threat modeling

DREAD Threat Modeling: An Introduction to Qualitative and Quantitative Risk Analysis

From small businesses to Fortune 500 companies, cyberattacks have become a dreaded reality which cannot be ignored, and any entity lacking a robust cybersecurity system is bound to pay the price of ignorance. Cybersecurity has come a long way in the past decade with a new threat intelligence model, paving the way for enhanced qualitative risk assessments.

One such cyber threat modeling methodology is DREAD. Developed by Microsoft, the DREAD model is even used by several militaries to protect sensitive information and infrastructure against cyberattacks.

What Is DREAD Threat Modeling?

DREAD cyber threat intelligence modeling creates a rating system for threats by assessing, analyzing, and creating risk probabilities. DREAD threat modeling allows an organization to ascertain the amount of damage done by an attack and create damage assessments for similar attacks in the future. Based on data points and information gathered, the organization can then create a rating system for threats and classify them under low, medium, and high-risk categories.

DREAD Breakdown

Though the word DREAD carries a fearful connotation, yet there’s a valid reason behind the coining of this term in the cybersecurity space. The key points of DREAD threat modelling are as below:

  • “D” for Damage: Understanding the potential damage that a particular threat can cause to an organization’s IT infrastructure.
  • “R” for Reproducibility: In layman’s terms, reproducibility gives an understanding of how easily the threat can be replicated by other hackers or cyber criminals.
  • “E” for Exploitability: Analyse the system’s vulnerabilities to ascertain the ease of an attack.
  • “A” for Affected Users: Ascertain how many users, the ones within and the ones outside, of a business (clients/customers) will be affected post-attack.
  • “D” for Discoverability: The process of discovering the vulnerable points in the system infrastructure and the IT network of an organization.

The DREAD model helps to rate, compare, and prioritize the severity of threats by analyzing threats/risks in each category, ending with a final rating. Each category is given a rating between 0 to 10 and the average of these ratings determine the severity of risks.

Damage Potential

Rating Damage
0 No damage
5 Information disclosure
8 Individual/employer non-sensitive user data compromised
9 Administrative non-sensitive data compromised
10 Information system or data destruction or application unavailability


Rating How easy is it to reproduce the attack?
0 Difficult or Impossible
5 Complex
7.5 Easy for authenticated user
10 Very easy through web browser, no authentication


Rating What is required to exploit this threat?
2.5 Advanced programming and networking skills
5 Using available attack tools
9 A web application proxy tool
10 Web browser

Affected Users

Rating How many users affected?
0 No users affected
2.5 Individual user
6 Few users
8 Administrative users
10 All users


Rating How easy is it to discover the threat?
0 Very hard
5 Can figure it out by HTTP requests
8 Already in the public domain and can easily be discovered
10 Visible in the web browser address bar or in a form
The threat rating is calculated taking these five key points, wherein each point is assigned a severity rating of high, medium, and low. The risk rating for the threats and vulnerabilities is as follows:

Risk Rating DREAD Score Comments
Critical 40-50 Critical vulnerability, should be considered immediately for review and resolution
High 25-39 Severe vulnerability, should be considered for review and resolution within a short period of time
Medium 11-24 Moderate risk finding or vulnerabilities should be considered once severe and critical risks have been addressed
Low 1-10 Low risk and does not pose significant risk to the IT infrastructure

Based on the needs you want to cater to, the DREAD methodology can be customized to perform the risk analysis.

To master the DREAD threat modeling methodology, you need to climb up the ladder of cybersecurity expertise and reach the level of a threat intelligence analyst. Threat modeling methodologies require a deep understanding of basic cybersecurity techniques and hence, a certified threat intelligence analyst program is the best threat intelligence course to enroll in.

EC-Council’s Certified Threat Intelligence Analyst (CTIA) is one of the most robust and informative threat intelligence training courses in the cybersecurity industry. Our threat intelligence training program has been developed using inputs from industry professionals and renowned threat intelligence experts, providing you with the evidence-based knowledge you need to progress in your career. Become the vanguard of your organization’s IT security with CTIA, today!

CTIA Video:

get certified from ec-council
Write for Us