What Is the DREAD Model?

DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis

March 9, 2022
| Threat Intelligence
By 2025, the global cost of cybercrime is projected to reach an estimated $10.5 trillion (INTRUSION, Inc., 2020). With 30,000 websites hacked every day (Bulao, 2022), companies of all sizes need to prioritize cybersecurity. As the prevalence and costs of cybercrime skyrocket, organizations have developed a variety of methods to model cyberthreats and assess cybersecurity risks and vulnerabilities. One of these risk analysis methodologies is DREAD, a threat modeling framework created by Microsoft (Meier et al., 2003). Although Microsoft has since abandoned the model, citing concerns about its subjectivity (Shostack, 2008), it’s still in use today by small businesses, Fortune 500 companies, and the military.

What Is the DREAD Model?

The DREAD model quantitatively assesses the severity of a cyberthreat using a scaled rating system that assigns numerical values to risk categories. The DREAD model has five categories (Meier et al., 2003):
  • Damage: Understand the potential damage a particular threat is capable of causing.
  • Reproducibility: Identify how easy it is to replicate an attack.
  • Exploitability: Analyze the system’s vulnerabilities to ascertain susceptibility to cyberattacks.
  • Affected Users: Calculate how many users would be affected by a cyberattack.
  • Discoverability: Determine how easy it is to discover vulnerable points in the system infrastructure.
The DREAD model enables analysts to rate, compare, and prioritize the severity of threats by assigning a given issue a rating between 0 and 10 in each of the above categories. The final rating, calculated as the average of these category ratings, indicates the overall severity of the risk. 

Damage Potential: How Much Damage Could the Attack Cause?

  • 0: No damage
  • 5: Information disclosure
  • 8: Non-sensitive user data related to individuals or employer compromised
  • 9: Non-sensitive administrative data compromised
  • 10: Destruction of an information system; data or application unavailability

Reproducibility: How Easily Can the Attack Be Reproduced?

  • 0: Difficult or impossible 
  • 5: Complex 
  • 7.5: Easy 
  • 10: Very easy 

Exploitability: What’s Required to Launch the Attack?

  • 2.5: Advanced programming and networking skills
  • 5: Available attack tools 
  • 9: Web application proxies 
  • 10: Web browser 

Affected Users: How Many People Would the Attack Affect?

  • 0: No users 
  • 2.5: Individual user 
  • 6: Few users 
  • 8: Administrative users 
  • 10: All users 

Discoverability: How Easy Is the Vulnerability to Discover?

  • 0: Hard to discover the vulnerability
  • 5: HTTP requests can uncover the vulnerability
  • 8: Vulnerability found in the public domain
  • 10: Vulnerability found in  web address bar or form

Overall Threat Rating

The overall threat rating is calculated by summing the scores obtained across these five key areas. The risk severity categories for a threat are as follows:

  • Critical (40–50): Critical vulnerability; address immediately.
  • High (25–39): Severe vulnerability; consider for review and resolution soon.
  • Medium (11–24): Moderate risk; review after addressing severe and critical risks.
  • Low (1–10): Low risk to infrastructure and data.

Cyberthreat modeling using the DREAD framework is customizable based on your needs. However, to successfully apply a subjective risk analysis framework like the DREAD model, you need extensive cybersecurity expertise to ensure that your analysis of cyberthreats is accurate. Without up-to-date domain knowledge, you risk missing crucial information about system vulnerabilities and potential attack vectors. 

EC-Council’s Certified Threat Intelligence Analyst (C|TIA) certification program can provide you with the knowledge base and practical skills you need to progress in your cybersecurity career. The program leverages insights from industry professionals to create one of the most robust and informative threat intelligence training courses in the cybersecurity industry.


Bulao, J. (2022, January 4). How many cyber attacks happen per day in 2021? TechJury. https://techjury.net/blog/how-many-cyber-attacks-per-day/

INTRUSION, Inc. (2020, November 18). https://www.globenewswire.com/news-release/2020/11/18/2129432/0/en/Cybercrime-To-Cost-The-World-10-5-Trillion-Annually-By-2025.html [Press release]. Globe Newswire. https://www.globenewswire.com/news-release/2020/11/18/2129432/0/en/Cybercrime-To-Cost-The-World-10-5-Trillion-Annually-By-2025.html

Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., & Murukan, A. (2003). Improving web application security: Threats and countermeasures. Microsoft Corporation. https://docs.microsoft.com/en-us/previous-versions/msp-n-p/ff649874(v=pandp.10)

Shostack, A. (2008, December 1). Hi David, we found that there were lots of arguments around DREAD, and that different people selected very different numbers [Comment on the online forum post Do you use DREAD as it is?]. Microsoft Security Development Lifecycle (SDL) Forum. https://social.msdn.microsoft.com/Forums/en-US/c601e0ca-5f38-4a07-8a46-40e4adcbc293/do-you-use-dread-as-it-is?forum=sdlprocess

Share this Article
You may also like
Recent Articles
Become a Certified Threat Intelligence Analyst (C|TIA)

"*" indicates required fields