16 Threat Modeling Assessment

16.1 Learning Objectives

By the end of this chapter, you will be able to:

Demonstrate Threat Modeling Mastery: Apply STRIDE, DREAD, and attack tree concepts to assessment questions
Analyze Complex Scenarios: Evaluate multi-layer IoT security scenarios and identify root causes
Select Appropriate Mitigations: Justify security control choices for different threat types using risk scores
Synthesize Learning Resources: Connect videos and documentation to deepen threat modeling understanding

Key Concepts

Vulnerability assessment: An automated or manual scan of an IoT system to identify known vulnerabilities, misconfigurations, and security weaknesses without actively exploiting them.
Penetration test: An authorised simulation of a real attack against an IoT system that actively exploits identified vulnerabilities to demonstrate their actual impact — requires explicit written authorisation.
Security audit: A systematic review of an IoT system’s security controls, configurations, and processes against a defined standard or policy to identify compliance gaps.
Red team exercise: A realistic attack simulation conducted by an independent team operating as adversaries with no prior knowledge of the system’s defences, testing the complete detection and response capability.
Attack surface assessment: An enumeration of all interfaces through which an attacker could interact with an IoT system, used to identify underprotected entry points and prioritise hardening efforts.
Risk rating: The assessment output combining vulnerability severity (CVSS score), exploitability in the specific deployment context, and business impact to produce a prioritised remediation list.

In 60 Seconds

IoT security assessments systematically evaluate a deployed or designed system’s security posture — identifying vulnerabilities, measuring control effectiveness, and quantifying residual risk to drive prioritised remediation. Effective assessments combine automated scanning, manual penetration testing, and architecture review to cover technical vulnerabilities, configuration weaknesses, and design flaws that each method alone would miss.

For Beginners: Threat Modeling Assessment

This chapter helps you consolidate your understanding of IoT security threats through review and assessment. Think of it as a security audit of your own knowledge – identifying what you understand well and what needs more study ensures you are prepared to tackle real-world security challenges.

Related Chapters

Threat Modeling Series:

Introduction & Fundamentals - Threat modeling basics
STRIDE Framework - Systematic threat identification
Attack Scenarios - Real-world attacks and risk assessment
Hands-On Lab - Interactive simulator

Security Context:

Security Overview - Security landscape
Device Security - Device hardening

16.2 Quiz 1: Critical Attack Scenario Analysis

Quiz 2: Comprehensive Review

Match the Threat Category

Order the Attack Chain Steps

Knowledge Check: Risk Acceptance

16.3 Chapter Summary

Systematic threat modeling provides structured methodology for proactive security through five iterative steps: acquiring comprehensive architecture knowledge of IoT components and interactions, identifying entry points across physical/network/application interfaces, mapping data flow paths with encryption and authentication checkpoints, defining trust boundaries between device/gateway/cloud tiers, and conceiving plausible attack scenarios based on threat intelligence. This disciplined approach ensures comprehensive coverage of potential vulnerabilities before deployment.

Multiple threat taxonomies guide classification and prioritization. STRIDE maps threats to security properties: Spoofing violates authentication, Tampering violates integrity, Repudiation prevents accountability, Information Disclosure violates confidentiality, Denial of Service violates availability, and Elevation of Privilege violates authorization. The Open Threat Taxonomy categorizes threats as Physical (hardware damage), Resource (power/network disruption), Personnel (social engineering), and Technical (exploitation). ENISA provides IoT-specific frameworks covering devices, communications, data, services, and stakeholders.

Ten critical IoT attack scenarios demonstrate real-world exploitation paths: network eavesdropping for intelligence gathering, sensor manipulation causing safety failures, actuator sabotage for production disruption, administration system compromise enabling mass device control, protocol exploitation leveraging vulnerabilities, command injection for privilege escalation, stepping stone attacks for anonymity, DDoS botnet creation (Mirai-style), power manipulation for battery depletion, and ransomware attacks on critical infrastructure. Each scenario includes detailed attack steps, impact analysis, and targeted mitigations.

The comprehensive Python threat modeling framework implements DREAD scoring (calculating risk as average of five factors rated 1-10), attack tree analysis with probability propagation and critical path identification, automated threat identification matching asset properties to known vulnerabilities, MITRE ATT&CK phase mapping for IoT-specific techniques, residual risk calculation showing effectiveness of applied mitigations, attack surface scoring per asset based on threat count and severity, and mitigation coverage analysis identifying unprotected vulnerabilities. This framework enables data-driven security decisions with quantifiable risk metrics and prioritized remediation roadmaps.

16.4 Videos

Threat Modeling Overview

From slides — frameworks (STRIDE, attack trees) and IoT-specific considerations.

Privacy Engineering Basics

From slides — aligning threat models with privacy-by-design principles.

Attack Trees and Misuse Cases

From slides — constructing and using attack trees for IoT.

16.5 Cross-links

Security overview and CIA fundamentals: ../privacy-compliance/security-and-privacy-overview.html
Encryption choices and pitfalls: Encryption Principles
Device and network hardening: IoT Devices and Network Security
Secure data lifecycle and OTA updates: Secure Data and Software
Architectural placement decisions: Edge-Fog-Cloud Overview and Cloud Computing

16.6 Visual Reference Gallery

AI-Generated Visual: Attack Tree Analysis

Figure 16.1: Attack Tree Analysis - Hierarchical threat decomposition for IoT systems

AI-Generated Visual: IoT Threat Taxonomy

Figure 16.2: IoT Threat Taxonomy - Comprehensive classification of security threats

AI-Generated Visual: Vulnerability Management Lifecycle

Figure 16.3: Vulnerability Management - Continuous security improvement cycle for IoT

Interactive: DREAD Risk Calculator

Calculate DREAD risk scores for your IoT vulnerabilities using the standard formula.

