(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
186 | P a g e
www.thesai.org
A Framework for Cloud Security Risk Management
Based on the Business Objectives of Organizations
Ahmed E. Youssef1,2
1College of Computer and Information Sciences
King Saud University, Riyadh, Saudi Arabia
2Faculty of Engineering, Helwan University, Cairo, Egypt
[email protected]
Abstract— Security is considered one of the top ranked risks of
Cloud Computing (CC) due to the outsourcing of sensitive data
onto a third party. In addition, the complexity of the cloud model
results in a large number of heterogeneous security controls that
must be consistently managed. Hence, no matter how strongly the
cloud model is secured, organizations continue suffering from lack
of trust on CC and remain uncertain about its security risk
consequences. Traditional risk management frameworks do not
consider the impact of CC security risks on the business objectives
of the organizations. In this paper, we propose a novel Cloud
Security Risk Management Framework (CSRMF) that helps
organizations adopting CC identify, analyze, evaluate, and
mitigate security risks in their Cloud platforms. Unlike traditional
risk management frameworks, CSRMF is driven by the business
objectives of the organizations. It allows any organization
adopting CC to be aware of cloud security risks and align their
low-level management decisions according to high-level business
objectives. In essence, it is designed to address impacts of cloudspecific security risks into business objectives in a given
organization. Consequently, organizations are able to conduct a
cost-value analysis regarding the adoption of CC technology and
gain an adequate level of confidence in Cloud technology. On the
other hand, Cloud Service Providers (CSP) are able to improve
productivity and profitability by managing cloud-related risks.
The proposed framework has been validated and evaluated
through a use-case scenario.
Keywords— Information Security; Data Privacy; Cloud Security
Risks; Risk Management; Business Objectives, Cloud Computing.
I. INTRODUCTION
The importance of Cloud Computing (CC) is increasing and
it is receiving a growing interest by many scientific and business
organizations [11]. According to the National Institute of
Standards and Technology (NIST) [32], cloud computing is a
model for enabling convenient, ubiquitous, on-demand access to
a shared pool of configurable resources (e.g., networks, servers,
storage, and applications) which can be easily delivered with
different types of service provider interaction that follow a
simple Pay-As-You-Go (PAYG) model. In PAYG model, the
Cloud Service Consumers (CSC) can request the computing
services as needed to their business; the services are provided
on-demand by the Cloud Service Providers (CSP), and the CSC
only pay for the services they have used. The many advantages
that CC brings to organizations, such as high scalability and
flexibility, excellent reliability and availability, economy of
scale, consolidation and energy saving, are well-documented
[35]. Furthermore, CC is poised to be a significant growth area,
according to Forbes, CC market is projected to reach $411B by
2020 [30]. LogicMonitor has conducted a survey to explore the
landscape for cloud services in 2020, one of the interesting
findings in this survey is that 83% of enterprise workloads will
be in the Cloud by 2020 [36].
Although the benefits of CC are significant for many
organizations, it has brought many risks that influence its
confidence and feasibility. Figure 1 shows the most important
risks for organizations adopting CC [36]. Security is considered
one of the top ranked risks of CC [12,13], From the CSC
perspective, the main reasons for distrust on CC are its multitenancy nature and the outsourcing of sensitive data, critical
applications and infrastructure onto the cloud. On the other
hand, from CSP perspective, security issue in CC is also a
challenge because of the complexity of the cloud model that
results in a large number of heterogeneous security controls that
must be consistently managed.
Fig.1. The biggest challenges for organization engaged with CC
Organizations have many security concerns about migration
to the cloud such as loss of control over their data, lack of
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
187 | P a g e
www.thesai.org
security guarantees, and sharing their data with malicious users.
These risks often create fears in the side of organizations causing
them to rethink their decisions in adopting CC technology. No
matter how strongly the cloud model is secured, organizations
continue suffering from lack of trust on cloud and remain
uncertain about its economic feasibility. Although the provision
of zero-risk service is not practically possible, an effective
security risk management framework may lead to a higher
confidence of organizations in CC and help them take wellinformed decisions regarding the adoption of this emerging
technology. Traditional risk management frameworks do not fit
CC well due the assumption by those frameworks that the assets
are owned and fully managed by the organization itself.
Moreover, none of them considers organization’s security
requirements and the effect of CC security risks on its business
objectives.
This paper proposes a novel Cloud Security Risk
Management Framework (CSRMF) that helps organizations and
CSP identify, analyze, evaluate security risks in CC platforms,
and establish the best course of action to avoid or mitigate them.
Unlike traditional risk management framework, CSRMF
considers organization’s security requirements and is driven by
the impact of CC security risks on the achievement of its
business objectives. It allows any organization adopting CC to
be aware of cloud security risks and align their low-level
management decisions according to high-level business
objectives. In essence, it is designed to address impacts of cloudspecific security risks into business objectives in a given
organization. Consequently, organizations are able to conduct a
cost-value analysis and take a well-informed decision regarding
the adoption of CC technology. On the other hand, CSP are able
to improve productivity and profitability by managing cloudrelated risks. This framework provides an adequate level of
confidence in CC for organizations and a cost-effective
productivity for CSP.
The rest of this paper is organized as follows: section 2
briefly introduces the main concepts in risk management. In
section 3, related work is reviewed. Section 4 describes the
proposed framework (CSRMF) in detail. In Section 5, we
evaluate the framework through a use case scenario. Finally, in
section 6, we give our conclusions and future work.
II. RISK MANAGEMENT
Risk is defined as the possibility of a hazardous event
occurring that will have an adverse consequence on the
achievement of the objectives of an organization [2]. Risks are
unavoidable and persistently exist in our daily life in almost
every situation [10]. The main concepts related to risks are:
Asset: something to which an organization assigns value and
hence it needs protection. Threat: a potential undesired event
that harms or reduces the value of an asset. Vulnerability: a flaw
or deficiency that may be exploited by a threat to harm assets.
Risk likelihood: the probability that a risk occurs. Risk impact:
the degree by which a risk influences (i.e., causes loss of
satisfaction of) an organization’s objective(s). Risk level: the
severity of a risk derived from its likelihood and impact. Risk
tolerance: the amount of satisfaction or pleasure regarding the
risk level. For example, a server is considered as an asset, a
threat could be a backdoor virus attack, and a vulnerability is a
virus scan not up to date. The likelihood that a computer is
infected by this virus is medium, but its impact on data integrity
is high [1, 2].
