- Damage potential: This refers to the potential harm or damage that could be caused by a security threat, such as loss of data, financial loss, or reputational damage.
- Reproducibility: This refers to the ease with which a security threat can be replicated or exploited. Threats that are easy to reproduce are considered to be more serious than those that are difficult to replicate.
- Exploitability: This refers to the level of skill or knowledge required to exploit a security vulnerability. Threats that can be easily exploited are considered to be more serious than those that require advanced skills or specialized knowledge.
- Affected users: This refers to the number of users who would be affected by a security threat. Threats that would impact a large number of users are considered to be more serious than those that would only affect a small number of users.
- Discoverability: This refers to how easy it is to detect a security threat. Threats that are difficult to detect are considered to be more serious than those that can be easily detected.
Using the DREAD model, each potential security threat is assigned a score based on these five factors. The scores can then be used to prioritize which threats should be addressed first, and to determine the most appropriate security measures to mitigate each threat.
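As an added example, not part of the original text: a small Python helper that scores a threat on the five DREAD factors, averages the scores and ranks the threats for prioritization. The 1-10 scale, the risk-band thresholds and the sample threats are assumptions constructed for this example.

```python
from dataclasses import dataclass

# Assumption: each DREAD factor is scored 1 (lowest risk) to 10 (highest risk).
SCALE_MIN, SCALE_MAX = 1, 10
FACTORS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")


@dataclass
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject scores outside the agreed scale so one bad entry cannot skew the ranking.
        for factor in FACTORS:
            value = getattr(self, factor)
            if not SCALE_MIN <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {factor}={value} is outside {SCALE_MIN}-{SCALE_MAX}")

    def dread_score(self) -> float:
        """Average of the five factor scores, so the result stays on the same 1-10 scale."""
        return sum(getattr(self, f) for f in FACTORS) / len(FACTORS)


def risk_band(score: float) -> str:
    # Assumption: band thresholds; tune them to the organisation's risk appetite.
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(threats):
    """Return (name, score, band) tuples, highest DREAD score first."""
    ranked = sorted(threats, key=lambda t: t.dread_score(), reverse=True)
    return [(t.name, round(t.dread_score(), 1), risk_band(t.dread_score())) for t in ranked]


# Constructed sample threats for a hypothetical web application.
SAMPLE_THREATS = [
    Threat("Injection flaw in login form", 9, 10, 8, 10, 9),
    Threat("Verbose stack trace on error page", 3, 10, 5, 5, 8),
    Threat("Race condition in admin token refresh", 8, 2, 3, 2, 2),
]

if __name__ == "__main__":
    for name, score, band in prioritize(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:6}  {name}")
```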
The DREAD model was developed by Microsoft in 2003 as part of its Security Development Lifecycle (SDL) methodology. The model was created to help developers and security professionals identify, prioritize, and manage security risks in software and technology systems. Since its creation, the DREAD model has become a widely recognized and adopted framework for risk assessment in the information security industry.
Can you give an example of how to manage an IT risk with a Dread framework?
Sure, click on the link.