Show code

viewof damage = Inputs.range([0, 10], {
  value: 7,
  step: 1,
  label: "Damage Potential (D):",
  description: "What's the worst-case impact if exploited? (0=none, 10=catastrophic)"
})

viewof reproducibility = Inputs.range([0, 10], {
  value: 8,
  step: 1,
  label: "Reproducibility (R):",
  description: "How reliably can the attack be repeated? (0=never, 10=always)"
})

viewof exploitability = Inputs.range([0, 10], {
  value: 6,
  step: 1,
  label: "Exploitability (E):",
  description: "What skill level is required? (0=nation-state, 10=script kiddie)"
})

viewof affected = Inputs.range([0, 10], {
  value: 8,
  step: 1,
  label: "Affected Users (A):",
  description: "How many users/systems are impacted? (0=none, 10=all)"
})

viewof discoverability = Inputs.range([0, 10], {
  value: 5,
  step: 1,
  label: "Discoverability (D):",
  description: "How easy to find? (0=impossible, 10=obvious)"
})

dreadScore = (damage + reproducibility + exploitability + affected + discoverability) / 5

riskCategory = dreadScore >= 8.0 ? "CRITICAL" :
               dreadScore >= 6.0 ? "HIGH" :
               dreadScore >= 4.0 ? "MEDIUM" : "LOW"

categoryColor = riskCategory === "CRITICAL" ? "#E74C3C" :
                riskCategory === "HIGH" ? "#E67E22" :
                riskCategory === "MEDIUM" ? "#E67E22" :
                "#16A085"

actionRequired = riskCategory === "CRITICAL" ? "Emergency patch required" :
                 riskCategory === "HIGH" ? "Fix within 30 days" :
                 riskCategory === "MEDIUM" ? "Fix within 90 days" :
                 "Monitor, fix in next release"

html`
<div style="background: linear-gradient(135deg, #2C3E50 0%, #34495E 100%); padding: 24px; border-radius: 8px; margin: 20px 0; border-left: 4px solid ${categoryColor};">
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 20px; margin-bottom: 20px;">
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px;">
      <div style="color: #BDC3C7; font-size: 0.9em; margin-bottom: 4px;">DREAD Score</div>
      <div style="color: white; font-size: 2em; font-weight: bold;">${dreadScore.toFixed(1)}/10</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px;">
      <div style="color: #BDC3C7; font-size: 0.9em; margin-bottom: 4px;">Risk Category</div>
      <div style="color: ${categoryColor}; font-size: 1.5em; font-weight: bold;">${riskCategory}</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px;">
      <div style="color: #BDC3C7; font-size: 0.9em; margin-bottom: 4px;">Action Required</div>
      <div style="color: white; font-size: 0.95em; font-weight: 500; line-height: 1.4;">${actionRequired}</div>
    </div>
  </div>
  <div style="background: rgba(255,255,255,0.05); padding: 16px; border-radius: 6px; border-left: 3px solid #16A085;">
    <div style="color: #16A085; font-weight: bold; margin-bottom: 8px;">Calculation</div>
    <div style="color: white; font-family: monospace; font-size: 0.9em;">
      (D + R + E + A + D) / 5 = (${damage} + ${reproducibility} + ${exploitability} + ${affected} + ${discoverability}) / 5 = ${dreadScore.toFixed(1)}
    </div>
  </div>
  <div style="margin-top: 16px; padding: 12px; background: rgba(52, 152, 219, 0.2); border-radius: 6px; border-left: 3px solid #3498DB;">
    <div style="color: #3498DB; font-weight: bold; margin-bottom: 6px;">Risk Thresholds</div>
    <div style="color: #ECF0F1; font-size: 0.85em; line-height: 1.6;">
      <strong style="color: #E74C3C;">CRITICAL (≥8.0)</strong>: Emergency patch<br>
      <strong style="color: #E67E22;">HIGH (6.0-7.9)</strong>: Fix within 30 days<br>
      <strong style="color: #F39C12;">MEDIUM (4.0-5.9)</strong>: Fix within 90 days<br>
      <strong style="color: #16A085;">LOW (<4.0)</strong>: Monitor, fix in next release
    </div>
  </div>
</div>
`

Try It: Adjust the sliders to see how different factor values affect the overall DREAD score and risk classification. Notice how high Damage or Affected Users scores can push a vulnerability into CRITICAL territory even if other factors are moderate.

Worked Example: DREAD Risk Scoring for Smart Lock Vulnerability

Scenario: A penetration tester discovers that a smart lock’s Bluetooth pairing can be sniffed and replayed within 30 seconds of legitimate pairing, allowing an attacker to clone the digital key.

