THE ASSESSMENT OF RISKS IN PUBLIC CLOUD ENVIRONMENT BY DEVELOPING MULTINOMINAL LOGISTIC REGRESSION MODEL

Abstract: The public cloud information infrastructure is getting increasingly complex and well-connected, which in parallel increases the risks to cloud assets. Hence it becomes the need of the hour to identify, analyze and mitigate the risks to information security systems and the data associated with them. In the current research work, a quantitative information security risk analysis methodology is proposed for public clouds. In the existing methodology, enterprises follow two approaches towards information security, the consolidated and the detailed approach: the former computes risk as a single value for every asset, whereas in the latter the threat-vulnerability pair responsible for a risk is identified and a risk factor corresponding to each security property of every asset is computed. In the proposed methodology, the assets in the public cloud are studied and the consolidated approach is used to find the risk factor of each of these assets. The assets are classified into three different risk zones, namely the high, medium and low risk zones. In the case of high-risk assets, it becomes mandatory for the management to install high-cost infrastructure to overcome the risk. For medium-risk assets, proper auditing and ensuring that all policies, guidelines and procedures are in place may reduce risks. For low-risk assets, there is no such need for the management to invest much.


INTRODUCTION
There has been tremendous growth in the speed and scale of Information Systems. Although computer networks have entered our lives like never before and made activities simpler and faster, the threats coupled with information systems are troubling. When a system is loaded with huge assets of information but exposed to the outside world, the possibility of losing important information and resources is high. Threats attack the assets and exploit the vulnerabilities associated with them. Generally, in any business, assets are the backbone, and any damage to these assets brings chaos to the enterprise, which is of great concern to its shareholders. So there is a need to develop a systematic approach to mitigate such risks by evaluating the available information on security risks and framing protection strategies accordingly [1].
Present risk assessments for system security are mostly qualitative, designed on the grounds of different security assessment standards that predominantly reflect only a few properties during the static design and the system development. In parallel, another kind of system security assessment deploys attack simulation during security testing. Still, such an attack test can only show that a system is insecure; it cannot prove that the system is secure. In both methods discussed above, the uncertainty and dynamic behaviour that arise from the mutual influence between the operating environment and the information system are left unnoticed [2].
The purpose of risk assessment is to derive a systematic and comprehensive evaluation of the risks associated with information systems. Human or natural threats may introduce a security event, and therefore a security risk, in an information system. The probability of the security events and the severity of those events decide the security risk [3]. The main objective of risk analysis is to estimate the risk factor of the assets present in the cloud. Each asset may have a different risk factor value depending upon its threats and vulnerabilities. In a threat action, one asset may have one or more vulnerabilities which might be exploited by threat agents. The result of this action may potentially cause harm in terms of a data security breach or loss of confidentiality, integrity and/or resource availability, affecting the cloud organization or any third parties involved with it.
A cloud asset is any information, system or hardware that is used in the course of business activities in the cloud. The assets thoroughly studied and considered in this work are physical and logical assets. Physical assets include software and hardware components, whereas logical assets include cloud management and asset monitoring. A vulnerability is a weakness by which an attacker may possibly create a mishap in the system's information and the assurance provided on it. A threat is a possible danger that may exploit such a vulnerability to break the security and harm the system. The threats to these assets include power faults, equipment incompatibilities, corruption of data, theft of media and documents, link breaks and coding errors. Generally, assets are the primary business needs of an organization; when they are damaged, or when damage is attempted, the resulting risk is of great concern to the enterprise and to its shareholders.

RISK ANALYSIS PROCESS
To carry out the risk analysis process, three main requirements are considered: the security requirement, the business requirement and the legal requirement [4].

Security Requirement
• Access - In private organizations, only authorized users can have data access. Such access needs to be provided only to limited people, such as specific customers and auditors, to mitigate such risks. Values ranging from 1 to 5 are taken.
• Availability - As customers have to be served without any time delays, availability plays a major role in cloud computing. Values ranging from 1 to 5 are considered.
• Network Load - Cloud network load has also been shown to reduce the performance of the cloud computing system. Values ranging from 1 to 5 are taken.
• Reliability - Reliability determines the recovery of a system when faults occur. Values ranging from 1 to 5 are taken.
• Data Security - Data security is another key criterion in the cloud, since data needs to be secured in an appropriate manner from outsiders. Data protection is mandatory, and there is a need to ensure that the data is less prone to corruption. Values ranging from 1 to 5 are taken.
• Data Location - In cloud computing, data location is one more aspect, since service providers are spread across the globe rather than operating from a single location. Values ranging from 1 to 5 are taken.

Business Requirement
An asset within a cloud is primarily used to run the entire set of processes in a proper manner. Since it is a graded parameter, it is scaled from 1 to 5 on the basis of the magnitude of the loss incurred.

Legal Requirement
The legal requirement is a bundle of statutory and contractual requirements which have to be satisfied among the organization, its service providers, trading partners and contractors. The legal requirement parameter has only two values, 0 and 5: the former denotes that there is no such requirement and the latter that there is.

RISK ANALYSIS METHODOLOGY
Risk analysis is conducted for two main aims. The first is that risk analysis helps in identifying the actual risks to organizational assets. The second is that it supports the selection of security controls for protecting those assets. On the basis of these two aims, two different approaches have been proposed in the current research work to identify the risks associated with an asset. The first, the consolidated approach, computes a risk factor value for every asset; this value defines whether an asset is at high, medium or low risk. The second, the detailed approach, is broader: it not only computes a risk factor value but also identifies the threat-vulnerability pair that is the reason behind the risk. Risk management standards also suggest a two-pronged approach in which the first part, a 'high-level risk assessment', takes the business values of information assets and the risks from the organization's business point of view into account, whereas a detailed risk assessment encompasses the in-depth identification and valuation of assets, assessment of threats to those assets, and assessment of vulnerabilities [6]. In the proposed methodology, the consolidated approach corresponds to the high-level risk assessment, while the detailed approach performs a detailed risk assessment.

Consolidated Approach
As discussed earlier, in the consolidated approach a risk factor value is computed for every asset.
Risk Factor: The Risk Factor (RF) is defined as a function of the asset value and its security concern. Since it is associated with an asset, the risk involved with that asset, high, medium or low, can be identified from this value.

Risk Factor
where AV is the asset value and SC is the Security Concern (defined later) of the asset; SR is the Security Requirement, BR the Business Requirement and LR the Legal Requirement [8]. The above parameters are calculated as below. In the above formula, the relative weights assigned to the security, business and legal requirements are denoted alpha, beta and gamma respectively. Observe that the individual components of the SR were assigned equal weights. However, on the basis of the requirements and priorities of an institution, relative weights may be applied. For instance, in military organizations confidentiality requirements may be given higher priority than other security parameters, so the weights may be altered to suit custom needs. Since in any organization the security requirement is the prime determinant for evaluating security risk, it is natural to assign increased weight to it. Based on the organizational type, the assets owned by the organization and the way these assets are utilized, decisions on the business, legal and contractual requirements are made. Accordingly, the organizational type (that is, the type of business an organization conducts) can be taken as a base to adjust the weights for calculating AV.

Asset Value Calculation
Security Concern: It is defined as a function of the threats and vulnerabilities which might be connected to an asset. Threats and vulnerabilities have a many-to-many relation [8]. The SC value is obtained by determining the vulnerabilities that can potentially be exploited by a threat. Security Concern is a graded parameter and has a scale of 1 to 5.
Security Concern (SC) = function (Tv, Vv), where Tv is the Threat value and Vv is the Vulnerability value [8].
For the purpose of computing asset A's Security Concern (SC), one must obtain a list of threats [T1, T2, ..., Tm] that can be associated with the specific asset, together with their Likelihood of Occurrence [Loc(T)] values. The Loc value is defined as the probability of incidents of a threat that may be connected with an asset, based on earlier experience or availability statistics. Loc is a three-scale value, Low (1) / Medium (3) / High (5), with the numerical values given in brackets. Then, for each threat Ti, a list of vulnerabilities [Vi1, Vi2, ..., Vin] that might be exploited by the threat is identified, together with their Severity [Sev(V)] values [8]. The Sev value is defined as the level up to which the vulnerability (associated with an asset) is or can be exploited by some threat. Sev is also a three-scale value, as for Loc.

Fig. 3. Security Concern Calculation
Figure 3 shows how a threat-vulnerability tree is formed and how it helps to compute the Security Concern of an asset. Calculating from the bottom of the tree, the vulnerability value is computed for each threat to the asset. Suppose there are n vulnerabilities of an asset which can be exploited by a specific threat Ti, each graded low/medium/high (converted to the numerical values 1/3/5) depending on how easily it can be exploited. The vulnerability value Vv corresponding to threat Ti is determined as

$$Vv_i = \begin{cases} \dfrac{1}{n} \sum_{j=1}^{n} Sev(V_j), & n > 0 \\[6pt] 1, & n = 0 \end{cases}$$

The threat value $Tv_i$ corresponding to threat Ti is determined as
The reason for taking the base-2 logarithm is to normalize the result within a scale of 0 to 5. The Security Concern value is obtained by identifying the most critical threat, so the SC value of an asset is the maximum of all the threat values of that asset:

$$SC = \max(Tv_1, Tv_2, \ldots, Tv_m)$$

If there are no threats for an asset, the SC value is taken to be zero (SC = 0). SC is considered the quantitative measure of the risk [5].
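The consolidated computation described above, carried through in Python as an added example (not code from the paper): Vv per threat from the mean Severity, Tv per threat, SC as the maximum, AV as a weighted combination of SR, BR and LR, and the placement of an asset in a risk zone. The Tv formula, the AV weighting, RF = AV x SC and the zone thresholds are not reproduced in this text, so the forms used here (Tv_i = log2(Loc(T_i) * Vv_i), weights 0.5/0.3/0.2, product, thresholds 15 and 7.5) are assumptions, and the sample gradings are constructed.

```python
import math
from dataclasses import dataclass, field
from typing import List

# Three-scale values the paper uses for Likelihood of Occurrence (Loc) and Severity (Sev).
SCALE = {"low": 1, "medium": 3, "high": 5}

@dataclass
class Threat:
    name: str
    loc: str                                        # Loc(T): low / medium / high
    vulns: List[str] = field(default_factory=list)  # Sev(V) of each vulnerability T can exploit

def vulnerability_value(severities: List[str]) -> float:
    """Vv_i: mean Sev of the n vulnerabilities exploitable by threat T_i; 1 when n = 0."""
    if not severities:
        return 1.0
    return sum(SCALE[s] for s in severities) / len(severities)

def threat_value(threat: Threat) -> float:
    """Tv_i for one threat. ASSUMPTION: Tv_i = log2(Loc(T_i) * Vv_i); the paper only says a
    base-2 logarithm keeps Tv within 0..5, and log2(5 * 5) ~= 4.64 is the ceiling here."""
    return math.log2(SCALE[threat.loc] * vulnerability_value(threat.vulns))

def security_concern(threats: List[Threat]) -> float:
    """SC = max(Tv_1, ..., Tv_m), the most critical threat; SC = 0 if the asset has no threats."""
    return max((threat_value(t) for t in threats), default=0.0)

def asset_value(sr: List[int], br: int, lr: int,
                alpha: float = 0.5, beta: float = 0.3, gamma: float = 0.2) -> float:
    """AV from SR (mean of its equally weighted 1..5 components), BR (1..5) and LR (0 or 5).
    ASSUMPTION: AV = alpha*SR + beta*BR + gamma*LR with illustrative weights favouring security."""
    return alpha * sum(sr) / len(sr) + beta * br + gamma * lr

def risk_factor(av: float, sc: float) -> float:
    """RF = f(AV, SC). ASSUMPTION: f is the product, so RF ranges over roughly 0..23."""
    return av * sc

def risk_zone(rf: float, high: float = 15.0, medium: float = 7.5) -> str:
    """Place an asset in the high / medium / low zone. ASSUMPTION: thresholds are illustrative."""
    return "high" if rf >= high else "medium" if rf >= medium else "low"

# Constructed sample: threats from the paper's list with made-up Loc/Sev gradings.
SAMPLE_THREATS = [
    Threat("Power faults", "high", ["medium", "high"]),             # Vv = 4, Tv = log2(20) ~= 4.32
    Threat("Corruption of data", "medium", ["low", "low", "high"]),  # Vv = 7/3, Tv = log2(7) ~= 2.81
    Threat("Coding errors", "low", []),                             # no vulnerabilities: Vv = 1, Tv = 0
]
SAMPLE_SR = [5, 4, 3, 4, 5, 3]  # Access, Availability, Network Load, Reliability, Data Security, Data Location
```

With the sample gradings, SC is driven entirely by the power-fault threat, and a threat with no exploitable vulnerability contributes nothing even when its likelihood is high.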

CASE STUDY
This section presents a case study in which a sample implementation of the proposed methodology is shown. Consider a public cloud, say XYZ Ltd., that has the physical and logical assets shown in Table 1; their Security Requirements (SR), Business Requirements (BR) and Legal Requirements (LR) are also given. "Location" refers to the hardware on which the software and information assets are installed.

CONCLUSION
Risk assessment in cloud information security management remains a crucial and challenging process. Public clouds need to adopt a systematic and well-structured process in order to assess the information security risks to their assets. Beyond computing the risk values, risk assessment and management should also focus on identifying the contributors to these values. In this way, the negative impact of the contributors can be reduced, leading to risk mitigation.
The proposed methodology strives to achieve the above with the help of a two-pronged approach. In the first phase, the consolidated approach, the risk values are computed and the assets are classified into specific risk zones. In the second phase, the detailed approach, the contributors to such risks are identified. The current research work, however, focused only on the consolidated approach for calculating the risk factor. An unstated advantage is that if a public cloud faces budgetary or other challenges, only a consolidated risk analysis need be performed in the initial stages; when conditions permit, it can go on to a detailed risk analysis. There is no exact 'value' of risk, since risk quantification in scalar values is always subject to uncertainties for various reasons, including the challenges in defining the likelihood and the consequence severity and the mathematics to combine them.

FUTURE WORK
Risk assessment is a long-investigated and complex subject, full of uncertainties and vague in nature. So, in order to formulate new risk analysis methodologies, one can use fuzzy logic, since it can be applied to process vaguely defined variables and those that cannot be handled through mathematical modelling [7]. Segregating risks as 'high', 'low' or 'tolerant', whether qualitatively or quantitatively, requires in-depth experience, expertise and excellence. Fuzzy logic can be the best way to incorporate human judgment in defining such variables and their relations. This will help define a model that closely resembles the real world. In the current research work, for the purpose of defining the risk zone, the final risk value is calculated by assigning weights to the individual risks and then computing the final risk value as the "weighted average" of these weighted individual risks. Further research can be carried out on the detailed approach, in which an in-depth analysis of the contributors to the individual risks can be investigated.