
Proceedings of the International Conference on Cloud Security Management, Seattle, WA, USA

A Quantitative Threat Modeling Approach to Maximize the Return on Security Investment in Cloud Computing
Andreas Schilling
Ruhr-University Bochum
andreas.schilling@rub.de
Brigitte Werners
Ruhr-University Bochum
or@rub.de
Abstract
The number of threats to cloud-based systems increases and likewise does the demand for effective approaches to
assess and improve security of such systems. The loss, manipulation, disclosure, or simply the unavailability of
information may lead to expenses, missed profits, or even legal consequences. This implies the need for effective
security controls as well as practical methods to evaluate and improve cloud security. Due to the pervasive nature of
cloud computing threats are not limited to the physical infrastructure but permeate all levels of an organization.
Most research in cloud security, however, focuses on technical issues regarding network security, virtualization, data
protection, and other related topics. The question of how to evaluate and, in a second step, improve organization wide
security of a cloud has been subject to little research. As a consequence, insecurity remains among organizations
regarding protection needs of cloud-based systems. To support decision makers in choosing cost-effective security
controls, a stochastic cloud security risk model is introduced in this paper. The model is based on the practical
experience that a threat agent is able to penetrate web-based cloud applications by successfully exploiting one of
many possible attack paths. Each path originates from the combination of attack vectors and security weaknesses and
results, if successfully exploited, in a negative business impact. Although corresponding risks are usually treated
by an organization in its risk management, existing approaches fail to evaluate the problem in a holistic way. The
integrated threat model presented in this paper leverages quantitative modeling and mathematical optimization to
select security controls in order to maximize the Return on Security Investment (ROSI) according to the complete
threat landscape. The model is designed to be applied within the framework of an existing risk management and to
quantify security risks using expert judgment elicitation. The results indicate that already small security investments
yield a significant risk reduction. This characteristic is consistent with the principle of diminishing marginal utility
of security investments and emphasizes the importance of profound business decisions in the field of IT security.
Keywords: cloud computing, threat modeling, return on security investment, risk management
1. Introduction
Cloud computing is a computing paradigm which is the result of an evolution in computing and information technology. It leads to enhancements in collaboration, agility, scaling, and availability, enabled by centralized and optimized computing resources (Cloud Security Alliance, 2011). By pooling resources it becomes possible to achieve significant cost savings and enable convenient and on-demand network access. Services offered cover the entire information technology (IT) spectrum and include servers, storage, applications, services, or entire networks (Mell & Grance, 2011). When providing computing resources as a utility, the payment model changes from a fixed rate to a pay-per-use model. As a result, capital expenditures for IT investments are substantially reduced and transformed into operational expenditures (Vaquero et al., 2008).
Many organizations still have concerns about security and privacy of data which are processed or stored in a cloud infrastructure (Armbrust et al., 2009). The reason for this is that in a typical public cloud environment some systems or subsystems are outside of the immediate control of the customer. Many organizations feel more secure when they have greater influence on security aspects and may intervene if they deem it necessary (Jansen & Grance, 2011). In cloud computing this freedom is reduced and shifted to a certain degree to the service provider. How much control is left depends on the service delivery model and, in case of Software as a Service (SaaS), is very limited.
Although this characteristic of cloud services seems problematic at first, it has the potential to strengthen security. A specialized data center operator is usually better able to establish and maintain a high security infrastructure than most organizations could do. Despite the fact that potential consumers are raising numerous security concerns, the specialization and standardization trend of cloud service providers potentially increases security over the long term. However, the assumption that security is always taken care of in cloud computing would be very dangerous. Just as for most traditional solutions, cloud services are still facing several threats which arise from the integration into an organization's IT infrastructure. An understanding of the context in which an organization operates is crucial to determine if risks associated with specific cloud services are acceptable. Default offerings may not be suitable to meet an organization's security needs. In such a case, additional security controls can be deployed to reduce the risk to an acceptable level (Jansen & Grance, 2011).
In the following, a novel approach to evaluate and increase the security of cloud-based systems is proposed. The corresponding model is designed to support the decision maker in selecting cost-effective security controls with respect to the uncertainty of threats. The approach is based on the principle of attack paths to identify how a threat arises. By applying quantitative modeling, it is possible to calculate business impacts and derive optimal investment decisions. The simulation of realistic threat scenarios shows that the proposed model can significantly reduce damages resulting from security incidents.
2. Related Work
Security challenges in cloud computing have been addressed by several authors and organizations. According to the Cloud Security Alliance (2011), cloud applications are facing threats which go beyond what traditional applications are exposed to. This underlines the importance of enterprise risk management to identify and implement appropriate organizational structures, processes, and controls. They also state that not only the service provider is responsible for security but also the customer.
Jansen & Grance (2011) surveyed common problems in cloud computing and published their results as guidelines on security and privacy in cloud computing. According to this, insufficient security controls of the cloud provider may have a negative impact on confidentiality, privacy, or integrity of the customer's data. As a consequence, an organization can employ compensating security and privacy controls to work around identified shortcomings.
Tsiakis (2010) analyzed the problem of determining appropriate security expenditures and emphasizes the importance of security measurement. Although qualitative approaches can contribute to this evaluation, it is not possible to perform a solid cost/benefit analysis. A quantitative approach, on the other hand, can provide concrete measures such as the Return on Investment (ROI) and gives a clear indication to the decision maker. Sonnenreich et al. (2006) are proposing a practical quantitative model which is based on ROI but takes the specifics of information security into account. The same idea is also shared by Böhme & Nowey (2005).
To support the understanding of the economics of security investments in general and in cloud computing, a first model has been proposed by Ben Aissa et al. (2010). The model is designed to calculate the mean failure cost by taking into account requirements of different stakeholders, multiple system components, and a threat vector. Rabai et al. (2013) apply this model directly to cloud computing which represents a first approach to quantify and measure risks in economic terms. However, the model only evaluates the current state of the system and provides no decision support. In addition, it is not possible to derive any information on how to improve security.
3. The structure of security threats in cloud computing
The following model is designed to support the establishment of cost-effective security controls in cloud computing and is based on a component-based view of security controls. This approach is motivated by the fact that, although security controls can be deployed individually, they do not work in isolation. Each control affects overall security in a specific way and only the conjunction of all implemented controls reflects the actual state of security (Sonnenreich et al., 2006). A modular approach to system design in general is well known and there are several modular engineering methods available to support profound design decisions. In addition, by encapsulating individual parts of a system it becomes easier to acquire and to utilize expert information about certain parts of the overall system (Levin & Danieli, 2005).
In cloud computing the customer is not involved in the administration and maintenance of the infrastructure and hence has little to no control over its configuration. As a consequence, risk assessments can focus on direct risks originating from the application and organizational layer. Threats in this regard are more flat and may directly exploit a vulnerability to cause damage. An organization only needs to invest in security to complement the efforts of its service provider.
According to the Open Web Application Security Project (OWASP), a threat arises in the form of a path through an application or system, starting from an attacker and resulting in a negative business impact. This view of threats seems appropriate, as most cloud applications are browser-based and are used directly by the end user from a workstation or mobile device. To strengthen the security of such a system, it is necessary to identify each path and evaluate its probability and impact. When combined, these factors determine the overall risk of a security breach (Chen et al., 2007; Open Web Application Security Project, 2013). Figure 1 illustrates this concept.
Figure 1: The concept of attack paths to assess information security risks constitutes a multi-stage attack model. Source: Figure based on Open Web Application Security Project (2013)
To reduce the success probability of threats, security controls can be implemented which affect corresponding vulnerabilities. By applying the introduced threat model, it is now possible to consider all identified attack paths and choose the most effective controls. To decide on investments, the management requires a concrete cost-benefit analysis, including a comprehensible measurement of security. In addition, there normally is a conflict between the objective to lower security investments and at the same time achieve the highest possible degree of security. To solve this issue the Return on Security Investment (ROSI), initially presented by Berinato (2002), is used as decision criterion. ROSI is a practical measure to calculate the Return on Investment (ROI) for security solutions. It is inspired by the original ROI where the cost of a purchase is weighted against its expected returns:
$$\mathrm{ROI} = \frac{\text{Expected returns} - \text{Cost of investment}}{\text{Cost of investment}}. \tag{1}$$
To calculate the ROSI, the equation has to be modified to reflect that a security investment does not yield any profit. The expected return is replaced by the monetary loss reduction and leads to the following definition (Berinato, 2002; European Network and Information Security Agency, 2012):
$$\mathrm{ROSI} = \frac{\text{Monetary loss reduction} - \text{Cost of solution}}{\text{Cost of solution}}. \tag{2}$$
A common measure of monetary loss is the annual loss expectancy (ALE). It is calculated by multiplying the single loss expectancy (SLE) by the annual rate of occurrence (ARO) (Bojanc & Jerman-Blažič, 2008):
$$\mathrm{ALE} = \mathrm{SLE} \cdot \mathrm{ARO}. \tag{3}$$
Both values, SLE and ARO, are difficult to obtain because reliable historical data do not exist or are not available for use. This is because few companies track security incidents and even if they do, data are often not accurate due to unnoticed incidents or inaccurate quantification of damages. In order to solve this problem Ryan et al. (2012) successfully demonstrated the feasibility of expert judgment elicitation to the field of IT security. It shows that the utilization of expert judgment is particularly useful when quantitative data is missing or of insufficient quality. The following model, therefore, relies on experts who have significant experience with technologies and systems in question.
It should be noted that possible inaccuracies regarding the risk estimation cannot completely be eliminated using this approach; however, Sonnenreich et al. (2006) state that an inaccurate scoring can be effective if it is repeatable and consistent. This means, if different investment decisions are compared based on the same input parameters, the resulting outcome may not be perfectly accurate in terms of financial figures, but the evaluation of different investment strategies can provide a coherent basis for decision-making. The following model provides such estimation in a consistent way to assess different investment decisions and even determines an optimal one with respect to ROSI.
4. Mathematical cloud security model
The uncertainty about the ARO of threats is modeled based on the principle of attack paths. Each path consists of the probability of the threat to emerge, the probability of the threat to exploit specific vulnerabilities, and the chance of a security control to prevent such event.
4.1. The uncertainty of attack paths
Let $T = (T_1, \ldots, T_I)$ be a multidimensional random variable and let each $T_i$ model an isolated threat which can either be successful or not without respect to its underlying attack path. This probability can be viewed as a measure of the hardness or complexity of an attack. Each $T_i$ is Bernoulli distributed:
$$T_i \sim B\left(1;\, p^t_i\right). \tag{4}$$
A threat requires at least one vulnerability which is suitable to be exploited to cause damage (Open Web Application Security Project, 2013). To model this, for each threat $i$, multiple vulnerabilities are introduced as $V_i = (V_{i1}, \ldots, V_{iJ})$ where each $V_{ij}$ is Bernoulli distributed. This means that threat $i$ exploits vulnerability $j$ with probability $p^v_{ij}$ and fails to exploit vulnerability $j$ with probability $1 - p^v_{ij}$:
$$V_{ij} \sim B\left(1;\, p^v_{ij}\right). \tag{5}$$
It is assumed that each vulnerability $j$ has a number of controls associated with it, which are modeled by $C_j = (C_{j1}, \ldots, C_{jK})$ where each $C_{jk}$ is again Bernoulli distributed:
$$C_{jk} \sim B\left(1;\, p^c_{jk}\right). \tag{6}$$
4.2. Derivation of success probability of threats
To cause damage, a threat has to exploit a suitable vulnerability which may have multiple security controls associated with it. As illustrated in Figure 2, the probability that all security controls fail is the joint probability that each individual control fails, which is $P\left(C_{j1} = 0, \ldots, C_{jK} = 0\right) = \prod_{k=1}^{K} \left(1 - p^c_{jk}\right)$.
Figure 2: Tree representation of the uncertainty associated with the effectiveness of security controls. (Complementary events are omitted.)
Based on this, the probability $p^{ve}_{ij}$ that threat $i$ causes damage while exploiting vulnerability $j$ is:
$$p^{ve}_{ij} = p^v_{ij} \prod_{k=1}^{K} \left(1 - p^c_{jk}\right). \tag{7}$$
Accordingly, the overall probability that a threat occurs and in consequence causes damage is the joint probability that a threat emerges and the event that at least one vulnerability is successfully exploited. The probability that a threat exploits at least one vulnerability can be derived from the probability of the complementary event, which is the event that a threat exploits no vulnerability. From this follows the probability $p^{ARO}_i$ that a threat occurs once:
$$p^{ARO}_i = p^t_i \left(1 - \prod_{j=1}^{J} \left(1 - p^{ve}_{ij}\right)\right). \tag{8}$$
The actual ARO is modeled by a multidimensional random variable $T^{ARO} = \left(T^{ARO}_1, \ldots, T^{ARO}_I\right)$. The variable is used to derive for each threat the number of successful occurrences within one year. For this purpose, it is assumed that the expected number of occurrences $n_i$ of a threat within one year can be estimated. Every time a threat emerges, it can either be successful or not with success probability $p^{ARO}_i$. To model this, $T^{ARO}_i$ is considered to be binomial distributed $\left(T^{ARO}_i \sim B\left(n_i;\, p^{ARO}_i\right)\right)$ with $n_i$ number of trials. The corresponding probability mass function $f_{T^{ARO}_i}$ is given by
$$f_{T^{ARO}_i}(s) = \binom{n_i}{s} \left(p^{ARO}_i\right)^{s} \left(1 - p^{ARO}_i\right)^{n_i - s}, \quad \text{for } s = 1, \ldots, n_i. \tag{9}$$
4.3. Determining the annual loss expectancy
Based on these results, the ALE of a threat can be derived from the expected value of $T^{ARO}_i$ and the SLE of the threat. By definition the expected value of $T^{ARO}_i$ is $n_i\, p^{ARO}_i$ and the SLE can be estimated or approximated by any suitable random variable and its corresponding distribution (e.g., normal distribution). Let $E[.]$ represent the expected value, then the ALE of all threats is:
$$\mathrm{ALE} = \sum_{i=1}^{I} E[\mathrm{SLE}_i]\; n_i\; p^{ARO}_i. \tag{10}$$
4.4. Model formulation
The introduced understanding of security controls as individual components leads to the problem of selecting the most appropriate ones. The results on attack paths are now being used as basis for a novel approach to model cloud security. Properties of threats, vulnerabilities, and security controls are combined in accordance with the definition of ALE to form the foundation of the ROSI calculation (2). To derive the decision criterion, the ALE as introduced in (3) is used to calculate ROSI. It is assumed that the initial investment and the yearly maintenance costs of each security control can be estimated. Let be the planning period in years, then the cost of solution can be computed as
$$\text{Cost of solution} = \sum_{k=1}^{K} c^0_k\, sc_k + \sum_{k=1}^{K} c^y_k\, sc_k \tag{11}$$
with $c^0_k$ being the amount of the initial security investment of control $k$ and $c^y_k$ being the yearly maintenance cost of the same control. The decision variable $sc_k \in \{0, 1\}$ indicates whether a control is selected ($sc_k = 1$) or not ($sc_k = 0$).
The monetary loss reduction is the difference between the upper bound $\mathrm{ALE}^U$, which is the worst case scenario in terms of financial damage, and the ALE to be optimized. The resulting objective function (12) expressing the ROSI is to be maximized. The corresponding deterministic counterpart of the described stochastic model utilizes the mathematical expectation of all random variables and is referred to as the Security Controls Selection Problem (SCSP) in the following.
Indices and sets
  $I$                 Index set of threats (index $i$)
  $J$                 Index set of vulnerabilities (index $j$)
  $K$                 Index set of security controls (index $k$)
Parameters
  $\mathrm{ALE}^L$    Lower bound annual loss expectancy
  $\mathrm{ALE}^U$    Upper bound annual loss expectancy
  $c^0_k$             Initial security investment for security control $k$
  $c^y_k$             Yearly security investment for security control $k$
                      Maximum deviation from best case ALE in percent
                      Planning period in years
  $n_i$               Number of occurrences of threat $i$ within one year
  $p^t_i$             Probability that threat $i$ is successful
  $p^v_{ij}$          Probability that threat $i$ is successfully exploiting vulnerability $j$
  $p^c_{jk}$          Probability that control $k$ prevents a threat from exploiting vulnerability $j$
  $\mathrm{SLE}_i$    Single loss expectancy of threat $i$
Decision variables
  $\mathrm{ALE}$      Annual loss expectancy to be optimized
  $C$                 Cost of solution corresponding to the current solution
  $sc_k$              Selection of security control $k$ to be established, $sc_k \in \{0, 1\}$
In constraint (13), the ALE is calculated by using the expected value of SLE and ARO. In (14-15) it is again calculated once with $sc_k = 0, \forall k$ and once with $sc_k = 1, \forall k$, to obtain the lower and upper bounds. As stated before, the upper bound $\mathrm{ALE}^U$ is used to determine the monetary loss reduction required for the ROSI calculation. The lower bound $\mathrm{ALE}^L$ on the other hand is needed to guarantee a certain quality of the solution. By choosing parameter , it is guaranteed that the solution deviates maximal percent from the best possible outcome (16). In (17) the cost of solution is calculated.
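(SCSP)
$$\max \; \frac{\mathrm{ALE}^U - \mathrm{ALE} - C}{C} \tag{12}$$
$$\text{s.t.} \quad \mathrm{ALE} = \sum_{i=1}^{I} E[\mathrm{SLE}_i]\; n_i\; p^t_i \left(1 - \prod_{j=1}^{J} \left(1 - p^v_{ij} \prod_{k=1}^{K} \left(1 - p^c_{jk}\, sc_k\right)\right)\right) \tag{13}$$
$$\mathrm{ALE}^L = \sum_{i=1}^{I} E[\mathrm{SLE}_i]\; n_i\; p^t_i \left(1 - \prod_{j=1}^{J} \left(1 - p^v_{ij} \prod_{k=1}^{K} \left(1 - p^c_{jk}\right)\right)\right) \tag{14}$$
$$\mathrm{ALE}^U = \sum_{i=1}^{I} E[\mathrm{SLE}_i]\; n_i\; p^t_i \left(1 - \prod_{j=1}^{J} \left(1 - p^v_{ij}\right)\right) \tag{15}$$
$$\mathrm{ALE} \le (1 + \;\;)\, \mathrm{ALE}^L \tag{16}$$
$$C = \sum_{k=1}^{K} c^0_k\, sc_k + \sum_{k=1}^{K} c^y_k\, sc_k \tag{17}$$
$$sc_k \in \{0, 1\} \quad \forall k \in K \tag{18}$$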
5. Application example and data evaluation
Some exemplary threats, vulnerabilities, security controls, and model parameters are introduced in the following to demonstrate the quality of the approach. In any real life application these values would be obtained by conducting a risk assessment of the cloud application or service. For the purpose of this example the data are based on the judgment of the authors.
Although the model can in principle be applied to any type of threats, the following example is addressing the field of identity and access management (IAM). Related threats are particularly important in cloud computing due to the ubiquitous access opportunities. In Tables 1 to 3, a number of threats, vulnerabilities, and security controls are presented based on a literature review. In any practical application this information is usually gathered during a risk assessment.
Symbol  Threat
T1      Exploiting default passwords
T2      Password guessing: Dictionary, brute force, and rainbow attacks
T3      Shoulder surfing
T4      Social engineering
T5      Dumpster diving and identity theft
Table 1: Examples of IAM related threats. Source: Todorov (2007)

Symbol  Vulnerability
V1      Lack of, or insufficient, rules
V2      Inadequate sensitization to IT security
V3      Non-compliance with IT security safeguards
V4      Hazards posed by cleaning staff or outside staff
V5      Inappropriate handling of passwords
V6      Inadequate checking of the identity of communication partners
Table 2: Examples of vulnerabilities which are exploitable by IAM related threats. Source: German Federal Office for Information Security (2005)

Symbol  Security Control
C1      Suitable storage of official documents and data media
C2      Provisions governing the use of passwords
C3      Supervising or escorting outside staff/visitors
C4      Clean desk policy
C5      Training on IT security safeguards
C6      Log-out obligation for users
C7      Change of preset passwords
C8      Secure log-in
C9      Using encryption, checksums or digital signatures
C10     Use of one-time passwords
Table 3: Possible security controls to reduce the exploitability of IAM related vulnerabilities. Source: German Federal Office for Information Security (2005)

To connect the three stages of the corresponding attack paths, Tables 4 to 7 contain exemplary probabilities, damages, and costs.

i    $p^t_i$   $n_i$   $\mathrm{SLE}_i$
1    0.8       100     20K
2    0.5       50      20K
3    0.1       10      20K
4    0.5       20      20K
5    0.1       10      20K
Table 4: Example probabilities and SLE values of threats in USD.

i/j  1     2     3     4     5     6
1    0.5   0.5   0     0     0.1   0
2    0.8   0     0.5   0     0     0
3    0.1   0.5   0.1   0.8   0     0
4    0.1   0.5   0.1   0.1   0     0.8
5    0.1   0.1   0.1   0.5   0.8   0
Table 5: Example probabilities that a vulnerability is successfully exploited by a threat ($p^v_{ij}$).

To solve the problem, the model is implemented
using the standard optimization software Xpress
Optimization Suite. The nonlinear problem can be
solved applying successive linear approximation
provided by the Xpress-SLP solver (FICO, 2012).
Figure 3 shows multiple optimal solutions for = 0, . . . , 6 and illustrates the relations between ROSI, ALE, and cost of solution for a planning period of = 3 years. The costs are constantly decreasing and the ALE is increasing when reducing the quality of the solution by choosing larger values. Although this behavior is expected, it is notable that ROSI in fact decreases with higher security. This seems to be an unwanted property since security should be as high as possible, but it is in fact a desired property of ROSI, as it measures the return on investment and not the security of the system. To utilize ROSI the decision maker is therefore required to choose how much security is desired before applying the model. When security requirements have been fixed by choosing , the model is capable of calculating the optimal selection of security controls with respect to this requirement.
Figure 3: Relation between ROSI, ALE, and cost of solution
for decreasing quality of solution ( = 0, . . . , 6)
To demonstrate how this approach contributes to efficiently increase security, SCSP is solved optimally with = 1 and the solution ($sc_2 = 1$, $sc_5 = 1$, $sc_6 = 1$) is analyzed applying a Monte Carlo simulation which is based on repeated random sampling to obtain concrete results for the stochastic parameters. For this purpose, the stochastic model is implemented using @RISK by Palisade Corporation and the simulation is conducted with 10,000 iterations (Palisade Corporation, 2013). In each iteration the probability distributions take on a specific value which is used for the calculation.
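
The deterministic SCSP (12)-(18) applied to the data of Tables 4 to 7, as an added example that is not the authors' Xpress implementation: with ten binary decision variables, all 1,023 non-empty selections can be enumerated instead of calling a nonlinear solver. It assumes that the yearly cost in (11) is multiplied by the planning period (3 years here) and that the deviation parameter enters as the factor written in (16), so a value of 1 allows twice the lower-bound ALE; the names `ale`, `cost`, `rosi`, `solve_scsp`, `max_dev` and `years` are chosen for this example.

```python
"""Security Controls Selection Problem (SCSP), solved by full enumeration."""
from itertools import combinations
from math import prod

# Table 4: threat success probability, occurrences per year, SLE in USD
P_T = [0.8, 0.5, 0.1, 0.5, 0.1]
N = [100, 50, 10, 20, 10]
SLE = [20_000] * 5

# Table 5: P_V[i][j], probability that threat i+1 exploits vulnerability j+1
P_V = [
    [0.5, 0.5, 0.0, 0.0, 0.1, 0.0],
    [0.8, 0.0, 0.5, 0.0, 0.0, 0.0],
    [0.1, 0.5, 0.1, 0.8, 0.0, 0.0],
    [0.1, 0.5, 0.1, 0.1, 0.0, 0.8],
    [0.1, 0.1, 0.1, 0.5, 0.8, 0.0],
]

# Table 6: P_C[j][k], probability that control k+1 protects vulnerability j+1
P_C = [
    [0.0, 0.8, 0.0, 0.1, 0.0, 0.8, 0.0, 0.0, 0.0, 0.0],
    [0.0, 0.0, 0.0, 0.1, 0.8, 0.5, 0.1, 0.0, 0.0, 0.1],
    [0.0, 0.5, 0.0, 0.0, 0.5, 0.1, 0.1, 0.0, 0.0, 0.1],
    [0.8, 0.0, 0.8, 0.8, 0.0, 0.5, 0.1, 0.1, 0.0, 0.1],
    [0.5, 0.0, 0.5, 0.5, 0.5, 0.0, 0.0, 0.1, 0.1, 0.5],
    [0.0, 0.0, 0.1, 0.0, 0.8, 0.0, 0.0, 0.0, 0.5, 0.0],
]

# Table 7: initial and yearly cost per control in USD
C_INIT = [30_000, 15_000, 10_000, 5_000, 15_000, 5_000, 5_000, 25_000, 15_000, 5_000]
C_YEAR = [2_500, 2_500, 40_000, 2_500, 50_000, 1_000, 5_000, 0, 10_000, 5_000]
K = len(C_INIT)


def ale(selected):
    """Constraint (13): expected annual loss for a set of 1-based control numbers.

    ale(()) is the upper bound (15); ale(range(1, K + 1)) is the lower bound (14).
    """
    total = 0.0
    for i, row in enumerate(P_V):
        no_exploit = 1.0
        for j, p_v in enumerate(row):
            # probability that every selected control on vulnerability j fails
            controls_fail = prod(1.0 - P_C[j][k - 1] for k in selected)
            no_exploit *= 1.0 - p_v * controls_fail       # 1 - p^ve_ij, eq. (7)
        p_aro = P_T[i] * (1.0 - no_exploit)               # eq. (8)
        total += SLE[i] * N[i] * p_aro                    # eq. (10)
    return total


def cost(selected, years):
    """Cost of solution; multiplying the yearly cost by `years` is an assumption."""
    return sum(C_INIT[k - 1] + years * C_YEAR[k - 1] for k in selected)


def rosi(selected, years):
    """Objective (12): (ALE_U - ALE - C) / C."""
    c = cost(selected, years)
    return (ale(()) - ale(selected) - c) / c


def solve_scsp(max_dev, years):
    """Return (best ROSI, selection) among selections satisfying constraint (16)."""
    limit = (1.0 + max_dev) * ale(range(1, K + 1))
    best = None
    for size in range(1, K + 1):
        for sel in combinations(range(1, K + 1), size):
            if ale(sel) > limit:
                continue                                  # violates (16)
            value = rosi(sel, years)
            if best is None or value > best[0]:
                best = (value, sel)
    return best


if __name__ == "__main__":
    value, sel = solve_scsp(max_dev=1.0, years=3)
    print(f"ALE without controls: {ale(()):,.0f} USD")
    print(f"ALE with all controls: {ale(range(1, K + 1)):,.0f} USD")
    print(f"Selected controls: {sel}")
    print(f"ALE: {ale(sel):,.0f} USD, cost: {cost(sel, 3):,} USD, ROSI: {value:.2f}")
```

For a deviation of 1 and a three-year planning period the enumeration returns controls 2, 5 and 6, the selection analyzed in the text.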
j/k  1     2     3     4     5     6     7     8     9     10
1    0     0.8   0     0.1   0     0.8   0     0     0     0
2    0     0     0     0.1   0.8   0.5   0.1   0     0     0.1
3    0     0.5   0     0     0.5   0.1   0.1   0     0     0.1
4    0.8   0     0.8   0.8   0     0.5   0.1   0.1   0     0.1
5    0.5   0     0.5   0.5   0.5   0     0     0.1   0.1   0.5
6    0     0     0.1   0     0.8   0     0     0     0.5   0
Table 6: Example probabilities that a security control prevents a threat from exploiting a vulnerability ($p^c_{jk}$).

To examine the implementation of the optimal solution for = 1, the density of the maximal damage is first depicted in Figure 4. The maximal damage is obtained by calculating the damage without the implementation of any security controls. As expected, the mean value ($ 1,917,694) is almost identical to the result of the deterministic model. The probability density plot, however, shows that a damage realization of more than $ 1.917 million is very likely with a probability of 71.6%. This fact emphasizes the need for effective controls. The gap between $ 1 million and $ 1.5 million is caused by the structure of the threats. $T_1$ is causing a damage shift due to its high success probability ($p^t_1 = 0.8$).
Figure 4: Probability density plot with cumulative overlay of maximal damage with no implementation of controls.
When implementing the optimal solution of SCSP for = 1, the simulation produces a completely different outcome. As can be seen in Figure 5, the probability density of the actual damage shows significantly smaller realizations compared to the maximal damage. There is in fact a 30.4 % chance that no damage occurs. The probability of a realization of more than $ 1.917 million is reduced to 3.4 % when implementing controls according to the solution. As can be seen, the shape of the density function is now flattened out and in particular high realizations are very rare. The previous gap is hardly visible anymore, as the applied solution is consisting of controls that have a distinct influence on vulnerabilities which are exploitable by $T_1$. The superiority of this solution is particularly obvious when examining the cumulated probability density of both cases, as the actual damage is clearly ranked as superior to the maximal damage.
Figure 5: Probability density plot with cumulative overlay of
actual damage based on the implementation of the
optimal solution for = 1.
6. Conclusion
With the emergence of cloud computing, organizations are confronted with a new situation which requires, more than before, a solid evaluation of their systems and the establishment of proper security controls. The security of cloud-based systems is to a large extent assured by the service provider but still needs to be complemented by additional security controls which have to be implemented by the consumer of the service.
In this paper, a quantitative approach is introduced to support the decision maker in selecting such compensating controls in a cost-effective manner. The corresponding model is taking into account how threats are arising in a cloud context and adds the element of uncertainty. By defining the stochastic structure it becomes possible to determine how much damage can be expected with respect to different security solutions. In addition, by leveraging well-established methods of mathematical optimization it is possible to select the best possible investment strategy.
Simulations of possible threat scenarios have shown that the developed approach is providing a significant improvement of security. However, the modeling still leaves room for improvement with respect to the representation of uncertainty. In case of extreme events the utilization of expected values in the deterministic counterpart of the model may cause undesired properties of the solution. To avoid this, the applicability of other modeling approaches and decision criteria are currently under consideration. Possible approaches include the use of different measures of dispersion, other risk measures like Value at Risk, and multiple criteria decision making.

k         1      2      3     4      5     6    7    8     9     10
$c^0_k$   30K    15K    10K   5K     15K   5K   5K   25K   15K   5K
$c^y_k$   2.5K   2.5K   40K   2.5K   50K   1K   5K   0     10K   5K
Table 7: Example probabilities that a security control prevents a threat from exploiting a vulnerability ($p^c_{jk}$).

References
Armbrust, M. et al. (2009) Above the Clouds: A Berkeley View of Cloud Computing. Berkeley: EECS Department, University of California.
Ben Aissa, A., Abercrombie, R.K., Sheldon, F.T. & Mili, A. (2010) 'Quantifying security threats and their potential impacts: A case study', Innovations in Systems and Software Engineering, Vol. 6, No. 4, December, pp. 269-281.
Berinato, S. (2002) 'Finally, a real return on security spending', CIO Magazine.
Böhme, R. & Nowey, T. (2005) 'Economic Security Metrics'. In: I. Eusgeld, F. C. Freiling & R. Reussner, eds. Dependability Metrics. Berlin: Springer, pp. 176-187.
Bojanc, R. & Jerman-Blažič, B. (2008) 'An economic modelling approach to information security risk management', International Journal of Information Management, Vol. 28, No. 5, October, pp. 413-422.
Chen, Y., Boehm, B. & Sheppard, L. (2007) 'Value Driven Security Threat Modeling Based on Attack Path Analysis', Proceedings of the 40th Annual Hawaii International Conference on System Sciences, January, p. 280a.
Cloud Security Alliance (2011) Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. [online] Available at: https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf.
European Network and Information Security Agency (2012) Introduction to Return on Security Investment - Helping CERTs assessing the cost of (lack of) security, Heraklion: ENISA.
FICO (2012) FICO Xpress-SLP. [online] Available at: http://www.fico.com/en/products/dmtools/xpress-overview/pages/xpress-slp.aspx.
German Federal Office for Information Security (2005) IT-Grundschutz Catalogues, Bonn: BSI.
Jansen, W. & Grance, T. (2011) Guidelines on Security and Privacy in Public Cloud Computing, Gaithersburg: National Institute of Standards and Technology.
Levin, M.S. & Danieli, M.A. (2005) 'Hierarchical Decision Making Framework for Evaluation and Improvement of Composite Systems (Example for Building)', Informatica, Vol. 16, No. 2, April, pp. 213-240.
Mell, P. & Grance, T. (2011) The NIST Definition of Cloud Computing, National Institute of Standards and Technology, Gaithersburg.
Open Web Application Security Project (2013) OWASP Top Ten Project. [online] Available at: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project.
Palisade Corporation (2013) @RISK: Risk Analysis Software using Monte Carlo Simulation for Excel. [online] Available at: http://www.palisade.com/risk/.
Rabai, L.B.A., Jouini, M., Ben Aissa, A. & Mili, A. (2013) 'A cybersecurity model in cloud computing environments', Journal of King Saud University - Computer and Information Sciences, Vol. 25, No. 1, January, pp. 63-75.
Ryan, J.J. et al. (2012) 'Quantifying information security risks using expert judgment elicitation', Computers & Operations Research, Vol. 39, No. 4, April, pp. 774-784.
Sonnenreich, W., Albanese, J. & Stout, B. (2006) 'Return On Security Investment (ROSI) - A Practical Quantitative Model', Journal of Research and Practice in Information Technology, Vol. 38, No. 1, February, pp. 55-66.
Todorov, D. (2007) Mechanics of User Identification and Authentication: Fundamentals of Identity Management, Auerbach Publications, Boca Raton.
Tsiakis, T. (2010) 'Information Security Expenditures: A Techno-Economic Analysis', International Journal of Computer Science and Network Security, Vol. 10, No. 4, April, pp. 7-11.
Vaquero, L.M., Rodero-Merino, L., Caceres, J. & Lindner, M. (2008) 'A Break in the Clouds: Towards a Cloud Definition', ACM SIGCOMM Computer Communication Review, Vol. 39, No. 1, January, pp. 50-55.
