Quiz Entry - updated: 2026.07.14
How do you calculate a DREAD risk score and what do the rating levels mean?
Score each of the 5 categories 1–3 (Low/Med/High), sum them (range 5–15), then band it: 5–7 Low, 8–11 Medium, 12–15 High.
DREAD Rating Scale:
| Rating | Score | Example (Damage) | Example (Reproducibility) |
|---|---|---|---|
| High | 3 | Full system compromise, admin access, content upload | Attack reproducible every time, no timing window |
| Medium | 2 | Leaking sensitive information | Requires timing window or race condition |
| Low | 1 | Leaking trivial information | Very difficult even with knowledge of the hole |
Risk Classification:
| Total Score | Risk Level |
|---|---|
| 12-15 | High |
| 8-11 | Medium |
| 5-7 | Low |
Example Calculation:
- SQL Injection: D=3, R=3, E=3, A=3, D=2 = 14 (High)
- Credential theft via network monitoring: D=3, R=3, E=2, A=2, D=2 = 12 (High)
Note on Discoverability: Some organizations either ignore "D" (DREAD-D) or always assume maximum discoverability to avoid rewarding security through obscurity.