CSCCRA: A Novel Quantitative Risk Assessment Model for SaaS Cloud Service Providers

Abstract

Security and privacy concerns represent a significant hindrance to the widespread adoption of cloud computing services. While cloud adoption mitigates some of the existing information technology (IT) risks, research shows that it introduces a new set of security risks linked to multi-tenancy, supply chain and system complexity. Assessing and managing cloud risks can be a challenge, even for cloud service providers (CSPs), due to the increased numbers of parties, devices and applications involved in cloud service delivery. The limited visibility of security controls down the supply chain, further exacerbates this risk assessment challenge. As such, we propose the Cloud Supply Chain Cyber Risk Assessment (CSCCRA) model, a quantitative risk assessment model which is supported by supplier security posture assessment and supply chain mapping. Using the CSCCRA model, we assess the risk of a SaaS application, mapping its supply chain, identifying weak links in the chain, evaluating its security risks and presenting the risk value in monetary terms (£), with this, promoting cost-effective risk mitigation and optimal risk prioritisation. We later apply the Core Unified Risk Framework (CURF) in comparing the CSCCRA model with already established methods, as part of evaluating its completeness.