The present invention relates to a security investment method and an apparatus thereof and, more specifically, to a security investment method based on a security risk evaluation in a cloud computing environment and an apparatus thereof. The security investment method based on a security risk evaluation comprises the steps of: setting, according to the type of a cloud service, at least one security threat which may occur in the cloud service and a vulnerability for each security threat; hierarchically connecting a vulnerability for each detailed attack step constituting one security threat, simplifying identical vulnerabilities into a single vulnerability node if the vulnerabilities included in a first security threat and a second security threat are the same, and generating an attack tree map by connecting the first security threat and the second security threat to the unified vulnerability node; matching to each vulnerability node of the attack tree map a security control item that remedies the corresponding vulnerability; calculating a weak score of each vulnerability node by using the child node structure and the correlation of the vulnerability node; and summing the weak scores for each security control item and quantitatively evaluating the security risk of the cloud service by using the sums. According to the present invention, the security risk is evaluated by considering the attack steps of a security threat which may occur in a cloud environment, so that a more accurate security evaluation can be performed by excluding duplicate evaluation of an attack step shared by several threats.
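As an added illustration (not code from the patent), the following Python sketches the merge-then-score procedure described above: each threat is an ordered list of attack steps, a vulnerability shared by several threats collapses into one node, and the node scores are summed per security control item. The scoring rule (base severity times the number of threats sharing the node, plus half of the child-step scores), the sample threats, severities and control names are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample data: threats as ordered attack steps naming vulnerabilities.
THREATS = {
    "T1 account takeover": ["V_weak_auth", "V_overprivileged_role", "V_data_exfil"],
    "T2 tenant data leak": ["V_misconfig_storage", "V_data_exfil"],
}
BASE_SEVERITY = {"V_weak_auth": 3, "V_overprivileged_role": 2,
                 "V_data_exfil": 4, "V_misconfig_storage": 3}
CONTROL_FOR = {"V_weak_auth": "MFA", "V_overprivileged_role": "IAM least privilege",
               "V_data_exfil": "DLP/egress monitoring",
               "V_misconfig_storage": "storage policy baseline"}


def build_attack_tree(threats):
    """Return (nodes, children): nodes maps vuln -> set of threats using it (a vuln
    appearing in several threats becomes ONE node); children maps vuln -> next steps."""
    nodes, children = defaultdict(set), defaultdict(set)
    for threat, steps in threats.items():
        for i, v in enumerate(steps):
            nodes[v].add(threat)
            if i + 1 < len(steps):
                children[v].add(steps[i + 1])
    return dict(nodes), dict(children)


def weak_score(v, nodes, children, base, memo=None, stack=()):
    """Assumed rule: own severity x threats sharing the node (correlation),
    plus half the scores of child steps (child-node structure). Cycles score 0."""
    memo = {} if memo is None else memo
    if v in memo:
        return memo[v]
    if v in stack:
        return 0.0
    own = base[v] * len(nodes[v])
    sub = sum(weak_score(c, nodes, children, base, memo, stack + (v,))
              for c in children.get(v, ()))
    memo[v] = own + 0.5 * sub
    return memo[v]


def score_controls(threats=THREATS, base=BASE_SEVERITY, control_for=CONTROL_FOR):
    """Sum weak scores per control item; also report node count vs raw step count
    to show how many duplicate evaluations the merge removed."""
    nodes, children = build_attack_tree(threats)
    memo, per_control = {}, defaultdict(float)
    for v in nodes:
        per_control[control_for[v]] += weak_score(v, nodes, children, base, memo)
    raw_steps = sum(len(s) for s in threats.values())
    return dict(per_control), len(nodes), raw_steps


if __name__ == "__main__":
    scores, merged, raw = score_controls()
    print(f"{raw} attack steps merged into {merged} vulnerability nodes")
    for control, s in sorted(scores.items(), key=lambda kv: -kv[1]):
        print(f"{s:5.1f}  {control}")
```

Controls ranked by summed weak score are the candidates for security investment; here the shared exfiltration node scores highest because two threats depend on it.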