{"id":5846,"date":"2022-03-09T23:59:50","date_gmt":"2022-03-09T23:59:50","guid":{"rendered":"https:\/\/the7.io\/elementor-main\/?p=5846"},"modified":"2025-09-26T07:49:12","modified_gmt":"2025-09-26T07:49:12","slug":"dread-threat-modeling-intro","status":"publish","type":"post","link":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/","title":{"rendered":"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"5846\" class=\"elementor elementor-5846\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-27d78b5 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"27d78b5\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-no\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f7e0370\" data-id=\"f7e0370\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b237685 elementor-widget elementor-widget-text-editor\" data-id=\"b237685\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>By 2025, the global cost of cybercrime is projected to reach an estimated\u202f<a href=\"https:\/\/www.globenewswire.com\/news-release\/2020\/11\/18\/2129432\/0\/en\/Cybercrime-To-Cost-The-World-10-5-Trillion-Annually-By-2025.html#:~:text=Every%20U.S.%20business%20is%20under%20cyberattack&amp;text=18%2C%202020%20(GLOBE%20NEWSWIRE),%243%20trillion%20USD%20in%202015.\" target=\"_blank\" rel=\"noopener\">$10.5 
trillion\u202f<\/a>(INTRUSION, Inc., 2020). With 30,000 websites hacked every day (Bulao, 2022), companies of all sizes need to prioritize cybersecurity.<\/p><p>As the prevalence and costs of cybercrime skyrocket, organizations have developed a variety of methods to model cyberthreats and assess cybersecurity risks and vulnerabilities.\u202fOne of these risk analysis methodologies is DREAD, a <a href=\"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/what-is-cyber-threat-intelligence\/\">threat modeling framework created by<\/a> Microsoft (Meier et al., 2003). Although Microsoft has since abandoned the model, citing concerns about its subjectivity (Shostack, 2008), it\u2019s still in use today by small businesses, Fortune 500 companies, and the military.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-1b052a6 elementor-widget elementor-widget-text-editor\" data-id=\"1b052a6\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>What Is the DREAD Model? <\/h2>The DREAD model quantitatively assesses the severity of a cyberthreat using a scaled rating system that assigns numerical values to risk categories. The DREAD model has five categories (Meier et al., 2003): \n<ul><li>\n<strong>Damage:<\/strong> Understand the potential damage a particular threat is capable of causing. <\/li>\n<li>\n<strong>Reproducibility:<\/strong> Identify how easy it is to replicate an attack. <\/li>\n<li>\n<strong>Exploitability:<\/strong> Analyze the system&#8217;s vulnerabilities to ascertain susceptibility to cyberattacks. <\/li>\n<li>\n<strong>Affected Users:<\/strong> Calculate how many users would be affected by a cyberattack. \n<\/li>\n<li>\n<strong>Discoverability:<\/strong> Determine how easy it is to discover vulnerable points in the system infrastructure. 
<\/li>\n<\/ul>\n\n\nThe DREAD model enables analysts to rate, compare, and prioritize the severity of threats by assigning a given issue a rating between 0 and 10 in each of the above categories. The final rating, calculated as the average of these category ratings, indicates the overall severity of the risk.\u202f \t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-2f1b690 elementor-widget elementor-widget-text-editor\" data-id=\"2f1b690\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Damage Potential: How Much Damage Could the Attack Cause?<\/h2><ul><li>0: No damage<\/li><li>5: Information disclosure<\/li><li>8: Non-sensitive user data related to individuals or employer compromised<\/li><li>9: Non-sensitive administrative data compromised<\/li><li>10: Destruction of an information system; data\u202for application unavailability<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-46f15c1 elementor-widget elementor-widget-text-editor\" data-id=\"46f15c1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Reproducibility: How Easily Can the Attack Be Reproduced?<\/h2><ul><li>0: Difficult or impossible\u202f<\/li><li>5: Complex\u202f<\/li><li>7.5: Easy\u202f<\/li><li>10: Very easy\u202f<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-8ba3c26 elementor-widget elementor-widget-text-editor\" data-id=\"8ba3c26\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Exploitability: What&#8217;s Required to Launch the Attack?<\/h2><ul><li>2.5: Advanced 
programming and networking skills<\/li><li>5: Available attack tools\u202f<\/li><li>9: Web application proxies\u202f<\/li><li>10: Web browser\u202f<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-3aac247 elementor-widget elementor-widget-text-editor\" data-id=\"3aac247\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Affected Users: How Many People Would the Attack Affect?<\/h2><ul><li>0: No users\u202f<\/li><li>2.5: Individual user\u202f<\/li><li>6: Few users\u202f<\/li><li>8: Administrative users\u202f<\/li><li>10: All users\u202f<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-63c65a1 elementor-widget elementor-widget-text-editor\" data-id=\"63c65a1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Discoverability: How Easy Is the Vulnerability to Discover?<\/h2><ul><li>0: Hard to discover the vulnerability<\/li><li>5: HTTP requests can uncover the vulnerability<\/li><li>8: Vulnerability found in the public domain<\/li><li>10: Vulnerability found in\u202f web address bar or form<\/li><\/ul>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-43a30e1 elementor-widget elementor-widget-text-editor\" data-id=\"43a30e1\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<h2>Overall Threat Rating<\/h2><p>The overall threat rating is calculated by summing the scores obtained across these five key areas. 