Given:

Vulnerability: BLE pairing replay attack
Affected product: Consumer smart door lock ($200)
Attack requires: Proximity during pairing (within 10 meters), BLE sniffer ($50), replay tool
Impact: Unauthorized physical access to home

Step 1: Score Each DREAD Factor (0-10 scale)

Factor	Question	Score	Justification
Damage	What’s the worst case?	9	Complete home access, theft of valuables, physical safety risk
Reproducibility	How easy to reproduce?	7	Requires timing (during pairing), but attack works consistently when conditions met
Exploitability	How much skill needed?	6	Requires BLE knowledge and tools, but tutorials exist online
Affected Users	How many users impacted?	8	All users of this lock model (~500,000 sold), vulnerability is systematic
Discoverability	How easy to find?	5	Requires security research to discover, not obvious to casual attackers

Step 2: Calculate DREAD Score

DREAD Score = (D + R + E + A + D) / 5 DREAD Score = (9 + 7 + 6 + 8 + 5) / 5 = 35 / 5 = 7.0

Step 3: Interpret Risk Level

Score Range	Risk Level	Action Required
0-3	Low	Monitor, fix in next release
4-6	Medium	Fix within 90 days
7-8	High	Fix within 30 days
9-10	Critical	Emergency patch required

Result: DREAD Score of 7.0 = HIGH RISK - requires fix within 30 days.

Step 4: Design Mitigation and Recalculate

Proposed Fix: Implement BLE Secure Connections (SC) with ECDH key exchange, making replay impossible.

Factor	Before	After	Change
Damage	9	9	Unchanged (if breached)
Reproducibility	7	2	ECDH prevents replay
Exploitability	6	3	Requires breaking ECDH
Affected Users	8	2	Only unpatched devices
Discoverability	5	2	Attack no longer works

New DREAD Score = (9 + 2 + 3 + 2 + 2) / 5 = 18 / 5 = 3.6 (LOW)

Step 5: Calculate Risk Reduction

Risk Reduction = (7.0 - 3.6) / 7.0 = 48.6% reduction

Residual risk of 3.6 (Low) is acceptable because: - Damage potential remains (inherent to the asset being protected) - But exploitability and reproducibility are dramatically reduced - OTA firmware update can patch existing devices within 30 days

Key insight: DREAD scoring shows that mitigations should target the factors with highest scores AND highest potential for reduction. Damage (9) is difficult to reduce (the lock still protects your home), but Reproducibility and Exploitability can be dramatically reduced through cryptographic fixes. Focusing mitigation on the “reducible” factors provides maximum risk reduction per engineering dollar spent.

Worked Example: DREAD Scoring for Real-World IoT Vulnerability

Scenario: During penetration testing, a security researcher discovers that a widely-deployed industrial IoT gateway stores AWS API credentials in plaintext in a world-readable configuration file at /etc/iot-gateway/aws-config.json.

System Context:

Product: Industrial IoT gateway (50,000+ units deployed globally)
Function: Aggregates sensor data from 10-200 sensors per gateway, forwards to AWS IoT Core
Deployment: Manufacturing plants, warehouses, smart buildings
Network: Connected to both OT (sensor) and IT (internet) networks

Step-by-Step DREAD Scoring:

D = Damage Potential (0-10): Score 9

Question: If exploited successfully, what is the worst possible outcome?

Analysis:

Attacker gains AWS credentials with IoT Core publish permissions
Can inject false sensor data for all 50,000 gateways
Could trigger automated responses (e.g., safety shutdowns, alarms)
Potential for supply chain attack (compromised gateways send malware to cloud)
Regulatory penalties (GDPR, CCPA) for data breach

Damage Score Justification: 9/10 (one point below maximum because attacker doesn’t gain persistent remote code execution, “only” credential theft)

R = Reproducibility (0-10): Score 10

Question: How reliably can this vulnerability be exploited?

Analysis:

File is always present on every gateway (part of default configuration)
No authentication required (world-readable permissions)
No special timing or race conditions needed
Works 100% of the time on all 50,000 deployed units

Reproducibility Score: 10/10 (perfect reliability)

E = Exploitability (0-10): Score 8

Question: What level of attacker skill/resources are required?

Analysis:

Requires network access to the gateway (local network or compromised VPN)
No cryptographic breaking required
Basic Linux commands: cat /etc/iot-gateway/aws-config.json
Exploit code is trivial:

#!/bin/bash
# Exploit: Read plaintext AWS credentials
creds=$(cat /etc/iot-gateway/aws-config.json)
echo "Stolen AWS credentials: $creds"
# Use credentials to publish to IoT Core
aws iot-data publish --topic "sensors/compromised" --payload "$malicious_data" --endpoint-url $endpoint

Skill Level Required: Junior penetration tester or motivated amateur

Exploitability Score: 8/10 (requires network access, otherwise trivial)

A = Affected Users (0-10): Score 9

Question: How many users/systems are impacted?

Analysis:

50,000 deployed gateways globally
Each gateway serves 10-200 sensors
Estimated affected sensors: 500,000 - 10,000,000
Industrial customers: ~5,000 companies
Potential cascading failures if false data triggers automated safety systems

Affected Users Score: 9/10 (massive scale, but not literally “all internet users”)

D = Discoverability (0-10): Score 7

Question: How easy is it for an attacker to find this vulnerability?

