Venue: International Conference on Cloud Security Management

A Quantitative Threat Modeling Approach to Maximize the Return on Security Investment in Cloud Computing



Abstract

The number of threats to cloud-based systems is increasing, and so is the demand for effective approaches to assess and improve the security of such systems. The loss, manipulation, disclosure, or simply the unavailability of information may lead to expenses, missed profits, or even legal consequences. This implies the need for effective security controls as well as practical methods to evaluate and improve cloud security. Due to the pervasive nature of cloud computing, threats are not limited to the physical infrastructure but permeate all levels of an organization. Most research in cloud security, however, focuses on technical issues regarding network security, virtualization, data protection, and other related topics. The question of how to evaluate and, in a second step, improve the organization-wide security of a cloud has been the subject of little research. As a consequence, uncertainty remains among organizations regarding the protection needs of cloud-based systems. To support decision makers in choosing cost-effective security controls, a stochastic cloud security risk model is introduced in this paper. The model is based on the practical experience that a threat agent is able to penetrate web-based cloud applications by successfully exploiting one of many possible attack paths. Each path originates from the combination of an attack vector and a security weakness and, if successfully exploited, results in a negative business impact. Although the corresponding risks are usually treated by an organization in its risk management, existing approaches fail to evaluate the problem in a holistic way. The integrated threat model presented in this paper leverages quantitative modeling and mathematical optimization to select security controls in order to maximize the Return on Security Investment (ROSI) according to the complete threat landscape.
The model is designed to be applied within the framework of an existing risk management process and to quantify security risks using expert judgment elicitation. The results indicate that even small security investments yield a significant risk reduction. This characteristic is consistent with the principle of diminishing marginal utility of security investments and emphasizes the importance of well-founded business decisions in the field of IT security.
