Threat Analysis and Risk Assessment (TARA) is an important capability and work product within the ISO SAE 21434 standard. TARA covers the risk evaluation and assessment methods, as well as the treatment and planning of identified risks. These methods are aligned with NIST SP-800-30 and ISO IEC 31010, which deal with attack feasibility and the likelihood and associated impacts. Your organization will need to standardize on a central process and method for assessing risk, which may involve tooling for calculation. Be sure to establish a common language when communicating risk in a policy or procedure, and define categories and apply numerical values to impacts, attack paths, and damage.
Your cyber security plan will be an important requirement for the proper composition of a TARA. Without a cyber security goal, your evident damage scenarios and risk treatment plans will have to be performed ad hoc and without a defined level of assurance. The output of a TARA will indicate a High, Medium, Low, or Very Low rating, but without proper definition of risk tolerances, caution, and established baselines, the organizational usefulness will be limited. While TARA may be seen as a minimum requirement for communicating road vehicle risk, it is truly a component that fits within cyber security assurance and your overall cyber security program.