The present invention relates to a security investment method and apparatus and, more specifically, to a security investment method and apparatus based on security risk evaluation in a cloud computing environment. The security investment method based on security risk evaluation comprises the steps of: identifying, according to the cloud service type, at least one security threat that can arise in the cloud service and setting the vulnerabilities for each security threat; generating an attack tree map in which a vulnerability shared by two or more security threats is merged into a single node; matching to each vulnerability node of the attack tree map a security control item that remedies the relevant vulnerability; calculating a vulnerability score for each vulnerability node using the structure and correlation of its child nodes; and summing the vulnerability scores for each security control item and using those sums to quantitatively evaluate the security risk of the cloud service. According to the present invention, the security risk can be evaluated while taking into account the attack steps of a security threat that may occur in a cloud environment, and a more accurate security assessment can be performed because a duplicated attack step is not evaluated twice.
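The scoring and aggregation steps above, as an added illustration rather than code from the patent: a shared vulnerability is a single node referenced from several threats, each node is scored once from its child nodes, and the scores are summed per security control item. The node names, base scores, control names and the scoring rule (child steps combined as a probabilistic OR, standing in for the "correlation" the abstract mentions) are all assumptions for the sample.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from math import prod

@dataclass(eq=False)  # identity equality: a shared vulnerability is one object
class Node:
    name: str
    base: float                  # assumed exploitability of this step, in [0, 1]
    control: str | None = None   # security control item matched to the node
    children: list[Node] = field(default_factory=list)

def score(node, memo):
    """Assumed rule: leaf = base; internal = base * P(any child step succeeds)."""
    if id(node) not in memo:
        s = node.base
        if node.children:
            s *= 1 - prod(1 - score(c, memo) for c in node.children)
        memo[id(node)] = s
    return memo[id(node)]

def walk(roots, dedup):
    """DFS over the attack tree map; with dedup=True a shared node is yielded once."""
    seen, stack = set(), list(roots)
    while stack:
        n = stack.pop()
        if dedup and id(n) in seen:
            continue
        seen.add(id(n))
        yield n
        stack.extend(n.children)

def risk_by_control(roots, dedup=True):
    """Sum vulnerability scores per security control item (dedup=False double counts)."""
    memo, totals = {}, {}
    for n in walk(roots, dedup):
        if n.control:
            totals[n.control] = totals.get(n.control, 0.0) + score(n, memo)
    return totals

def build_sample():
    # Constructed sample: both threats pass through the same weak API auth step.
    no_rate_limit = Node("no_rate_limit", 0.5, "WAF rate limiting")
    weak_auth = Node("weak_api_auth", 0.6, "MFA", [no_rate_limit])
    storage = Node("misconfigured_storage", 0.4, "CSPM")
    hyperv = Node("unpatched_hypervisor", 0.3, "patch management")
    data_breach = Node("data_breach", 1.0, children=[weak_auth, storage])
    hijack = Node("service_hijack", 1.0, children=[weak_auth, hyperv])
    return [data_breach, hijack]

if __name__ == "__main__":
    roots = build_sample()
    print("deduplicated:", risk_by_control(roots))
    print("double-counted:", risk_by_control(roots, dedup=False))
```

With the sample, the deduplicated total is 1.5 while the per-threat walk counts the shared "weak_api_auth" branch twice and reports 2.3 for the same service.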