While the STRIDE methodology can be used to identify threats, the DREAD methodology can be effective in rating the threats. DREAD is an abbreviation for the following terms:
- D—damage potential: The damage potential factor rates how much damage could result if an exploit is successful.
- R—reproducibility: The reproducibility factor rates how easy or difficult it is to reproduce the exploit. One exploit may be very easy to reproduce, while another might be difficult because it depends on several conditions being met.
- E—exploitability: The exploitability factor rates what is required to make the exploit succeed. This may include knowledge of a specific area, skill with a certain tool, and so on.
- A—affected users: The affected users factor rates how many users would be affected if the exploit is successful.
- D—discoverability: The discoverability factor rates how easily the threat under consideration can be uncovered. Some threats in the environment are noticed easily, while others have to be uncovered using additional techniques.
Thus STRIDE and DREAD can be used in conjunction to produce an effective and actionable threat model.
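The combination described above, as an added example that is not part of the original text: threats identified under a STRIDE category are each scored on the five DREAD factors, averaged, and ranked so the model becomes an ordered work list. The 1-10 scale, the High/Medium/Low bands and the sample threats are assumptions made for this example.

```python
from dataclasses import dataclass
from statistics import mean

# Assumption: each DREAD factor is scored 1-10 (a common choice; the text fixes no scale).
SCALE = range(1, 11)


@dataclass(frozen=True)
class Threat:
    name: str
    stride: str  # STRIDE category under which the threat was identified
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def factors(self) -> tuple:
        return (self.damage, self.reproducibility, self.exploitability,
                self.affected_users, self.discoverability)

    def dread_score(self) -> float:
        """Average of the five DREAD factors; rejects out-of-range values."""
        for value in self.factors():
            if value not in SCALE:
                raise ValueError(f"{self.name}: factor {value} outside {SCALE.start}-{SCALE[-1]}")
        return mean(self.factors())


def rating(score: float) -> str:
    # Assumed bands that turn a numeric score into an actionable priority.
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (name, score, rating) rows, highest DREAD score first."""
    rows = [(t.name, t.dread_score(), rating(t.dread_score())) for t in threats]
    return sorted(rows, key=lambda row: row[1], reverse=True)


# Constructed sample threats: high reproducibility alone does not make a threat High.
SAMPLE_THREATS = [
    Threat("SQL injection in login form", "Tampering", 9, 9, 7, 9, 8),
    Threat("Verbose stack trace on error page", "Information disclosure", 3, 10, 9, 3, 8),
    Threat("Replay of expired session token", "Spoofing", 6, 4, 5, 4, 3),
]

if __name__ == "__main__":
    for name, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{band:6} {score:4.1f}  {name}")
```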