all without impeding organization productivity. The configuration of the security properties is editable within this section, just simply hit ???Enter??? and a new line will appear to add any other category (e.g. authenticity) and type in the name and descriptive title.

Impact levels

The Impact Levels capture the potential effect resulting from a compromise of the impact categories, by default expressed as a value of negligible, moderate, major and severe. The magnitude of harm that can be expected to result from the consequences of threatening impact categories, e.g. safety, financial, operational, or privacy. These values are not static; thus, you can modify them according to your own requirements. You may specify a name, descriptive title as well as a numeric borderline value for the specific impact levels. The color can be adjusted in the inspector per impact level.

Stakeholders

Stakeholders such as the road users, OEMs or business units on which the impact implies can be declared in this chapter. This prepares for analyzing risks per stakeholder while only maintaining a single TARA. You can fine-tune the stakeholders as needed.

Impact categories

The Impact Categories reflect the area of impact and/or physical harm associated with a damage scenario. The damage scenarios must be assessed against potential adverse consequences to stakeholders in the independent impact categories of safety, financial, operational, and privacy (SFOP) which is the minimum set of categories based on the ISO 21434 standard regulation. If further impact categories are considered beyond SFOP, then those categories must be documented. While SFOP are core categories used to rate impact on the road user, additional categories can be defined here.

Impact scaling options

In case more than one item or component is impacted, you can scale accordingly in damage scenarios based on the following scaling options. The impact scaling options can be extended and consist of a name, descriptive title and the numeric scaling factor which shall be applied.

Impact options

Impact Options declare what options per category are applicable when rating damage scenarios. Furthermore, a category is assigned to one ore many stakeholders. The declared ratings are visible once you click on the + to expand the view as visualized in the image below. An impact option consists of a name, descriptive title and a numeric value. The numeric value is used to conclude to one of the declared impact levels per damage scenario.

Feasibility model

The Feasibility Model is an important part of the Method Configuration and contains the Attack Feasibility Levels (AFLs), the Feasibility Options and the Attack Feasibility Table. The following properties can be configured:

  • Attack Feasibility Levels (AFLs)
  • Feasibility Option
  • Attack Feasibility Table

Attack feasibility levels

AFLs show the potential feasibility level that can result from an attack. By default, the four levels Very Low, Low, Medium and High are defined. In general, lower values have a more critical impact on the AFL, however this can be modified if required. Furthermore, you can rename, expand or even change the threshold values of each level. You can add more AFLs with a simple enter. Make sure that your cursor is in an existing AFL. The image below shows the default AFLs:

Feasibility options

Feasibility Options are the evaluation criteria for AFLs. The Security Analyst already includes the following categories by default:

The categories and values which are already configured are not static, they are customizable in order to meet your internal requirements. That means you can delete or add further categories and you can configure the corresponding levels according to your needs.

Attack feasibility table

In addition to an initial attack feasibility assessment, Security Analyst also offers the possibility to perform consecutive attack feasibility assessments. The final attack feasibility combines the initial attack feasibility and the consecutive attack feasibility. This is obtained using the following table:

The table shown above is stored by default in the Security Analyst. The Attack Feasibility Table can also be personalised by simply overwriting the existing values.

Risk model

The Risk Model is a requisite element of the Method Configuration that defines the risk levels, risk matrix and propagation / aggregation options. The following properties can be configured:

  • Risk levels
  • Risk matrix
  • Risk treatment options
  • Propagation operations

Risk Levels

In this section you can define your set of risk levels that shall be used in the corresponding risk analysis. By default, we start with 5 risk levels, aligned with the ISO/SAE 21434. You may add new levels and rename them. The color can be adjusted in the risk level’s inspector.

Risk Matrix

The risk matrix defines how attack feasibility and impact conclude to a risk level. The attack feasibility definitions originate from the feasibility model. Impact level definitions originate from the impact model.

Risk Treatment Options

For each identified risk you may want to decide for a appropriate risk treatment option. The available options can be configured here. As a starting point, the following options are available:

Propagation Operations

In this chapter you may tailor the propagation related properties to your needs. Whenever you make changes in this section, make sure to apply the method configuration via the tool bar button in order to apply the changes to your TARA:

The following properties can be configured:

  • Feasibility combinators

Feasibility combinators can be created or adjusted here. The default “Acc” accumulates the options and impact transformations.

  • Impact combinators

Impact combinators can be created or adjusted here. The default “Max” takes the maximum out of all rated impact categories.

  • Default feasibility combinator

Select the active / default combinator which shall be used in your TARA

  • Default impact cobinator

Select the active / default combinator which shall be used in your TARA

  • Propagation operations

Define the semantics and name of your propagation operations. (e.g. rename the “may” operator to “or”)

  • Default propagation operations

Define the propagation operation which shall be created when introducing new elements via assistants