Risk Assessment Model for Cloud-Connected Networks with Case Study on an Academic Institution

Islam Younes Amro

Abstract


The reliance on cloud services has increased recently, resulting in an abundance of networks connected to these services partially or fully. However, several risks emerge from this action that imposes new challenges. Organizations often maintain a range of services managed in its own local or expanded networks as well as services that could exist on the cloud services sites partially or totally. Organizations have to deal with two types of risks: The first relates to the internal information systems risk of the organization, and the second relates to risks that come with working with cloud services providers. Furthermore, organizations lack benchmarking and references on assessing information systems risks. Most organizations work with vulnerability management concepts rather than risk assessment and mitigation. In this paper, we reformulate strategic e-services in an educational institution as it works between local networks and cloud services at the same time to study the risks associated with them in a hybrid manner. These services are distributed over local network nodes and relevant cloud components. The local network components and nodes; represent hosts with known vulnerability values generated from commercial tools. These vulnerabilities are gathered into vectors with expected impacts and estimate assets value related to these services. Probabilities or risks are identified accordingly. The other component of the research considers analyzing the risk of the cloud services with the computational approach, but it deals with cloud standard components such as data management policies, internal cloud provider management, and internet security. Vulnerability in cloud providers is identified as the compromise of these components and their impact on business continuity. Using vulnerability concepts for both local network and cloud, we introduce a risk probability model for educational organization (e.g.: QOU) services where risks are estimated over Borda Count generated weights for both local network and cloud. Moreover, the overall risk is estimated independently for each component; local network and two clouds. The final step is to investigate the overall risk for the organization. It will be done by prioritizing these risks mutually and analyzing the value of each risk in terms of other risks. For this purpose, we use the analytic hierarchy process (AHP). 


Keywords


Cloud Computing Risk Assessment, Vulnerability Management, Business Continuity, Borda Count., Analytic hierarchy process (AHP).

Full Text:

PDF

References


- Amin Saurabh, Galina A., Schwartz, & Alefiya Hussain (2013). In quest of benchmarking security risks to cyber-physical systems. IEEE Network Transaction. 27(1)19 - 24

- Amro I. (2015). A Network Service-Based Risk Assessment Model with Case Study on an Educational Organization. Palestinian Journal for Open Learning and e-Learning. Volume 15

- Andersen A. (2010). Firm objectives, IT alignment, and information securit. IBM Journal of Research and Development.54(3):5.1-5.7

- Asosheh A., & Dehmoubed A., & Khani A. (2009). A new quantitative approach for information security risk assessment. Presented in 2nd IEEE International Conference on Computer Science and Information Technology pp. 222-227. China

- Bernardo D. (2013). Utilizing Security Risk Approach in Managing Cloud Computing Services. Presented in IEEE 16th International Conference on Network-Based Information Systems. South Korea

- George R. (2014). Systems Engineering Guide. The MITRE Corporation. Produced by MITRE Corporate Communications and Public Affairs. USA

- International Organization for Standardization ISO (20018) The ISO 27001 standard on information security matters, http:// www.27000.org/

- Jianxing Y. , C. Haicheng, W. Shibo & F. Haizhao (2020).A Novel Risk Matrix Approach Based on Cloud Model for Risk Assessment Under Uncertainty. in IEEE Access, vol. 9, pp. 27884-27896, 2021.

- Kassou M., & Kjiri L. (2012). SOASMM: A novel service-oriented architecture Security Maturity Model. Presented in IEEE International Conference on Multimedia Computing and Systems, 2012, pp. 912-918. Morroco

- Khidzir Nik Zulkarnaen, & Azlinah Mohamed, & Noor Habibah Hj Arshad (2010). Information Security Risk Management: An Empirical Study on the Difficulties and Practices in ICT Outsourcing. Presented in IEEE Second International Conference on Network Applications, Protocols and Services. Malysia.

- Lonita D., & Hertel P., & Pieters W., & Wieringa R. (2014). Current Established Risk Assessment Methodologies and Tools. ICT Section, Delft University of Technology. Netherlands

- Maček1 Davor, & Magdalenić1 Ivan, & Nina Begičević Ređep1 (2020). A Systematic Literature Review on the Application of Multicriteria Decision Making Methods for Information Security Risk Assessment.International Journal of Safety and Security Engineering Vol. 10, No. 2, pp. 161-174

- Maule R. W., & Lewis W. C. (2009). Risk Management Framework for Service-Oriented Architecture. Presented 2009 IEEE International Conference on Web Services. Proceeding pages: 1000-1005. USA

- Metzger Louis, & Bender Lisa (2007). MITRE Systems Engineering (SE) Competency Model Version 1.13. The MITRE Corporation. Bedford, MA 01730

- Moona Jewook, & Chanwoo Lee, & Sangho Park, & Yanghoon Kimc (2018). Mathematical model-based security management framework for future ICT outsourcing project.Discrete Applied Mathematics The Journal of Combinatorial Algorithms, Informatics, and Computational Sciences.Volume 241: 67-77

- Riaz M. T., M. Shah Jahan, K. S. Arif and W. Haider Butt (2019). Risk Assessment on Software Development using Fishbone Analysis. 2019 International Conference on Data and Software Engineering (ICoDSE), 2019, pp. 1-6,

- Saleem M, & Jaafar J., & Hassan F.Model Driven Security framework for definition of security requirements for SOA based applications. Presented in IEEE International Conference on Computer Applications and Industrial Electronics, 2010, pp. 266-270, Malasya.

- Xi G., H. Ruimin, P. Yongjun, B. Hao and L. Haitao (2010). The Comprehensive Assessment Method for Community Risk Based on AHP and Neural Network Presented in 2010 Second International Conference on Networks Security, Wireless Communications and Trusted Computing, 2010, pp. 410-413, doi: 10.1109/NSWCTC.2010.230.

- Xiao B. and J. Ran. (2010). Risk Evaluation of Network Security Based on NLPCA-RBF Neural Network,” in Multimedia Information Networking and Security, International Conference on, Nanjing, Jiangsu China, 2010 pp. 398-402.

- Xiaojun Wu and Cong Li (2011). Research and design of one security model for service-oriented multi-application architecture. Presented in IEEE International Conference on Computer Science and Service System (CSSS), pp. 3990-3993. China

- Zhang, Q. C. Zhou, Y. Tian, N. Xiong, Y. Qin and B. Hu (2018). A Fuzzy Probability Bayesian Network Approach for Dynamic Cybersecurity Risk Assessment in Industrial Control Systems. in IEEE Transactions on Industrial Informatics, vol. 14, no. 6, pp. 2497-2506




DOI: http://dx.doi.org/10.33977/2106-000-005-004

Refbacks

  • There are currently no refbacks.


Copyright (c) 2022 Palestinian Journal of Technology and Applied Sciences (PJTAS)

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.