Trustworthy Selection of Cloud Providers Based on Security and Privacy Requirements: Justifying Trust Assumptions

  • Michalis Pavlidis
  • Haralambos Mouratidis
  • Christos Kalloniatis
  • Shareeful Islam
  • Stefanos Gritzalis
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8058)


Cloud computing is a new paradigm with a promising potential. However, issues of security, privacy, and trust raise concerns and discourage its adoption. In previous work we presented a framework for the selection of appropriate cloud provider based on security and privacy requirements criteria. However, the adoption of cloud includes release of control over valuable assets, which constitutes trust in the cloud provider of paramount importance. In this paper we extend the framework by incorporating trust and control concepts in its language and adding a new activity to properly identify and reason about trust assumptions during the selection of appropriate cloud provider. Also, the CASE tool was extended to support the new activity. A case study is used to illustrate the usefulness of our approach.


Cloud Computing Security Privacy Requirements Trust Control 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Kalloniatis, C., Mouratidis, H., Islam, S.: Evaluating Cloud Deployment Scenarios Based on Security and Privacy Requirements. Requirements Engineering Journal, REJ (2013),
  2. 2.
    Mouratidis, H., Islam, S., Kalloniatis, C., Gritzalis, S.: A framework to support selection of cloud providers based on security and privacy requirements. To appear in Journal of Systems and Software (2013)Google Scholar
  3. 3.
    Mouratidis, H., Giorgini, P.: Secure Tropos: a Security-Oriented Extension of the Tropos Methodology. International Journal of Software Engineering and Knowledge Engineering 17(2), 285–309 (2007)CrossRefGoogle Scholar
  4. 4.
    Kalloniatis, C., Kavakli, E., Gritzalis, S.: Addressing privacy requirements in system design: The PriS method. Requirements Engineering Journal 13(3), 241–255 (2008)CrossRefGoogle Scholar
  5. 5.
    Giorgini, P., Mylopoulos, J., Nicchiarelli, E., Sebastiani, R.: Reasoning with Goal Models. In: Spaccapietra, S., March, S.T., Kambayashi, Y. (eds.) ER 2002. LNCS, vol. 2503, pp. 167–181. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  6. 6.
    Castelfranchi, C., Falcone, R.: Trust Is Much More than Subjective Probability: Mental Components and Sources of Trust. In: 33rd International Conference on System Sciences, Hawaii (2000)Google Scholar
  7. 7.
    Pavlidis, M., Islam, S., Mouratidis, H., Kearney, P.: Modeling Trust Relationships for Developing Trustworthy Information Systems. International Journal of Information Systems Modelling and Design 5(1) (2014)Google Scholar
  8. 8.
    Pavlidis, M., Mouratidis, H., Islam, S.: Dealing with Trust and Control: A Meta-Model for Trustworthy Information Systems Development. In: Sixth IEEE International Conference on Research Challenges in Information Science, Valencia, Spain (2012)Google Scholar
  9. 9.
    Mollering, G.: The Trust/Control Duality: An Integrative Perspective on Positive Expectations of Others. International Sociology 20(3), 283–305 (2005)CrossRefGoogle Scholar
  10. 10.
    Schneider, K., Knauss, E., Houmb, S.H., Islam, S., Jürjens, J.: Enhancing Security Requirements Engineering by Organisational Learning. Requirements Engineering Journal (REJ) 17(1), 35–36 (2012)CrossRefGoogle Scholar
  11. 11.
    Mead, N.R., Steheny, T.: Security Quality Requirements Engineering (SQUARE) methodology. SIGSOFT Software Engineering Notes 30(4), 1–7 (2005)CrossRefGoogle Scholar
  12. 12.
    Houmb, S.H., Islam, S., Knauss, E., Jürjens, J., Schneider, K.: Eliciting Security Requirements and Tracing them to Design: An Integration of Common Criteria, Heuristics, and UMLsec. Requirements Engineering Journal 15(1), 63–93 (2010)CrossRefGoogle Scholar
  13. 13.
    Deng, M., Wuyts, K., Scandariato, R., Preneel, B., Joosen, W.: A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements. Requirements Engineering Journal 16(1), 3–32 (2011)CrossRefGoogle Scholar
  14. 14.
    Smith Gillam, L., Li, B., O’Loughlin, J.: Adding Cloud Performance To Service Level Agreements. In: 2nd International Conference on Cloud Computing and Services Science (CLOSER), Portugal (2012)Google Scholar
  15. 15.
    Islam, S., Mouratidis, H., Weippl, E.: A Goal-driven Risk Management Approach to Support Security and Privacy Analysis of Cloud-based System. In: Security Engineering for Cloud Computing: Approaches and Tools. IGI Global Publication (2012)Google Scholar
  16. 16.
    Wenzel, S., Wessel, C., Humberg, T., Jürjens, J.: Securing Processes for Outsourcing into the Cloud. In: 2nd International Conference on Cloud Computing and Services Science. SciTe Press (2012)Google Scholar
  17. 17.
    Khajeh-Hosseini, A., Sommerville, I., Bogaerts, J., Teregowda, P.: Decision Support Tools for Cloud Migration in the Enterprise. In: 4th International Conference on Cloud Computing. IEEE Computer Society (2011)Google Scholar
  18. 18.
    Ko, R., Jagadprama, P.: TrustCloud: A Framework for Accountability and Trust in Cloud Computing. In: World Congress on Services (2011)Google Scholar
  19. 19.
    Peterson, G.: Don’t Trust. And Verify: Security Architecture Stack for the Cloud. IEEE Security and Privacy (September/October 2010)Google Scholar
  20. 20.
    Pearson, S., Benameur, A.: Privacy, Security and Trust Issues Arising from Cloud Computing. In: 2nd IEEE International Conference on Cloud Computing Technology and Science (2010)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2013

Authors and Affiliations

  • Michalis Pavlidis
    • 1
  • Haralambos Mouratidis
    • 1
  • Christos Kalloniatis
    • 2
  • Shareeful Islam
    • 1
  • Stefanos Gritzalis
    • 3
  1. 1.School of Architecture, Computing and EngineeringUniversity of East LondonU.K.
  2. 2.Cultural Informatics Laboratory, Dept. Of Cultural Technology and CommunicationUniversity of the AegeanGreece
  3. 3.Laboratory of Information and Communication Systems Security, Dept. of Information and Communications Systems EngineeringUniversity of the AegeanGreece

Personalised recommendations