Application design phase risk assessment framework using cloud security domains
Journal of Information Security and Applications (IF 5.6), Pub Date: 2020-10-13, DOI: 10.1016/j.jisa.2020.102617
Amartya Sen, Sanjay Madria

Security risk assessment is done to identify the vulnerabilities of a client’s application and develop strong security measures within budgetary constraints. However, while migrating to the Cloud platform, a generic notion of their publicly available security policies makes it challenging for clients to assess the security threats solely relevant to their applications. Additionally, traditional risk assessment techniques cannot address these challenges as they neither consider cloud security domains as assessment criteria nor identify critical system resources that need to be protected in the likelihood of a successful attack. In order to address these challenges, this paper presents a risk assessment framework for clients’ applications that is characterized by the inclusion of cloud security metrics to perform risk assessment during the design phase of an application by incorporating the techniques of cloud misuse patterns. It also helps improve the security requirements phase that precedes risk assessment, by illustrating to clients how different attack scenarios can spread through the applications by using the concepts of percolation centrality and probabilistic state transition diagrams. One of the key findings this work addresses is how to systematically gain a distinction between multiple system resources belonging to the same security defense priority level.




Updated: 2020-10-13