Risk management is the art and science of identifying,
analyzing, evaluating and responding to risks throughout the
service lifecycle. It enables an organization to recognize
uncertain events that may result in unfortunate or damaging
consequences and to set the best course of action to avoid or
mitigate them [4,15]. However, in order to apply risk
management effectively, it is vital to first identify the overall
vision, mission and objectives of an organization. Risk
management is about making decisions that contribute to the
achievement of an organization’s objectives such as costs with
benefits and expectations in investing limited public resources.
It protects and adds value to the organization and its stakeholders
by:
ï‚· Enhancing safety and security in an organization.
 Protecting organization’s assets and reputation.
ï‚· Optimizing operational efficiency.
 Supporting the achievement of organization’s objectives
by satisfying stakeholders’ expectations and improve
their confidence and trust.
ï‚· Improving decision making by comprehensive
understanding of business activities in organizations.
A Risk Management Framework (RMF) is a set of
components that provide the foundations for risk management
throughout the organization. Figure 2 shows the evolution of
RMF [37].
III. RELATED WORK
In literature, there are many frameworks that help in security
risk management [3,5-9,14,20-29,39], however, these
traditional risk management frameworks do not fit CC well due
to the complexity of CC environment and the assumption by
those frameworks that the assets are owned and fully managed
Principles and
guidelines for RMF
Design of RMF
Monitoring and
reviewing RMF
Implementing
RMF
Continual
improvement of RMF
Fig. 2. Standard Risk Management Framework Evolution
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
188 | P a g e
www.thesai.org
by the organization itself. In addition, none of them considers
organization’s security requirements and the effect of CC
security risks on the business objectives and goals of the
organizations. The work presented in this paper aims to develop
an RMF that is driven by the impact of CC security risks on the
business objectives of organizations adopting CC technology.
The existing information security risk management frameworks
are described below.
QUIRC: a quantitative impact and risk assessment
methodology for CC projects developed to assess the security
risks associated with CC platforms [8]. This framework uses the
definition of risk as a combination of the probability of a security
threat event and its severity, measured as its impact. Six key
security criteria (Confidentiality, Integrity, Availability,
Multiparty trust, Auditability, and Usability) are identified for
cloud platforms, they are referred to as the CIAMAU
framework, and it is shown that most of the typical attack vectors
and events map under one of these six categories. QUIRC
employs a quantitative approach that gives vendors, customers
and regulation agencies the ability to comparatively assess the
relative robustness of different cloud vendor offerings and
approaches in a defensible manner. Limitations of this approach
include that it requires the meticulous collection of input data for
probabilities of events, which requires collective industry inputs.
OPTIMS: an effective and efficient risk assessment
framework for cloud service provision [1, 2]. Four risk
categories, namely legal, technical, policy, and general were
identified. This framework is beneficial for end-users and
Service Providers (SP) approaching the cloud to deploy and run
services, as well as Infrastructure Providers (IP) to deploy and
operate those services. These benefits include supporting
various parties for making informed decisions regarding
contractual agreements. The risk assessment framework is fully
integrated in the OPTIMIS toolkit, which simplifies cloud selfmanagement, optimizes the cloud service lifecycle, and supports
various cloud architectures. However, the SP dynamic risk
assessment is limited due to the lack of support for service
consumer’s side monitoring tools and the limited availability of
shared monitored data from IPs.
CARAM: is a qualitative and relative risk assessment model
that helps CSC select CSP that fit their risk profile the best [9].
It consists of tools that complements the various
recommendations of ENISA [33] and CSA [40]. These tools
include a questionnaire for CSC, an algorithm to classify the
answers to Cloud Assessment Initiative Questionnaire (CAIQ)
to discrete values, a model that maps the answers to both
questionnaires to risk values, and a multi criteria decision
approach allowing to quickly and reliably compares multiple
CSP. However, there are limitations that may affect the
accuracy of the results mainly stemming from the analyzed input
data such as: Vague formulation of the CAIQ answers provided
by the analyzed CSP, Possibility for deliberate misinformation
in the CAIQ, and Ineffective implementation of the security
controls by the analyzed CSPs.
CRAMM: a risk analysis and management method that
includes a comprehensive range of risk assessment tools that are
fully compliant with ISO27001 and address tasks such as: asset
dependency modeling, identifying and assessing threats and
vulnerabilities, assessing risk levels, and identifying required
controls [14,22]. It provides a staged and disciplined approach
embracing both technical (e.g. hardware and software) and nontechnical (e.g. physical and human) aspects of security. The
major flaws in CRAMM are: 1) quantitative risk assessment
cannot be provided. Hence, there is need to extend this
methodology in this direction and 2) it does not clearly talk
about the security attributes e.g. Confidentiality, Integrity, and
Availability [23].
COBRA: a risk assessment model that consists of a range of
risk analysis, consultative and security review tools which were
developed largely in recognition of changing nature of IT and
security, and the demands placed by business upon these areas
[39]. The default risk assessment process usually consists of
three stages: questionnaire building, risk surveying, and report
generation. The major weaknesses of COBRA are 1) risk
assessment technique is not clearly mentioned; hence, there is
need to extend this methodology in this direction and 2) threats
and vulnerabilities play a very important role in the process of
risk assessment; but how these are taken into consideration, is
not clearly given in COBRA [23].
IV. THE PROPOSED FRAMEWORK
We propose a Cloud Security Risk Management Framework
(CSRMF) that implies methods for identifying, analyzing,
evaluating, treating, and monitoring security risks throughout
the cloud service lifecycle. In this context, assets include data
hosted on the cloud, physical nodes, virtual machines, and other
cloud resources as well as the Service Level Agreement (SLA),
risks are potential security threats attacking the assets in CC
platforms causing loss of satisfaction of organization’s
objectives. The proposed CSRMF aims at:
ï‚· Identifying the risks that present threats to the cloud
within the context of organization’s concerns.
ï‚· Analyzing and evaluating identified risks with respect to
organization’s goals and objectives.
