Using formal distributions for threat likelihood estimation in cloud-enabled IT risk assessment

We present a quantitative business-process risk assessment methodology that utilizes formal mathematical distributions over historical data to enable better granularity and less subjective assessment on cyber-physical systems (CPS) and IT systems that use cloud services in general. The proposed methodology supports risks on asset-based processes associated with cloud computing platforms. ISO and US standards for cloud platforms are used to detect cloud-based attack vectors, threats and vulnerabilities both for CPS and traditional IT systems. Poisson distributions are proposed as a scientific means to quantify the likelihood of threat manifestation for assessing security risks. The key advantage of the presented method is its non-subjective likelihood threat estimation (contrary to current standards) and its ability to assess risk based on novel asset-based processes that fully support cloud services and CPS, which can aid stakeholders to comparatively assess the risk of using cloud services to process data. A real-world critical infrastructure was used to compare results of the presented methodology with its current security plan.