Step 6 – rate the threats

Evaluating the likelihood and impact of each of the previous threats allows for selecting appropriate types and levels of control (and their related costs) to mitigate each. Threats with higher risk ratings may require larger amounts of investment to mitigate. Conventional threat-rating methodologies can be used at this step, including Microsoft's DREAD approach.

The DREAD model asks one basic question about each of five risk categories and assigns each a score (1 to 10) for a particular threat:

  • Damage: How much damage would a successful attack cause?
  • Reproducibility: What level of difficulty is involved in reproducing the attack?
  • Exploitability: Can the attack be easily exploited by others?
  • Affected users: What percentage of a user/stakeholder population would be affected given a successful attack?
  • Discoverability: Can the attack be discovered easily by an attacker?

An example of a threat rating for our smart parking system is provided in the following table:

Security architects who are responsible for designing the security controls for an IoT system should continue with this exercise until all threats have been rated. Once complete, the next step is to perform a comparison of each against the others based on each one's threat rating (overall score). This will help prioritize the mitigations within the security architecture.
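The scoring and ranking just described, as an added example that is not taken from the book: the threat names and their category scores are constructed for a smart parking system, the overall rating is assumed to be the mean of the five DREAD scores, and the High/Medium/Low bands are an assumed convention rather than part of the DREAD definition.

```python
from dataclasses import dataclass

# The five DREAD categories, each scored 1 (lowest) to 10 (highest).
DREAD_FIELDS = ("damage", "reproducibility", "exploitability",
                "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    name: str
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int

    def __post_init__(self):
        # Reject scores outside the 1..10 scale so a typo cannot skew the ranking.
        for field in DREAD_FIELDS:
            value = getattr(self, field)
            if not isinstance(value, int) or not 1 <= value <= 10:
                raise ValueError(f"{self.name}: {field} must be an integer 1..10, got {value!r}")


def dread_score(threat: Threat) -> float:
    """Overall threat rating: mean of the five category scores (assumed convention)."""
    return sum(getattr(threat, f) for f in DREAD_FIELDS) / len(DREAD_FIELDS)


def risk_band(score: float) -> str:
    """Map an overall rating to a band (thresholds are an assumption, not DREAD's)."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def prioritize(threats: list[Threat]) -> list[tuple[str, float, str]]:
    """Rank threats by overall rating (highest first) to order mitigation work."""
    rated = [(t.name, dread_score(t), risk_band(dread_score(t))) for t in threats]
    return sorted(rated, key=lambda r: (-r[1], r[0]))


# Constructed sample threats for the smart parking system (D, R, E, A, D).
SAMPLE_THREATS = [
    Threat("Spoofed occupancy reports from parking sensors", 6, 7, 6, 8, 5),
    Threat("Tampering with payment kiosk firmware", 9, 3, 4, 7, 3),
    Threat("Denial of service against the cloud backend", 8, 7, 6, 10, 7),
    Threat("Physical theft of a single sensor node", 2, 5, 3, 1, 4),
]

if __name__ == "__main__":
    for name, score, band in prioritize(SAMPLE_THREATS):
        print(f"{score:4.1f}  {band:6s}  {name}")
```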