DREAD (risk assessment model)


DREAD is part of a system for risk-assessing computer security threats that was previously used at Microsoft. Although it is currently used by OpenStack and other corporations, it was abandoned by its creators. It provides a mnemonic for risk-rating security threats using five categories.
The five categories are Damage, Reproducibility, Exploitability, Affected users, and Discoverability.
The DREAD name comes from the initials of the five categories listed. It was initially proposed for threat modeling, but it was discovered that the ratings are not very consistent and are subject to debate. It was out of use at Microsoft by 2008.
When a given threat is assessed using DREAD, each category is given a rating from 1 to 10. The sum of all ratings for a given issue can be used to prioritize among different issues.

Discoverability debate

Some security experts feel that including the "Discoverability" element as the last D rewards security through obscurity, so some organizations have either moved to a DREAD-D "DREAD minus D" scale or always assume that Discoverability is at its maximum rating.
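The following added example (not part of the original article) scores constructed sample threats under the classic DREAD sum, the "DREAD minus D" variant, and the "Discoverability always at maximum" variant, and shows that the two Discoverability-neutral variants rank issues identically while differing from the classic sum. The Threat class, the dread_score and prioritize helpers, and the sample threats and ratings are assumptions for illustration.

```python
from dataclasses import dataclass

# The five DREAD categories, in mnemonic order.
CATEGORIES = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    """A threat with a 1..10 rating per DREAD category (hypothetical type)."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def _check(value: int, category: str) -> int:
    # Each category is rated on a 1..10 scale; anything else is a data error.
    if not 1 <= value <= 10:
        raise ValueError(f"{category} must be rated 1..10, got {value}")
    return value


def dread_score(threat: Threat, variant: str = "classic") -> int:
    """Sum the ratings for one threat.

    variant: "classic"       sums all five categories;
             "dread_minus_d" drops Discoverability entirely;
             "max_d"         replaces Discoverability with 10, i.e. assumes the
                             attacker will find the issue regardless."""
    ratings = {c: _check(getattr(threat, c), c) for c in CATEGORIES}
    if variant == "dread_minus_d":
        del ratings["discoverability"]
    elif variant == "max_d":
        ratings["discoverability"] = 10
    elif variant != "classic":
        raise ValueError(f"unknown DREAD variant {variant!r}")
    return sum(ratings.values())


def prioritize(threats, variant: str = "classic"):
    """Return threat names ordered from highest to lowest score."""
    ranked = sorted(threats, key=lambda t: dread_score(t, variant), reverse=True)
    return [t.name for t in ranked]


# Constructed sample threats; the ratings are illustrative, not measured.
SAMPLE = [
    Threat("SQL injection in login", 9, 10, 8, 10, 3),
    Threat("Verbose stack trace on error page", 3, 10, 9, 7, 10),
    Threat("Weak password reset token", 7, 8, 6, 9, 2),
]
```

With these ratings the easily discovered but low-damage stack-trace issue outranks the weak reset token only under the classic sum; both Discoverability-neutral variants reverse that order.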