
DREAD

DREAD prioritizes threats by risk level
After STRIDE identifies what threats exist, DREAD helps decide which ones to fix first by scoring each threat on five criteria and averaging the result.

The Five Categories

D - Damage Potential How severe is the damage if the threat is realized?

10 - Complete system compromise, full data breach
7-9 - Significant data exposure, system-wide impact
4-6 - Moderate data exposure, limited impact
1-3 - Minor information leak, no critical data
0 - No damage

R - Reproducibility How reliably can the attack be reproduced?

10 - Can be reproduced every time, no conditions needed
7-9 - Easily reproduced with some conditions
4-6 - Reproducible under specific timing/conditions
1-3 - Very hard to reproduce, race condition dependent
0 - Practically impossible to reproduce

E - Exploitability How easy is it to launch the attack?

10 - Novice attacker, single command, public exploit exists
7-9 - Easy exploit, standard tools, minor skill required
4-6 - Requires some skill, custom tooling needed
1-3 - Advanced exploit technique, significant skill
0 - Requires insider access or extreme sophistication

A - Affected Users How many users are impacted?

10 - All users or critical infrastructure
7-9 - Most users or major subsystems
4-6 - Some users or specific functions
1-3 - Very few users or edge cases
0 - No users affected

D - Discoverability How easy is it to find the vulnerability?

10 - Publicly known, CVE published, exploit in wild
7-9 - Easily findable through normal testing
4-6 - Requires specific knowledge or tools
1-3 - Obscure, requires deep code analysis
0 - Practically undiscoverable

Scoring

Average the five scores:

DREAD Score = (D + R + E + A + D) / 5

Averages of five integer scores land on multiples of 0.2, so treat the bands below as lower bounds rather than integer ranges: a threat that averages 8.8 is High, not Critical.

9.0-10.0 - Critical - Fix immediately
7.0-8.8  - High - Fix in current sprint
4.0-6.8  - Medium - Fix in next sprint
0.2-3.8  - Low - Fix when resources available
0        - Informational - Document only

Example Scoring

Threat: SQL injection in login API

Damage:     9 (database compromise, data exfiltration)
Reproduce:  10 (every time with ' OR 1=1--)
Exploit:    8  (sqlmap automates, script kiddie capable)
Affected:   9  (all users' data exposed)
Discover:   9  (automated scanners find these)

DREAD Score: (9 + 10 + 8 + 9 + 9) / 5 = 9.0 (Critical)
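The scoring and banding above, plus a check for the sensitivity that the limitations section describes, as an added example that is not part of the original page. The threat names, the band thresholds (score >= 9 Critical, >= 7 High, >= 4 Medium, > 0 Low, 0 Informational), the tie-break rule in prioritize() and all sample threats other than the page's own SQL injection are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# DREAD categories in the order the page lists them (field names are assumed).
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self) -> None:
        # Each category is an integer 0..10 per the page's rubric.
        for cat in CATEGORIES:
            v = getattr(self, cat)
            if not isinstance(v, int) or not 0 <= v <= 10:
                raise ValueError(f"{self.name}: {cat} must be an integer 0..10, got {v!r}")

    def scores(self) -> Dict[str, int]:
        return {cat: getattr(self, cat) for cat in CATEGORIES}


def dread_score(t: Threat) -> float:
    """DREAD Score = (D + R + E + A + D) / 5, rounded to one decimal."""
    return round(sum(t.scores().values()) / len(CATEGORIES), 1)


def band(score: float) -> str:
    """Map an averaged score to a priority band. Thresholds are lower bounds
    (assumption) so that fractional averages such as 8.8 get a definite band."""
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    if score > 0:
        return "Low"
    return "Informational"


def prioritize(threats: List[Threat]) -> List[Tuple[Threat, float, str]]:
    """Rank threats highest score first. Ties are broken by Damage, then
    Exploitability (an assumed house rule, not part of DREAD itself)."""
    ranked = sorted(threats,
                    key=lambda t: (dread_score(t), t.damage, t.exploitability),
                    reverse=True)
    return [(t, dread_score(t), band(dread_score(t))) for t in ranked]


def band_sensitivity(t: Threat) -> Dict[str, Tuple[str, str]]:
    """Which single-category +1/-1 adjustments move the threat into a different
    band. A one-point disagreement between two analysts in one category is
    common, so a threat with many flips has a fragile priority."""
    base = band(dread_score(t))
    flips: Dict[str, Tuple[str, str]] = {}
    for cat in CATEGORIES:
        for delta in (-1, +1):
            v = getattr(t, cat) + delta
            if 0 <= v <= 10:
                alt = replace(t, **{cat: v})
                other = band(dread_score(alt))
                if other != base:
                    flips[f"{cat}{delta:+d}"] = (base, other)
    return flips


# Constructed sample threats. SQLI uses the page's own worked scores; the
# other three are made up for illustration.
SQLI = Threat("SQL injection in login API", 9, 10, 8, 9, 9)
TOKEN_IN_URL = Threat("Session token in URL, logged by proxies", 8, 10, 8, 9, 9)
STACK_TRACE = Threat("Verbose stack trace on error page", 3, 10, 9, 4, 8)
COUPON_RACE = Threat("Race condition in coupon redemption", 5, 2, 3, 3, 2)


if __name__ == "__main__":
    for t, score, label in prioritize([COUPON_RACE, STACK_TRACE, TOKEN_IN_URL, SQLI]):
        print(f"{score:4.1f}  {label:<13} {t.name}")
        for change, (before, after) in band_sensitivity(t).items():
            print(f"        {change}: {before} -> {after}")
```

Running it ranks the SQL injection first at 9.0 (Critical) and the token-in-URL threat second at 8.8 (High); the sensitivity output shows that the SQL injection drops to High if any single category is scored one point lower, and the token-in-URL threat becomes Critical if any of four categories is scored one point higher. That is the "off by one" problem made visible: when two adjacent threats have that many flips, the band is telling you less than the raw ordering does, and relative ranking is the safer input to a sprint plan.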

DREAD Limitations

  • Subjective - Different analysts may score differently
  • Context-dependent - Same threat scores differently in different environments
  • Outdated - Microsoft deprecated DREAD in favor of other methods
  • Off by one - A one-point disagreement in a single category can move a threat across a band boundary and mis-prioritize it
  • No business context - Doesn't account for business impact beyond users

Alternatives to DREAD

  • CVSS - Industry standard (NVD, all major vendors)
  • OWASP Risk Rating - Web-application focused
  • FAIR - Quantitative risk analysis (more rigorous)
  • Relative scoring - Compare threats to each other instead of absolute numbers