Analysis:

NOT visible on Shodan (requires authenticated access to device first)
Requires insider knowledge or prior compromise of the network
Configuration file name is not guessable (not /etc/passwd or common name)
However, after initial discovery by one attacker, vulnerability becomes widely known
Static analysis tools (SAST) would flag this in code review

Discoverability Score: 7/10 (requires some reconnaissance, but once found by one attacker, becomes public knowledge)

Overall DREAD Score:

DREAD = (D + R + E + A + D) / 5 = (9 + 10 + 8 + 9 + 7) / 5 = 43 / 5 = 8.6 / 10

Risk Classification: CRITICAL (≥8.0)

Recommended Response Timeline: Immediate (24-48 hours)

Mitigation Plan:

Step	Action	Responsibility	Timeline	Cost	Risk Reduction
1	Emergency patch release - move credentials to OS keyring	Engineering	48 hours	$10K (dev time)	8.6 → 4.0
2	Rotate all AWS credentials (invalidate old keys)	Security	1 week	$5K (coordination)	4.0 → 2.5
3	Push OTA firmware update to all 50,000 gateways	Operations	2 weeks	$15K (bandwidth + support)	2.5 → 1.8
4	Add static analysis to CI/CD to prevent recurrence	DevSecOps	1 month	$8K (tooling)	Prevent future instances

Total Investment: $38K Risk Reduction: 8.6 → 1.8 (79% reduction) Residual Risk: 1.8 (LOW - requires OS-level compromise to access keyring)

Comparison: What if we scored it incorrectly?

Common Mistake: Underestimating Impact

If the team had scored this as: - Damage: 5 (thinking “it’s just config file access”) - Reproducibility: 10 - Exploitability: 8 - Affected: 5 (thinking “only users who let attacker on their network”) - Discoverability: 5

Incorrect Overall: (5+10+8+5+5)/5 = 6.6 (HIGH, not CRITICAL)

Result: Vulnerability gets 90-day remediation window instead of immediate response. Attacker discovers and exploits during those 90 days. Breach costs $25M in remediation + lawsuits + regulatory fines.

Key Insight: DREAD scoring requires understanding both technical exploitability AND business impact. This vulnerability affects AWS credentials for 50,000 devices – the cascading impact across the entire customer base pushes Damage and Affected scores into CRITICAL territory.

Decision Framework: Determining Acceptable Residual Risk

After mitigating threats, some residual risk always remains. Use this framework to decide whether residual risk requires additional mitigation or can be accepted:

Residual Risk Score (After Mitigation)	Risk Level	Decision Required	Approval Authority	Documentation Required
8.0-10.0	CRITICAL	MUST mitigate further	Cannot be accepted	N/A (unacceptable)
6.0-7.9	HIGH	Additional mitigation OR executive acceptance	VP/C-level + Board notification	Risk acceptance form, annual re-review
4.0-5.9	MEDIUM	Evaluate: cost-benefit analysis	Director-level	Risk register entry
2.0-3.9	LOW	Can be accepted	Manager-level	Risk register entry
0.0-1.9	MINIMAL	Standard acceptance	No formal approval needed	Brief notation in security log

Risk Acceptance Criteria:

Accept residual risk ONLY if ALL of the following are true:

Mitigation costs exceed potential impact by 10x or more
Attack requires nation-state level resources (not script kiddies or cybercriminals)
Affected systems are not safety-critical or regulatory-sensitive
Compensating controls exist (defense-in-depth)
Executive leadership has formally acknowledged the risk
Risk is reviewed annually and re-evaluated

Example Decision Matrix:

Scenario 1: SQL Injection Vulnerability

Initial DREAD: 8.5 (CRITICAL)
After mitigation (parameterized queries): 2.0 (LOW)
Residual risk: Logic errors in query construction
Decision: ACCEPT - approved by Engineering Manager, noted in risk register

Scenario 2: Default Credentials

Initial DREAD: 9.2 (CRITICAL)
After mitigation (forced password change on first boot): 4.5 (MEDIUM)
Residual risk: User may set weak password despite complexity requirements
Decision: ACCEPT with compensating control - implemented account lockout after 3 failed attempts + MFA option
Approval: Director of Security

Scenario 3: Unencrypted Sensor Data

Initial DREAD: 7.0 (HIGH)
After mitigation (TLS encryption): 6.8 (HIGH)
Residual risk: TLS misconfiguration or downgrade attack
Decision: ADDITIONAL MITIGATION REQUIRED - implement certificate pinning, reduce score to 3.0 (LOW)

Scenario 4: Physical Tampering

Initial DREAD: 8.0 (CRITICAL)
After mitigation (tamper-evident seals + secure boot): 7.2 (HIGH)
Residual risk: Sophisticated attacker can bypass seals with specialized tools
Mitigation cost: $200/device for hardware security module (HSM)
Device value: $50/device
Deployment: 100,000 devices
Decision: Cannot justify $20M for HSM when device is $5M total value
Resolution: Accept 7.2 HIGH risk with executive sign-off + insurance policy + monitoring for tamper attempts
Approval: CEO + Board of Directors

Cost-Benefit Decision Tree:

START: Residual risk score after initial mitigation?

├─ Score ≥ 8.0 (CRITICAL)?
│  └─ MUST mitigate further, no acceptance allowed
│     └─ If mitigation truly impossible, system cannot be deployed
│
├─ Score 6.0-7.9 (HIGH)?
│  └─ Calculate: Mitigation Cost vs Potential Impact
│     ├─ Cost < Impact/10 → Mitigate
│     └─ Cost > Impact/10 → Escalate to executive for acceptance
│        └─ Requires: Formal risk acceptance, compensating controls, insurance
│
├─ Score 4.0-5.9 (MEDIUM)?
│  └─ Evaluate: Quick wins available?
│     ├─ YES → Implement if cost < $10K and time < 2 weeks
│     └─ NO → Accept with director approval
│
└─ Score < 4.0 (LOW)?
   └─ ACCEPT - standard risk management process

