DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis
What Is the DREAD Model?
The DREAD model quantitatively assesses the severity of a cyberthreat using a scaled rating system that assigns numerical values to risk categories. The DREAD model has five categories (Meier et al., 2003):
- Damage: Understand the potential damage a particular threat is capable of causing.
- Reproducibility: Identify how easy it is to replicate an attack.
- Exploitability: Analyze the system’s vulnerabilities to ascertain susceptibility to cyberattacks.
- Affected Users: Calculate how many users would be affected by a cyberattack.
- Discoverability: Determine how easy it is to discover vulnerable points in the system infrastructure.
Damage Potential: How Much Damage Could the Attack Cause?
- 0: No damage
- 5: Information disclosure
- 8: Non-sensitive user data related to individuals or employer compromised
- 9: Non-sensitive administrative data compromised
- 10: Destruction of an information system; data or application unavailability
Reproducibility: How Easily Can the Attack Be Reproduced?
- 0: Difficult or impossible
- 5: Complex
- 7.5: Easy
- 10: Very easy
Exploitability: What’s Required to Launch the Attack?
- 2.5: Advanced programming and networking skills
- 5: Available attack tools
- 9: Web application proxies
- 10: Web browser
Affected Users: How Many People Would the Attack Affect?
- 0: No users
- 2.5: Individual user
- 6: Few users
- 8: Administrative users
- 10: All users
Discoverability: How Easy Is the Vulnerability to Discover?
- 0: Hard to discover the vulnerability
- 5: HTTP requests can uncover the vulnerability
- 8: Vulnerability found in the public domain
- 10: Vulnerability found in web address bar or form
Overall Threat Rating
The overall threat rating is calculated by summing the scores obtained across these five key areas. The risk severity categories for a threat are as follows:
- Critical (40–50): Critical vulnerability; address immediately.
- High (25–39): Severe vulnerability; consider for review and resolution soon.
- Medium (11–24): Moderate risk; review after addressing severe and critical risks.
- Low (1–10): Low risk to infrastructure and data.
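As an added illustration (not code from the original article), a small Python implementation of the scoring described above: it validates each category score against the page's scales, sums the five scores, assigns the severity band, and ranks several threats for remediation order. Fractional totals that fall between the integer bands (for example 24.5) are assigned to the lower band; that tie-break is an assumption, not something the article states.

```python
from dataclasses import dataclass

# Allowed scores per DREAD category, taken from the scales listed on this page.
# A value that is not on a category's scale is rejected rather than silently summed.
SCALES = {
    "damage": {0, 5, 8, 9, 10},
    "reproducibility": {0, 5, 7.5, 10},
    "exploitability": {2.5, 5, 9, 10},
    "affected_users": {0, 2.5, 6, 8, 10},
    "discoverability": {0, 5, 8, 10},
}

# Severity bands from the page, as (inclusive lower bound, label). Fractional totals
# such as 24.5 sit in the gap between integer bands; assigning them to the lower band
# is an assumption made here, not a rule the article states.
BANDS = [(40, "Critical"), (25, "High"), (11, "Medium"), (0, "Low")]


@dataclass(frozen=True)
class DreadScore:
    damage: float
    reproducibility: float
    exploitability: float
    affected_users: float
    discoverability: float

    def __post_init__(self):
        for name, allowed in SCALES.items():
            value = getattr(self, name)
            if value not in allowed:
                raise ValueError(f"{name}={value} is not on the scale {sorted(allowed)}")

    def total(self) -> float:
        return sum(getattr(self, name) for name in SCALES)

    def severity(self) -> str:
        for floor, label in BANDS:
            if self.total() >= floor:
                return label
        return "Low"  # not reachable: exploitability is at least 2.5, so total >= 2.5


def rate(**scores) -> tuple[float, str]:
    """Return (total, severity band) for one threat scored with the page's scales."""
    s = DreadScore(**scores)
    return s.total(), s.severity()


def prioritize(threats: dict[str, DreadScore]) -> list[tuple[str, float, str]]:
    """Rank named threats highest total first, giving a remediation order."""
    ranked = sorted(threats.items(), key=lambda kv: kv[1].total(), reverse=True)
    return [(name, s.total(), s.severity()) for name, s in ranked]
```

Constructed sample call: `rate(damage=10, reproducibility=10, exploitability=10, affected_users=10, discoverability=8)` returns `(48, "Critical")`, and `rate(damage=8, reproducibility=7.5, exploitability=9, affected_users=0, discoverability=0)` returns `(24.5, "Medium")` under the lower-band assumption.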
Cyberthreat modeling using the DREAD framework is customizable based on your needs. However, to successfully apply a subjective risk analysis framework like the DREAD model, you need extensive cybersecurity expertise to ensure that your analysis of cyberthreats is accurate. Without up-to-date domain knowledge, you risk missing crucial information about system vulnerabilities and potential attack vectors.
EC-Council’s Certified Threat Intelligence Analyst (C|TIA) certification program can provide you with the knowledge base and practical skills you need to progress in your cybersecurity career. The program leverages insights from industry professionals to create one of the most robust and informative threat intelligence training courses in the cybersecurity industry.
Bulao, J. (2022, January 4). How many cyber attacks happen per day in 2021? TechJury. https://techjury.net/blog/how-many-cyber-attacks-per-day/
INTRUSION, Inc. (2020, November 18). Cybercrime to cost the world $10.5 trillion annually by 2025 [Press release]. Globe Newswire. https://www.globenewswire.com/news-release/2020/11/18/2129432/0/en/Cybercrime-To-Cost-The-World-10-5-Trillion-Annually-By-2025.html
Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving web application security: Threats and countermeasures. Microsoft Corporation. https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff649874(v=pandp.10)
Shostack, A. (2008, December 1). Hi David, we found that there were lots of arguments around DREAD, and that different people selected very different numbers [Comment on the online forum post Do you use DREAD as it is?]. Microsoft Security Development Lifecycle (SDL) Forum. https://social.msdn.microsoft.com/Forums/en-US/c601e0ca-5f38-4a07-8a46-40e4adcbc293/do-you-use-dread-as-it-is?forum=sdlprocess