DREAD is acronym for
DREAD is a risk rating model that is used in Threat Modeling exercise.
It has certain issues as pointed out into David LeBlanc’s Web Log.
However this is still used by many people with their own understanding of providing weight-age. You may use following mathematical model as described on to OWASP website:
DREAD modeling influences the thinking behind setting the risk rating, and is also used directly to sort the risks. The DREAD algorithm, shown below, is used to compute a risk value, which is an average of all five categories.
Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
The calculation always produces a number between 0 and 10; the higher the number, the more serious the risk.
Here are some examples of how to quantify the DREAD categories.
If a threat exploit occurs, how much damage will be caused?
0 = Nothing
5 = Individual user data is compromised or affected.
10 = Complete system or data destruction
How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application.
5 = One or two steps required, may need to be an authorized user.
10 = Just a web browser and the address bar is sufficient, without authentication.
What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
10 = Just a web browser
How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users
How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access.
5 = Can figure it out by guessing or by monitoring network traces.
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
10 = The information is visible in the web browser address bar or in a form.
When performing a security review of an existing application, Discoverability will often be set to 10 by convention, as it is assumed the threat issues will be discovered.
Using DREAD can be difficult at first. It may be helpful to think of Damage Potential and Affected Users in terms of Impact, while thinking of Reproducibility, Exploitability, and Discoverability in terms of Probability. Using the Impact vs Probability approach (which follows best practices such as defined in NIST-800-30), I would alter the formula to make the Impact score equal to the Probability score. Otherwise the probability scores have more weight in the total.
Read Threat Modeling - Practice Guide to understand how to use DREAD during Threat Modeling exercise.