Have you heard of the DREAD cybersecurity risk assessment model? Originally pioneered by Microsoft, it’s used to assess the severity of threats using a scaled rating system. From small businesses to Fortune 500 companies and even militaries, the DREAD model has become an increasingly common tool used to protect against cyber threats. So, what is the DREAD model exactly?
Overview of the DREAD Model
The DREAD model is a form of quantitative risk analysis that involves rating the severity of a cyber threat. When you encounter a cyber threat in your business’s information technology (IT) infrastructure, you can use the DREAD model to determine how much damage it has already caused and can cause in the future. You assess several key points of the cyber threat and assign a numbered rating to each of them. When finished, you compare the total rating against the DREAD model’s rating bands, which reveals whether the cyber threat poses a low, medium or high risk to your business.
The 5 Key Points of the DREAD Model
When using the DREAD model to assess the severity of a cyber threat, you must scrutinize five key points. As you go through these key points, you assign each a rating of one, two or three. A rating of one indicates a low risk. A rating of two indicates a moderate risk. A rating of three indicates a high risk.
- Damage: What’s the total amount of damage the cyber threat is capable of causing your business?
- Reproducibility: How easily can other hackers replicate the cyber threat?
- Exploitability: How much time and energy is required to exploit the threat and, thus, perform a cyber attack against your business?
- Affected Users: How many people, either inside or outside of your business, will be affected by the cyber threat?
- Discoverability: Can you easily discover the cyber threat?
Breaking Down the Numbers
As previously mentioned, the DREAD model requires you to assign a rating of one to three to each of the five key points. Therefore, any given cyber threat will have a total rating of five to 15.
The DREAD model says that cyber threats with a rating of five to seven are considered a low risk, while cyber threats with a rating of eight to 11 are medium risk. If a cyber threat has a rating of 12 to 15, on the other hand, it’s considered a high risk.
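The scoring procedure above, as an added Python example that is not part of the original article: each threat gets the five factor ratings, out-of-range ratings are rejected, and the totals are mapped onto the article's low/medium/high bands. The sample threats and their ratings are constructed for illustration.

```python
from dataclasses import dataclass

# Rating scale from the article: 1 = low, 2 = moderate, 3 = high risk per factor.
MIN_RATING, MAX_RATING = 1, 3
FACTORS = ("damage", "reproducibility", "exploitability",
           "affected_users", "discoverability")


@dataclass(frozen=True)
class DreadRating:
    """One threat's five DREAD factor ratings, each 1-3 per the article's scale."""
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def total(self) -> int:
        """Sum of the five factors; a valid total lies between 5 and 15."""
        for factor in FACTORS:
            value = getattr(self, factor)
            if not MIN_RATING <= value <= MAX_RATING:
                raise ValueError(f"{self.name}: {factor}={value} not in "
                                 f"{MIN_RATING}..{MAX_RATING}")
        return sum(getattr(self, f) for f in FACTORS)

    def risk_level(self) -> str:
        """Article thresholds: 5-7 low, 8-11 medium, 12-15 high."""
        score = self.total()
        if score <= 7:
            return "low"
        if score <= 11:
            return "medium"
        return "high"


def rank_threats(threats):
    """Return (name, total, level) tuples sorted highest-risk first for triage."""
    scored = [(t.name, t.total(), t.risk_level()) for t in threats]
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed sample threats (illustrative ratings, not taken from the article).
SAMPLE_THREATS = [
    DreadRating("default admin credentials on internal panel", 3, 3, 3, 2, 2),
    DreadRating("verbose error page leaks stack traces", 1, 3, 2, 1, 3),
    DreadRating("unpatched service reachable only from ops VLAN", 3, 1, 1, 1, 1),
]
```

Calling `rank_threats(SAMPLE_THREATS)` orders the constructed threats 13 (high), 10 (medium), 7 (low), which is the triage order a reviewer would work through.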