ï‚· Applying the best course of treatment actions to reduce
the likelihood and/or the impacts of these risks.
ï‚· Monitoring the currency of identified risks regularly to
ensure that treatment actions are valid.
ï‚· Establishing a dynamic relationship between the
organization and CSP during risk management process
to ensure the compliance to SLA.
Figure 3 shows the main components of the proposed
framework. In the following subsections, we discuss each one of
these components.
A. Identifying Organization’s Business Objectives
Organizational objectives are short-term and medium-term
goals that an organization seeks to accomplish. Achievement of
these objectives helps an organization reach its overall strategic
goals. Therefore, the proposed framework, CSRMF, is driven by
the organization’s high-level objectives. Organizational
objectives are established through understanding the overall
internal culture (e.g. vision, mission, etc.) of the organization
and a number of environmental analyses that include identifying
the constraints and opportunities of the operating environment.
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
189 | P a g e
www.thesai.org
To set the organization’s objectives, CSRMF proposes to
conduct SWOT analysis [41] where organizations identify their
internal Strengths and Weaknesses as well as
external Opportunities and Threats. This information allows
CEO to develop objectives and strategies that are relevant and
realistic to their organizations. In CSRMF, organizational
objectives should follow the SMART model (i.e., should be
Specific, Measurable, Attainable, Relevant, and Time bound).
To apply the SMART model, CEO have to ask themselves the
following questions when setting their organizations’
objectives:
 Specific – What type of company do you want to be the
best at? On what scale do you want to compete? Do you
want to be the best company in your area or in the world?
 Measurable – How will you know when you have
achieved your objective? What benchmarks are you
going to use to measure your success?
 Attainable – Is this objective achievable given your
resources? What are the obstacles that you are going to
encounter and can you get past the hurdles?
 Relevant – How relevant is this objective to the
company and its employees? Will it benefit your
organization?
 Time bound – When do you want to achieve this
objective by?
Examples for good organization objectives are: achieving
financial success, increasing sales figures, improving human
resources, retaining talented employees, focusing on customer
service, and establishing brand awareness.
B. Risk Identification
The second phase in CSRMF is to identify risks that are
likely to affect the achievement of the objectives of the
organization. The identification of security risks affecting cloud
services in organizations that adopt CC is the most critical step
in risk management. The better identifying and understanding
these risks, the more meaningful and effective will be the risk
management process. The appropriate risk identification method
will depend on the application area (i.e., nature of activities and
the hazard groups), the nature of projects in organization,
resources available, regularity requirements and client
requirements as to objectives, desired outcome and the required
level of detail. However, there is no single scientific method that
guarantees identification of all risks [10].
Risks are caused by security threats that may exploit
vulnerabilities in CC platform to harm organization’s assets and
consequently affect the achievement of its objectives. Therefore,
in order to identify risks precisely, we need to identify assets,
vulnerabilities, and threats in CC platform. Since there is no
single scientific approach that guarantees identification of all
risks, CSRMF employs a hybrid approach that combines two
techniques for risk identification. This combination will be more
effective for full and adequate coverage of risks. Risk
identification techniques that are employed by CSRMF are:
documented knowledge acquisition and brainstorming.
B.1. Documented Knowledge Acquisition
This technique implies collecting and reading documents
about CC risk domain such as books, surveys, articles, and
regulations. Many documents in literature have attempted
identifying CC risks and threats [31-33, 38,40]. One of the most
useful documents regarding CC risk is the one provided by the
European Network and Information Security Agency (ENISA)
[33] that affords generic lists of risks for CC. Examples of such
risks are Lock-in, Resource Exhaustion, Isolation Failure and
Malicious Insider, a sample of these risks is shown in figure 4.
However, these lists do not reflect the organization objectives
nor they reveal a specific class of business applications.
Risk Assessment
Risk
Treatment
Risk
Analysis
Risk
Evaluation
Identifying
Organization
Objectives
Risk
Identification
GUI/DBMS
Risk Monitoring and Reviewing
Cloud Security Risk
Knowledge Base
Organization CSP
Fig. 3. The Proposed Framework (CSRMF)
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
190 | P a g e
www.thesai.org
Fig.4. A sample of ENISA CC Risk Identification (LOCK-IN risk)
The documented knowledge acquisition technique is an
important prerequisite to other techniques. However, the huge
amount of available documentation may lead to irrelevant
details and outdated information. An effective solution that we
employed to solve this issue is to use meta-knowledge (know
what you need to know and what you do not need to know) to
prune the document space. The knowledge acquired in this step
is stored in a cloud security risk knowledge base for use in the
next step (i.e., brainstorming).
B.2. Brainstorming
Brainstorming a semi-structured creative group-based
activity, used most often in ad-hoc business meetings to come
up with new ideas for solving problems, innovation or
improvement [34]. It usually involves a group, under the
direction of a facilitator and implies two stages:
1. Idea generation: generate as many ideas as possible to
address the problem from each participant without
criticism.
2. Idea evaluation: by all participants together according
to agreed criteria (e.g. value, cost, feasibility) to
prioritize ideas.
In CSRMF, members of a team that comprises information
security experts and a diverse group of stakeholders in the
organization meet to identify organization’s assets,
vulnerabilities, and potential threats. Risks identification takes
place in a series of group workshops; group sessions provide a
wider exploration of issues and more creative ways for
identifying risks. The group uses the knowledge acquired in the
previous step to identify different risks. The outcome of this step
is a list of identified risks which is reviewed by an independent
stakeholders group. If satisfaction is achieved the risk
management process proceeds to the next phase, otherwise, it
goes through another round of risk identification.
C. Risk Analysis
Risk analysis involves the estimation of risks likelihoods and
impacts. CSRMF deploys a quantitative approach for risk
analysis and assumes the following:
ï‚· Objective weight (ð‘¤ð‘—
): the importance of an objective
ð‘œð‘—, (0 ≤ ð‘¤ð‘— ≤ 1, ∑𑗠ð‘¤ð‘—=1, ð‘— = 1,2, … , ð‘š)
ï‚· Risk Likelihood L(ð‘Ÿð‘–
): the probability of occurrence of
risk ð‘Ÿð‘–
. (0 ≤ ð¿(ð‘Ÿð‘–) ≤ 1, ð‘– = 1,2, … , ð‘›)
ï‚· Risk Impact I( ð‘Ÿð‘–
, ð‘œð‘—) : the effect of ð‘Ÿð‘– on ð‘œð‘—
, (0 ≤
ð¼(ð‘Ÿð‘–
, ð‘œð‘—) ≤ 1), where 0 means no loss of satisfaction in
ð‘œð‘—
, 1 means total loss of satisfaction in ð‘œð‘—
, m and n are
numbers of objectives and risks respectively.
