$1;\, p^{t}_{i}$. (4)
A threat requires at least one vulnerability which is suitable to be exploited to cause damage (Open Web Application Security Project, 2013). To model this, for each threat $i$, multiple vulnerabilities are introduced as $V_i = (V_{i1}, \ldots, V_{iJ})$ where each $V_{ij}$ is Bernoulli distributed. This means that threat $i$ exploits vulnerability $j$ with probability $p^{v}_{ij}$ and fails to exploit vulnerability $j$ with probability $1 - p^{v}_{ij}$:

$$V_{ij} \sim B\left(1;\, p^{v}_{ij}\right). \tag{5}$$
It is assumed that each vulnerability $j$ has a number of controls associated with it, which are modeled by $C_j = (C_{j1}, \ldots, C_{jK})$ where each $C_{jk}$ is again Bernoulli distributed:

$$C_{jk} \sim B\left(1;\, p^{c}_{jk}\right). \tag{6}$$
4.2. Derivation of success probability of threats
To cause damage, a threat has to exploit a suitable vulnerability which may have multiple security controls associated with it. As illustrated in Figure 2, the probability that all security controls fail is the joint probability that each individual control fails, which is $P(C_{j1} = 0, \ldots, C_{jK} = 0) = \prod_{k=1}^{K} \left(1 - p^{c}_{jk}\right)$.

Figure 2: Tree representation of the uncertainty associated with the effectiveness of security controls. (Complementary events are omitted.)

Based on this, the probability $p^{ve}_{ij}$ that threat $i$ causes damage while exploiting vulnerability $j$ is:

$$p^{ve}_{ij} = p^{v}_{ij} \prod_{k=1}^{K} \left(1 - p^{c}_{jk}\right). \tag{7}$$
Accordingly, the overall probability that a threat occurs and in consequence causes damage is the joint probability that a threat emerges and the event that at least one vulnerability is successfully exploited. The probability that a threat exploits at least one vulnerability can be derived from the probability of the complementary event, which is the event that a threat exploits no vulnerability. From this follows the probability $p^{ARO}_{i}$ that a threat occurs once:

$$p^{ARO}_{i} = p^{t}_{i} \left(1 - \prod_{j=1}^{J} \left(1 - p^{ve}_{ij}\right)\right). \tag{8}$$
The actual ARO is modeled by a multidimensional random variable $T^{ARO} = (T^{ARO}_{1}, \ldots, T^{ARO}_{I})$. The variable is used to derive for each threat the number of successful occurrences within one year. For this purpose, it is assumed that the expected number of occurrences $n_i$ of a threat within one year can be estimated. Every time a threat emerges, it can either be successful or not with success probability $p^{ARO}_{i}$. To model this, $T^{ARO}_{i}$ is considered to be binomial distributed, $T^{ARO}_{i} \sim B\left(n_i;\, p^{ARO}_{i}\right)$, with $n_i$ number of trials. The corresponding probability mass function $f_{T^{ARO}_{i}}$ is given by
Proceedings of the International Conference on Cloud Security Management, Seattle, WA, USA
$$f_{T^{ARO}_{i}}(s) = \binom{n_i}{s} \left(p^{ARO}_{i}\right)^{s} \left(1 - p^{ARO}_{i}\right)^{n_i - s}, \quad \text{for } s = 1, \ldots, n_i. \tag{9}$$
4.3. Determining the annual loss expectancy
Based on these results, the ALE of a threat can be derived from the expected value of $T^{ARO}_{i}$ and the SLE of the threat. By definition the expected value of $T^{ARO}_{i}$ is $n_i\, p^{ARO}_{i}$ and the SLE can be estimated or approximated by any suitable random variable and its corresponding distribution (e.g., normal distribution). Let $E[\cdot]$ represent the expected value, then the ALE of all threats is:

$$ALE = \sum_{i=1}^{I} E[SLE_i]\, n_i\, p^{ARO}_{i}. \tag{10}$$
4.4. Model formulation
The introduced understanding of security controls as individual components leads to the problem of selecting the most appropriate ones. The results on attack paths are now being used as basis for a novel approach to model cloud security. Properties of threats, vulnerabilities, and security controls are combined in accordance with the definition of ALE to form the foundation of the ROSI calculation (2). To derive the decision criterion, the ALE as introduced in (3) is used to calculate ROSI. It is assumed that the initial investment and the yearly maintenance costs of each security control can be estimated. Let be the planning period in years, then the cost of solution can be computed as

$$\text{Cost of solution} = \sum_{k=1}^{K} c^{0}_{k}\, sc_k + \sum_{k=1}^{K} c^{y}_{k}\, sc_k \tag{11}$$
with $c^{0}_{k}$ being the amount of the initial security investment of control $k$ and $c^{y}_{k}$ being the yearly maintenance cost of the same control. The decision variable $sc_k \in \{0, 1\}$ indicates whether a control is selected ($sc_k = 1$) or not ($sc_k = 0$).
The monetary loss reduction is the difference between the upper bound $ALE^{U}$, which is the worst case scenario in terms of financial damage, and the ALE to be optimized. The resulting objective function (12) expressing the ROSI is to be maximized. The corresponding deterministic counterpart of the described stochastic model utilizes the mathematical expectation of all random variables and is referred to as the Security Controls Selection Problem (SCSP) in the following.
Indices and sets
$I$          Index set of threats (index $i$)
$J$          Index set of vulnerabilities (index $j$)
$K$          Index set of security controls (index $k$)

Parameters
$ALE^{L}$    Lower bound annual loss expectancy
$ALE^{U}$    Upper bound annual loss expectancy
$c^{0}_{k}$  Initial security investment for security control $k$
$c^{y}_{k}$  Yearly security investment for security control $k$
             Maximum deviation from best case ALE in percent
             Planning period in years
$n_i$        Number of occurrences of threat $i$ within one year
$p^{t}_{i}$  Probability that threat $i$ is successful
$p^{v}_{ij}$ Probability that threat $i$ is successfully exploiting vulnerability $j$
$p^{c}_{jk}$ Probability that control $k$ prevents a threat from exploiting vulnerability $j$
$SLE_i$      Single loss expectancy of threat $i$

Decision variables
$ALE$        Annual loss expectancy to be optimized
$C$          Cost of solution corresponding to the current solution
$sc_k$       Selection of security control $k$ to be established, $sc_k \in \{0, 1\}$
In constraint (13), the ALE is calculated by using the expected value of SLE and ARO. In (14-15) it is again calculated once with $sc_k = 0, \forall k$ and once with $sc_k = 1, \forall k$, to obtain the lower and upper bounds. As stated before, the upper bound $ALE^{U}$ is used to determine the monetary loss reduction required for the ROSI calculation. The lower bound $ALE^{L}$ on the other hand is needed to guarantee a certain quality of the solution. By choosing parameter , it is guaranteed that the solution deviates maximal percent from the best possible outcome (16). In (17) the cost of solution is calculated.
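(SCSP)

$$\max\ \frac{ALE^{U} - ALE - C}{C} \tag{12}$$

s. t.

$$ALE = \sum_{i=1}^{I} E[SLE_i]\, n_i\, p^{t}_{i} \left(1 - \prod_{j=1}^{J} \left(1 - p^{v}_{ij} \prod_{k=1}^{K} \left(1 - p^{c}_{jk}\, sc_k\right)\right)\right) \tag{13}$$

$$ALE^{L} = \sum_{i=1}^{I} E[SLE_i]\, n_i\, p^{t}_{i} \left(1 - \prod_{j=1}^{J} \left(1 - p^{v}_{ij} \prod_{k=1}^{K} \left(1 - p^{c}_{jk}\right)\right)\right) \tag{14}$$

$$ALE^{U} = \sum_{i=1}^{I} E[SLE_i]\, n_i\, p^{t}_{i} \left(1 - \prod_{j=1}^{J} \left(1 - p^{v}_{ij}\right)\right) \tag{15}$$

$$ALE \le (1 + \ )\, ALE^{L} \tag{16}$$

$$C = \sum_{k=1}^{K} c^{0}_{k}\, sc_k + \sum_{k=1}^{K} c^{y}_{k}\, sc_k \tag{17}$$

$$sc_k \in \{0, 1\} \quad \forall k \in K \tag{18}$$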
5. Application example and data evaluation
Some exemplary threats, vulnerabilities, security controls, and model parameters are introduced in the following to demonstrate the quality of the approach. In any real life application these values would be obtained by conducting a risk assessment of the cloud application or service. For the purpose of this example the data are based on the judgment of the authors.
Although the model can in principle be applied to any type of threats, the following example is addressing the field of identity and access management (IAM). Related threats are particularly important in cloud computing due to the ubiquitous access opportunities. In Tables 1 to 3, a number of threats, vulnerabilities, and security controls are presented based on a literature review. In any practical application this information is usually gathered during a risk assessment.
Symbol  Threat
T1      Exploiting default passwords
T2      Password guessing: Dictionary, brute force, and rainbow attacks
T3      Shoulder surfing
T4      Social engineering
T5      Dumpster diving and identity theft
Table 1: Examples of IAM related threats. Source: Todorov (2007)

Symbol  Vulnerability
V1      Lack of, or insufficient, rules
V2      Inadequate sensitization to IT security
V3      Non-compliance with IT security safeguards
V4      Hazards posed by cleaning staff or outside staff
V5      Inappropriate handling of passwords
V6      Inadequate checking of the identity of communication partners
Table 2: Examples of vulnerabilities which are exploitable by IAM related threats. Source: German Federal Office for Information Security (2005)

Symbol  Security Control
C1      Suitable storage of official documents and data media
C2      Provisions governing the use of passwords
C3      Supervising or escorting outside staff/visitors
C4      Clean desk policy
C5      Training on IT security safeguards
C6      Log-out obligation for users
C7      Change of preset passwords
C8      Secure log-in
C9      Using encryption, checksums or digital signatures
C10     Use of one-time passwords
Table 3: Possible security controls to reduce the exploitability of IAM related vulnerabilities. Source: German Federal Office for Information Security (2005)
To connect the three stages of the corresponding attack paths, Tables 4 to 7 contain exemplary probabilities, damages, and costs.

i    $p^{t}_{i}$   $n_i$   $SLE_i$
1    0.8           100     20K
2    0.5           50      20K
3    0.1           10      20K
4    0.5           20      20K
5    0.1           10      20K
Table 4: Example probabilities and SLE values of threats in USD.

i/j   1     2     3     4     5     6
1     0.5   0.5   0     0     0.1   0
2     0.8   0     0.5   0     0     0
3     0.1   0.5   0.1   0.8   0     0
4     0.1   0.5   0.1   0.1   0     0.8
5     0.1   0.1   0.1   0.5   0.8   0
Table 5: Example probabilities that a vulnerability is successfully exploited by a threat ($p^{v}_{ij}$).
To solve the problem, the model is implemented
using the standard optimization software Xpress
Optimization Suite. The nonlinear problem can be
solved applying successive linear approximation
provided by the Xpress-SLP solver (FICO, 2012).
Figure 3 shows multiple optimal solutions for = 0, . . . , 6 and illustrates the relations between ROSI, ALE, and cost of solution for a planning period of = 3 years. The costs are constantly decreasing and the ALE is increasing when reducing the quality of the solution by choosing larger values. Although this behavior is expected, it is notable that ROSI in fact decreases with higher security. This seems to be an unwanted property since security should be as high as possible, but it is in fact a desired property of ROSI, as it measures the return on investment and not the security of the system. To utilize ROSI the decision maker is therefore required to choose how much security is desired before applying the model. When security requirements have been fixed by choosing , the model is capable of calculating the optimal selection of security controls with respect to this requirement.

Figure 3: Relation between ROSI, ALE, and cost of solution for decreasing quality of solution ( = 0, . . . , 6)
To demonstrate how this approach contributes to efficiently increase security, SCSP is solved optimally with = 1 and the solution ($sc_2 = 1$, $sc_5 = 1$, $sc_6 = 1$) is analyzed applying a Monte Carlo simulation which is based on repeated random sampling to obtain concrete results for the stochastic parameters. For this purpose, the stochastic model is implemented using @RISK by Palisade Corporation and the simulation is conducted with 10,000 iterations (Palisade Corporation, 2013). In each iteration the probability distributions take on a specific value which is used for the calculation.
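The deterministic SCSP (12)-(18) evaluated on the data of Tables 4 to 7, as an added example that is not part of the paper: it enumerates all 2^10 control selections instead of using the Xpress-SLP solver and, under the assumptions below, returns controls 2, 5 and 6. Assumptions: a planning period of three years that multiplies the yearly cost (its symbol is missing on this page), the deviation parameter used directly as the factor in (16) with value 1, and the hypothetical names `ale`, `cost`, `rosi` and `solve`.

```python
from itertools import product
from math import prod

# Values transcribed from Tables 4 to 7 (USD; threat i, vulnerability j, control k).
P_T = [0.8, 0.5, 0.1, 0.5, 0.1]            # p^t_i
N = [100, 50, 10, 20, 10]                  # n_i
SLE = [20_000] * 5                         # E[SLE_i]
P_V = [                                    # p^v_ij, rows i = 1..5
    [0.5, 0.5, 0, 0, 0.1, 0],
    [0.8, 0, 0.5, 0, 0, 0],
    [0.1, 0.5, 0.1, 0.8, 0, 0],
    [0.1, 0.5, 0.1, 0.1, 0, 0.8],
    [0.1, 0.1, 0.1, 0.5, 0.8, 0],
]
P_C = [                                    # p^c_jk, rows j = 1..6
    [0, 0.8, 0, 0.1, 0, 0.8, 0, 0, 0, 0],
    [0, 0, 0, 0.1, 0.8, 0.5, 0.1, 0, 0, 0.1],
    [0, 0.5, 0, 0, 0.5, 0.1, 0.1, 0, 0, 0.1],
    [0.8, 0, 0.8, 0.8, 0, 0.5, 0.1, 0.1, 0, 0.1],
    [0.5, 0, 0.5, 0.5, 0.5, 0, 0, 0.1, 0.1, 0.5],
    [0, 0, 0.1, 0, 0.8, 0, 0, 0, 0.5, 0],
]
C0 = [30_000, 15_000, 10_000, 5_000, 15_000, 5_000, 5_000, 25_000, 15_000, 5_000]
CY = [2_500, 2_500, 40_000, 2_500, 50_000, 1_000, 5_000, 0, 10_000, 5_000]
K = len(C0)
NONE, ALL = (0,) * K, (1,) * K

def ale(sc):
    """Constraint (13): expected annual loss for a 0/1 selection vector sc."""
    total = 0.0
    for i, p_t in enumerate(P_T):
        no_exploit = 1.0                   # probability that no vulnerability is exploited
        for j, p_v in enumerate(P_V[i]):
            controls_fail = prod(1 - P_C[j][k] * sc[k] for k in range(K))
            no_exploit *= 1 - p_v * controls_fail        # 1 - p^ve_ij, eq. (7)
        total += SLE[i] * N[i] * p_t * (1 - no_exploit)  # eqs. (8) and (10)
    return total

def cost(sc, years):
    """Eq. (17); assumption: the planning period multiplies the yearly cost."""
    return sum(s * (c0 + years * cy) for s, c0, cy in zip(sc, C0, CY))

def rosi(sc, years):
    """Objective (12), with ALE^U = ale(NONE) as in (15)."""
    c = cost(sc, years)
    return (ale(NONE) - ale(sc) - c) / c

def solve(max_dev, years):
    """Exhaustive search over all 2^K selections (stands in for the SLP solver)."""
    limit = (1 + max_dev) * ale(ALL)       # constraint (16), ALE^L = ale(ALL)
    feasible = (sc for sc in product((0, 1), repeat=K)
                if any(sc) and ale(sc) <= limit)
    return max(feasible, key=lambda sc: rosi(sc, years))

if __name__ == "__main__":
    best = solve(max_dev=1.0, years=3)
    print([k + 1 for k, s in enumerate(best) if s], round(ale(best)), round(rosi(best, 3), 2))
```

For the returned selection the ALE is about 327,941 USD against an upper bound of 1,912,342 USD, at a three-year cost of 195,500 USD, which gives a ROSI of about 7.10.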
To examine the implementation of the optimal solution for = 1, the density of the maximal damage is first depicted in Figure 4. The maximal damage is obtained by calculating the damage without the implementation of any security controls. As expected, the mean value ($ 1,917,694) is almost identical to the result of the deterministic model. The probability density plot, however, shows that a damage realization of more than $ 1.917 million is very likely with a probability of 71.6%. This fact emphasizes the need for effective controls. The gap between $ 1 million and $ 1.5 million is caused by the structure of the threats. $T_1$ is causing a damage shift due to its high success probability ($p^{t}_{1} = 0.8$).

j/k   1     2     3     4     5     6     7     8     9     10
1     0     0.8   0     0.1   0     0.8   0     0     0     0
2     0     0     0     0.1   0.8   0.5   0.1   0     0     0.1
3     0     0.5   0     0     0.5   0.1   0.1   0     0     0.1
4     0.8   0     0.8   0.8   0     0.5   0.1   0.1   0     0.1
5     0.5   0     0.5   0.5   0.5   0     0     0.1   0.1   0.5
6     0     0     0.1   0     0.8   0     0     0     0.5   0
Table 6: Example probabilities that a security control prevents a threat from exploiting a vulnerability ($p^{c}_{jk}$).

Figure 4: Probability density plot with cumulative overlay of maximal damage with no implementation of controls.
When implementing the optimal solution of SCSP for = 1, the simulation produces a completely different outcome. As can be seen in Figure 5, the probability density of the actual damage shows significantly smaller realizations compared to the maximal damage. There is in fact a 30.4 % chance that no damage occurs. The probability of a realization of more than $ 1.917 million is reduced to 3.4 % when implementing controls according to the solution. As can be seen, the shape of the density function is now flattened out and in particular high realizations are very rare. The previous gap is hardly visible anymore, as the applied solution is consisting of controls that have a distinct influence on vulnerabilities which are exploitable by $T_1$. The superiority of this solution is particularly obvious when examining the cumulated probability density of both cases, as the actual damage is clearly ranked as superior to the maximal damage.

Figure 5: Probability density plot with cumulative overlay of actual damage based on the implementation of the optimal solution for = 1.
6. Conclusion
With the emergence of cloud computing, organizations are confronted with a new situation which requires, more than before, a solid evaluation of their systems and the establishment of proper security controls. The security of cloud-based systems is to a large extent assured by the service provider but still needs to be complemented by additional security controls which have to be implemented by the consumer of the service.
In this paper, a quantitative approach is introduced to support the decision maker in selecting such compensating controls in a cost-effective manner. The corresponding model is taking into account how threats are arising in a cloud context and adds the element of uncertainty. By defining the stochastic structure it becomes possible to determine how much damage can be expected with respect to different security solutions. In addition, by leveraging well-established methods of mathematical optimization it is possible to select the best possible investment strategy.
Simulations of possible threat scenarios have shown that the developed approach is providing a significant improvement of security. However, the modeling still leaves room for improvement with respect to the representation of uncertainty. In case of extreme events the utilization of expected values in the deterministic counterpart of the model may cause undesired properties of the solution. To avoid this, the applicability of other modeling approaches and decision criteria are currently under consideration. Possible approaches include the use of different measures of dispersion, other risk measures like Value at Risk, and multiple criteria decision making.

k             1      2      3     4      5     6    7    8     9     10
$c^{0}_{k}$   30K    15K    10K   5K     15K   5K   5K   25K   15K   5K
$c^{y}_{k}$   2.5K   2.5K   40K   2.5K   50K   1K   5K   0     10K   5K
Table 7: Example probabilities that a security control prevents a threat from exploiting a vulnerability ($p^{c}_{jk}$).
References
Armbrust, M. et al. (2009) Above the Clouds: A Berkeley View of Cloud Computing. Berkeley: EECS Department, University of California.
Ben Aissa, A., Abercrombie, R.K., Sheldon, F.T. & Mili, A. (2010) Quantifying security threats and their potential impacts: A case study. Innovations in Systems and Software Engineering, Vol. 6, No. 4, December, pp. 269-281.
Berinato, S. (2002) Finally, a real return on security spending. CIO Magazine.
Böhme, R. & Nowey, T. (2005) Economic Security Metrics. In: I. Eusgeld, F. C. Freiling & R. Reussner, eds. Dependability Metrics. Berlin: Springer, pp. 176-187.
Bojanc, R. & Jerman-Blažič, B. (2008) An economic modelling approach to information security risk management. International Journal of Information Management, Vol. 28, No. 5, October, pp. 413-422.
Chen, Y., Boehm, B. & Sheppard, L. (2007) Value Driven Security Threat Modeling Based on Attack Path Analysis. Proceedings of the 40th Annual Hawaii International Conference on System Sciences, January, p. 280a.
Cloud Security Alliance (2011) Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. [online] Available at: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf.
European Network and Information Security Agency (2012) Introduction to Return on Security Investment - Helping CERTs assessing the cost of (lack of) security, Heraklion: ENISA.
FICO (2012) FICO Xpress-SLP. [online] Available at: http://www.fico.com/en/products/dmtools/xpress-overview/pages/xpress-slp.aspx.
German Federal Office for Information Security (2005) IT-Grundschutz Catalogues, Bonn: BSI.
Jansen, W. & Grance, T. (2011) Guidelines on Security and Privacy in Public Cloud Computing, Gaithersburg: National Institute of Standards and Technology.
Levin, M.S. & Danieli, M.A. (2005) Hierarchical Decision Making Framework for Evaluation and Improvement of Composite Systems (Example for Building). Informatica, Vol. 16, No. 2, April, pp. 213-240.
Mell, P. & Grance, T. (2011) The NIST Definition of Cloud Computing, National Institute of Standards and Technology, Gaithersburg.
Open Web Application Security Project (2013) OWASP Top Ten Project. [online] Available at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
Palisade Corporation (2013) @RISK: Risk Analysis Software using Monte Carlo Simulation for Excel. [online] Available at: http://www.palisade.com/risk/.
Rabai, L.B.A., Jouini, M., Ben Aissa, A. & Mili, A. (2013) A cybersecurity model in cloud computing environments. Journal of King Saud University - Computer and Information Sciences, Vol. 25, No. 1, January, pp. 63-75.
Ryan, J.J. et al. (2012) Quantifying information security risks using expert judgment elicitation. Computers & Operations Research, Vol. 39, No. 4, April, pp. 774-784.
Sonnenreich, W., Albanese, J. & Stout, B. (2006) Return On Security Investment (ROSI) - A Practical Quantitative Model. Journal of Research and Practice in Information Technology, Vol. 38, No. 1, February, pp. 55-66.
Todorov, D. (2007) Mechanics of User Identification and Authentication: Fundamentals of Identity Management, Auerbach Publications, Boca Raton.
Tsiakis, T. (2010) Information Security Expenditures: A Techno-Economic Analysis. International Journal of Computer Science and Network Security, Vol. 10, No. 4, April, pp. 7-11.
Vaquero, L.M., Rodero-Merino, L., Caceres, J. & Lindner, M. (2008) A Break in the Clouds: Towards a Cloud Definition. ACM SIGCOMM Computer Communication Review, Vol. 39, No. 1, January, pp. 50-55.