DREAD adalah kepanjangan dari
- Damage potential : How much are the assets affected?
- Reproducitibility : How easily the attack can be reproduced?
- Exploitability : How easily the attack can be launched?
- Affected User : What’s the number of affected users?)
- Discoverability : How easily the vulnerability can be found?
Dengan mengguakan DREAD model, ancaman dari risiko yang kita analisis dinilai dengan menjawab pertanyaan diatas, kemudian ditentukan kategori resiko apakah termasuk high, medium, ataupun low.
Rumus dari model DREAD adalah sebagai berikut :
Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5
Dibawah ini contoh penggunaan DREAD Model
Damage Potential
If a threat exploit occurs, how much damage will be caused?
0 = Nothing
5 = Individual user data is compromised or affected.
10 = Complete system or data destruction
Reproducibility
How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application.
5 = One or two steps required, may need to be an authorized user.
10 = Just a web browser and the address bar is sufficient, without authentication.
Exploitability
What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
10 = Just a web browser
Affected Users
How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users
Discoverability
How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access.
5 = Can figure it out by guessing or by monitoring network traces.
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
10 = The information is visible in the web browser address bar or in a form.
Referensi
http://scanbuffer.com/b/Using-DREAD-Risk-Rating-Model-for-Threat-Modeling-Exercise-Full-Article/bid/1000016
http://resources.infosecinstitute.com/qualitative-risk-analysis-dread-model/#gref
Threat Modeling | Microsoft Learn