An optimal investment scheme based on ATM considering cloud security environment

Cloud computing is used increasingly widely in information technology (IT) as its scope broadens. However, some service owners are reluctant to adopt cloud computing because the associated security technologies have not yet matured, so cloud service providers need to invest in security to encourage adoption. Research on security investment in cloud computing is still in its early stages, and since few companies or organizations can provide an unlimited budget for security, the investment must be prioritized. We therefore devised an optimal investment scheme for constructing cloud security services that takes into account both the available budget and the features of cloud computing services. The scheme includes an evaluation of security vulnerabilities with respect to potential attacks, and it evaluates security investment strategies based on an attack tree map (ATM) that analyzes cloud security threats and vulnerabilities. Finally, we demonstrate the proposed scheme through two case studies that use different security investment strategies.
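As an added illustration (not code from the paper, which does not publish its ATM definitions or case-study figures), the following Python sketches the kind of budget-constrained evaluation the abstract describes: an attack tree with AND/OR nodes and leaf success probabilities, a catalogue of countermeasures with costs, and a search for the subset of countermeasures within budget that minimises residual expected loss. The tree, probabilities, control costs, asset value and budget are all constructed assumptions.

```python
"""Budget-constrained countermeasure selection on a small attack tree.

Added example; the constructed tree, probabilities, costs and budget are
assumptions, not figures from the paper.
"""
from dataclasses import dataclass, field
from itertools import combinations
from math import prod


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "AND" or "OR"
    p: float = 0.0                # leaf: baseline success probability of the attack step
    children: list = field(default_factory=list)


@dataclass
class Countermeasure:
    name: str
    cost: float
    reduces: dict                 # leaf name -> multiplicative factor on that leaf's p


def attack_prob(node: Node, factors: dict) -> float:
    """Probability that the attack goal at `node` succeeds.

    AND: every child step must succeed (independent steps, so a product).
    OR:  any child path suffices, so 1 - prod(1 - p_child).
    """
    if node.kind == "LEAF":
        return node.p * factors.get(node.name, 1.0)
    ps = [attack_prob(c, factors) for c in node.children]
    if node.kind == "AND":
        return prod(ps)
    if node.kind == "OR":
        return 1.0 - prod(1.0 - q for q in ps)
    raise ValueError(f"unknown node kind {node.kind!r}")


def combined_factors(selected) -> dict:
    """Leaf reduction factors when several controls are deployed together;
    independent controls on the same leaf are assumed to multiply."""
    factors = {}
    for cm in selected:
        for leaf, f in cm.reduces.items():
            factors[leaf] = factors.get(leaf, 1.0) * f
    return factors


def expected_loss(root: Node, asset_value: float, selected=()) -> float:
    """Expected loss = asset value x probability the root goal is reached."""
    return asset_value * attack_prob(root, combined_factors(selected))


def best_investment(root: Node, asset_value: float, countermeasures, budget: float):
    """Exhaustive search over countermeasure subsets within budget, minimising
    residual expected loss. Fine for a handful of controls; a large catalogue
    needs a knapsack / branch-and-bound formulation instead."""
    best_set, best_loss = (), expected_loss(root, asset_value)
    for r in range(1, len(countermeasures) + 1):
        for subset in combinations(countermeasures, r):
            if sum(cm.cost for cm in subset) > budget:
                continue
            loss = expected_loss(root, asset_value, subset)
            if loss < best_loss:
                best_set, best_loss = subset, loss
    return [cm.name for cm in best_set], best_loss


# Constructed attack tree for a cloud tenant (all values assumed).
TREE = Node("Exfiltrate tenant data", "OR", children=[
    Node("Compromise management API", "AND", children=[
        Node("Steal API credentials", p=0.3),
        Node("Bypass MFA", p=0.5),
    ]),
    Node("Hypervisor escape", p=0.05),
    Node("Abuse misconfigured storage bucket", p=0.4),
])

# Constructed countermeasure catalogue (costs and reduction factors assumed).
CONTROLS = [
    Countermeasure("MFA hardening", 20, {"Bypass MFA": 0.2}),
    Countermeasure("Secrets vault with rotation", 30, {"Steal API credentials": 0.5}),
    Countermeasure("Hypervisor patch cadence", 40, {"Hypervisor escape": 0.4}),
    Countermeasure("Storage policy scanner", 15, {"Abuse misconfigured storage bucket": 0.25}),
]
ASSET_VALUE = 1000.0   # loss if the root goal succeeds (assumed units)
BUDGET = 50.0          # assumed security budget in the same units


if __name__ == "__main__":
    print("baseline expected loss:", expected_loss(TREE, ASSET_VALUE))
    names, loss = best_investment(TREE, ASSET_VALUE, CONTROLS, BUDGET)
    print("best set within budget:", names, "residual expected loss:", round(loss, 2))
```

Note that the cheapest control (the storage scanner) is not automatically the best choice; what matters is how much each control moves the root probability, which depends on where its leaf sits in the AND/OR structure. Reduction factors and the independence assumptions behind the AND/OR arithmetic are the inputs a real assessment has to justify.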
