LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you calculate a DREAD risk score and what do the rating levels mean?

Score each of the 5 categories 1–3 (Low/Med/High), sum them (range 5–15), then band it: 5–7 Low, 8–11 Medium, 12–15 High.

DREAD Rating Scale:

Rating Score Example (Damage) Example (Reproducibility)
High 3 Full system compromise, admin access, content upload Attack reproducible every time, no timing window
Medium 2 Leaking sensitive information Requires timing window or race condition
Low 1 Leaking trivial information Very difficult even with knowledge of the hole

Risk Classification:

Total Score Risk Level
12-15 High
8-11 Medium
5-7 Low

Example Calculation:

  • SQL Injection: D=3, R=3, E=3, A=3, D=2 = 14 (High)
  • Credential theft via network monitoring: D=3, R=3, E=2, A=2, D=2 = 12 (High)

Note on Discoverability: Some organizations either ignore "D" (DREAD-D) or always assume maximum discoverability to avoid rewarding security through obscurity.

From Quiz: SPRG / Repetition and Review | Updated: Jul 14, 2026