The goal of risk analysis phase is to estimate values for ð¿(ð‘Ÿð‘–
)
and ð¼(ð‘Ÿð‘–
, ð‘œð‘—). A widely accepted consensus-based estimation
technique is the Delphi method [8, 16-19]. Three essential
characteristics of Delphi method are: 1) structured and iterative
information flow, 2) anonymity of the participants in order to
alleviate peer pressure and other performance anxieties, and 3)
iterative feedback of the participants until consensus is reached.
We adapted the Delphi technique for the estimation of security
risk likelihood and impacts; this is shown in figure 5.
Fig. 5. The Delphi process for risk analysis as used in CSRMF
In CSRMF Delphi technique, a moderator is used to control
and facilitate information gathering from a selected group of
Subject Matter Experts (SME). SME are knowledgeable about
the likelihoods and impacts of risks on the organization’s
particular type of business. During the Delphi process, each
Start
Delphi
Identify Moderator and SME
Individual Estimate L(ð‘Ÿð‘–
), I(ð‘Ÿð‘–
, ð‘œð‘—
) & wj
Moderator Collects and Analyzes
Estimates
Consensus>=85
%
No
Yes
Develop
Feedback for
the next round
End
Delphi
Report Final Estimate
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
191 | P a g e
www.thesai.org
participant is asked to provide his best numerical estimates of
ð‘¤ð‘—
, ð¿(ð‘Ÿð‘–) and ð¼(ð‘Ÿð‘–
, ð‘œð‘—) . Following this step, the moderator
collects the estimates from all participants in anonymous
presentation, shares and analyses the combined results with all
participants. The participant are encouraged to iteratively
reconsider and modify their estimates based on the feedback
from previous discussion. When estimates reach a consensus
(e.g. 85% or more), the moderator reports the final estimates to
be used in the next phase.
D. Risk Evaluation
Risk evaluation implies estimate of the risk level (i.e., risk
severity) to be able to decide whether the risk is tolerable (i.e.,
acceptable) by the organization or not. Tolerable risk criteria
must be defined, approved, and documented by relevant
committee from experts and stakeholders. Should the estimated
risk level greater than the tolerable level then the specific risk
needs treatment or improved countermeasures. In CSRMF, risks
are evaluated using a quantitative approach, the level of risk ð‘Ÿð‘–
(ð‘–. ð‘’. , ð¿ð‘’ð‘£ð‘’ð‘™(ð‘Ÿð‘–
)) is estimated using equation 1.
ð¿ð‘’ð‘£ð‘’ð‘™(ð‘Ÿð‘–
) = ð¿(ð‘Ÿð‘–
)∑ ð‘¤ð‘—
ð‘š
ð‘—=1
ð¼(ð‘Ÿð‘–
, ð‘œð‘—) (1)
0 ≤ ð¿ð‘’ð‘£ð‘’ð‘™(ð‘Ÿð‘–
) ≤ 1
Risk level (ð¿ð‘’ð‘£ð‘’ð‘™(ð‘Ÿð‘–
)) ranges between 0 and 1, where 0
means ð‘Ÿð‘– has no effect (min. severity) on the organization’s
objectives and 1 means ð‘Ÿð‘– has significant effect (max. severity)
on organization’s objectives. A risk , ð‘Ÿð‘–
, may be considered
acceptable (tolerable) if ð¿ð‘’ð‘£ð‘’ð‘™(ð‘Ÿð‘–
) is less than threshold 𛼠,
otherwise ð‘Ÿð‘–
requires treatment. This threshold (0 ≤ 𛼠≤ 1) is
predetermined by the organization. By applying this condition
an organization can achieve an acceptable Global Risk Level
(GRL) which is given by equation 2.
ðºð‘…ð¿ = ∑ ð¿ð‘’ð‘£ð‘’ð‘™
ð‘›
ð‘–=1
(ð‘Ÿð‘–
) (2)
E. Risk Treatment
Any unacceptable risk should be treated, which means to
reduce its risk level to become less than the threshold ð›¼. The
objective of risk treatment is to develop cost effective options
for treating unacceptable risks. Different treatment options may
be employed, which are not necessarily mutually exclusive or
appropriate in all circumstances such as risk avoidance, risk
transfer or share with a third party and risk mitigation
(reduction) which means controlling the likelihood of risk
occurrence, or controlling the impact of the consequences if the
risk occurs.
CSRMF employs risk mitigation approach for risk treatment.
The ultimate goal is to reduce GRL by reducing ð¿ð‘’ð‘£ð‘’ð‘™(ð‘Ÿð‘–
) for
each unacceptable risk. Risk likelihood, ð¿(ð‘Ÿð‘–
), can be reduced
through preventative maintenance, or quality assurance and
management, change in business systems and processes. On the
other hand, risk impact, ð¼(ð‘Ÿð‘–
, ð‘œð‘—) , can be reduced through
contingency planning, minimizing exposure to sources of risk or
separation/relocation of an activity and resources. Risk
mitigation actions can be determined using a combination of
documented knowledge acquisition and brainstorming
techniques. Examples for CC risk mitigation actions
(countermeasures) adopted in CSRMF are shown in Table 1.
