We covered the Microsoft DREAD risk assessment framework. DREAD is widely used to rate risks and threats across five categories: Damage, Reproducibility, Exploitability, Affected Users and Discoverability. The rating is qualitative: the analyst forms a subjective opinion of the vulnerability, assigns a number from 0 to 10 for each category, and then averages the five numbers to get the overall score. The higher the score, the higher the risk and the more priority the mitigation receives. This was part of the TryHackMe Threat Modeling room.
What is Microsoft DREAD risk assessment Framework?
The DREAD framework is a risk assessment model developed by Microsoft to evaluate and prioritize security threats and vulnerabilities.
Each category is commonly phrased as a question, which makes the definitions quick to absorb:
- Damage – How bad would an attack be?
- Reproducibility – How easy is it to reproduce the attack?
- Exploitability – How much work is it to launch the attack?
- Affected Users – How many people will be impacted?
- Discoverability – How easy is it to discover the vulnerability? (Some teams fix this at 10 on the assumption that an attacker will eventually find it, which removes the most speculative category from the score.)
DREAD Framework Guidelines
As mentioned above, the DREAD framework is an opinion-based model that heavily relies on an analyst’s interpretation and assessment. However, the reliability of this framework can still be improved by following some guidelines:
- Establish a standardised set of guidelines and definitions for each DREAD category that provides a consistent understanding of how to rate vulnerabilities. This can be supported by providing examples and scenarios to illustrate how scores should be assigned under various circumstances.
- Encourage collaboration and discussion among multiple teams. Constructive feedback from different members aids in justifying the assigned scores, which can lead to a more accurate assessment.
- Use the DREAD framework with other risk-assessment methodologies and regularly review and update the chosen methods and techniques to ensure they remain relevant and aligned with the organisation’s needs.
By following these guidelines consistently, organisations can reduce the subjectivity of the framework and improve the accuracy and repeatability of their risk assessments.
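The following Python script, added here as an illustration and not part of the TryHackMe room or Microsoft's material, turns the scoring rule and the first two guidelines into working code: a shared rubric that anchors what 0, 5 and 10 mean per category, validation of each analyst's ratings, the 0–10 average that produces the DREAD score, and aggregation of several analysts' ratings for one finding that flags categories where they disagree enough to need discussion. The rubric wording, the priority cut-offs (7 and 4) and the two findings with their ratings are all constructed for the example.

```python
"""Worked DREAD scoring with a shared rubric and multi-analyst aggregation.

Added example (not from the TryHackMe room): the rubric text, priority
thresholds and findings below are constructed, not Microsoft's canonical text.
"""
from statistics import mean

# The five DREAD categories, in the order the acronym spells them.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")

# Standardised rubric (constructed): gives every analyst the same meaning for
# low, medium and high ratings in each category (guideline 1).
RUBRIC = {
    "damage": {0: "no impact", 5: "individual user data disclosed",
               10: "full system or data compromise"},
    "reproducibility": {0: "very hard, timing dependent",
                        5: "works sometimes", 10: "works every time"},
    "exploitability": {0: "custom tooling and deep skill",
                       5: "public PoC needs adaptation",
                       10: "trivial: a browser or curl is enough"},
    "affected_users": {0: "none", 5: "some users / one tenant",
                       10: "all users"},
    "discoverability": {0: "needs source access", 5: "found with some effort",
                        10: "visible from outside with no effort"},
}

# Priority bands are an organisational choice; these cut-offs are assumed.
BANDS = ((7.0, "High"), (4.0, "Medium"), (0.0, "Low"))


def rubric_anchor(category, value):
    """Nearest rubric anchor for a rating, so a number can be read back as words."""
    levels = RUBRIC[category]
    nearest = min(levels, key=lambda level: abs(level - value))
    return levels[nearest]


def validate(ratings):
    """Reject missing categories and out-of-range values before scoring."""
    missing = set(CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"missing categories: {sorted(missing)}")
    for cat in CATEGORIES:
        value = ratings[cat]
        if not isinstance(value, int) or not 0 <= value <= 10:
            raise ValueError(f"{cat} must be an integer 0..10, got {value!r}")
    return ratings


def dread_score(ratings):
    """Overall DREAD score: the mean of the five category ratings (0..10)."""
    validate(ratings)
    return round(mean(ratings[cat] for cat in CATEGORIES), 2)


def priority(score):
    """Map a score onto the (assumed) priority bands."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError("score below 0")


def aggregate(assessments, disagreement=4):
    """Combine several analysts' ratings for one finding (guideline 2).

    Each category becomes the rounded mean of the analysts' values; a category
    whose spread (max - min) reaches `disagreement` is listed as contested so
    the team justifies the score together rather than silently averaging it.
    """
    for ratings in assessments:
        validate(ratings)
    combined, contested = {}, []
    for cat in CATEGORIES:
        values = [ratings[cat] for ratings in assessments]
        combined[cat] = round(mean(values))
        if max(values) - min(values) >= disagreement:
            contested.append(cat)
    score = dread_score(combined)
    return {"ratings": combined, "score": score,
            "priority": priority(score), "contested": contested}


# Constructed findings, each rated independently by three analysts.
FINDINGS = {
    "unauthenticated SQL injection in login form": [
        {"damage": 10, "reproducibility": 10, "exploitability": 9,
         "affected_users": 10, "discoverability": 8},
        {"damage": 9, "reproducibility": 10, "exploitability": 8,
         "affected_users": 10, "discoverability": 9},
        {"damage": 10, "reproducibility": 10, "exploitability": 10,
         "affected_users": 10, "discoverability": 5},
    ],
    "stack trace shown on error page": [
        {"damage": 2, "reproducibility": 10, "exploitability": 2,
         "affected_users": 3, "discoverability": 8},
        {"damage": 3, "reproducibility": 10, "exploitability": 2,
         "affected_users": 3, "discoverability": 9},
        {"damage": 6, "reproducibility": 10, "exploitability": 3,
         "affected_users": 3, "discoverability": 9},
    ],
}


def rank_findings(findings=FINDINGS):
    """Score every finding and order them by descending DREAD score."""
    results = {name: aggregate(ratings) for name, ratings in findings.items()}
    return sorted(results.items(), key=lambda kv: kv[1]["score"], reverse=True)


if __name__ == "__main__":
    for name, result in rank_findings():
        print(f"{result['score']:5.2f} {result['priority']:6} {name}")
        for cat in result["contested"]:
            print(f"       discuss {cat}: combined {result['ratings'][cat]} "
                  f"= '{rubric_anchor(cat, result['ratings'][cat])}'")
```

Run as a script it prints the two findings ranked (the injection scores 9.2 High, the stack trace 5.6 Medium) and, under each, the categories the three analysts disagreed on; those are exactly the scores that the guidelines say should be argued out with the rubric in hand rather than accepted from a single opinion.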