Quiz Entry - updated: 2026.07.14
How do you calculate the overall DREAD risk rating?
Score all five categories 1-3, sum them (range 5-15), then band the total: 12-15 High, 8-11 Medium, 5-7 Low.
Summing and banding exists to turn five separate judgement calls into one comparable priority — a single number you can sort every threat by, so the team fixes the High band before it spends effort on the Low one.
Calculation:
- Score each category 1-3 (Low/Medium/High)
- Sum all five scores
- Map total to risk level:
| Risk Rating | Score Range |
|---|---|
| High | 12-15 |
| Medium | 8-11 |
| Low | 5-7 |
Example - SQL Injection:
| D | R | E | A | D | Total | Rating |
|---|---|---|---|---|---|---|
| 3 | 3 | 3 | 3 | 2 | 14 | High |
Best practice for Discoverability: Assume Discoverability = 3 (High) for internet-facing applications. If it's online, attackers will find it. Don't rely on obscurity for security.