Sunday, April 26, 2015

STRIDE and DREAD (Week 7)

I have used a few different methods and procedures for identifying threats and determining risk over the years.  However, I have never used the STRIDE model for identifying threats and the DREAD model for determining risk, that is, until this week.

Throughout this week I have been using both models to identify threats and determine risk for an assignment in my final class, Current Trends in Cybersecurity.  What I quickly discovered about the two models is that they are not just methods for identifying threats and determining risk in applications and software.  They can also be used to identify threats and determine risk for just about anything related to information security.  A quick explanation of each model will help you understand what I am talking about.
The STRIDE model is an acronym used to help remember the following threats: spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.  Each threat corresponds to a security property that information security professionals try to achieve: authentication, integrity, non-repudiation, confidentiality, availability, and authorization.  The table below shows each STRIDE threat and its corresponding security property.
Threat                    Security Property
Spoofing                  Authentication
Tampering                 Integrity
Repudiation               Non-repudiation
Information Disclosure    Confidentiality
Denial of Service         Availability
Elevation of Privilege    Authorization

The DREAD model is an acronym used to help remember the categories for measuring and prioritizing risk created by identified threats.  The categories that compose the DREAD acronym are: damage potential, reproducibility, exploitability, affected users, and discoverability.  The table below explains what each category analyzes:
Category             Explanation
Damage Potential     How much damage can the threat cause?
Reproducibility      Can the threat be reproduced easily?
Exploitability       What level of knowledge and experience is needed?
Affected Users       How many users will be affected?
Discoverability      Can the threat be easily discovered?

A numerical value can be assigned to each category to assist with determining the overall risk level.  For example, for my assignment this week I used 1 through 3, with 1 representing low, 2 representing medium, and 3 representing high.  Then I added the values of the five categories together to determine the overall risk level.  So, a threat assigned the following: D=1, R=2, E=2, A=3, D=1 would have an overall risk level of 9.
Remember I said I quickly learned that the STRIDE and DREAD models can both be used for purposes other than application and software security.  I used both models to analyze and determine the threats and risks for an entire network.  However, after using both models I think they can be used to analyze threats and risk for just about anything security related, such as the threats and risk associated with physical security.
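To show the scoring procedure above in working form, here is an added example (my own code, not from the assignment or the post) that validates the 1-to-3 ratings, sums them exactly as described, and ranks a few constructed network threats by total while noting which STRIDE security property each one threatens.  The threat names and their ratings are made-up sample values.

```python
"""DREAD scoring and ranking helper (added example, not from the post)."""
from dataclasses import dataclass

# STRIDE threat -> security property it violates (from the post's table)
STRIDE_PROPERTY = {
    "Spoofing": "Authentication",
    "Tampering": "Integrity",
    "Repudiation": "Non-repudiation",
    "Information Disclosure": "Confidentiality",
    "Denial of Service": "Availability",
    "Elevation of Privilege": "Authorization",
}

DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")
LOW, MEDIUM, HIGH = 1, 2, 3   # the 1-3 scale used in the post


@dataclass
class Threat:
    name: str
    stride: str      # one of STRIDE_PROPERTY's keys
    ratings: dict    # DREAD category -> 1..3


def dread_score(ratings):
    """Sum the five DREAD ratings; reject missing or out-of-range values."""
    missing = set(DREAD_CATEGORIES) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD categories: {sorted(missing)}")
    for cat in DREAD_CATEGORIES:
        if ratings[cat] not in (LOW, MEDIUM, HIGH):
            raise ValueError(f"{cat} must be 1, 2 or 3, got {ratings[cat]!r}")
    return sum(ratings[cat] for cat in DREAD_CATEGORIES)


def rank_threats(threats):
    """Return (name, property at risk, score) tuples, highest risk first."""
    ranked = []
    for t in threats:
        if t.stride not in STRIDE_PROPERTY:
            raise ValueError(f"unknown STRIDE category: {t.stride}")
        ranked.append((t.name, STRIDE_PROPERTY[t.stride], dread_score(t.ratings)))
    return sorted(ranked, key=lambda r: r[2], reverse=True)


# Constructed sample threats for a small network (illustrative values only)
SAMPLE_THREATS = [
    Threat("ARP spoofing on the LAN", "Spoofing",
           dict(zip(DREAD_CATEGORIES, (1, 2, 2, 3, 1)))),   # the post's example: 9
    Threat("SYN flood against the web server", "Denial of Service",
           dict(zip(DREAD_CATEGORIES, (2, 3, 1, 3, 3)))),   # 12
    Threat("Log tampering on the file server", "Tampering",
           dict(zip(DREAD_CATEGORIES, (3, 1, 2, 2, 1)))),   # 9
]
```

Calling `rank_threats(SAMPLE_THREATS)` returns the threats ordered by score, so the list doubles as a prioritized work queue.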
