Abstract
Assessing and managing cloud risks can be a challenge, even for cloud service providers (CSPs), because of the increasing number of parties, devices and applications involved in cloud service delivery. The limited visibility of security controls down the supply chain further exacerbates this risk assessment challenge. We therefore propose the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, a quantitative risk assessment model supported by cloud supplier security assessment (CSSA) and cloud supply chain mapping (CSCM). Using the CSCCRA model, we assess the risk of a Customer Relationship Management (CRM) application: we map its supply chain to identify weak links, evaluate its security risks and present the risk value in dollar terms, thereby promoting cost-effective risk mitigation and optimal risk prioritisation.
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Akinrolabu, O., New, S., Martin, A. (2019). CSCCRA: A Novel Quantitative Risk Assessment Model for Cloud Service Providers. In: Themistocleous, M., Rupino da Cunha, P. (eds) Information Systems. EMCIS 2018. Lecture Notes in Business Information Processing, vol 341. Springer, Cham. https://doi.org/10.1007/978-3-030-11395-7_16
DOI: https://doi.org/10.1007/978-3-030-11395-7_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-11394-0
Online ISBN: 978-3-030-11395-7
eBook Packages: Computer Science, Computer Science (R0)