Design and Implementation of a Threat-Specific Security Risk Assessment Tool
Author | Nhlabatsi, Armstrong |
Author | Hussein, Alaa |
Author | Fetais, Noora |
Author | Khan, Khaled M. |
Available date | 2024-03-10T05:42:10Z |
Publication Date | 2020 |
Publication Name | 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies, ICIoT 2020 |
Resource | Scopus |
Abstract | Security threats posed to individual cloud computing clients vary depending on their specific security requirements. However, Cloud Providers apply generic security risk assessment approaches which do not consider client-specific security requirements. This results in unrealistic and inaccurate security risk evaluation. In this paper, we describe the detailed design and implementation of a security risk assessment tool. The tool supports a threat-specific method for security risk evaluation. The threat-specific method enables Cloud Providers to evaluate the security risk of their tenants based on tenant-specific threats as dictated by their particular security requirements. Evaluation shows that the tool is highly usable, but lacks scalability. |
Sponsor | This paper has described the detailed design and implementation of a threat-specific security risk evaluation tool, called ThreatRiskEvaluator. The tool enables security administrators of Cloud Providers to evaluate security risk from the perspective of different threats for their tenants. The approach is centered on the idea that Cloud tenants have different security requirements and hence care about different threats. ThreatRiskEvaluator helps security administrators decide which threats to prioritize for each of their clients and to formulate more effective security solutions specific to the security requirements of particular clients. Evaluation of the tool shows that it is highly usable, but lacking in scalability. In the current version of the tool, the user has to manually draw the network topology model. This is time-consuming and may lead to modelling errors, especially when the network topology is large and complex. We plan to extend the tool to incorporate network scanners in order to build a more accurate network topology quickly. The evaluation of security risk is dependent on the general vulnerability information supplied by the National Vulnerability Database (NVD). This does not take into account that, for a given instance of an operating system, certain vulnerabilities may have already been patched. The consideration of such threats may lead to inaccurate risk evaluation. In order to address this limitation, we are extending the tool to incorporate a vulnerability scanner so that risk evaluation is based only on the vulnerabilities that are not yet patched in a particular node, instead of all the vulnerabilities that are recorded in the NVD. We are in the process of reviewing and optimizing the design of the tool to make it more scalable. ACKNOWLEDGMENT This paper was made possible by Grant NPRP 8-531-1-111 from Qatar National Research Fund (QNRF). The statements made herein are solely the responsibility of the authors. |
Language | en |
Publisher | Institute of Electrical and Electronics Engineers Inc. |
Subject | class diagrams; Cloud computing; domain model; risk assessment; security objectives; security risk; security threats; use cases; vulnerability |
Type | Conference |
Pagination | 511-518 |