DREAD (risk assessment model)

DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) is a risk assessment and threat modeling system for computer security threats. When a given threat is assessed using DREAD, each category is given a rating from 1 to 10, and the sum of all ratings is taken to assess the overall risk.^[1] It was formerly used at Microsoft before being discontinued for its inconsistency and subjectivity.^[2]^[3] It has also been criticised for promoting security through obscurity through the discoverability element. Some organizations have moved to a DREAD-D "DREAD minus D" scale, which omits Discoverability.^[4]^[5]

References

^ "Security/OSSA-Metrics - OpenStack". wiki.openstack.org.
^ Shostack, Adam. "Experiences Threat Modeling at Microsoft" (PDF).
^ "Do you use DREAD as it is?". Archived from the original on 2016-03-06. Retrieved 2014-09-08.
^ "Security/OSSA-Metrics - OpenStack". wiki.openstack.org.
^ "Threat Modeling | OWASP". owasp.org.

External links

This computer security article is a stub. You can help Wikipedia by expanding it.

[1] "Security/OSSA-Metrics - OpenStack". wiki.openstack.org.

[2] Shostack, Adam. "Experiences Threat Modeling at Microsoft" (PDF).

[3] "Do you use DREAD as it is?". Archived from the original on 2016-03-06. Retrieved 2014-09-08.

[4] "Security/OSSA-Metrics - OpenStack". wiki.openstack.org.

[5] "Threat Modeling | OWASP". owasp.org.

[1]

[2]

[3]

[4]

[5]

See also

References

External links