Threat-specific security risk evaluation in the cloud

Armstrong Nhlabatsi, Jin Bum Hong, Dong Seong Kim, Rachael Fernandez, Alaa Hussein, Noora Fetais, Khaled M.D. Khan

Research output: Contribution to journalArticlepeer-review

13 Citations (Scopus)


Existing security risk evaluation approaches (e.g., asset-based) do not consider specific security requirements of individual cloud computing clients in the security risk evaluation. In this paper, we propose a threat-specific risk evaluation approach that uses various security attributes of the cloud (e.g., vulnerability information, the probability of an attack, and the impact of each attack associated with the identified threat(s)) as well as the client-specific security requirements in the cloud. Our approach allows a security administrator of the cloud provider to make fine-grained decisions for selecting mitigation strategies in order to protect the outsourced computing assets of individual clients based on their specific security needs against specific threats. This is different from the existing asset-based approaches where they do not have the functionalities to provide the security evaluation of the cloud with respect to specific threats. On the other hand, the proposed approach enables security administrators to compute a range of more effective client-specific countermeasures with respect to the importance of security requirements and threats. The experimental evaluation results demonstrate that effective security solutions vary due to specific threats prioritized by different clients for an application in the cloud. Further, the proposed approach is not limited to only the cloud-based systems, but can easily be adopted to other networked systems. We have also developed a software tool to support the proposed approach.
Original languageEnglish
Article number8543671
Pages (from-to)793-806
Number of pages14
JournalIEEE Transactions on Cloud Computing
Issue number2
Early online date23 Nov 2018
Publication statusPublished - 1 Apr 2021


Dive into the research topics of 'Threat-specific security risk evaluation in the cloud'. Together they form a unique fingerprint.

Cite this