TABLE 1: EXAMPLES OF RISK COUNTERMEASURES USED IN CSRMF
CC risk Countermeasures
Account or service
hijacking
-Identify and access management
guidance
-Dynamic credentials
Data leakage -Fragmentation Redundancy
Scattering (FRS)
-Digital signature
-Encryption
Customer data
manipulation
-Web application scanners
Malicious VM -Protecting aegis from live
migrations of VMs
Sniffing/spoofing
virtual Net
-Virtual Network security
guarantees
F. Risk Monitoring
The last phase in CSRMF is to monitor and evaluate the
effectiveness of the preferred risk treatments and current control
activities. To do this, we need to estimate the risk level reduction
after applying a countermeasure technique. Suppose that
ð‘𑘠(k=1,2,3, …) is a countermeasure that can be applied to
mitigate a risk (i.e., reduce its level). The Delphi approach
described in section 4.C can be used to estimate risk level
reduction of ð‘Ÿð‘– after applying ð‘𑘠which is denoted as
ð¿ð‘’ð‘£ð‘’ð‘™ð‘…ð‘’ð‘‘(ð‘Ÿð‘–
|ð‘ð‘˜
). ð¿ð‘’ð‘£ð‘’ð‘™ð‘…ð‘’ð‘‘(ð‘Ÿð‘–
|ð‘ð‘˜
) is a measure to the amount
by which a countermeasure ð‘𑘠mitigates (reduces the level of)
risk ð‘Ÿð‘–
. Its value ranges between 0 and 1 ( 0 ≤
ð¿ð‘’ð‘£ð‘’ð‘™ð‘…ð‘’ð‘‘(ð‘Ÿð‘–
|ð‘ð‘˜
) ≤ 1) where 0 means no reduction, 1 means
risk elimination.
The Combined Risk Reduction (CRR) of a risk ð‘Ÿð‘–
which
measures the resultant (i.e., joint) mitigation in ð‘Ÿð‘– after applying
a course of countermeasures is given by equation 3. Its value
ranges between 0 and 1 (0 ≤ ð¶ð‘…ð‘…(ð‘Ÿð‘–
) ≤ 1) where 0 means no
reduction, 1 means risk elimination. This metric is used to decide
whether a treatment course for a risk is successful or not.
ð¶ð‘…ð‘…(ð‘Ÿð‘–
) = 1−âˆ(1 −
ð‘
ð‘˜=1
ð¿ð‘’ð‘£ð‘’ð‘™ð‘…ð‘’ð‘‘(ð‘Ÿð‘–
|ð‘ð‘˜
)) (3)
0 ≤ ð¶ð‘…ð‘…(ð‘Ÿð‘–
) ≤ 1
(p is the number of countermeasures applied to ð‘Ÿð‘–)
The Global Risk Reduction (GRR) for the organization is
given by equations (6).
ðºð‘…ð‘… = ∑ð¶ð‘…ð‘…(ð‘Ÿð‘–
) (4)
ð‘›
ð‘–=1
V. FRAMEWORK VALIDATION AND EVALUATION
In order to validate the proposed framework for usability and
applicability, we provide a step-by-step use-case scenario that
shows how an organization can benefit from the proposed
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
192 | P a g e
www.thesai.org
framework to manage Cloud security risks. Advanced Telecom
(AT) is a leading telecommunications company that has a broad
range of customers. AT’s services bundle includes fixed
landlines, Internet and mobile communications. AT employs 80
thousand employees, who spare no effort or time to reach
customers and provide best services. The CEO of AT thought
that it would be a great idea to develop several Intranet site
applications that would allow employees in AT to share their
knowledge. He also thought it would make sense to make some
information available to the company’s clients. For example, the
company could provide advertisements about products, articles,
links to other sites, and an Ask the Expert feature to help build
relationships with current and future clients. He has heard about
the cutting-edge CC technology and thought that it would
probably be a good idea to adopt the Cloud technology in his
company to support the Intranet project; however, he was
worried about the security risks associated with that technology.
Since AT emphasizes the importance of high-payoff projects, he
wanted to explore the management of security risks in CC
environment before adopting this technology in his company.
Our goal is to help AT company take a decision on the adoption
of CC using our proposed CSRMF.
A. Phase 1: Identifying Organization’s Objectives
AT uses SWOT analysis and SMART model to help identify
its business objectives. AT’s representatives would provide the
underlying information on AT’s business objectives and the
security requirements to protect these objectives against security
risks as well as information concerning risk tolerance criteria.
This Information is stored in the risk knowledge base and is used
as a profile for the organization. The outcomes of this phase are
shown in tables 2 and 3.
TABLE 2: BUSEINESS OBJECTIVES FOR AT ORGANIZATION
Symbol Objective (oj)
o1 Enhance customer trust and
build relationships with current
and future customers
o2 Boost employees’ relationships
and allow knowledge share
among them
o3 Provide perfect customer
services and improve customer
satisfaction
o4 Increase profitability and
decrease operational costs
TABLE 3: SECURITY REQUIREMENTS FOR AT ORGANIZATION
Security requirements Confidentiality – medium
Integrity – high
Availability – high
Risk tolerance 0.25
B. Phase 2: Risk Identification
A team consists of seven members of information security
experts (i.e., SME) and a diverse group of stakeholders in AT
uses documented knowledge such as those described in section
4.B to gather information on security risks related to CC that are
likely to affect the organization’s objectives. Information
regarding identified risks are stored in the risk knowledge base.
The team then meets, conducts brainstorming session, and uses
the knowledge stored in the risk knowledge base to prepare a
final list of possible risks. This list is shown in table 4.
TABLE 4: IDENTIFIED RISKS FOR AT ORGANIZATION
Symbol Risks
r1 Account hijacking
r2 Data leakage
r3 Denial of services
r4 Insecure VM migration
r5 Sniffing/spoofing virtual networks
C. Phase 3: Risk Analysis
The team utilizes the Delphi technique explained in section
4.C to estimate values for the weights, ð‘¤ð‘—
, risk likelihoods,
ð¿(ð‘Ÿð‘–
), and risk impacts, ð¼(ð‘Ÿð‘–
, ð‘œð‘—). These information are shown
in table 5. For example, the weight of ð‘œ2
ð‘–ð‘ ð‘¤2 = 0.2, the
likelihood of ð‘Ÿ3
is ð¿(ð‘Ÿ3
) = 0.5 , while the impact of ð‘Ÿ3 on ð‘œ2
is
ð¼(ð‘Ÿ3
, ð‘œ2
) = 0.3 (all shaded in gray).
