The rise of the Cloud Computing (CC) paradigm has led to increasing adoption of the model among start-ups, private enterprises and many government institutions across the globe. As part of this trend, many public service institutions outsource some of the Information Technology (IT) resources that support critical institutional services to Cloud Service Providers (CSPs), delegating to them the management of critical resources and services that were traditionally managed in-house.
In digital economies and smart cities, cyber infrastructures provide both the platform and the mechanisms for service delivery. They improve organisational flexibility and productivity, improve asset utilisation, aggregate demand and accelerate system consolidation (e.g. the Federal Data Centre Consolidation Initiative), improve productivity in application development and application management, cut the cost of doing business, and increase the quality of and innovation within the e-government services that governments provide to citizens and businesses. However, security risks in cyberspace have in recent times become a pervasive concern for all institutions that depend on the platform. A cyber-attack can affect any part of our world and could cause extensive damage to critical services such as transportation, telecommunication systems, health and banking, in some cases bringing major economic activities to a halt.
Security risks in cloud infrastructure, whether due to threat agents or system vulnerabilities, can propagate to the critical infrastructures and services that depend on the cloud and degrade or disrupt operational services and other functionalities. Conversely, due to infrastructural dependencies, failures in the cloud infrastructure setup could propagate to information resources and hence disrupt the operation of many of the interconnected systems. For system reliability and consistent operation of critical infrastructure networks, it is important to have tools and techniques to simulate and model the causes and impact of security risks from cloud space and the related interdependencies. This research focuses on developing a Risk and Vulnerability Assessment (RVA) model for the causes of security risks and their impact, as well as for infrastructural interdependency modelling. My approach is based on system dynamics modelling, where critical infrastructures are viewed as a system of systems. Security risk factor causes are captured using the event study method from literature and proprietary online databases, while impact analysis is captured using precise risk estimation functions. Interdependencies between different system components are captured using mathematical functions.
An important component of proactive risk management is the assessment and performance of various types of risk and vulnerability analyses. The main objective of performing RVA is to generate a good foundation for prevention and preparedness activities in the security risk management process and for cybersecurity-related decisions. Another purpose of conducting RVA is to analyse the impact cyber-attacks can have on critical infrastructure that depends on cloud platforms. RVA processes can also be an effective tool for reducing risk and vulnerability by creating awareness of the causes and impact of security risks, stimulating reflection, creating social networks that affect individuals' and institutions' risk-relevant behaviour, etc.
The focus of the proposed methods is on vulnerability assessment of cloud infrastructure, but their use in the wider context of risk and vulnerability management is also addressed. Empirical studies of public cloud service providers and over seventy-eight public service institutions with a cloud presence have been conducted to demonstrate the proposed modelling approach and the applicability and validity of the methods.