The present invention relates to a security investment method and apparatus, and more particularly to a security investment method and apparatus based on security risk assessment in a cloud computing environment. According to the present invention, there is provided a security investment method based on security risk assessment, comprising the steps of: establishing, according to the type of cloud service, one or more security threats that may occur in the cloud service and the vulnerabilities of each security threat; generating an attack tree map by connecting a first security threat and a second security threat, wherein the first and second security threats are hierarchically connected to their vulnerabilities by attack step, and when a vulnerability included in the first security threat is the same as one included in the second security threat, the shared vulnerability is unified into a single vulnerability node; matching to each vulnerability node of the attack tree map a security control item that remedies that vulnerability; calculating a vulnerability score for each vulnerability node using the child node structure and the correlation degree of the vulnerability node; summing the vulnerability scores for each security control item; and quantitatively evaluating the security risk of the cloud service using the summed scores. According to the present invention, a more accurate security evaluation is achieved because evaluating the security risk in consideration of the attack steps of the security threats that may occur in a cloud environment excludes double evaluation of overlapping attacks.
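The following added example (not code from the patent) illustrates the method described above: two threats expressed as attack-step chains are merged into one attack tree map, a step shared by both threats becomes a single vulnerability node, each node is matched to a security control item, and scores are summed per control item. The threat names, vulnerability names, control items, severity and correlation values, and the scoring rule (base severity plus correlation-weighted child scores) are all assumptions constructed for illustration; the patent does not specify them.

```python
from dataclasses import dataclass, field

# Constructed sample: two security threats against a hypothetical IaaS service, each an
# ordered chain of attack steps (vulnerability names). "weak-api-auth" appears in both
# threats and must become a single node in the attack tree map.
THREATS = {
    "T1 tenant data theft":   ["weak-api-auth", "missing-tenant-isolation", "unencrypted-volume"],
    "T2 hypervisor takeover": ["weak-api-auth", "unpatched-hypervisor"],
}
# Hypothetical attributes per vulnerability: (matched security control item,
# base severity, correlation degree applied to its child steps). Values are constructed.
VULN_ATTRS = {
    "weak-api-auth":            ("SC-01 strong API authentication", 0.6, 0.8),
    "missing-tenant-isolation": ("SC-02 tenant isolation",          0.5, 0.7),
    "unencrypted-volume":       ("SC-03 storage encryption",        0.4, 1.0),
    "unpatched-hypervisor":     ("SC-04 hypervisor patching",       0.9, 1.0),
}

@dataclass
class VulnNode:
    name: str
    control: str
    base: float
    correlation: float
    children: dict = field(default_factory=dict)  # name -> VulnNode; dict key dedups edges

def build_attack_tree(threats, attrs):
    """Return {vuln_name: VulnNode} with exactly one node per distinct vulnerability."""
    nodes = {}
    for steps in threats.values():
        prev = None
        for name in steps:
            if name not in nodes:                       # unify shared vulnerabilities
                control, base, corr = attrs[name]
                nodes[name] = VulnNode(name, control, base, corr)
            if prev is not None:
                prev.children[name] = nodes[name]       # hierarchical link by attack step
            prev = nodes[name]
    return nodes

def node_score(node):
    """Assumed scoring rule: base severity plus correlation-weighted scores of child steps."""
    return node.base + node.correlation * sum(node_score(c) for c in node.children.values())

def risk_by_control(nodes):
    """Sum each vulnerability node's score under its matched security control item."""
    totals = {}
    for n in nodes.values():
        totals[n.control] = totals.get(n.control, 0.0) + node_score(n)
    return totals

def total_risk(nodes):
    return sum(risk_by_control(nodes).values())

def per_threat_total(threats, attrs):
    """Scoring each threat on its own tree counts the shared step once per threat."""
    return sum(total_risk(build_attack_tree({t: s}, attrs)) for t, s in threats.items())
```

With the constructed values the unified tree yields a total of 4.024, while scoring each threat separately yields 4.624; the 0.6 difference is the base severity of the shared "weak-api-auth" node that the unified map counts only once.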