Risk Acceptance Template:

## Residual Risk Acceptance Form

**Risk ID**: SEC-2024-042
**System**: Industrial IoT Gateway v3.2
**Date**: 2024-11-15

### Threat Description
Physical device tampering to extract firmware and cryptographic keys

### Initial Risk Score
8.0/10 (CRITICAL) - High damage, medium exploitability

### Mitigations Implemented
1. Tamper-evident seals on device enclosure
2. Secure boot with signed firmware
3. Encrypted storage for sensitive data
4. Physical access logging

### Residual Risk Score
7.2/10 (HIGH) - Sophisticated attacker with lab equipment can still extract keys

### Additional Mitigation Considered But Not Implemented
- Hardware Security Module (HSM) to store keys in tamper-resistant silicon
- Cost: $200/device × 100,000 devices = $20M
- Device unit cost: $50
- Total fleet value: $5M

### Justification for Acceptance
- Mitigation cost ($20M) exceeds total system value ($5M) by 4x
- Attack requires physical access + specialized equipment (>$50K)
- Attack only affects individual compromised device, not fleet-wide
- Threat actor: Nation-state or highly-funded organized crime (not opportunistic attackers)
- Compensating controls: Physical security at deployment sites, monitoring for tamper attempts
- Insurance: $10M cyber insurance policy in place

### Acceptance
- **Accepted By**: Jane Doe, Chief Information Security Officer
- **Date**: 2024-11-15
- **Review Date**: 2025-11-15 (annual re-evaluation required)
- **Board Notification**: Yes, presented at 2024-11-20 board meeting

### Monitoring & Response
- Monthly review of tamper detection logs
- Incident response plan if physical compromise detected
- Key rotation for all devices if ANY device is compromised

**Signatures**:
CISO: _________________________
CEO: __________________________
Board Chair: ___________________

Key Principle: Residual risk acceptance is not a shortcut to avoid security work. It’s a formal process for acknowledging that perfect security is impossible and documenting rational risk management decisions when mitigation costs exceed potential benefits.

Common Mistake: Averaging DREAD Scores Without Understanding Dimensions

The Mistake: A security team scores a vulnerability and gets: - Damage: 2/10 - Reproducibility: 10/10 - Exploitability: 10/10 - Affected Users: 10/10 - Discoverability: 10/10

Average DREAD: (2+10+10+10+10)/5 = 42/5 = 8.4/10 (CRITICAL)

The team prioritizes this for immediate remediation, allocating 2 engineers for 1 week ($20K cost).

Reality Check: The vulnerability is “Information disclosure of public product documentation via HTTP instead of HTTPS.”

Damage: 2/10 (information is already public on the website)
Reproducibility: 10/10 (works every time)
Exploitability: 10/10 (no authentication required)
Affected Users: 10/10 (all users can access it)
Discoverability: 10/10 (linked from homepage)

The Problem: The DREAD average (8.4) suggests CRITICAL priority, but the actual damage is trivial (public info over HTTP vs HTTPS). The team wasted $20K on a non-issue.

Why This Happens:

Treating DREAD as purely mathematical (average of 5 numbers)
Not considering that Damage should outweigh other factors
Scoring “Can we exploit this?” instead of “Should we care?”

The Correct Approach: Weighted DREAD

Not all DREAD dimensions are equally important. Damage and Affected Users have more business impact than Discoverability.

Weighted DREAD Formula:

Weighted DREAD = (Damage × 3) + (Reproducibility × 1) + (Exploitability × 1) + (Affected Users × 2) + (Discoverability × 1)
                 ─────────────────────────────────────────────────────────────────────────────────────────────────────
                                                      8 (sum of weights)

Re-scoring the Example:

Original (Unweighted): (2 + 10 + 10 + 10 + 10) / 5 = 8.4 (CRITICAL)

Weighted: (2×3 + 10×1 + 10×1 + 10×2 + 10×1) / 8 = (6 + 10 + 10 + 20 + 10) / 8 = 56/8 = 7.0 (HIGH)

Still HIGH, but borderline. Let’s apply domain judgment:

Domain-Adjusted: “Information is public anyway, so actual Damage = 0” (0×3 + 10×1 + 10×1 + 10×2 + 10×1) / 8 = (0 + 10 + 10 + 20 + 10) / 8 = 50/8 = 6.25 (HIGH)

Now let’s look at Affected Users: “Users accessing public docs – is this really 10/10?” - Users affected: Anyone accessing docs - Actual impact: They see HTTP URL instead of HTTPS URL in browser - Security impact: None (data is public) - Adjusted Affected Users: 2/10 (low impact even if many users)

Final Score: (0×3 + 10×1 + 10×1 + 2×2 + 10×1) / 8 = (0 + 10 + 10 + 4 + 10) / 8 = 34/8 = 4.25 (MEDIUM)

Decision: Fix during regular maintenance, not emergency response. Cost: $2K instead of $20K.

