Information systems and cloud computing infrastructures are frequently exposed to various types of threats. Without detection and prevention mechanisms, the threats can materialize and cause different types of damages that usually lead to significant financial losses. The threats arise from a complex and multifaceted environment. Currently, organizations are struggling to identify the threats to their information assets and assess the overall damage they might inflict to their systems. In order to empower mangers to better plan for shielding their information systems, the paper presents two main contributions. First, a new approach to threat classification that leads to a security assessment model that is systematic, extendable, and modular. Second, a quantitative analysis of information systems based on the model.

信息系统和云计算基础架构经常面临各种类型的威胁。如果没有检测和预防机制，威胁就会变成现实，并造成不同类型的损害，通常会导致重大的财务损失。这些威胁来自复杂和多方面的环境。当前，组织正在努力确定对其信息资产的威胁，并评估它们可能对系统造成的总体损害。为了使管理人员有能力更好地计划以屏蔽他们的信息系统，本文提出了两个主要的贡献。首先，一种用于威胁分类的新方法可导致系统，可扩展和模块化的安全评估模型。其次，基于模型对信息系统进行定量分析。