DREAD Scoring

How bad is this vulnerability in comparison to others?

DREAD is a process for calculating the risk of a vulnerability. While DREAD Scoring measures quantitative risk, FAIR Scoring measures qualitative risk.

It is an acronym for:

  • Damage: how much damage can an attacker cause?
  • Reproducibility: how easy is the vulnerability to reproduce?
  • Exploitability: how easy is it to conduct a successful attack?
  • Affected users: what percentage of users does this affect?
  • Discoverability: how easy is this to discover?
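To answer the opening question ("how bad is this compared to others?") the five factors have to be turned into a single number. The following is an added example, not part of the original note: it assumes the common convention of rating each factor 0..10 and averaging them (the scale and the averaging rule are assumptions, not stated on this page), validates the inputs, and ranks a set of constructed, hypothetical findings.

```python
from dataclasses import dataclass, fields


@dataclass(frozen=True)
class DreadScore:
    """One DREAD rating. Each factor is an integer 0..10 (assumed scale)."""
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Reject out-of-range or non-integer ratings so scores stay comparable.
        for f in fields(self):
            v = getattr(self, f.name)
            if not isinstance(v, int) or not 0 <= v <= 10:
                raise ValueError(f"{f.name} must be an integer 0..10, got {v!r}")

    def risk(self) -> float:
        """Average of the five factors, giving an overall 0..10 risk score."""
        return (self.damage + self.reproducibility + self.exploitability
                + self.affected_users + self.discoverability) / 5


def rank_findings(findings: dict[str, DreadScore]) -> list[tuple[str, float]]:
    """Order findings by DREAD risk, highest first, for side-by-side comparison."""
    return sorted(((name, s.risk()) for name, s in findings.items()),
                  key=lambda item: item[1], reverse=True)


# Constructed sample findings (hypothetical names and ratings, for illustration).
SAMPLE = {
    "sqli-in-login": DreadScore(damage=9, reproducibility=10, exploitability=8,
                                affected_users=10, discoverability=7),
    "verbose-error-page": DreadScore(damage=2, reproducibility=10, exploitability=3,
                                     affected_users=10, discoverability=9),
    "race-in-coupon-redeem": DreadScore(damage=5, reproducibility=3, exploitability=4,
                                        affected_users=2, discoverability=2),
}

if __name__ == "__main__":
    for name, score in rank_findings(SAMPLE):
        print(f"{score:4.1f}  {name}")
```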

References:

  • Tarandach, I., & Coles, M. J. (2020). Threat Modeling: A Practical Guide for Development Teams (1st ed.). O’Reilly Media.
