DREAD has withstood the test of time because of its simplicity and clarity. If you make a rating system too heavyweight, people are less likely to use it. And when a classification system is too granular, more time is spent hunting for the exactly right bucket. When there are only 3 to choose from, it's easier to identify the right risk level and to be consistent time after time.

As for severity ratings (Low, Medium, High, Critical), while I understand the high-level argument for having a "Critical" category, I think it creates complexity and too many edge cases. I prefer to have severity ratings cover only three cases: Low, Medium and High. Most people using DREAD and vulnerability classification ratings will not be application security experts, so even if some descriptive power is lost, simple is better. There is huge value in keeping things simple. While Microsoft and its public push for software security may have helped DREAD's exposure, DREAD was adopted because it made simple, intuitive sense. Clarity is a big benefit to adoption.

I don't think the small details matter as much for non-numerical weighted assessments. If the goal were to calculate a numerical result, there might be some point to having a granularity of up to 5 values. In most cases, clients (whether internal or external) want to know one primary thing: "How urgent is it, and should we act now?" While the fine-grained vulnerability rating remains a notable factor, it's less relevant when determining immediate action.

Also, for the areas of DREAD related to Impact and Likelihood, I prefer to err on the side of caution. Those ratings are not exact but rather best-guess estimates, and guesses are often wrong. Even when you have the business context to better estimate Impact or Likelihood, you can still get it wrong. If you really understand the environment(s) in which a vulnerability exists, you might be in a position to use a 4th or 5th rating level (i.e. Critical on one end or Minimal on the other). But again, I think that most don't have that deep contextual knowledge and would benefit from simplicity.
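To make the three-bucket, err-on-the-side-of-caution approach concrete, here is an added example (not code from the original article) of a DREAD triage that keeps every factor and the overall rating at Low/Medium/High, rounds unconfirmed estimates up, and never produces a Critical bucket. The grouping of Damage and Affected users into Impact and the remaining three factors into Likelihood, and the 3x3 risk matrix, are this example's own assumptions, not something the article prescribes.

```python
import math
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Factor:
    level: Level
    uncertain: bool = False  # the rater could not confirm this estimate


def cautious(factor: Factor) -> Level:
    """Err on the side of caution: an unconfirmed estimate is bumped up one level."""
    if factor.uncertain and factor.level < Level.HIGH:
        return Level(factor.level + 1)
    return factor.level


def combine(*factors: Factor) -> Level:
    """Average the cautious levels and round UP, so a tie never rounds down."""
    mean = sum(cautious(f) for f in factors) / len(factors)
    return Level(math.ceil(mean))


# Assumed 3x3 matrix: (impact, likelihood) -> overall rating. The High/High
# corner is simply High; there is deliberately no Critical bucket.
RISK_MATRIX = {
    (Level.HIGH, Level.HIGH): Level.HIGH,
    (Level.HIGH, Level.MEDIUM): Level.HIGH,
    (Level.HIGH, Level.LOW): Level.MEDIUM,
    (Level.MEDIUM, Level.HIGH): Level.HIGH,
    (Level.MEDIUM, Level.MEDIUM): Level.MEDIUM,
    (Level.MEDIUM, Level.LOW): Level.LOW,
    (Level.LOW, Level.HIGH): Level.MEDIUM,
    (Level.LOW, Level.MEDIUM): Level.LOW,
    (Level.LOW, Level.LOW): Level.LOW,
}


def rate(damage, reproducibility, exploitability, affected_users, discoverability) -> Level:
    """DREAD triage: Damage and Affected users drive Impact; the other three drive Likelihood."""
    impact = combine(damage, affected_users)
    likelihood = combine(reproducibility, exploitability, discoverability)
    return RISK_MATRIX[(impact, likelihood)]


if __name__ == "__main__":
    # Constructed finding: serious damage, exploitability estimated Low but unconfirmed.
    print(rate(Factor(Level.HIGH), Factor(Level.LOW), Factor(Level.LOW, uncertain=True),
               Factor(Level.MEDIUM), Factor(Level.LOW)).name)  # HIGH
```

The unconfirmed Low exploitability is treated as Medium, which lifts Likelihood to Medium and the overall rating to High; a confident rater would have landed on Medium instead.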

I conduct software security assessments for a living. While I'm always open to the notion of marking a vulnerability as Critical, there would have to be an exceptional reason for doing so. I almost never use Critical, even in systems that have 5 rather than 3 categories. Most of the time, those vulnerabilities are simply marked High.

Whatever vulnerability rating system we end up with, it will be imperfect. Hence, we shouldn't think too hard about trying to cover every edge case. The original purpose of DREAD was to simplify the otherwise complex business of security defect triage. By further complicating DREAD, you undermine the very value for which it was created.

Want to hear from the other side? Read DREAD 2.0: An Argument FOR Critical Ratings.