Possibilistic Assessment of Process-Related Disclosure Risks on the Cloud

  • Valerio Bellandi
  • Stelvio Cimato
  • Ernesto Damiani
  • Gabriele Gianini
Part of the Studies in Computational Intelligence book series (SCI, volume 617)


Business processes that involve storing or transmitting personal data are subject to strict regulatory and compliance requirements. The choice of deploying such processes on a shared platform like the cloud hinges on the process owner being convinced that the cloud platform is fully compliant with regulations.


Keywords: Cloud computing, Risk assessment, Secure computation, Possibility Theory



This work was partly supported by the European Commission within the PRACTICE project (contract n. FP7-609611), by the Italian MIUR project SecurityHorizons (c.n. 2010XSEMLC), and by the CMIRA2014/AcceuilPro (Subv. 14.004390) and COOPERA program of the Region Rhone-Alpes, France.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Valerio Bellandi (1)
  • Stelvio Cimato (1)
  • Ernesto Damiani (1)
  • Gabriele Gianini (1)

  1. Department of Computer Science, Università degli Studi di Milano, Milano, Italy