TABLE 5: RISK IMPACT MATRIX FOR AT ORGANIZATION
↓ ð’˜ð’‹ ð‘³(ð’“ð’Š
) → r1 /0.6 r2 /0.2 r3 /0.5 r4 /0.7 r5/0.3
o1 / 0.2 0.65 0.15 0.4 0.85 0.1
o2 / 0.2 0.85 0.35 0.3 0.8 0.3
o3 /0.3 0.75 0.8 0.25 0.7 0.7
o4 /0.3 0.8 0.65 0.1 0.6 0.2
D. Phase 4: Risk Evaluation
The levels of identified risks are evaluated using equations
1, the results are shown in table 6. This evaluation allows the
organization to decide whether the risk is tolerable (i.e.,
acceptable) or not. Tolerable risk criteria have been defined,
approved, and documented by the relevant committee of experts
and stakeholders in phase 1. The committee has agreed that the
risk level for a tolerable risk should not exceed 0.25 (i.e., 𛼠=
0.25), this means that r1 and r4 need treatment to lower their risk
levels below 0.25. The GRL (the sum of all risk levels) has been
estimated using equation 2.
TABLE 6: RISK LEVELS FOR AT ORGANIZATION
ð’“ð’Š ð‘³ð’†ð’—ð’†ð’(ð’“ð’Š
)
r1 0.46
r2 0.11
r3 0.12
r4 0.50
r5 0.11
GRL 1.30
E. Phase 5: Risk Treatment
Unacceptable risks (r1, r4) require treatment; the objective of
this phase is to identify countermeasures to mitigate
unacceptable risks. The ultimate goal is to reduce GRL for the
organization. Risk countermeasures are identified by the team
using a combination of knowledge acquisition and
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
193 | P a g e
www.thesai.org
brainstorming techniques. Countermeasures used by AT for r1
and r4 are listed in table 7.
TABLE 7: RISK COUNTERMEASURES EMPLOYED BY AT ORGANIZATION
Symbol Countermeasure used to
mitigate risks
Risk
Mitigated
c1 Identify and access management
guidance
r1
c2 Dynamic credentials r1
c3 Protecting aegis from live
migrations of VMs
r4
F. Phase 6: Risk Monitoring
Using the Delphi technique, the team would estimate
ð¿ð‘’ð‘£ð‘’ð‘™ð‘…ð‘’ð‘‘(ð‘Ÿð‘–
|ð‘ð‘˜
) for r1 and r4 as per table 7. This is given in the
risk reduction matrix shown below in table 8. For each
unacceptable risk, the risk reduction matrix shows risk reduction
by each alternative countermeasure and estimates its CRR as per
equation 3.
TABLE 8: RISK REDUCTION MATRIX FOR AT ORGANIZATION
ck ð‘³ð’†ð’—ð’†ð’ð‘¹ð’†ð’…(ð’“ðŸ|ð’„ð’Œ
) ð‘³ð’†ð’—ð’†ð’ð‘¹ð’†ð’…(ð’“ðŸ’|ð’„ð’Œ
)
c1 0.8 0
c2 0.9 0
c3 0 0.9
ð‘ªð‘¹ð‘¹(ð’“ð’Š
) 0.98 0.9
From table 8, we can see that CRR(r1) = 0.98 which means
that the new risk level of r1 after treatment is 0.46*(1-0.98) =
0.01 < 0.25 and CRR(r4) = 0.9 which means that the new risk
level of r4 after treatment is 0.50*(1-0.9) = 0.05 < 0.25. The new
value of GRL after treatment =0.40, compared to 1.30 before
treatment with %69 risk reduction, this is shown in table 9. The
global risk reduction in AT organization GRR= 0.98+0.9= 1.88.
Finally, the organization should continuously monitor the
occurrence of the identified risks to ensure that the treatment
actions are still valid and to identify new risks that may occur.
TABLE 9: RISK LEVELS FOR AT ORGANIZATION
ð’“ð’Š Risk Level
Before mitigation After mitigation
r1 0.46 0.01
r2 0.11 0.11
r3 0.12 0.12
r4 0.50 0.05
r5 0.11 0.11
GRL 1.30 0.40
VI. CONCLUSION AND FUTURE WORK
CC offers numerous advantages to organizations in terms of
economical saving, elasticity, flexibility, and minimal
management effort. However, security and privacy concerns of
CC have always been the focus of the impediments to its
widespread adoption by businesses. Over time, organizations
tend to relax security risks associated with CC, however, this
relaxation requires a regular effective security risk management.
In this paper, we proposed a novel framework for cloud security
risk management that helps organizations and CSP identify,
analyze, evaluate, and mitigate security risks in their CC
platforms. It allows any organization adopting CC to be aware
of cloud security risks and align their low-level management
decisions according to high-level business objectives. In
essence, it is designed to address impacts of cloud-specific
security risks into business objectives in a given organization.
Consequently, organizations are able to conduct a cost-value
analysis and take a well-informed decision regarding the
adoption of CC technology. On the other hand, CSP are able to
improve productivity and profitability by managing cloudrelated risks. This framework provides an adequate level of
confidence in CC for organizations and a reliable and costeffective productivity for CSP. In the future, we plan to explore
quantitative techniques based on statistical analysis for risk
management in CC so that we can reach a higher level of
confidence in this emerging technology for organizations.
REFERENCES
[1] Karim Djemame, Django Armstrong, Mariam Kiran, and Ming Jiang, “A
Risk Assessment Framework and Software Toolkit for Cloud Service
Ecosystemsâ€, 2ndInternational Conference on Cloud Computing, GRIDs,
and Virtualization, 2011.
[2] Karim Djemame, Django Armstrong ,Jordi Guitart, and Mario Macias, “A
Risk Assessment Framework for Cloud Computingâ€, IEEE Transactions
on Cloud Computing, Vol. 4 , Issue. 3 , 2016.
[3] MohemedAlmorsy, John Grundy and Amani S. Ibrahim, “CollaborationBased Cloud Computing Security Management Frameworkâ€, IEEE 4th
International Conference on Cloud Computing, Washington, DC, USA,
2011.
[4] Drissi S.,Houmani H. and Medromi H, “Survey: Risk Assessment for
Cloud Computingâ€, International Journal of Advanced Computer Science
and Applications (IJACSA), Vol. 4, No. 12, 2013.
