Abstract
Cloud computing is less a new technology than a service model that allows computing resources to be used remotely. Its services are available on demand and range from data storage and processing to software as a service, such as email and development platforms. Cloud computing enables ubiquitous, on-demand network access to a shared pool of configurable resources (servers, applications, etc.) that can be accessed, altered or even restored rapidly with minimal management effort or service provider interaction. Still, the vast growth of cloud computing has introduced new security issues. Key factors are the loss of control over outsourced resources and cloud computing's inherent security vulnerabilities. Managing these risks requires the adoption of an effective risk management method, capable of involving both the cloud customer and the Cloud Service Provider. Risk assessment methods are common tools among IT security consultants for managing the risk of entire companies. Still, traditional risk management methodologies struggle to handle cloud services. Extending our previous work, this paper compares and examines whether popular risk management methods and tools (e.g. NIST SP800, EBIOS, MEHARI, OCTAVE, IT-Grundschutz, MAGERIT, CRAMM, HTRA, Risk-Safe Assessment, CORAS) are suitable for cloud computing environments. Specifically, based on the existing literature, this paper identifies the essential characteristics that any risk assessment method addressed to cloud computing should incorporate, and suggests three new ones that, based on their features, are more appropriate.
© 2021 Springer Nature Switzerland AG
Cite this chapter
Gritzalis, D., Stergiopoulos, G., Vasilellis, E., Anagnostopoulou, A. (2021). Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?. In: Tsihrintzis, G., Virvou, M. (eds) Advances in Core Computer Science-Based Technologies. Learning and Analytics in Intelligent Systems, vol 14. Springer, Cham. https://doi.org/10.1007/978-3-030-41196-1_6
DOI: https://doi.org/10.1007/978-3-030-41196-1_6
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41195-4
Online ISBN: 978-3-030-41196-1
eBook Packages: Engineering (R0)