Page 117 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
Damage Potential ranking, high/medium/low rating, or the DREAD
system.
The ranking technique of Probability × Damage Potential produces a
risk severity number on a scale of 1 to 100, with 100 the most severe
risk possible. Each of the two initial values can be assigned numbers
between 1 and 10, with 1 being lowest and 10 being highest. These
rankings can be somewhat arbitrary and subjective, but since the same
person or team will be assigning the numbers for their own
organization, it should still result in assessment values that are
accurate on a relative basis.
The high/medium/low rating process is even simpler. Each threat is
assigned one of these three priority labels. Those given the high-
priority label need to be addressed immediately. Those given the
medium-priority label should be addressed eventually, but they don't
require immediate action. Those given the low-priority label might be
addressed, but they could be deemed optional if they require too much
effort or expense in comparison to the project as a whole.
The DREAD rating system is designed to provide a flexible rating
solution that is based on the answers to five main questions about
each threat:
Damage potential: How severe is the damage likely to be if the
threat is realized?
Reproducibility: How complicated is it for attackers to reproduce
the exploit?
Exploitability: How hard is it to perform the attack?
Affected users: How many users are likely to be affected by the
attack (as a percentage)?
Discoverability: How hard is it for an attacker to discover the
weakness?
By asking these and potentially additional customized questions, along
with assigning H/M/L or 3/2/1 values to the answers, you can
establish a detailed threat prioritization.
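The three ranking schemes described above, as an added example that is not the study guide's own code: a Probability × Damage Potential scorer on the 1 to 100 scale, a DREAD scorer that accepts H/M/L or 3/2/1 answers to the five questions, and a sort of constructed sample threats by DREAD total. The sample threats and the cut-offs used to map a DREAD total back onto high/medium/low labels are assumptions made for this example.

```python
# Added example, not the study guide's own code: the three ranking schemes
# described in the text, applied to constructed (hypothetical) sample threats.
HML = {"H": 3, "M": 2, "L": 1}
DREAD_QUESTIONS = ("damage", "reproducibility", "exploitability", "affected_users", "discoverability")

def probability_x_damage(probability, damage):
    """Two 1..10 inputs -> severity on the 1..100 scale (100 = most severe)."""
    for name, value in (("probability", probability), ("damage", damage)):
        if not (isinstance(value, int) and 1 <= value <= 10):
            raise ValueError(f"{name} must be an integer 1..10, got {value!r}")
    return probability * damage

def dread_score(answers):
    """Sum the five DREAD answers given as H/M/L or 3/2/1 -> total 5..15.
    Convention: a higher value is always worse for the defender
    (e.g. reproducibility H = trivial for an attacker to reproduce)."""
    missing = set(DREAD_QUESTIONS) - set(answers)
    if missing:
        raise ValueError(f"missing DREAD answers: {sorted(missing)}")
    total = 0
    for question in DREAD_QUESTIONS:
        raw = answers[question]
        value = HML.get(raw.upper()) if isinstance(raw, str) else raw
        if value not in (1, 2, 3):
            raise ValueError(f"{question}: expected H/M/L or 3/2/1, got {raw!r}")
        total += value
    return total

def priority_label(dread_total):
    """Map a DREAD total onto high/medium/low. The cut-offs (>=12 high,
    >=8 medium) are an assumption for this example, not from the text."""
    if dread_total >= 12:
        return "high"
    return "medium" if dread_total >= 8 else "low"

# Constructed sample threats (hypothetical names and answers, not from the text).
SAMPLE_THREATS = {
    "login_injection":  {"damage": "H", "reproducibility": "H", "exploitability": "M",
                         "affected_users": "H", "discoverability": "M"},
    "stack_trace_leak": {"damage": "L", "reproducibility": "H", "exploitability": "H",
                         "affected_users": "L", "discoverability": "H"},
    "backup_race":      {"damage": "M", "reproducibility": "L", "exploitability": "L",
                         "affected_users": "M", "discoverability": "L"},
}

def prioritize(threats):
    """Return (name, dread_total, label) tuples, most severe first."""
    ranked = [(name, dread_score(a), priority_label(dread_score(a)))
              for name, a in threats.items()]
    return sorted(ranked, key=lambda row: row[1], reverse=True)
```

Running `prioritize(SAMPLE_THREATS)` orders the constructed threats by DREAD total; swap in your own team's answers and the relative ordering is what drives the response plan.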
Once threat priorities are set, responses to those threats need to be