[5] Xuan Zhang , NattapongWuwong , Hao Li and Xuejie Zhang, “Information
Security Risk Management Framework for the Cloud Computing
Environmentsâ€, 10th IEEE International Conference on Computer and
Information Technology, Bradford, UK, 29 June-1 July 2010.
[6] Rana Alosaimi and Mohamed Alnum,“A Proposed Risk Management
Framework for Cloud Computing Environmentâ€, Inernational Journal of
Computer Science and Information Security, Vol. 14, No.8, 2016.
[7] Rana Alosaimi and Mohamed Alnum, “Risk Management Framework for
Cloud Computing: A Critical Reviewâ€, International Journal of Computer
Science and Information Technology, Vol.8, No. 4, 2016.
[8] Prasad Saripalli and Ben Walters, “QUIRC: A Quantitative Impact and
Risk Assessment Framework for Cloud Securityâ€, IEEE 3rd International
Conference on Cloud Computing, Miami, FL, USA, 5-10 July 2010.
[9] Erdal Cayirci, Alexandr Garaga, Anderson Santana and Yves Roudier,
“A Risk Assessment Model for Selecting Cloud Service Providersâ€,
Journal of Cloud Computing: Advances, Systems and Applications, 5:14,
2016.
[10] Heinz-Peter Berg, “Risk Management: Procedures, Methods and
Experiencesâ€, RT&A, Vol. 1, No. 2(17), 2010.
[11] BlessonVarghese and RajkumarBuyya, “Next generation cloud
computing: New trends and research directionsâ€, Future Generation
Computer Systems, Vol. 79, Part 3,pp. 849-861, February 2018,
[12] Keiko Hashizume, David G Rosado, Eduardo Fernández-Medina, and
Eduardo B Fernandez, “An analysis of security issues for cloud
computingâ€, Journal of Internet Services and Applications, 4:5, 2013.
[13] SaurabhSingh,Young-SikJeong, and Jong HyukPark, “A Survey on Cloud
Computing Security: Issues, Threats, and Solutionsâ€, Journal of Network
and Computer Applications, Vol. 75, pp. 200-222, 2016.
(IJACSA) International Journal of Advanced Computer Science and Applications
Vol.10, No.12, 2019
194 | P a g e
www.thesai.org
[14] CRAMM: Information Security Risk Assessment Toolkit, [online]
Available: http://www.cramm.com
[15] https://www.theirm.org/media/4709/arms_2002_irm.pdf.
[16] H.A. Linstone, The Delphi Method: Techniques and Applications,
Addison-Wesley, 1975.
[17] L.M. Stuter, “The Delphi Technique: What is it?”, Lynn’s Educational and
Research Network, March 1996.
[18] RAND Corporation 2007, “A collection of RAND publications on the
Delphi methodâ€, Jan 2010.
[19] E. Teijlingen, E. Pitchfork, C. Bishop, E. Russell, “Delphi method and
nominal group techniques in family planning and reproductive health
research”, Journal of Family Planning and Reproductive Health Care,
Vol. 31, No. 2, pp. 132-135, 2005.
[20] Umesh Kumar Singh and Chanchala Joshi, “Comparative Study of
Information Security Risk Assessment Frameworksâ€, International
Journal of Computer Application, Vol. 2, Issue 8, 2018.
[21] Filipe Macedo and Miguel Mira da Silva, “Comparative Study of
Information Security Risk Assessment Modelsâ€, available online:
https://fenix.tecnico.ulisboa.pt/downloadFile/395139415147/resumo.pdf
[22] Ahmad Amini and Norziana Jamil, “A Comprehensive Review of Existing
Risk Assessment Models in Cloud Computingâ€, Journal of Physics:
Conference Series, Volume 1018, 2018.
[23] S. K. Pandey and K. Mustafa, “A Comparative Study of Risk Assessment
Methodologies for Information Systemsâ€, Bulletin of Electrical
Engineering and Informatics, Vol.1, No.2, pp. 111-122, June 2012.
[24] Mohammed Alnuem, Hala Alrumaih and Halah Al-Alshaikh, “A
Comparison Study of Information Security Risk Management
Frameworks in Cloud Computingâ€, The Sixth International Conference
on Cloud Computing, GRIDs, and Virtualization, CLOUD COMPUTING
2015.
[25] Neeta Shukla and Sachin Kumar, “A Comparative Study on Information
Security Risk Analysis Practices†International Journal of Computer
Applications, Special Issue on Issues and Challenges in Networking,
Intelligence and Computing Technologies, 2012.
[26] MounaJouinia, Latifa Ben Arfa Rabaia, “Comparative Study of
Information Security Risk Assessment Models for Cloud Computing
systemsâ€, The 6th International Symposium on Frontiers in Ambient and
Mobile Systems, Procedia Computer Science 83, pp. 1084 – 1089, 2016.
[27] Vivek Agrawal, “A Comparative Study on Information Security Risk
Analysis Methodsâ€, Journal of Computers, Vol. 12, No. 1, January 2017.
[28] Nada Mannane , Youssef
Bencharhi, BrahimBoulafdour and BoubkerRegragui, “Survey: Risk
assessment models for cloud computing: Evaluation criteriaâ€, 3rd
International Conference of Cloud Computing Technologies and
Applications , Rabat, Morocco, 24-26 Oct. 2017.
[29] K.V.D.Kiran, SaikrishnaMukkamala, AnudeepKatragadda and
L.S.S.Reddy, “Performance And Analysis Of Risk Assessment
Methodologies In Information Securityâ€, International Journal of
Computer Trends and Technology (IJCTT),Vol. 4, Issue 10, October
2013.
[30] https://www.forbes.com/sites/louiscolumbus/2017/10/18/cloudcomputing-market-projected-to-reach-411b-by-2020/#1317df7078f2
[31] https://www.idc.com/
[32] https://www.nist.gov/
[33] https://www.enisa.europa.eu/publications/cloud-computing-riskassessment
[34] https://www.mindtools.com/brainstm.html
[35] Ahmed E. Youssef, “Exploring Cloud Computing Services and
Applicationsâ€, Journal of Emerging Trends in Computing and
Information Sciences, VOL. 3, NO. 6, July 2012.
