The DREAD Risk Assessment Model

By: 6clicks
DREAD is part of a system for risk-assessing computer security threats that was formerly used at Microsoft. Although it has since been abandoned by its creators, it is still used by OpenStack and other organisations. It provides a mnemonic for risk-rating security threats using five categories: Damage, Reproducibility, Exploitability, Affected users and Discoverability.

Details


Each of the five DREAD categories is given a score from 0 to 10. The five scores are summed and divided by five, giving an overall risk score from 0 to 10, where 0 indicates no impact and 10 is the worst possible outcome:

Risk = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Describing Vulnerability Scores

We expect the impact of a vulnerability to be described in the following way:

Potential for: Tampering, Escalation

Category          Score  Rationale
Damage               6   Significant disruption
Reproducibility      8   Code path is easily understood; the condition is present as standard
Exploitability       2   Very hard to exploit without specific conditions
Affected Users       8   All cloud compute users
Discoverability     10   Discoverability is always assumed to be 10

DREAD SCORE: (6 + 8 + 2 + 8 + 10) / 5 = 34 / 5 = 6.8 - Important, fix as a priority
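The scorer below is an added example, not code from the original page or from OpenStack's vulnerability management process. It encodes the formula and the worked example above, rejects ratings outside 0-10 (a single mistyped 80 would otherwise inflate the average and mis-rank the finding), defaults Discoverability to 10 as the example does, and ranks several findings against each other. The priority bands and the sample findings other than the page's own are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# The five DREAD categories in mnemonic order. Each is rated 0..10.
CATEGORIES: Tuple[str, ...] = (
    "damage", "reproducibility", "exploitability", "affected_users", "discoverability",
)


@dataclass(frozen=True)
class DreadRating:
    """Per-category DREAD ratings for one vulnerability."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    # The page's example fixes discoverability at 10 (assume attackers will find
    # the flaw), so it defaults to 10 here; callers may still override it.
    discoverability: int = 10

    def __post_init__(self) -> None:
        # Reject anything outside 0..10: a typo like 80 would silently inflate
        # the average and mis-rank the finding.
        for cat in CATEGORIES:
            value = getattr(self, cat)
            if not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{self.name}: {cat} must be an integer 0..10, got {value!r}")

    def total(self) -> int:
        return sum(getattr(self, cat) for cat in CATEGORIES)

    def score(self) -> float:
        """Risk = (D + R + E + A + D) / 5, on the same 0..10 scale as the inputs."""
        return self.total() / len(CATEGORIES)


# Illustrative priority bands (assumed for this example; the page only sketches
# 0-3 "Trivial" and 8-10 "Critical" and leaves the middle, and the policy, open).
BANDS: Tuple[Tuple[float, str], ...] = (
    (3.0, "Trivial, fix in next release"),
    (6.0, "Moderate, schedule a fix"),
    (8.0, "Important, fix as a priority"),
    (10.0, "Critical, fix immediately"),
)


def band(score: float) -> str:
    """Map a 0..10 DREAD score onto the assumed bands; each band is [lower, upper)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"score out of range: {score}")
    for upper, label in BANDS:
        if score < upper:
            return label
    return BANDS[-1][1]  # exactly 10.0


def rank(ratings: List[DreadRating]) -> List[DreadRating]:
    """Order findings highest risk first; ties broken by name so the order is reproducible."""
    return sorted(ratings, key=lambda r: (-r.score(), r.name))


def report(ratings: List[DreadRating]) -> List[str]:
    """One line per finding, in ranked order: '<name>  <score>  <band>'."""
    return [f"{r.name}  {r.score():.1f}  {band(r.score())}" for r in rank(ratings)]


if __name__ == "__main__":
    # Constructed sample findings. The first reproduces the page's worked
    # example; the other two are made up for comparison.
    findings = [
        DreadRating("compute-disruption", damage=6, reproducibility=8,
                    exploitability=2, affected_users=8),
        DreadRating("admin-only-crash", damage=3, reproducibility=10,
                    exploitability=9, affected_users=1),
        DreadRating("tenant-data-leak", damage=9, reproducibility=9,
                    exploitability=7, affected_users=9),
    ]
    for line in report(findings):
        print(line)
```

Because every category carries equal weight in the average, a finding that is trivially exploitable but harms one administrator (admin-only-crash, 6.6) lands in the same band as the page's hard-to-exploit but cloud-wide example (6.8); the ranking still separates them, which is the comparison the score is meant to support.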

Score Categories / Recommendations

The seemingly natural next step would be to categorize vulnerabilities by their DREAD score: perhaps 0-3 would be "Trivial, fix in next release", whereas 8-10 would be "Critical, fix immediately". It is not entirely clear that categorizing in this way should be the responsibility of the Vulnerability Management Team (VMT). By producing a DREAD score, the VMT has already told deployers what the vulnerability is likely to affect and how severely, and has provided a mechanism for comparing one vulnerability against another.

These scores will also provide value for security analysis over time: better categorization of vulnerabilities (through STRIDE) and scoring of impact (through DREAD) will allow the community to see which areas of design and implementation are the weakest from a security standpoint.

Getting Started

Click "Book a demo" and our team will provide you with an overview of our content library within the 6clicks GRC platform.

More Information

Jurisdiction: All
Type: Project