Key Insight Comparison:

Factor	Unweighted Average	Weighted Formula	Domain-Adjusted	Priority	Cost
DREAD Score	8.4 (CRITICAL)	7.0 (HIGH)	4.25 (MEDIUM)	N/A	N/A
Response	Immediate	Urgent (1 week)	Standard (30 days)	N/A	N/A
Allocated Resources	2 engineers × 1 week	1 engineer × 2 weeks	1 engineer × 1 day	N/A	N/A
Cost	$20,000	$10,000	$2,000	N/A	N/A

Guidelines for DREAD Dimension Weighting:

When to Weight Damage Higher (×3):

Safety-critical systems (medical, automotive, industrial control)
Financial systems (payment processing, banking)
Personally identifiable information (PII) at risk

When to Weight Affected Users Higher (×2):

Consumer-facing products with millions of users
Supply chain components affecting multiple downstream systems
Single point of failure in critical infrastructure

When to Reduce Reproducibility/Exploitability/Discoverability Weight (×1):

If damage is low, who cares if it’s easy to exploit?
Example: Easily-exploitable bug that prints “hello” to console = low priority

Red Flags for “Fake CRITICAL” Scores:

DREAD average is 7.0+ but Damage score is below 5
All dimensions scored 10/10 (probably not enough analysis)
Affected Users is 10/10 but only applies to test environment
Threat requires chaining 5+ separate exploits (lower Reproducibility)

Verification Checklist Before Finalizing DREAD:

If Damage is below 5, can score ever be CRITICAL? (Answer: rarely)
If attack requires physical access, is Exploitability truly 8+? (Answer: usually not)
If information is public, is Damage truly above 2? (Answer: no)
If system is not deployed yet, are Affected Users scored correctly? (Answer: should be 0)

Key Takeaway: DREAD is a tool, not a religion. The average provides a starting point, but human judgment must adjust for domain context. A 10/10 Exploitability on a 2/10 Damage vulnerability is still low priority. Always sanity-check: “If this is CRITICAL, would we wake up the CEO at 2am?” If not, it’s not CRITICAL.

Interactive: Residual Risk Calculator

Calculate how much risk remains after applying mitigation controls.

Show code

viewof initialRisk = Inputs.range([0, 100], {
  value: 80,
  step: 1,
  label: "Initial Risk Score (0-100):",
  description: "Risk score before mitigation"
})

viewof mitigationEffectiveness = Inputs.range([0, 100], {
  value: 85,
  step: 1,
  label: "Mitigation Effectiveness (%):",
  description: "How effective is the mitigation? (0%=useless, 100%=perfect)"
})

residualRisk = initialRisk * (1 - mitigationEffectiveness / 100)
riskReduction = initialRisk - residualRisk
reductionPercent = (riskReduction / initialRisk) * 100

residualCategory = residualRisk < 4 ? "MINIMAL" :
                   residualRisk < 20 ? "LOW" :
                   residualRisk < 40 ? "MEDIUM" :
                   residualRisk < 60 ? "HIGH" : "CRITICAL"

residualColor = residualCategory === "CRITICAL" ? "#E74C3C" :
                residualCategory === "HIGH" ? "#E67E22" :
                residualCategory === "MEDIUM" ? "#F39C12" :
                residualCategory === "LOW" ? "#16A085" : "#16A085"

html`
<div style="background: linear-gradient(135deg, #2C3E50 0%, #34495E 100%); padding: 24px; border-radius: 8px; margin: 20px 0; border-left: 4px solid ${residualColor};">
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(180px, 1fr)); gap: 16px; margin-bottom: 20px;">
    <div style="background: rgba(231, 76, 60, 0.2); padding: 14px; border-radius: 6px; border-left: 3px solid #E74C3C;">
      <div style="color: #BDC3C7; font-size: 0.85em; margin-bottom: 4px;">Initial Risk</div>
      <div style="color: #E74C3C; font-size: 1.8em; font-weight: bold;">${initialRisk}/100</div>
    </div>
    <div style="background: rgba(22, 160, 133, 0.2); padding: 14px; border-radius: 6px; border-left: 3px solid #16A085;">
      <div style="color: #BDC3C7; font-size: 0.85em; margin-bottom: 4px;">Risk Reduced</div>
      <div style="color: #16A085; font-size: 1.8em; font-weight: bold;">${riskReduction.toFixed(1)}</div>
      <div style="color: #BDC3C7; font-size: 0.75em;">${reductionPercent.toFixed(1)}% reduction</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 14px; border-radius: 6px; border-left: 3px solid ${residualColor};">
      <div style="color: #BDC3C7; font-size: 0.85em; margin-bottom: 4px;">Residual Risk</div>
      <div style="color: ${residualColor}; font-size: 1.8em; font-weight: bold;">${residualRisk.toFixed(1)}/100</div>
      <div style="color: ${residualColor}; font-size: 0.85em; font-weight: bold;">${residualCategory}</div>
    </div>
  </div>
  <div style="background: rgba(255,255,255,0.05); padding: 16px; border-radius: 6px; border-left: 3px solid #3498DB;">
    <div style="color: #3498DB; font-weight: bold; margin-bottom: 8px;">Formula</div>
    <div style="color: white; font-family: monospace; font-size: 0.9em;">
      Residual Risk = Initial Risk × (1 - Effectiveness)<br>
      Residual Risk = ${initialRisk} × (1 - ${(mitigationEffectiveness/100).toFixed(2)}) = ${residualRisk.toFixed(1)}
    </div>
  </div>
  <div style="margin-top: 14px; padding: 12px; background: rgba(230, 126, 34, 0.2); border-radius: 6px; border-left: 3px solid #E67E22;">
    <div style="color: #E67E22; font-weight: bold; margin-bottom: 6px;">⚠️ Key Insight</div>
    <div style="color: #ECF0F1; font-size: 0.85em; line-height: 1.5;">
      Perfect mitigation (100%) is impossible in practice. Residual risk of <20 is often acceptable for MEDIUM threats, but CRITICAL threats may require <5 residual risk. Organizations must document acceptable residual risk levels based on impact and risk appetite.
    </div>
  </div>
</div>
`

Try It: See how mitigation effectiveness affects residual risk. Notice that even 85% effective mitigation on an 80/100 risk still leaves 12 points of residual risk.

