A Security Risk Management Metric for Cloud Computing Systems

1. Introduction

Security concerns become more and more serious thanks to the development and exploitation of information systems. In fact, Information systems are today used everywhere by individuals or organizations and systems are target to various kind of attacks. Cloud computing technologies represent a revolution in information technologies development that offer several gains. It is an environment that offers infrastructure, platforms, data, software and security as a services and it is used to speed up and reduce the costs of existing processes.

As cloud computing technology develops will continue to centralize and simplify, allowing for increased employee productivity and more efficient use of limited resources. Interest has continued to increase and many organizations have moved elements of their IT into the cloud. Despite these positive gains, security in the cloud remains a valid concern due to customer’s data that are stored to third parties datacenters. Security comes from hackers, viruses or internal employees’ attacks and leads to information loss or corruption, large amount of money loss, time and other resources loss. Thus, cloud providers and users (organizations or individuals) must find efficient means to protect their assets from threats damage and prevent financial losses which come from technical security equipments such as firewalls, IDSs and encryption tools. In this context, information security risk management model comes to reduce cost investment without increasing the risk. Risk identification allows organizations to be more competitive and to take appropriate security decisions (Jonsson & Pirzadeh, 2011). There are few quantitative models that estimate the security risks (Speaks, 2010; Sangroya et al., 2010; Johnson, 2003) and the other work are based on qualitative model like in Zhang et al. (2010).

In this article, we explore a quantitative cyber security metric in cloud computing emerging technologies to quantify security breaches. The risk assessment metric that we use evaluate for each stakeholders costs due to security failures. Indeed, we illustrate how this measure can be used to analyze cloud computing as a business model. The security metric we use in this article is quantified in economic terms, in that way it enables providers and subscribers to weight these security risks, and then to evaluate the cost effectiveness of some security countermeasures. We also, recommend a solution related to the vulnerabilities in cloud environment, based on a cyber security model, in order to reduce the probability that architectural components fail.

• •

  The first part shows literature review of basic security metrics for risk estimations. The section discusses as well advantages and drawbacks of these metrics.

• •

  The second part illustrates the quantification of security breaches in Cloud Computing systems using the Mean Failure Cost (MFC) metric.

• •

  The third part illustrates how this security cost model allows rationalizing security decision making in cloud computing environments.

• •

  Finally, the fourth part illustrates our proposed security metrics to reduce vulnerability in cloud systems by reducing the probability components failure.

2. Information Security Risks Management

Individual or enterprise users rely on information systems to be secured and able to predict their risk and their strategies in reducing these risks. Thus, it is an investment to be measured in dollars saved as a result of reduced losses from security breaches, or in profits from new ventures that would be too risky to undertake without investments in security (Schechter, 2004). It represents, for instance, an essential business function that allows organizations to perform with some difficulties their operations and deliver services to the public (Chew et al., 2009).