CompTIA Security+ Exam Notes


Monday, October 6, 2025

DREAD Explained: Evaluating Threats with Damage, Reproducibility, Exploitability, and More

DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, and Discoverability)

The DREAD model is a structured risk assessment framework used in cybersecurity to evaluate and prioritize threats based on five key factors:

What Does DREAD Stand For?
1. Damage Potential
  • Definition: Measures the extent of harm a threat could cause if exploited.
  • Questions to ask:
    • How severe would the impact be?
    • Could it result in data loss, financial loss, or system downtime?
  • Example: A ransomware attack has high damage potential due to data encryption and ransom demands.
2. Reproducibility
  • Definition: Assesses how easily the attack can be repeated.
  • Questions to ask:
    • Can the attack be executed consistently?
    • Does it require special conditions or tools?
  • Example: A SQL injection that works on multiple pages has high reproducibility.
3. Exploitability
  • Definition: Evaluates how easy it is to carry out the attack.
  • Questions to ask:
    • What level of skill or access is needed?
    • Are tools or scripts readily available?
  • Example: A vulnerability that can be exploited using a publicly available tool has high exploitability.
4. Affected Users
  • Definition: Estimates how many users would be impacted.
  • Questions to ask:
    • Is the threat localized or widespread?
    • Does it affect all users or just a subset?
  • Example: A flaw in a login system that affects every user has a high Affected Users score.
5. Discoverability
  • Definition: Measures how easy it is to find the vulnerability.
  • Questions to ask:
    • Is the flaw obvious in the code or interface?
    • Can it be found through automated scanning?
  • Example: A misconfigured server visible in a public scan has high discoverability.
Scoring and Usage
Each category is typically scored from 0 to 10, and the five scores are summed to prioritize threats; a higher total indicates a more severe risk.

Benefits of DREAD
  • Helps prioritize vulnerabilities based on risk.
  • Encourages consistent threat evaluation across teams.
  • Useful in threat modeling, especially during design and testing phases.
Limitations
  • Subjectivity: Scores can vary between evaluators.
  • Not widely used today: Microsoft deprecated DREAD in favor of simpler models, such as STRIDE or CVSS.
  • It may not be suitable for all threat types, especially in modern cloud or distributed environments.
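A worked example of the scoring described above, and of the subjectivity limitation, added here as an illustration rather than code from the original notes. It scores the three example threats named in the notes (the threat names and every score are constructed for illustration), sums the five 0-10 categories into a 0-50 total, ranks the threats, and flags a finding whose totals from two evaluators disagree by more than an assumed tolerance.

```python
"""Worked DREAD scoring example (added illustration, not from the original notes).

Each of the five factors is scored 0-10 and the five scores are summed,
as the notes describe, giving a total in the range 0-50. All threat names,
scores and the review tolerance below are constructed assumptions.
"""
from dataclasses import dataclass
from statistics import mean

FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadScore:
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Each category must be an integer in the 0-10 range (bool is rejected).
        for name in FACTORS:
            value = getattr(self, name)
            if isinstance(value, bool) or not isinstance(value, int) or not 0 <= value <= 10:
                raise ValueError(f"{name} must be an integer from 0 to 10, got {value!r}")

    def total(self) -> int:
        # Summed score, 0-50; higher means a more severe risk.
        return sum(getattr(self, name) for name in FACTORS)


def rank_threats(scores: dict[str, DreadScore]) -> list[tuple[str, int]]:
    """Return (threat, total) pairs ordered from highest to lowest total."""
    ranked = [(name, s.total()) for name, s in scores.items()]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


def evaluator_spread(ratings: dict[str, list[DreadScore]], tolerance: int = 10) -> dict[str, dict]:
    """Combine several evaluators' scores for the same threat.

    Returns the mean total and the spread (max minus min) per threat; a spread
    above `tolerance` (an assumed threshold) marks the finding for discussion,
    since score variation between evaluators is a known limitation of DREAD.
    """
    result = {}
    for threat, score_list in ratings.items():
        totals = [s.total() for s in score_list]
        spread = max(totals) - min(totals)
        result[threat] = {
            "mean_total": mean(totals),
            "spread": spread,
            "needs_review": spread > tolerance,
        }
    return result


# Constructed scores for the three example threats mentioned in the notes.
SAMPLE_SCORES = {
    "ransomware": DreadScore(damage=9, reproducibility=6, exploitability=5,
                             affected_users=8, discoverability=4),
    "sql_injection": DreadScore(damage=7, reproducibility=9, exploitability=8,
                                affected_users=8, discoverability=7),
    "misconfigured_server": DreadScore(damage=5, reproducibility=10, exploitability=7,
                                       affected_users=6, discoverability=10),
}

# Constructed ratings from two evaluators for the same SQL injection finding.
SAMPLE_RATINGS = {
    "sql_injection": [
        SAMPLE_SCORES["sql_injection"],
        DreadScore(damage=4, reproducibility=5, exploitability=5,
                   affected_users=4, discoverability=4),
    ],
}

if __name__ == "__main__":
    for threat, total in rank_threats(SAMPLE_SCORES):
        print(f"{threat:22s} {total:2d}/50")
    print(evaluator_spread(SAMPLE_RATINGS))
```

Run as a script to see the ranked list (39, 38 and 32 out of 50 for the constructed scores) and the flagged disagreement; the validation in `__post_init__` is what keeps a summed total meaningful, since a single out-of-range category would otherwise distort the ranking.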
