A Framework for Cloud Security Risk Management Based on the Business Objectives of Organizations
Ahmed E. Youssef

TL;DR
This paper introduces a novel Cloud Security Risk Management Framework (CSRMF) that aligns cloud security risks with organizational business objectives, enabling better decision-making and risk mitigation in cloud adoption.
Contribution
The paper presents a new risk management framework driven by business objectives, addressing gaps in traditional models for cloud security risk assessment.
Findings
Framework helps organizations understand cloud security risks in relation to business goals.
Validation through a practical use-case scenario demonstrates its effectiveness.
Enables cost-value analysis for cloud adoption decisions.
Abstract
Security is considered one of the top-ranked risks of Cloud Computing (CC) due to the outsourcing of sensitive data to a third party. In addition, the complexity of the cloud model results in a large number of heterogeneous security controls that must be consistently managed. Hence, no matter how strongly the cloud model is secured, organizations continue to suffer from a lack of trust in CC and remain uncertain about its security risk consequences. Traditional risk management frameworks do not consider the impact of CC security risks on the business objectives of organizations. In this paper, we propose a novel Cloud Security Risk Management Framework (CSRMF) that helps organizations adopting CC identify, analyze, evaluate, and mitigate security risks in their Cloud platforms. Unlike traditional risk management frameworks, CSRMF is driven by the business objectives of the…
Taxonomy
Topics: Cloud Data Security Solutions · Cloud Computing and Resource Management · IoT and Edge/Fog Computing
