Models for Cloud Risk Assessment: A Tutorial

  • Erdal CayirciEmail author
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8937)


Although the technology for cloud services has been maturing for more than a decade, many potential users still have some concerns about the security and especially privacy. Users need to analyze the risks to face prior to embracing the cloud concept. Recently, many organizations and researchers assessed the cloud risks. There are also both quantitative and qualitative models developed for this purpose. Our tutorial first introduces the definitions and then provides a survey on the results from cloud risk assessment efforts and risk models developed for cloud.


Risk assessment Risk analysis Risk management Risk modeling Trust Cloud Security Privacy Service ENISA CNIL CSA 



This work was supported by EU FP7 Accountability for Cloud and Other Future Internet Services (A4Cloud) Project.


  1. 1.
    ENISA, Cloud Computing; Benefits, Risks and Recommendations for Information Security, 2009 Edition, June 2014.
  2. 2.
  3. 3.
  4. 4.
    CSA, Security, Trust & Assurance Registry (STAR), June 2014.
  5. 5.
    Kaplan, S., Garrick, B.J.: On the quantitative definition of risk. Risk Anal. 1(1), 11–27 (1981)CrossRefGoogle Scholar
  6. 6.
    Cayirci, E.: Joint trust and risk model for MSaaS mashups. In: Pasupathy, R., Kim, S.-H., Tolk, A., Hill, R., Kuhl, M.E. (eds.) Proceedings of the 2013 Winter Simulation Conference, pp. 1347–1358. Institute of Electrical and Electronics Engineers, Inc., Piscataway (2013)CrossRefGoogle Scholar
  7. 7.
    Cayirci, E., Garaga, A., Oliveira, A.S., Roudier, Y.: Cloud adopted risk assessment model. In: International Workshop on Advances in Cloud Computing Legislation, Accountability, Security and Privacy (CLASP) (2014)Google Scholar
  8. 8.
    Jansen, W., Grance, T.: Guidelines on security & Privacy, Draft Special Publication 800-144 NIST, US Department of Commerce (2011)Google Scholar
  9. 9.
    Pearson, S., Charlesworth, A.: Accountability as a way forward for privacy protection in the cloud. In: Jaatun, M.G., Zhao, G., Rong, C. (eds.) Cloud Computing. LNCS, vol. 5931, pp. 131–144. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  10. 10.
    DHS, DHS Risk Lexicon. Department of Homeland Security (2008)Google Scholar
  11. 11.
    Ezell, B.C., Bennet, S.P., Von Winterfeldt, D., Sokolowski, J., Collins, A.J.: Probabilistic risk analysis and terrorism risk. Risk Anal. 30(4), 575–589 (2010)CrossRefGoogle Scholar
  12. 12.
    Cayirci, E.: Modelling and Simulation as a Service: A Survey. In: Pasupathy, R., Kim, S.-H., Tolk, A., Hill, R., Kuhl, M.E. (eds.) Proceedings of the 2013 Winter Simulation Conference, pp. 389–400. Institute of Electrical and Electronics Engineers Inc, Piscataway (2013)CrossRefGoogle Scholar
  13. 13.
    Rousseau, D., Sitkin, S., Burt, R., Camerer, C.: Not so different after all: a cross-discipline view of trust. Acad. Manag. Rev. 23(3), 393–404 (1998)CrossRefGoogle Scholar
  14. 14.
    Pearson, S.: Privacy, security and trust in cloud computing. In: Pearson, S., Yee, G. (eds.) Privacy and Security for Cloud Computting, Computer Communications and Networks, pp. 3–42. Springer-Verlag, New York (2012)Google Scholar
  15. 15.
    Rashidi, A., Movahhedinia, N.: A model for user trust in cloud computing. Int. J. Cloud Comput. Serv. Archit. (IJCCSA) 2(2), 1–8 (2012)Google Scholar
  16. 16.
    Li, W., Ping, L.: Trust model to enhance security and interoperability of cloud environment. In: Jaatun, M.G., Zhao, G., Rong, C. (eds.) Cloud Computing. LNCS, vol. 5931, pp. 69–79. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  17. 17.
    Marsh, S.: Formalising Trust as a Computational Concept. Doctoral dissertation, University of Stirling (1994)Google Scholar
  18. 18.
    Banerjee, S., Mattmann, C., Medvidovic, N., Golubchik, L.: Leveraging architectural models to inject trust into software systems. In: Proceedings of the SESS 2005, pp. 1–7. ACM, New York (2005)Google Scholar
  19. 19.
    Mayer, R.C., Davis, J.H., Schoorman, F.D.: An integrative model of organizational trust. Acad. Manag. Rev. 20(3), 709–734 (1995)Google Scholar
  20. 20.
    Wang, Y., Lin, K.-J.: Reputation-oriented trustworthy computing in e-commerce environments. Internet Comput. 12(4), 55–59 (2008)CrossRefGoogle Scholar
  21. 21.
    Osterwalder, D.: Trust through evaluation and certification. Soc. Sci. Comput. Rev. 19(1), 32–46 (2001). Sage Publications, Inc.CrossRefGoogle Scholar
  22. 22.
    Singh, S., Morley, C.: Young australians’ privacy, security and trust in internet banking. In: Proceedings of the 21st Annual Conference of the Australian Computer-Human Interaction Special Interest Group: Design: Open 24/7 (2009)Google Scholar
  23. 23.
    Ko, R.K.L., Jagadpramana, P., Mowbray, M., Pearson, S., Kirchberg, M., Liang, Q., Lee, B.S.: TrustCloud: a framework for accountability and trust in cloud computing. In: 2nd IEEE Cloud Forum for Practitioners (ICFP) (2011)Google Scholar
  24. 24.
    Kandukuri, B.R., Paturi, R., Rakshit, V.A.: Cloud security issues. In: IEEE International Conference on Services Computing (2009)Google Scholar
  25. 25.
    Khan, K., Malluhi, Q.: Trust in cloud services: providing more controls to clients. IEEE Comput. 46(7), 94–96 (2013)CrossRefGoogle Scholar
  26. 26.
    Singhal, M., Chandrasekhar, S., Tingjian, G., Sandhu, R., Krishnan, R., Gail-Joon, A., Bertino, E.: Collaboration in multicloud computing environments: framework and security issues. IEEE Comput. Mag. 46(2), 76–84 (2013)CrossRefGoogle Scholar
  27. 27.
    Simmonds, P., Rezek, C., Reed, A.: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0 (No. 3.0) (p. 177). Cloud Security Alliance (2011).
  28. 28.
    ISACA, COBIT 5: A Business Framework for the Governence and Management of Enterprise IT, June 2014.
  29. 29.
    ISO/IEC 31010, Risk Management-Risk Assesment Techniques (2009 Edition), June 2014.
  30. 30.
    CSA, Consensus Assessment Initiative Questionnaire, June 2014.
  31. 31.
    CNIL, Methodology for Privacy Risk Management: How to Implement the Data Protection Act, 2012 Edition, June 2014.
  32. 32.
    WEKA: Data Mining Software in Java, June 2014.

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Electrical and Computer Engineering DepartmentUniversity of StavangerStavangerNorway

Personalised recommendations