[36] https://www.forbes.com/sites/louiscolumbus/2018/01/07/83-ofenterprise-workloads-will-be-in-the-cloud-by-2020/#6ae3cce76261
[37] https://www.iso.org/standard/43170.html
[38] “The Top Cyber Security Risks”, SAN Institute Report, Sept. 2009.
[39] COBRA: Introduction to Security Risk Analysis. Available on:
http://www.security-risk-analysis.com/
[40] https://cloudsecurityalliance.org/
[41] https://www.mindtools.com/pages/article/newTMC_05.htm
Are you busy and do not have time to handle your assignment? Are you scared that your paper will not make the grade? Do you have responsibilities that may hinder you from turning in your assignment on time? Are you tired and can barely handle your assignment? Are your grades inconsistent?
Whichever your reason is, it is valid! You can get professional academic help from our service at affordable rates. We have a team of professional academic writers who can handle all your assignments.
Students barely have time to read. We got you! Have your literature essay or book review written without having the hassle of reading the book. You can get your literature paper custom-written for you by our literature specialists.
Do you struggle with finance? No need to torture yourself if finance is not your cup of tea. You can order your finance paper from our academic writing service and get 100% original work from competent finance experts.
Computer science is a tough subject. Fortunately, our computer science experts are up to the match. No need to stress and have sleepless nights. Our academic writers will tackle all your computer science assignments and deliver them on time. Let us handle all your python, java, ruby, JavaScript, php , C+ assignments!
While psychology may be an interesting subject, you may lack sufficient time to handle your assignments. Don’t despair; by using our academic writing service, you can be assured of perfect grades. Moreover, your grades will be consistent.
Engineering is quite a demanding subject. Students face a lot of pressure and barely have enough time to do what they love to do. Our academic writing service got you covered! Our engineering specialists follow the paper instructions and ensure timely delivery of the paper.
In the nursing course, you may have difficulties with literature reviews, annotated bibliographies, critical essays, and other assignments. Our nursing assignment writers will offer you professional nursing paper help at low prices.
Truth be told, sociology papers can be quite exhausting. Our academic writing service relieves you of fatigue, pressure, and stress. You can relax and have peace of mind as our academic writers handle your sociology assignment.
We take pride in having some of the best business writers in the industry. Our business writers have a lot of experience in the field. They are reliable, and you can be assured of a high-grade paper. They are able to handle business papers of any subject, length, deadline, and difficulty!
We boast of having some of the most experienced statistics experts in the industry. Our statistics experts have diverse skills, expertise, and knowledge to handle any kind of assignment. They have access to all kinds of software to get your assignment done.
Writing a law essay may prove to be an insurmountable obstacle, especially when you need to know the peculiarities of the legislative framework. Take advantage of our top-notch law specialists and get superb grades and 100% satisfaction.
We have highlighted some of the most popular subjects we handle above. Those are just a tip of the iceberg. We deal in all academic disciplines since our writers are as diverse. They have been drawn from across all disciplines, and orders are assigned to those writers believed to be the best in the field. In a nutshell, there is no task we cannot handle; all you need to do is place your order with us. As long as your instructions are clear, just trust we shall deliver irrespective of the discipline.
Our essay writers are graduates with bachelor's, masters, Ph.D., and doctorate degrees in various subjects. The minimum requirement to be an essay writer with our essay writing service is to have a college degree. All our academic writers have a minimum of two years of academic writing. We have a stringent recruitment process to ensure that we get only the most competent essay writers in the industry. We also ensure that the writers are handsomely compensated for their value. The majority of our writers are native English speakers. As such, the fluency of language and grammar is impeccable.
There is a very low likelihood that you won’t like the paper.
Not at all. All papers are written from scratch. There is no way your tutor or instructor will realize that you did not write the paper yourself. In fact, we recommend using our assignment help services for consistent results.
We check all papers for plagiarism before we submit them. We use powerful plagiarism checking software such as SafeAssign, LopesWrite, and Turnitin. We also upload the plagiarism report so that you can review it. We understand that plagiarism is academic suicide. We would not take the risk of submitting plagiarized work and jeopardize your academic journey. Furthermore, we do not sell or use prewritten papers, and each paper is written from scratch.
You determine when you get the paper by setting the deadline when placing the order. All papers are delivered within the deadline. We are well aware that we operate in a time-sensitive industry. As such, we have laid out strategies to ensure that the client receives the paper on time and they never miss the deadline. We understand that papers that are submitted late have some points deducted. We do not want you to miss any points due to late submission. We work on beating deadlines by huge margins in order to ensure that you have ample time to review the paper before you submit it.
We have a privacy and confidentiality policy that guides our work. We NEVER share any customer information with third parties. Noone will ever know that you used our assignment help services. It’s only between you and us. We are bound by our policies to protect the customer’s identity and information. All your information, such as your names, phone number, email, order information, and so on, are protected. We have robust security systems that ensure that your data is protected. Hacking our systems is close to impossible, and it has never happened.
You fill all the paper instructions in the order form. Make sure you include all the helpful materials so that our academic writers can deliver the perfect paper. It will also help to eliminate unnecessary revisions.
Proceed to pay for the paper so that it can be assigned to one of our expert academic writers. The paper subject is matched with the writer’s area of specialization.
You communicate with the writer and know about the progress of the paper. The client can ask the writer for drafts of the paper. The client can upload extra material and include additional instructions from the lecturer. Receive a paper.
The paper is sent to your email and uploaded to your personal account. You also get a plagiarism report attached to your paper.
GET A PERFECT SCORE!!! 
Delivering a high-quality product at a reasonable price is not enough anymore.
That’s why we have developed 5 beneficial guarantees that will make your experience with our service enjoyable, easy, and safe.
You have to be 100% sure of the quality of your product to give a money-back guarantee. This describes us perfectly. Make sure that this guarantee is totally transparent.
Read moreEach paper is composed from scratch, according to your instructions. It is then checked by our plagiarism-detection software. There is no gap where plagiarism could squeeze in.
Read moreThanks to our free revisions, there is no way for you to be unsatisfied. We will work on your paper until you are completely happy with the result.
Read moreYour email is safe, as we store it according to international data protection rules. Your bank details are secure, as we use only reliable payment systems.
Read moreBy sending us your money, you buy the service we provide. Check out our terms and conditions if you prefer business talks to be laid out in official language.
Read more