DREAD (risk assessment model)

DREAD is part of a system for risk-assessing computer security threats that was previously used at Microsoft. Although it is still used by OpenStack and other corporations, it was abandoned by its creators.[1] It provides a mnemonic for risk rating security threats using five categories.

The categories are:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?

The DREAD name comes from the initials of the five categories listed. It was initially proposed for threat modeling, but it was discovered that the ratings are not very consistent and are subject to debate. It was out of use at Microsoft by 2008.[2]

When a given threat is assessed using DREAD, each category is given a rating from 1 to 10.[3] The sum of all ratings for a given issue can be used to prioritize among different issues.

Discoverability debate

Some security experts feel that including the "Discoverability" element as the last D rewards security through obscurity, so some organizations have either moved to a DREAD-D ("DREAD minus D") scale, which omits Discoverability, or always assume that Discoverability is at its maximum rating.[4][5]
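As an added illustration (not code from the article, nor from Microsoft, OpenStack or OWASP), the scorer below implements the 1-to-10 rating and summing described above and the two Discoverability conventions from this section: the DREAD-D scale and the "always 10" assumption. The threat names and ratings are constructed; they are chosen so that the two conventions rank the same pair of threats in opposite order, which is the effect the debate is about.

```python
from dataclasses import dataclass

CATEGORIES = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

@dataclass(frozen=True)
class DreadRating:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Every DREAD category is rated on a 1..10 scale.
        for name in CATEGORIES:
            value = getattr(self, name)
            if not 1 <= value <= 10:
                raise ValueError(f"{name} must be rated 1..10, got {value}")

def dread_score(rating, variant="dread"):
    """Total for one threat.
    'dread'   : plain sum of all five categories.
    'dread-d' : Discoverability omitted ("DREAD minus D").
    'd-max'   : Discoverability always taken as 10 (OpenStack/OWASP convention).
    """
    base = (rating.damage + rating.reproducibility
            + rating.exploitability + rating.affected_users)
    if variant == "dread":
        return base + rating.discoverability
    if variant == "dread-d":
        return base
    if variant == "d-max":
        return base + 10
    raise ValueError(f"unknown variant {variant!r}")

def prioritize(threats, variant="dread"):
    """Return [(name, score), ...] with the highest score first; ties broken by name."""
    scored = [(name, dread_score(r, variant)) for name, r in threats.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))

# Constructed sample threats (hypothetical, for illustration only).
SAMPLE_THREATS = {
    # severe but hard to find: a low Discoverability rating drags the plain sum down
    "hidden admin endpoint": DreadRating(8, 9, 7, 8, 1),
    # moderate impact but trivially found: a high Discoverability rating lifts it
    "reflected XSS in search": DreadRating(5, 9, 8, 6, 10),
}
```

Under plain DREAD the XSS ranks first (38 vs 33); under DREAD-D or with Discoverability fixed at 10 the hidden endpoint ranks first, since obscurity no longer lowers its score.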

See also

  • Cyber security and countermeasure
  • STRIDE – another mnemonic for security threats

References

  1. Adam Shostack, "Experiences Threat Modeling at Microsoft".
  2. "Do you use DREAD as it is?". Archived from the original on 2016-03-06. Retrieved 2014-09-08.
  3. OpenStack Security, "OSSA Metrics: DREAD". https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD
  4. OpenStack Security, "OSSA Metrics: Calibration" ("Discoverability always assumed to be 10"). https://wiki.openstack.org/wiki/Security/OSSA-Metrics#Calibration
  5. OWASP, "Threat Risk Modeling: DREAD" ("Discoverability will often be set to 10 by convention"). https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD


This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.