The risk severity categories for a threat are as follows:<\/p><ul><li><strong>Critical (40\u201350):<\/strong> Critical vulnerability; address immediately.<\/li><li><strong>High (25\u201339):<\/strong> Severe vulnerability; consider for review and resolution soon.<\/li><li><strong>Medium (11\u201324):<\/strong> Moderate risk; review after addressing severe and critical risks.<\/li><li><strong>Low (1\u201310):<\/strong> Low risk to infrastructure and data.<\/li><\/ul><p>Cyberthreat modeling using the DREAD framework is customizable based on your needs. However, to successfully apply a subjective risk analysis framework like the DREAD model, you need extensive cybersecurity expertise to ensure that your analysis of cyberthreats is accurate. Without up-to-date domain knowledge, you risk missing crucial information about system vulnerabilities and potential attack vectors.\u202f<\/p><p>EC-Council\u2019s <a href=\"https:\/\/www.eccouncil.org\/train-certify\/certified-threat-intelligence-analyst-ctia\/\">Certified Threat Intelligence Analyst (CTIA)<\/a> certification program can provide you with the knowledge base and practical skills you need to progress in your cybersecurity career. The program leverages insights from industry professionals to create one of the most robust and informative threat intelligence training courses in the cybersecurity industry.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<div class=\"elementor-element elementor-element-48e9217 elementor-widget elementor-widget-text-editor\" data-id=\"48e9217\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p><strong>References <\/strong><\/p>\n<p>Bulao, J. (2022, January 4). How many cyber attacks happen per day in 2021? TechJury. <i>https:\/\/techjury.net\/blog\/how-many-cyber-attacks-per-day\/<\/i><\/p><p>INTRUSION, Inc. (2020, November 18). 
Cybercrime to cost the world $10.5 trillion annually by 2025 [Press release]. Globe Newswire. <i>https:\/\/www.globenewswire.com\/news-release\/2020\/11\/18\/2129432\/0\/en\/Cybercrime-To-Cost-The-World-10-5-Trillion-Annually-By-2025.html<\/i><\/p>\n<p>Meier, J. D., Mackman, A., Dunner, M., Vasireddy, S., Escamilla, R., &amp; Murukan, A. (2003). Improving web application security: Threats and countermeasures. Microsoft Corporation. <i>https:\/\/docs.microsoft.com\/en-us\/previous-versions\/msp-n-p\/ff649874(v=pandp.10)<\/i><\/p>\n<p>Shostack, A. (2008, December 1). Hi David, we found that there were lots of arguments around DREAD, and that different people selected very different numbers [Comment on the online forum post Do you use DREAD as it is?]. Microsoft Security Development Lifecycle (SDL) Forum. <i>https:\/\/social.msdn.microsoft.com\/Forums\/en-US\/c601e0ca-5f38-4a07-8a46-40e4adcbc293\/do-you-use-dread-as-it-is?forum=sdlprocess<\/i><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>By 2025, the global cost of cybercrime is projected to reach an estimated\u202f$10.5 trillion\u202f(INTRUSION, Inc., 2020). With 30,000 websites hacked every day (Bulao, 2022), companies of all sizes need to prioritize cybersecurity. 
As the prevalence and costs of cybercrime skyrocket, organizations have developed a variety of methods to model cyberthreats and assess cybersecurity risks and&hellip;<\/p>\n","protected":false},"author":31,"featured_media":80944,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_eb_attr":"","footnotes":""},"categories":[12226],"tags":[],"class_list":{"0":"post-5846","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-threat-intelligence"},"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v20.13 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis | EC-Council<\/title>\n<meta name=\"description\" content=\"DREAD is a risk analysis framework used to qualitatively assess cyberthreats. Learn how understanding the DREAD model can improve your threat intelligence.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis\" \/>\n<meta property=\"og:description\" content=\"DREAD is a risk analysis framework used to qualitatively assess cyberthreats. 
Learn how understanding the DREAD model can improve your threat intelligence.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/\" \/>\n<meta property=\"og:site_name\" content=\"Cybersecurity Exchange\" \/>\n<meta property=\"article:published_time\" content=\"2022-03-09T23:59:50+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-09-26T07:49:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-content\/uploads\/2022\/03\/dread-threat-modeling-intro-feature-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"521\" \/>\n\t<meta property=\"og:image:height\" content=\"521\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"EC-Council\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"EC-Council\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/\"},\"author\":{\"name\":\"EC-Council\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#\\\/schema\\\/person\\\/1f49faedc5529f41f3b27a68d73232f0\"},\"headline\":\"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis\",\"datePublished\":\"2022-03-09T23:59:50+00:00\",\"dateModified\":\"2025-09-26T07:49:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/\"},\"wordCount\":679,\"commentCount\":191,\"publisher\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/dread-threat-modeling-intro-thumb.jpg\",\"articleSection\":[\"Threat 
Intelligence\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/\",\"url\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/\",\"name\":\"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis | EC-Council\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/dread-threat-modeling-intro-thumb.jpg\",\"datePublished\":\"2022-03-09T23:59:50+00:00\",\"dateModified\":\"2025-09-26T07:49:12+00:00\",\"description\":\"DREAD is a risk analysis framework used to qualitatively assess cyberthreats. 
