A method from [[Microsoft]] that complements their [[STRIDE]] method. It is used to calculate the severity of an [[attack]]. It stands for:

- Damage potential (implying an understanding of the value of affected [[asset|assets]])
- Reproducibility: if the attack requires a chain of [[vulnerability|vulnerabilities]] that only exist in certain environments, it may not impact your entire estate
- Exploitability: that is, the amount of effort, expertise, resources, time, etc. required to launch the attack
- Affected users: the number of users affected is as important as the assets impacted
- Discoverability: if this is low, there is a real danger that you'll never know that your system is compromised. This is the worst possible outcome