DREAD (risk assessment model)

DREAD is part of a system for risk-assessing computer security threats previously used at Microsoft and currently used by OpenStack and many other corporations. It provides a mnemonic for risk rating security threats using five categories.

The categories are:

  - Damage: how bad would an attack be?
  - Reproducibility: how easy is it to reproduce the attack?
  - Exploitability: how much work is it to launch the attack?
  - Affected users: how many people will be impacted?
  - Discoverability: how easy is it to discover the threat?

The DREAD name comes from the initials of the five categories listed. It was initially proposed for threat modeling, but in practice the ratings proved inconsistent and subject to debate. It was out of use at Microsoft by 2008.[1]

When a given threat is assessed using DREAD, each category is given a rating, for example 3 for high, 2 for medium, 1 for low and 0 for none. (Rating scales running from 0 to 10 are also common.[2][3]) The sum of the five ratings for a given threat gives a single score that can be used to prioritize among threats.

Discoverability debate

Some security experts feel that including the "Discoverability" element as the last D rewards security through obscurity, so some organizations have either moved to a DREAD-D ("DREAD minus D") scale, which omits Discoverability, or always assume that Discoverability is at its maximum rating.[4][5]
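The scoring procedure above (rate each category, sum the ratings) and the two Discoverability calibrations from this section, as an added worked example; this is illustrative code written for this article, not a tool from Microsoft, OpenStack or OWASP. The category names follow the standard DREAD expansion; the threats, their ratings and the 0 to 10 scale are constructed sample input, and the variant names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The five DREAD categories, in the order that spells the name.
CATEGORIES = (
    "damage",
    "reproducibility",
    "exploitability",
    "affected_users",
    "discoverability",
)

# Calibration variants discussed in the text (names chosen for this example).
CLASSIC = "classic"        # plain sum of all five ratings
MINUS_D = "dread_minus_d"  # omit Discoverability entirely
MAX_D = "max_d"            # always assume Discoverability is at its maximum


@dataclass(frozen=True)
class Threat:
    name: str
    ratings: Dict[str, int]


def validate_ratings(ratings: Dict[str, int], scale_max: int) -> None:
    """Reject missing categories and ratings outside 0..scale_max."""
    missing = [c for c in CATEGORIES if c not in ratings]
    if missing:
        raise ValueError(f"missing categories: {missing}")
    for cat in CATEGORIES:
        value = ratings[cat]
        if not isinstance(value, int) or not 0 <= value <= scale_max:
            raise ValueError(f"{cat}={value!r} is outside 0..{scale_max}")


def dread_score(threat: Threat, scale_max: int = 10, variant: str = CLASSIC) -> int:
    """Sum the category ratings, applying the chosen Discoverability calibration."""
    if variant not in (CLASSIC, MINUS_D, MAX_D):
        raise ValueError(f"unknown variant {variant!r}")
    validate_ratings(threat.ratings, scale_max)
    total = 0
    for cat in CATEGORIES:
        value = threat.ratings[cat]
        if cat == "discoverability":
            if variant == MINUS_D:
                continue            # DREAD-D: the last D is not counted
            if variant == MAX_D:
                value = scale_max   # assume the threat is fully discoverable
        total += value
    return total


def rank_threats(
    threats: List[Threat], scale_max: int = 10, variant: str = CLASSIC
) -> List[Tuple[str, int]]:
    """Return (name, score) pairs, highest score first, ties broken by name."""
    scored = [(t.name, dread_score(t, scale_max, variant)) for t in threats]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample threats on a 0..10 scale. The first is easy to find but
# limited in impact; the second is severe but obscure, which is exactly the
# case where counting Discoverability changes the priority order.
SAMPLE_THREATS = [
    Threat("Verbose error page leaking stack traces",
           {"damage": 5, "reproducibility": 9, "exploitability": 8,
            "affected_users": 6, "discoverability": 10}),
    Threat("Logic flaw in password reset token check",
           {"damage": 9, "reproducibility": 7, "exploitability": 7,
            "affected_users": 8, "discoverability": 2}),
    Threat("Race condition in coupon redemption",
           {"damage": 4, "reproducibility": 3, "exploitability": 4,
            "affected_users": 3, "discoverability": 2}),
]


if __name__ == "__main__":
    for variant in (CLASSIC, MINUS_D, MAX_D):
        print(variant)
        for name, score in rank_threats(SAMPLE_THREATS, variant=variant):
            print(f"  {score:3d}  {name}")
```

With the classic sum the easily discovered error page outranks the severe password reset flaw (38 versus 33); under either calibration the obscure but damaging flaw moves to the top, which is the effect the DREAD-D and "Discoverability always maximum" conventions are meant to produce.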

References

  1. Do you use DREAD as it is?
  2. https://wiki.openstack.org/wiki/Security/OSSA-Metrics#DREAD OpenStack Security OSSA/Metrics DREAD
  3. https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD OWASP Threat Risk Modeling: DREAD
  4. https://wiki.openstack.org/wiki/Security/OSSA-Metrics#Calibration OpenStack Security OSSA/Metrics DREAD Calibration: "Discoverability always assumed to be 10"
  5. https://www.owasp.org/index.php/Threat_Risk_Modeling#DREAD OWASP Threat Risk Modeling: DREAD: "Discoverability will often be set to 10 by convention"


This article is issued from Wikipedia - version of the 8/23/2016. The text is available under the Creative Commons Attribution/Share Alike but additional terms may apply for the media files.