LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

How do you score each DREAD category (High/Medium/Low)?

Score each category 3/2/1 on one axis — how much harm and how easily an attacker can repeat, perform, reach, or find the exploit. High = worst case (total, effortless, universal, obvious); Low = best case (trivial, fiddly, rare, hidden).

DREAD hub fanning to its five factors, each scored 1-3 and summed to 5-15.

* DREAD's five factors — Damage, Reproducibility, Exploitability, Affected users, Discoverability — each scored 1-3 and summed. *

The unifying principle: each DREAD category asks "how bad does this lean?" and you grade it High (3) → Medium (2) → Low (1). Damage grades how much harm; Reproducibility and Exploitability grade how easily an attacker can pull it off; Affected Users grades how widely it spreads; Discoverability grades how easily it's found. Always pick the row that best matches reality, then carry the number to the sum.

Category High (3) Medium (2) Low (1)
Damage Full system compromise, admin access, upload content Leaking sensitive info Leaking trivial info
Reproducibility Can be reproduced every time, no timing window Requires timing window or race condition Very difficult even with knowledge of the hole
Exploitability Novice programmer can do it quickly Skilled programmer can repeat steps Requires extremely skilled person, deep knowledge
Affected Users All users, default config, key customers Some users, non-default config Very small percentage, obscure feature, anonymous users
Discoverability Published info explains attack, obvious feature Seldom-used feature, requires thinking to see malicious use Obscure, unlikely users will find it

Go deeper:

  • doc DREAD (Wikipedia) — the five-factor model, its 1-10 vs 1-3 scoring variants, and why Microsoft later retired it for subjectivity.

From Quiz: SPRG / Mitigation and Risk Analysis | Updated: Jul 14, 2026