Interactive: Attack Tree Probability Calculator

Calculate the overall success probability of a multi-step attack chain.

Show code

viewof step1Prob = Inputs.range([0, 100], {
  value: 95,
  step: 1,
  label: "Step 1: Reconnaissance (%)",
  description: "Probability of success for first attack step"
})

viewof step2Prob = Inputs.range([0, 100], {
  value: 70,
  step: 1,
  label: "Step 2: Exploit Vulnerability (%)",
  description: "Probability of successfully exploiting"
})

viewof step3Prob = Inputs.range([0, 100], {
  value: 60,
  step: 1,
  label: "Step 3: Privilege Escalation (%)",
  description: "Probability of escalating privileges"
})

viewof step4Prob = Inputs.range([0, 100], {
  value: 90,
  step: 1,
  label: "Step 4: Maintain Control (%)",
  description: "Probability of maintaining access"
})

overallProb = (step1Prob/100) * (step2Prob/100) * (step3Prob/100) * (step4Prob/100) * 100
weakestStep = Math.min(step1Prob, step2Prob, step3Prob, step4Prob)
weakestStepName = weakestStep === step1Prob ? "Reconnaissance" :
                  weakestStep === step2Prob ? "Exploit" :
                  weakestStep === step3Prob ? "Privilege Escalation" : "Maintain Control"

withDefense50 = overallProb * 0.5
withDefense25 = overallProb * 0.25

html`
<div style="background: linear-gradient(135deg, #2C3E50 0%, #34495E 100%); padding: 24px; border-radius: 8px; margin: 20px 0; border-left: 4px solid #E67E22;">
  <div style="display: grid; grid-template-columns: repeat(auto-fit, minmax(200px, 1fr)); gap: 16px; margin-bottom: 20px;">
    <div style="background: rgba(231, 76, 60, 0.2); padding: 16px; border-radius: 6px; border-left: 3px solid #E74C3C;">
      <div style="color: #BDC3C7; font-size: 0.9em; margin-bottom: 4px;">Overall Attack Success</div>
      <div style="color: #E74C3C; font-size: 2em; font-weight: bold;">${overallProb.toFixed(1)}%</div>
    </div>
    <div style="background: rgba(255,255,255,0.1); padding: 16px; border-radius: 6px;">
      <div style="color: #BDC3C7; font-size: 0.9em; margin-bottom: 4px;">Weakest Link</div>
      <div style="color: #E67E22; font-size: 1.2em; font-weight: bold;">${weakestStepName}</div>
      <div style="color: #BDC3C7; font-size: 0.85em;">${weakestStep}% success rate</div>
    </div>
  </div>
  <div style="background: rgba(255,255,255,0.05); padding: 16px; border-radius: 6px; border-left: 3px solid #3498DB; margin-bottom: 16px;">
    <div style="color: #3498DB; font-weight: bold; margin-bottom: 8px;">AND Gate Logic (All steps must succeed)</div>
    <div style="color: white; font-family: monospace; font-size: 0.85em;">
      ${(step1Prob/100).toFixed(2)} × ${(step2Prob/100).toFixed(2)} × ${(step3Prob/100).toFixed(2)} × ${(step4Prob/100).toFixed(2)} = ${(overallProb/100).toFixed(3)} = ${overallProb.toFixed(1)}%
    </div>
  </div>
  <div style="background: rgba(22, 160, 133, 0.2); padding: 16px; border-radius: 6px; border-left: 3px solid #16A085;">
    <div style="color: #16A085; font-weight: bold; margin-bottom: 10px;">Defense-in-Depth Impact</div>
    <div style="color: #ECF0F1; font-size: 0.9em; line-height: 1.6;">
      <strong>With 50% effective defense layer:</strong> ${withDefense50.toFixed(1)}% attack success<br>
      <strong>With 75% effective defense layer:</strong> ${withDefense25.toFixed(1)}% attack success
    </div>
  </div>
  <div style="margin-top: 14px; padding: 12px; background: rgba(52, 152, 219, 0.2); border-radius: 6px; border-left: 3px solid #3498DB;">
    <div style="color: #3498DB; font-weight: bold; margin-bottom: 6px;">💡 Strategic Insight</div>
    <div style="color: #ECF0F1; font-size: 0.85em; line-height: 1.5;">
      Strengthening the weakest link (${weakestStepName} at ${weakestStep}%) has the most impact. Even one failure breaks the entire attack chain. This is why defense-in-depth works: adding layers multiplicatively reduces overall attack success.
    </div>
  </div>
</div>
`

Try It: Adjust individual step probabilities to see how they affect overall attack success. Notice how the probabilities multiply (AND gate logic), not average.

Putting Numbers to It: Vulnerability Assessment Metrics

Quantitative vulnerability severity scoring using industry-standard metrics (CVSS, DREAD) to prioritize remediation.

