DREAD: Risk assessment model
DREAD is part of a system for classifying computer security threats used at Microsoft. It provides a mnemonic for risk rating security threats using five categories.

The categories are:
  • Damage - how bad would an attack be?
  • Reproducibility - how easy is it to reproduce the attack?
  • Exploitability - how much work is it to launch the attack?
  • Affected users - how many people will be impacted?
  • Discoverability - how easy is it to discover the threat?


The DREAD name comes from the initials of the five categories listed. It was initially proposed for threat modeling, but is now used more broadly.

When a given threat is assessed using DREAD, each category is given a rating, for example 3 for high, 2 for medium, 1 for low and 0 for none. The sum of all ratings for a given exploit can be used to prioritize among different exploits.
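
The rating-and-sum procedure above, as an added example that is not part of the original article: it maps the example scale (3/2/1/0) onto the five categories, rejects incomplete or off-scale ratings, and orders threats by total. The threat names, the sample ratings and the helper names (Threat, rate, prioritize) are constructed for illustration.

```python
from dataclasses import dataclass

# Rating scale from the text: 3 high, 2 medium, 1 low, 0 none.
SCALE = {"high": 3, "medium": 2, "low": 1, "none": 0}
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    ratings: dict  # category -> "high" | "medium" | "low" | "none"

    def score(self) -> int:
        """Sum the five category ratings; reject incomplete or unknown input."""
        missing = [c for c in CATEGORIES if c not in self.ratings]
        extra = [c for c in self.ratings if c not in CATEGORIES]
        if missing or extra:
            raise ValueError(f"{self.name}: missing={missing} unknown={extra}")
        try:
            return sum(SCALE[self.ratings[c].lower()] for c in CATEGORIES)
        except KeyError as bad:
            raise ValueError(f"{self.name}: rating {bad} not on the scale") from None


def prioritize(threats):
    """Return (score, name) pairs, highest total first; ties sorted by name."""
    return sorted(((t.score(), t.name) for t in threats),
                  key=lambda pair: (-pair[0], pair[1]))


def rate(d, r, e, a, di):
    """Build a ratings dict from five labels given in D-R-E-A-D order."""
    return dict(zip(CATEGORIES, (d, r, e, a, di)))


# Constructed sample threats for a hypothetical web application.
SAMPLE = [
    Threat("SQL injection in login form", rate("high", "high", "medium", "high", "medium")),
    Threat("Verbose error pages", rate("low", "high", "high", "medium", "high")),
    Threat("Session fixation", rate("medium", "medium", "low", "low", "low")),
    Threat("Unused debug endpoint", rate("none", "high", "low", "none", "low")),
]

if __name__ == "__main__":
    for total, name in prioritize(SAMPLE):
        print(f"{total:2d}/15  {name}")
```

With this scale the maximum total is 15; a threat rated "none" for damage can still rank above zero because the other four categories contribute to the sum.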

The source of this article is Wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.