CSCCRA: A Novel Quantitative Risk Assessment Model for Cloud Service Providers

  • Olusola Akinrolabu
  • Steve New
  • Andrew Martin
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 341)


Assessing and managing cloud risks can be a challenge, even for cloud service providers (CSPs), due to the increased number of parties, devices and applications involved in cloud service delivery. The limited visibility of security controls down the supply chain further exacerbates this risk assessment challenge. As such, we propose the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, a quantitative risk assessment model which is supported by cloud supplier security assessment (CSSA) and cloud supply chain mapping (CSCM). Using the CSCCRA model, we assess the risk of a Customer Relationship Management (CRM) application, mapping its supply chain to identify weak links, evaluating its security risks and presenting the risk value in dollar terms, thereby promoting cost-effective risk mitigation and optimal risk prioritisation.


Cloud computing; Quantitative risk assessment; Supply chain; Transparency; Security Rating Service



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Department of Computer Science, University of Oxford, Oxford, UK
  2. Said Business School, University of Oxford, Oxford, UK
