A risk model for cloud processes / E. Damiani, S. Cimato, G. Gianini. - In: ISECURE. - ISSN 2008-2045. - 6:2(2014), pp. 99-123. [10.22042/isecure.2015.6.2.2]

A risk model for cloud processes

E. Damiani (first author); S. Cimato (second author); G. Gianini (last author)
2014

Abstract

Traditionally, risk assessment consists of evaluating the probability of "feared events", corresponding to known threats and attacks, as well as these events' severity, corresponding to their impact on one or more stakeholders. Assessing risks of cloud-based processes is particularly difficult due to the lack of historical data on attacks, which has prevented frequency-based identification of "typical" threats and attack vectors. Also, the dynamic, multi-party nature of cloud-based processes makes severity assessment very dependent on the particular set of stakeholders involved in each process execution. In this paper, we tackle these problems by presenting a novel, process-oriented quantitative risk assessment methodology aimed at disclosure risks on cloud computing platforms. Key advantages of our methodology include (i) a fully quantitative and iterative approach, which enables stakeholders to compare alternative versions of cloud-based processes (e.g., with and without security controls); (ii) non-frequency-based probability estimates, which allow analyzing threats for which a detailed history is not available; and (iii) support for quick visual comparisons of risk profiles of alternative processes even when impact cannot be exactly quantified.
Cloud computing; Value of Information; Risk Assessment; Secure Computation
Sector INF/01 - Computer Science
Sector ING-INF/05 - Information Processing Systems
2014
Article (author)
Files attached to this record:

File: 255-540-1-PB.pdf
Access: open access
Type: Publisher's version/PDF
Size: 886.51 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/2434/270906