Child pages
  • [security] Threat Risk Modeling
Skip to end of metadata
Go to start of metadata

Threat Classification


STRIDE is a classification scheme for characterizing known threats according to the kinds of exploit that are used (or motivation of the attacker). The STRIDE acronym is formed from the first letter of each of the following categories.







Impersonating something or someone else.

Pretending to be any of billg, or ntdll.dll



Modifying data or code

Modifying a DLL on disk or DVD, or a packet as it traverses the LAN.



Claiming to have not performed an action.

“I didn’t send that email,” “I didn’t modify that file,” “Icertainly didn’t visit that web site, dear!”

Information Disclosure


Exposing information to someone not authorized to see it

Allowing someone to read the Windows source code; publishing a list of customers to a web site.

Denial of Service


Deny or degrade service to users

Crashing Windows or a web site, sending a packet and absorbing seconds of CPU time, or routing packets into a black hole.

Elevation of Privilege


Gain capabilities without proper authorization

Allowing a remote internet user to run commands is the classic example, but going from a limited user to admin is also EoP.

Threat Rating

At this stage in the process, you have a list of threats that apply to your particular application scenario. In the final step of the process, you rate threats based on the risks they pose. This allows you to address the threats that present the most risk first, and then resolve the other threats. In fact, it may not be economically viable to address all of the identified threats, and you may decide to ignore some because of the chance of them occurring is small and the damage that would result if they did is minimal.

Risk = Probability * Damage Potential

This formula indicates that the risk posed by a particular threat is equal to the probability of the threat occurring multiplied by the damage potential, which indicates the consequences to your system if an attack were to occur.

You can use a 1–10 scale for probability where 1 represents a threat that is very unlikely to occur and 10 represents a near certainty. Similarly, you can use a 1–10 scale for damage potential where 1 indicates minimal damage and 10 represents a catastrophe. Using this approach, the risk posed by a threat with a low likelihood of occurring but with high damage potential is equal to the risk posed by a threat with limited damage potential but that is extremely likely to occur.

For example, if Probability=10 and Damage Potential=1, then Risk = 10 * 1 = 10. If Probability=1 and Damage Potential=10, then Risk = 1 * 10 = 10.

This approach results in a scale of 1–100, and you can divide the scale into three bands to generate a High, Medium, or Low risk rating.

High, Medium, and Low Ratings

You can use a simple High, Medium, or Low scale to prioritize threats. If a threat is rated as High, it poses a significant risk to your application and needs to be addressed as soon as possible. Medium threats need to be addressed, but with less urgency. You may decide to ignore low threats depending upon how much effort and cost is required to address the threat.

DREAD (OWASP version)

 RatingHigh (10)... (9)Medium (5)Low (0)
DDamage potential

Complete system or data destruction

 Individual user data is compromised or affected.Nothing
RReproducibilityJust a web browser and the address bar is sufficient, without authentication. One or two steps required, may need to be an authorized user.Very hard or impossible, even for administrators of the application.
EExploitabilityJust a web browser Malware exists on the Internet, or an exploit is easily performed, using available attack tools.Advanced programming and networking knowledge, with custom or advanced attack tools.
AAffected usersAll users Some users, but not allNone
DDiscoverabilityThe information is visible in the web browser address bar or in a form.Details of faults like this are already in the public domain and can be easily discovered using a search engine.

Can figure it out by guessing or by monitoring network traces.

Very hard to impossible; requires source code or administrative access.

Table 3.7 shows an example DREAD rating for both threats:

Table 3.7   DREAD rating


Attacker obtains authentication credentials by monitoring the network.1010555(10+10+5+5+5)/5 = 7High
SQL commands injected into application.101010105(10+10+10+10+5)/5 = 9High


DREAD (Microsoft version)

The problem with a simplistic rating system is that team members usually will not agree on ratings. To help solve this, add new dimensions that help determine what the impact of a security threat really means. At Microsoft, the DREAD model is used to help calculate risk. By using the DREAD model, you arrive at the risk rating for a given threat by asking the following questions:

  • Damage potential: How great is the damage if the vulnerability is exploited?
  • Reproducibility: How easy is it to reproduce the attack?
  • Exploitability: How easy is it to launch an attack?
  • Affected users: As a rough percentage, how many users are affected?
  • Discoverability: How easy is it to find the vulnerability?

You can use above items to rate each threat. You can also extend the above questions to meet your needs. For example, you could add a question about potential reputation damage:

Reputation: How high are the stakes? Is there a risk to reputation, which could lead to the loss of customer trust?

Ratings do not have to use a large scale because this makes it difficult to rate threats consistently alongside one another. You can use a simple scheme such as High (1), Medium (2), and Low (3).

When you clearly define what each value represents for your rating system, it helps avoids confusion. Table 3.6 shows a typical example of a rating table that can be used by team members when prioritizing threats.

Table 3.6   Thread Rating Table


 RatingHigh (3)Medium (2)Low (1)
DDamage potentialThe attacker can subvert the security system; get full trust authorization; run as administrator; upload content.Leaking sensitive informationLeaking trivial information
RReproducibilityThe attack can be reproduced every time and does not require a timing window.The attack can be reproduced, but only with a timing window and a particular race situation.The attack is very difficult to reproduce, even with knowledge of the security hole.
EExploitabilityA novice programmer could make the attack in a short time.A skilled programmer could make the attack, then repeat the steps.The attack requires an extremely skilled person and in-depth knowledge every time to exploit.
AAffected usersAll users, default configuration, key customersSome users, non-default configurationVery small percentage of users, obscure feature; affects anonymous users
DDiscoverabilityPublished information explains the attack. The vulnerability is found in the most commonly used feature and is very noticeable.The vulnerability is in a seldom-used part of the product, and only a few users should come across it. It would take some thinking to see malicious use.The bug is obscure, and it is unlikely that users will work out damage potential.

After you ask the above questions, count the values (1–3) for a given threat. The result can fall in the range of 5–15. Then you can treat threats with overall ratings of 12–15 as High risk, 8–11 as Medium risk, and 5–7 as Low risk.

For example, consider the two threats described earlier:

  • Attacker obtains authentication credentials by monitoring the network.
  • SQL commands injected into application.

Table 3.7 shows an example DREAD rating for both threats:

Table 3.7   DREAD rating


Attacker obtains authentication credentials by monitoring the network.3322212High
SQL commands injected into application.3333214High


Once you have obtained the risk rating, you update the documented threats and add the discovered rating level, which is High for both of the above threats. Table 3.8 shows an example.

Table 3.8   Threat 1


Threat DescriptionAttacker obtains authentication credentials by monitoring the network
Threat targetWeb application user authentication process
Risk ratingHigh
Attack techniquesUse of network monitoring software
CountermeasuresUse SSL to provide encrypted channel

More Reading

  • No labels