Apa yang dimasud dengan model DREAD dalam qualitative risk analysis ?

Qualitative risk analysis adalah teknik manajemen proyek yang berkaitan dengan menemukan probabilitas dari peristiwa risiko yang terjadi dan dampak risiko akan terjadi jika itu terjadi. Semua risiko memiliki kemungkinan dan dampak. Qualitative risk analysis juga merupakan salah satu bentuk untuk menganalisis resiko, namun lebih mengutamakan bobot kualitas nya. Terdapat beberapa cara model yang dapat digunakan dalam qualitative risk analysis. Salah satunya adalah DREAD Model.

Apa yang dimasud dengan model DREAD dalam qualitative risk analysis ?

DREAD adalah kepanjangan dari

  • Damage potential : How much are the assets affected?
  • Reproducitibility : How easily the attack can be reproduced?
  • Exploitability : How easily the attack can be launched?
  • Affected User : What’s the number of affected users?)
  • Discoverability : How easily the vulnerability can be found?

Dengan mengguakan DREAD model, ancaman dari risiko yang kita analisis dinilai dengan menjawab pertanyaan diatas, kemudian ditentukan kategori resiko apakah termasuk high, medium, ataupun low.

DREAD model

Rumus dari model DREAD adalah sebagai berikut :

Risk_DREAD = (DAMAGE + REPRODUCIBILITY + EXPLOITABILITY + AFFECTED USERS + DISCOVERABILITY) / 5

Dibawah ini contoh penggunaan DREAD Model

Damage Potential

If a threat exploit occurs, how much damage will be caused?
0 = Nothing
5 = Individual user data is compromised or affected.
10 = Complete system or data destruction

Reproducibility

How easy is it to reproduce the threat exploit?
0 = Very hard or impossible, even for administrators of the application.
5 = One or two steps required, may need to be an authorized user.
10 = Just a web browser and the address bar is sufficient, without authentication.

Exploitability

What is needed to exploit this threat?
0 = Advanced programming and networking knowledge, with custom or advanced attack tools.
5 = Malware exists on the Internet, or an exploit is easily performed, using available attack tools.
10 = Just a web browser

Affected Users

How many users will be affected?
0 = None
5 = Some users, but not all
10 = All users

Discoverability

How easy is it to discover this threat?
0 = Very hard to impossible; requires source code or administrative access.
5 = Can figure it out by guessing or by monitoring network traces.
9 = Details of faults like this are already in the public domain and can be easily discovered using a search engine.
10 = The information is visible in the web browser address bar or in a form.

Referensi

http://scanbuffer.com/b/Using-DREAD-Risk-Rating-Model-for-Threat-Modeling-Exercise-Full-Article/bid/1000016
http://resources.infosecinstitute.com/qualitative-risk-analysis-dread-model/#gref
https://msdn.microsoft.com/en-us/library/aa302419.aspx