Exam 312-96 topic 1 question 16 discussion

"DREAD model is used to rate the various security threats on the application by calculating risks of each threats" From the page 97 of CASE .NET Courseware

The DREAD model is commonly used to rate the threats-based risk to an application during the threat modeling process. DREAD stands for: Damage: How bad would an attack be? Reproducibility: How easy is it to reproduce the attack? Exploitability: How much work is it to launch the attack? Affected Users: How many people will be impacted? Discoverability: How easy is it to discover the threat? Each category is usually given a score, and the scores are then used to prioritize threats. So the correct answer is: A. DREAD The other options are not standard risk assessment models used for rating threats in threat modeling: SMART is often used for goal-setting (Specific, Measurable, Achievable, Relevant, Time-bound). STRIDE is another threat modeling methodology that identifies threats but doesn't rate them (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privileges). RED is not a standard risk assessment model in this context. Therefore, DREAD is the model used for rating threats during the threat modeling process.

The correcto is DREAD!

A. DREAD DREAD is an acronym that stands for: Damage Potential: How bad would an attack be? Reproducibility: How easy is it to reproduce the attack? Exploitability: How easy is it to launch the attack? Affected Users: How many users would be impacted? Discoverability: How easy is it to discover the threat? While STRIDE is used to identify threats (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege), DREAD is used to rate and prioritize those threats.