
Using DREAD Risk Rating Model for Threat Modeling Exercise

Published on: 8/15/2014
Topic: Web Application Security
DREAD is a risk rating model that is used in Threat Modeling exercise.

Using the DREAD risk rating model together with the STRIDE model is very helpful for understanding the influence of each threat and for prioritizing threats according to the risk value that DREAD assigns to each one.

What is DREAD?

DREAD is an acronym for:
DAMAGE
REPRODUCIBILITY
EXPLOITABILITY
AFFECTED USERS
DISCOVERABILITY


It has certain known issues, as pointed out on David LeBlanc's web log.

However, it is still used by many people, each with their own understanding of how to weight the categories. You may use the following mathematical model, as described on the OWASP website:

DREAD modeling influences the thinking behind setting the risk rating, and is also used directly to sort the risks. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories.

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

The calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.
Here are some examples of how to quantify the DREAD categories.

Damage Potential
If a threat exploit occurs, how much damage will be caused?
0 = Nothing
5 = Individual user data is compromised or affected.
10 = Complete system or data destruction

Reproducibility
How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application.
5 = One or two steps required, may need to be an authorized user.
10 = Just a web browser and the address bar is sufficient, without authentication.

Exploitability
What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
10 = Just a web browser

Affected Users
How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users

Discoverability
How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access.
5 = Can figure it out by guessing or by monitoring network traces.
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
10 = The information is visible in the web browser address bar or in a form.


When performing a security review of an existing application, Discoverability will often be set to 10 by convention, as it is assumed the threat issues will be discovered.

Using DREAD can be difficult at first. It may be helpful to think of Damage Potential and Affected Users in terms of Impact, while thinking of Reproducibility, Exploitability, and Discoverability in terms of Probability. Using the Impact vs Probability approach (which follows best practices such as defined in NIST-800-30), I would alter the formula to make the Impact score equal to the Probability score. Otherwise the probability scores have more weight in the total.
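The OWASP formula above, the impact-vs-probability variant, and the review convention of setting Discoverability to 10 can all be checked against concrete scores. The following is an added example (not code from this page or from OWASP); the threat names and their scores are constructed for illustration, and the `Threat` class and its methods are the example's own names.

```python
from dataclasses import dataclass, replace
from statistics import mean
# Each DREAD category is scored on the OWASP 0..10 scale.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject scores outside the scale before they skew the average.
        for cat in CATEGORIES:
            if not 0 <= getattr(self, cat) <= 10:
                raise ValueError(f"{self.name}: {cat} must be within 0..10")

    def dread_risk(self) -> float:
        """OWASP formula: unweighted average of all five categories."""
        return mean(getattr(self, cat) for cat in CATEGORIES)

    def impact(self) -> float:
        """Impact side: Damage Potential and Affected Users."""
        return mean((self.damage, self.affected_users))

    def probability(self) -> float:
        """Probability side: Reproducibility, Exploitability, Discoverability."""
        return mean((self.reproducibility, self.exploitability, self.discoverability))

    def balanced_risk(self) -> float:
        """Impact-vs-probability variant: each side contributes half the score."""
        return (self.impact() + self.probability()) / 2

def for_existing_app_review(threat: Threat) -> Threat:
    """Review convention from the text: Discoverability is set to 10."""
    return replace(threat, discoverability=10)

def rank_threats(threats, scorer=Threat.dread_risk):
    """(name, risk) pairs, highest risk first, rounded to two decimals."""
    return sorted(((t.name, round(scorer(t), 2)) for t in threats),
                  key=lambda pair: pair[1], reverse=True)

# Constructed sample scores for illustration only, not from a real assessment.
SAMPLE_THREATS = [
    Threat("Stored XSS in product reviews", 5, 10, 10, 10, 10),
    Threat("Verbose stack trace on error page", 0, 10, 10, 5, 10),
    Threat("Backup DB readable by all staff", 10, 5, 5, 10, 0),
]
```

With these constructed scores the plain average ranks the stack trace above the exposed backup, while the balanced variant reverses them, which is exactly the weighting effect the passage describes.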


Read the Threat Modeling - Practice Guide to understand how to use DREAD during a Threat Modeling exercise.