Learn how understanding the DREAD model can improve your threat intelligence.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/dread-threat-modeling-intro-thumb.jpg\",\"contentUrl\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/wp-content\\\/uploads\\\/2022\\\/03\\\/dread-threat-modeling-intro-thumb.jpg\",\"width\":521,\"height\":521,\"caption\":\"DREAD Threat Modeling\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/threat-intelligence\\\/dread-threat-modeling-intro\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.eccouncil.org\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity Exchange\",\"item\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Threat Intelligence\",\"item\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/category\\\/threat-intelligence\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#website\",\"url\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/\",\"name\":\"Cybersecurity 
Exchange\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#organization\",\"name\":\"Cybersecurity Exchange\",\"url\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"caption\":\"Cybersecurity Exchange\"},\"image\":{\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.eccouncil.org\\\/cybersecurity-exchange\\\/#\\\/schema\\\/person\\\/1f49faedc5529f41f3b27a68d73232f0\",\"name\":\"EC-Council\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis | EC-Council","description":"DREAD is a risk analysis framework used to qualitatively assess cyberthreats. 
Learn how understanding the DREAD model can improve your threat intelligence.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/","og_locale":"en_US","og_type":"article","og_title":"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis","og_description":"DREAD is a risk analysis framework used to qualitatively assess cyberthreats. Learn how understanding the DREAD model can improve your threat intelligence.","og_url":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/","og_site_name":"Cybersecurity Exchange","article_published_time":"2022-03-09T23:59:50+00:00","article_modified_time":"2025-09-26T07:49:12+00:00","og_image":[{"width":521,"height":521,"url":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-content\/uploads\/2022\/03\/dread-threat-modeling-intro-feature-1.jpg","type":"image\/jpeg"}],"author":"EC-Council","twitter_card":"summary_large_image","twitter_misc":{"Written by":"EC-Council","Est. 
reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#article","isPartOf":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/"},"author":{"name":"EC-Council","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#\/schema\/person\/1f49faedc5529f41f3b27a68d73232f0"},"headline":"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis","datePublished":"2022-03-09T23:59:50+00:00","dateModified":"2025-09-26T07:49:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/"},"wordCount":679,"commentCount":191,"publisher":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#organization"},"image":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#primaryimage"},"thumbnailUrl":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-content\/uploads\/2022\/03\/dread-threat-modeling-intro-thumb.jpg","articleSection":["Threat Intelligence"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/","url":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/","name":"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis | 
EC-Council","isPartOf":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#primaryimage"},"image":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#primaryimage"},"thumbnailUrl":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-content\/uploads\/2022\/03\/dread-threat-modeling-intro-thumb.jpg","datePublished":"2022-03-09T23:59:50+00:00","dateModified":"2025-09-26T07:49:12+00:00","description":"DREAD is a risk analysis framework used to qualitatively assess cyberthreats. Learn how understanding the DREAD model can improve your threat intelligence.","breadcrumb":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#primaryimage","url":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-content\/uploads\/2022\/03\/dread-threat-modeling-intro-thumb.jpg","contentUrl":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-content\/uploads\/2022\/03\/dread-threat-modeling-intro-thumb.jpg","width":521,"height":521,"caption":"DREAD Threat Modeling"},{"@type":"BreadcrumbList","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/threat-intelligence\/dread-threat-modeling-intro\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.eccouncil.org\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity 
Exchange","item":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/"},{"@type":"ListItem","position":3,"name":"Threat Intelligence","item":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/category\/threat-intelligence\/"},{"@type":"ListItem","position":4,"name":"DREAD Threat Modeling: An Introduction to Qualitative Risk Analysis"}]},{"@type":"WebSite","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#website","url":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/","name":"Cybersecurity Exchange","description":"","publisher":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#organization","name":"Cybersecurity Exchange","url":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#\/schema\/logo\/image\/","url":"","contentUrl":"","caption":"Cybersecurity 
Exchange"},"image":{"@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/#\/schema\/person\/1f49faedc5529f41f3b27a68d73232f0","name":"EC-Council"}]}},"_links":{"self":[{"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/posts\/5846","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/users\/31"}],"replies":[{"embeddable":true,"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/comments?post=5846"}],"version-history":[{"count":0,"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/posts\/5846\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/media\/80944"}],"wp:attachment":[{"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/media?parent=5846"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/categories?post=5846"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.eccouncil.org\/cybersecurity-exchange\/wp-json\/wp\/v2\/tags?post=5846"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}