
How To Assess Information Security Risks

        posted March 06, 2011

Know your most dangerous and credible threats.


Ranking threats is the final step of threat analysis. It is key to distinguishing clear and present dangers from unlikely, low-impact threats.


There are several models used to rank threats. The Microsoft DREAD model ranks threats according to five factors: Damage potential, Reproducibility, Exploitability, Affected users and Discoverability.

Each factor is ranked on a scale of 1 to 10 and DREAD is calculated as follows:

DREAD = (Damage + Reproducibility + Exploitability + Affected users + Discoverability) / 5

Other Risk Ranking Models

At simplicable, we use a model that ranks threats according to damage, exploitability and discoverability.
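The following is an added worked example (not code from the original article) that applies the DREAD formula above to a handful of constructed threats and ranks them most dangerous first. Scores are validated against the 1 to 10 scale so a typo cannot silently skew the ranking. The same function also accepts a subset of factors, which lets you run the three-factor model (damage, exploitability, discoverability) mentioned above; the equal weighting of those three factors is an assumption of this example, since the article does not give that model's formula. Threat names and scores are constructed for illustration.

```python
"""Rank threats with the DREAD formula.

Added example, not part of the original article. The threat names and
scores below are constructed for illustration only.
"""
from dataclasses import dataclass

# The five DREAD factors, each scored 1..10 as the article states.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")

# Three-factor variant from the article; equal weighting is an assumption.
THREE_FACTORS = ("damage", "exploitability", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int


def validate_score(value, factor):
    """Reject scores outside the 1..10 scale so bad input cannot skew the ranking."""
    if not isinstance(value, int) or isinstance(value, bool) or not 1 <= value <= 10:
        raise ValueError(f"{factor} must be an integer from 1 to 10, got {value!r}")
    return value


def score(threat, factors=DREAD_FACTORS):
    """Average the chosen factors.

    With all five factors this is exactly the DREAD formula from the article:
    (Damage + Reproducibility + Exploitability + Affected users +
     Discoverability) / 5. With a subset it is an equal-weight variant.
    """
    values = [validate_score(getattr(threat, f), f) for f in factors]
    return sum(values) / len(values)


def rank_threats(threats, factors=DREAD_FACTORS):
    """Return (name, score) pairs, most dangerous first; ties break by name."""
    scored = [(t.name, score(t, factors)) for t in threats]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample threats (not from the article).
SAMPLE_THREATS = [
    Threat("Unpatched CMS plugin", damage=7, reproducibility=9,
           exploitability=8, affected_users=8, discoverability=9),
    Threat("Race condition in custom billing code", damage=8, reproducibility=3,
           exploitability=4, affected_users=5, discoverability=2),
    Threat("Verbose error page", damage=2, reproducibility=10,
           exploitability=6, affected_users=3, discoverability=8),
]

if __name__ == "__main__":
    print("DREAD (five factors):")
    for name, s in rank_threats(SAMPLE_THREATS):
        print(f"  {s:4.1f}  {name}")
    print("Three-factor variant:")
    for name, s in rank_threats(SAMPLE_THREATS, THREE_FACTORS):
        print(f"  {s:4.1f}  {name}")
```

In the sample the widely known plugin flaw outranks the more damaging but obscure race condition in custom code, which is the point the article makes about discoverability: a known vulnerability in a popular tool is found quickly, so its risk score rises even when the damage potential is lower.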


Damage potential

Damage potential is assessed from several factors.

Business and technology should both be involved in assessing potential damages.


Exploitability measures how much time, effort, and skill is required to exploit the threat.


Discoverability measures how easily the threat can be found.

Known vulnerabilities in popular tools are easy to discover. Obscure vulnerabilities in custom code are more difficult to discover.

