
Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud?

Chapter in: Advances in Core Computer Science-Based Technologies

Part of the book series: Learning and Analytics in Intelligent Systems (LAIS, volume 14)

Abstract

Cloud computing is a type of service that allows computing resources to be used remotely, rather than a new technology. Various services exist on demand, ranging from data storage and processing to software as a service, such as email and development platforms. Cloud computing enables ubiquitous, on-demand network access to a shared pool of configurable resources, such as servers and applications, that can be accessed, altered or even restored rapidly with minimal service provider interaction or management effort. Still, the rapid growth of cloud computing has introduced new security issues. Key factors are the loss of control over outsourced resources and cloud computing's inherent security vulnerabilities. Managing these risks requires the adoption of an effective risk management method, capable of involving both the Cloud customer and the Cloud Service Provider. Risk assessment methods are common tools amongst IT security consultants for managing the risk of entire companies. Still, traditional risk management methodologies have trouble handling cloud services. Extending our previous work, the purpose of this paper is to compare and examine whether popular risk management methods and tools (e.g. NIST SP800, EBIOS, MEHARI, OCTAVE, IT-Grundschutz, MAGERIT, CRAMM, HTRA, Risk-Safe Assessment, CORAS) are suitable for cloud computing environments. Specifically, based upon existing literature, this paper points out the essential characteristics that any risk assessment method addressed to cloud computing should incorporate, and suggests three new ones that are more appropriate based on their features.



Author information

Correspondence to Dimitris Gritzalis.


Copyright information

© 2021 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Gritzalis, D., Stergiopoulos, G., Vasilellis, E., Anagnostopoulou, A. (2021). Readiness Exercises: Are Risk Assessment Methodologies Ready for the Cloud? In: Tsihrintzis, G., Virvou, M. (eds) Advances in Core Computer Science-Based Technologies. Learning and Analytics in Intelligent Systems, vol 14. Springer, Cham. https://doi.org/10.1007/978-3-030-41196-1_6

  • DOI: https://doi.org/10.1007/978-3-030-41196-1_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-41195-4

  • Online ISBN: 978-3-030-41196-1