Andrew van der Stock vanderaj at greebo.net
Thu Sep 8 08:41:59 EDT 2005

Yes, I do. It works well for technical issues in code developed in
house, and is particularly useful for developing a TODO list for future
fixes. It is not perfect - it takes longer than necessary to work out
when there are many issues to work through, but I haven't yet come
across a way as good as STRIDE / DREAD which is *acceptable* to the
business types who have to fund remediation work, as they can work the
sums just like Excel and for some reason they tend to believe the
subjective bits of DREAD a bit more than simply putting in "High",
"Medium" or "Low" based upon one's experience.

However, it is *not* out of the box a business risk modelling tool -  
if you need to factor that in, DREAD is missing the average loss  
expectancy component.

You could change D = damage to be the ALE, and calculate the ALE as  
per normal, with

ARO = Annualized Rate of Occurrence
SLE = Single Loss Expectancy


ARO is very subjective, and it is impossible to garner realistic numbers or
statistics for it. I'm not saying make it up, but you might have to. Costing
the SLE is next to impossible unless you have had that event happen
in the past. There are many good references on how to incorporate the
actual cost of an SLE. Make sure you use "opportunity cost" and future
revenue losses as well - if you lose thousands of people-days
organization-wide due to a virus or no backups, that's a real hit to
the bottom line *and* to the future activities they were working on.

However, in my experience there is a great deal of confusion
about whether the ARO refers to the organization, or globally. For
example, an organization will receive hundreds if not hundreds of
thousands of viruses per year. It's easy to use this as the ARO and
no one will disagree. But what about more esoteric items, such as
phishing or DDoS attacks? Until you've lost money, you could easily
set ARO to zero. Yet there are millions of phishing victims and
thousands of DDoS victims every year, and once a phishing or DDoS
attack starts against you, they rarely if ever stop.

That's why we rate the ARO of a building fire in any particular  
building as a 1 in 10 year event as it is averaged out over a bunch  
of buildings, even if you don't own or occupy more than one. You have  
to have fire exits and evacuation plans ... even if you never intend  
to have a fire. Unless a risk is unique to the organization, I always  
take the global ARO, not the local / organization ARO.

Communicating this successfully to business types is very, very hard.


On 08/09/2005, at 8:57 PM, Daniel wrote:

> Is anyone here using DREAD ratings for reporting vulnerability
> issues yet?
> Daniel
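As an added illustration (not code from the mail above), here is the substitution it describes: DREAD's Damage component derived from ALE = SLE x ARO, scored for a constructed threat register under both the organization's own ARO and the global ARO. The threat names, dollar figures, 0-10 factor scores and the "catastrophic ALE" threshold are all assumptions made for the example.

```python
# Constructed example: DREAD with the Damage component driven by ALE.
# Threats, dollar figures and the catastrophic-ALE threshold are assumptions.

CATASTROPHIC_ALE = 1_000_000  # assumption: an ALE at/above this scores Damage = 10

# Constructed threat register. The other DREAD factors (Reproducibility,
# Exploitability, Affected users, Discoverability) are assumed 0-10 scores.
THREATS = {
    # sle = cost of one incident; aro_local = rate this org has actually seen;
    # aro_global = industry-wide rate, as the mail recommends using.
    "virus outbreak": dict(sle=2_000, aro_local=200, aro_global=200, R=9, E=8, A=10, Disc=9),
    "phishing":       dict(sle=150_000, aro_local=0, aro_global=4, R=7, E=6, A=8, Disc=8),
    "ddos":           dict(sle=300_000, aro_local=0, aro_global=3, R=8, E=5, A=9, Disc=10),
}


def ale(sle: float, aro: float) -> float:
    """Annualized Loss Expectancy = Single Loss Expectancy x Annualized Rate of Occurrence."""
    return sle * aro


def damage_from_ale(ale_value: float) -> int:
    """Map an ALE onto DREAD's 0-10 Damage scale, linear up to CATASTROPHIC_ALE."""
    return min(10, round(10 * ale_value / CATASTROPHIC_ALE))


def dread_score(t: dict, aro_key: str) -> float:
    """Mean of the five DREAD factors, with D replaced by the ALE-derived damage."""
    d = damage_from_ale(ale(t["sle"], t[aro_key]))
    return round((d + t["R"] + t["E"] + t["A"] + t["Disc"]) / 5, 1)


def rank(threats: dict, aro_key: str) -> list:
    """Threat names ordered from highest to lowest DREAD score."""
    return sorted(threats, key=lambda n: dread_score(threats[n], aro_key), reverse=True)


if __name__ == "__main__":
    # Same register, two ARO choices: phishing and DDoS score Damage = 0 on the
    # local ARO (nothing lost yet) but move up once the global ARO is used.
    for key in ("aro_local", "aro_global"):
        print(key, [(n, dread_score(THREATS[n], key)) for n in rank(THREATS, key)])
```

With the local ARO the virus outbreak ranks first and DDoS a distant second; with the global ARO, DDoS overtakes it, which is the ranking shift the mail warns about when ARO is set to zero "until you've lost money".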
