DREAD
DREAD is a mnemonic for risk rating using 5 categories.
- created by Microsoft
- pretty much abandoned
- asks what the likelihood of an attack is and what damage it would cause
- effective model for evaluating the impact of an attack
- analysis rates each risk category on a scale of 1-10
- scores are totaled to provide an overall score
Components
- Damage
  - How much damage would/did an attack cause?
- Reproducibility
  - How easy is it for an attacker to reproduce this attack?
- Exploitability
  - How much effort is required to execute the attack?
- Affected Users
  - How many users will be impacted?
- Discoverability
  - How easy is it to discover the threat?
- + Detection (added sixth category, not one of the standard five)
  - How hard is it for defenders to detect?
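A small scorer for the scheme above, added here as an illustration and not part of the original notes: each category is validated against the 1-10 scale, totals are summed, and several threats are ranked by total. The threat names and ratings are constructed, and the optional detection category is treated as the extra sixth score the notes add.

```python
# Added example (not from the original notes): a minimal DREAD scorer.
# Each category is rated 1-10 and the scores are totaled. The optional
# "detection" category is the extra sixth score the notes add; a higher
# value means harder for defenders to detect, so it raises the total.
DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")


def dread_score(ratings, include_detection=False):
    """Validate each rating (integer 1-10) and return the total.

    Standard DREAD yields 5-25 for all-low to 25-50; with the detection
    extension the maximum becomes 60.
    """
    categories = DREAD_CATEGORIES + (("detection",) if include_detection else ())
    total = 0
    for name in categories:
        if name not in ratings:
            raise ValueError(f"missing rating for {name}")
        value = ratings[name]
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 10:
            raise ValueError(f"{name} must be an integer from 1 to 10, got {value!r}")
        total += value
    return total


def rank_threats(threats, include_detection=False):
    """Return (name, total) pairs sorted highest-risk first."""
    scored = [(name, dread_score(r, include_detection)) for name, r in threats.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample threats (hypothetical ratings, for illustration only).
SAMPLE_THREATS = {
    "stored_xss_in_comments": dict(damage=9, reproducibility=10, exploitability=8,
                                   affected_users=10, discoverability=7, detection=4),
    "verbose_error_page": dict(damage=3, reproducibility=10, exploitability=9,
                               affected_users=5, discoverability=9, detection=2),
}

if __name__ == "__main__":
    for name, total in rank_threats(SAMPLE_THREATS, include_detection=True):
        print(f"{total:3d}  {name}")
```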