CVSS v3.1 Base Score Formula (simplified): \[\text{CVSS} = \min\left(1.08 \times (\text{Impact} + \text{Exploitability}), 10\right)\]

Working through an example: Given: IoT gateway SQL injection vulnerability - Exploitability = 3.9 (network accessible, low complexity, no privileges required) - Impact = 5.9 (high confidentiality impact, high integrity impact, low availability impact)

Step 1: Sum components: $3.9 + 5.9 = 9.8$ Step 2: Apply multiplier: $1.08 \times 9.8 = 10.584$ Step 3: Cap at 10: $\min(10.584, 10) = 10.0$

Result: CVSS Score = 10.0 (CRITICAL severity - patch immediately)

Finding Severity Distribution: Given: Security audit finds 47 vulnerabilities across 200 devices - Critical (9.0-10.0): 3 findings - High (7.0-8.9): 12 findings - Medium (4.0-6.9): 23 findings - Low (0.1-3.9): 9 findings

Mean Time To Remediate (MTTR) Calculation: \[\text{MTTR} = \frac{\sum (\text{Severity} \times \text{Count})}{\text{Total Findings}}\] Assuming: Critical=30 days, High=90 days, Medium=180 days, Low=365 days \[\text{MTTR} = \frac{3 \times 30 + 12 \times 90 + 23 \times 180 + 9 \times 365}{47} = \frac{90 + 1{,}080 + 4{,}140 + 3{,}285}{47} = \frac{8{,}595}{47} = 182.9 \text{ days}\]

Result: Average remediation timeline = 183 days (weighted by severity)

Audit Finding Rate: \[\text{Finding Rate} = \frac{\text{Total Findings}}{\text{Devices Audited}} = \frac{47}{200} = 0.235 \text{ findings/device}\]

Result: 0.235 vulnerabilities per device (industry benchmark: <0.1 for mature IoT deployments)

In practice: CVSS scoring transforms subjective “this bug seems bad” into objective “this is CVSS 10.0 CRITICAL.” MTTR calculation shows that fixing 47 vulnerabilities takes ~6 months on average - cannot all be fixed simultaneously, so CVSS prioritization is mandatory. Finding rate benchmarking: 0.235 > 0.1 indicates security debt requiring architectural fixes, not just patching individual bugs.

Common Pitfalls

1. Confusing a vulnerability scan with a penetration test

Automated vulnerability scanners identify potential weaknesses based on version numbers and configuration patterns; penetration testers validate whether those weaknesses are actually exploitable and what an attacker could achieve. Both are necessary but neither alone is sufficient.

2. Conducting assessments on lab systems instead of production configurations

A security assessment of a hardened lab environment will miss the misconfigured VLAN, the default credential left on one production gateway, and the unpatched device that was added without going through the standard provisioning process.

3. Not scoping the assessment before beginning

An IoT security assessment without a defined scope will either be too broad (months of work without focus) or miss critical components (because they were assumed to be out of scope). Define scope, objectives, and success criteria before beginning.

4. Filing assessment reports without tracking remediation

Assessment findings are only valuable if they drive remediation. Track each finding in a risk register with an assigned owner, target remediation date, and verification evidence — and schedule a follow-up assessment to verify fixes.

Label the Diagram

💻 Code Challenge

16.7 Summary

STRIDE Classification: Each IoT threat maps to a specific STRIDE category – Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, or Elevation of Privilege – guiding the selection of appropriate countermeasures
DREAD Risk Scoring: Quantify threat severity by averaging five factors (Damage, Reproducibility, Exploitability, Affected users, Discoverability) on a 1-10 scale, with scores above 8.0 classified as CRITICAL and requiring immediate remediation
Attack Tree Probability: Sequential attack steps multiply (AND gate logic), so defense-in-depth dramatically reduces overall attack success – adding even a 50% defense layer halves the probability
Residual Risk Management: After mitigation, residual risk equals initial risk multiplied by (1 - mitigation effectiveness); unmitigated threats must be formally documented as accepted risk with management approval
Prioritization Strategy: Always address CRITICAL threats first regardless of budget constraints, then move to HIGH threats – fixing easy MEDIUM threats while leaving CRITICAL ones active is never acceptable

Concept Relationships

Understanding how threat assessment concepts interconnect:

Assessment Method	Input Requirements	Output	Best Used For	Limitation
STRIDE Analysis	System architecture, data flows	Categorized threat list (S/T/R/I/D/E)	Comprehensive threat discovery	Generates 30-50+ threats (need DREAD to prioritize)
DREAD Scoring	Identified threats (from STRIDE)	Risk score 0-10 per threat	Remediation prioritization	Subjective (two assessors may score differently)
Attack Trees	Attack goal, sequential steps	Probability of success	Quantifying defense-in-depth ROI	Time-intensive for complex systems
Residual Risk Calculation	Initial risk, mitigation effectiveness	Remaining risk after fixes	Acceptance decisions, insurance estimates	Assumes mitigation works as designed
Risk Acceptance Framework	Residual risk score, management authority	Go/no-go decision	Documenting unmitigated threats	Doesn’t reduce risk, only documents it

Key Insight: Combine methods for complete coverage. STRIDE identifies threats, DREAD prioritizes them, Attack Trees quantify defense effectiveness, Residual Risk shows what’s left after fixes, Risk Acceptance documents intentionally unmitigated threats.

16.8 What’s Next

If you want to…	Read this
Understand threat modelling to scope assessments	Threat Modelling and Mitigation
Apply STRIDE to systematically identify what to assess	STRIDE Framework
Study the attacks your assessment should detect	Threats Attacks and Vulnerabilities
Explore compliance requirements driving assessment scope	Threats Compliance
Return to the security module overview	IoT Security Fundamentals