Towards Security Effectiveness Evaluation for Cloud Services Selection following a Risk-Driven Approach

Abstract—Cloud computing is gaining popularity, with an increasing number of services available in the market. This has rendered services selection and evaluation a difficult and challenging task, particularly for security-based evaluation. A key problem with much of the literature on cloud services security evaluation is that it fails to consider the overall evaluation context given the cloud characteristics and the underlying influence factors, including threats, vulnerabilities, and security controls. In this paper, we propose a holistic risk-driven security evaluation approach for cloud services selection. We first use the fuzzy DEMATEL method to jointly assess the likelihood and impact of threats with respect to the cloud service types, the exploitability of vulnerabilities by the identified threats, and the effectiveness of security controls in mitigating those vulnerabilities. Consequently, the overall diffusion of risk is captured via the relations across these concepts, which is leveraged to filter and prioritize the most critical security controls. The selected controls are then weighted using a combination of the fuzzy DEMATEL and fuzzy ANP methods based on several factors, including their effectiveness in preventing the identified risks, the user's preferences, and the user's level of control (i.e., responsibilities). The latter denotes how much control a cloud user is transferring to the cloud provider. To enhance the reliability of the results, the subjective weights are integrated with objective weights using the Entropy method. Finally, the TOPSIS method is employed for services ranking, and the Improvement Gap Analysis (IGA) method is leveraged to provide more insight into the strengths and weaknesses of the selected services. An illustrative example is given to demonstrate the application of the proposed framework.


I. INTRODUCTION
Cloud computing has become increasingly popular due to its cost-effective and resource-efficient services. It is a "model for enabling ubiquitous, convenient, and on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction" [1]. With the high number of cloud services available in the market, services selection and evaluation has become a significant challenge to users, particularly security evaluation.
The first and most critical step in any evaluation process is criteria identification. It describes the characteristics of the evaluation target that are of interest for the evaluation, thus it needs to be context specific. This is especially important in the cloud, given that the security threats, vulnerabilities, and controls differ from one service model to another. For example, IaaS suffers mainly from issues related to virtualization, such as hardening the host and securing inter-host communications. PaaS issues are more concerned with authentication and authorization. As for SaaS, the secure composition of the services is a critical area of concern [2]. Therefore, the selection of the critical security controls in the cloud needs to consider the overall dependencies between the vulnerabilities, threats, and the particular cloud service characteristics.
Various services selection methods have been proposed in the literature to support users in finding the most suitable services. However, in most of the available methods, the evaluation criteria were generally determined based on the literature and experts' surveys (e.g., [3]-[8]). Other approaches have leveraged some recent standardization efforts such as the SMI framework [9] (e.g., [10], [11]) and CSA's CCM framework [12] (e.g., [13], [14]). Still, the evaluation criteria are generally specified in a rigid way for all cloud service models, without considering the change in threats and controls when applied to different cloud service models, rendering the evaluation process inefficient.
Indeed, an extensive list of criteria is important for a comprehensive evaluation. However, security evaluation is a challenging task that involves significant effort, in terms of both computational and human resources. Therefore, a minimal and representative set of evaluation criteria is more critical in a given context. This permits focusing on the situation and eliminating unnecessary tasks. Restricting the list of evaluation criteria will also help in the criteria weighting process. Most available weighting techniques, such as AHP [15] and ANP [16], do not scale well with a large set of evaluation criteria because of the large number of pairwise comparisons to be performed. For example, in the case of 20 evaluation criteria, 190 pairwise comparisons need to be performed using the AHP method, which is both time consuming and cumbersome. The SMI framework [9] and CCM framework [12], which are widely used as evaluation criteria for cloud services selection, contain in total 51 attributes and 133 sub-controls, respectively. Thus, due to scalability issues, there is a need for a mechanism to first prioritize and select the most critical criteria given the evaluation context. There exist several security standards on risk management, such as NIST CRMF [17], which serve as good references for the selection of the baseline security controls. However, in these frameworks, the selection of the critical security controls is conducted in a purely qualitative way, mostly relying on the expertise of the decision makers. With this challenge in mind, in this paper we focus on selecting and prioritizing the critical security services in the cloud environment in a quantitative way, following a risk management approach.
www.ijacsa.thesai.org
Following a risk-driven approach for cloud services selection helps in assessing the effectiveness of the security controls. Current cloud services evaluation and selection methods mostly target the sufficiency and efficiency of the security controls, which focus on determining whether the security service performances meet the customer's requirements. However, the presence of security controls within the cloud service system does not necessarily mean that it is always secure. Effectiveness can only be appraised with sufficient knowledge about the threats and vulnerabilities [18]. Thus, adopting a risk-driven approach in selecting the evaluation criteria, considering the relevant vulnerabilities and threat likelihoods, consequently enables measurement of the effectiveness of the security controls. We further assess the extent of the effectiveness of the implemented security controls by analyzing their performance gaps against an assumed ideal using the improvement gap analysis (IGA) method [19].
Another essential step related to the evaluation process is the weighting of the criteria. Current weighting approaches are generally based on the subjective users' preferences, criteria dependencies, or on the objective analysis of the evaluation data. An important factor that is not considered but highly relevant in the cloud context is the cloud users' varying degree of control over the implementation and management of the security services. In the cloud, the security responsibilities are shared among the cloud actors and depend on the cloud deployment model (i.e., public or private), the service model (i.e., IaaS, PaaS, and SaaS), and the security control type. In IaaS, the consumer is mostly responsible for securing the virtualized resources, applications and data, while the cloud provider is responsible for securing the physical infrastructure. Conversely, in SaaS, most of the security responsibilities are shifted to the provider side, leaving the consumer responsible only for the data and some minimal application management [17]. Accordingly, more importance should be assigned to a particular security control when the cloud user loses more control over its management, to emphasize the responsibility for the associated security risks.
To summarize, the main contributions of this paper are: 1) Context-aware and risk-driven criteria selection. We build on our earlier work [20] on criteria selection for cloud services evaluation, with enhancements to the approach to address the scalability issues and account for the uncertainty and subjectivity of the process. In this paper, the fuzzy DEMATEL [21] method is used to identify the causal relationships between the cloud service types, threats and vulnerabilities, and the security controls. Fuzzy DEMATEL requires fewer comparisons than other dependency-aware techniques like ANP or AHP (( − 1)/2 ). The goal is not to blindly use all the criteria that exist in the literature, but instead to identify those that are most critical to the context of the evaluation, considering the characteristics of cloud service types and the overall evaluation context. This reduces the effort required in the evaluation.
2) Criteria weighting considering a more comprehensive set of factors. The proposed approach is distinguished from other existing methods in that it considers multiple factors in the weighting of criteria, namely the user's preferences and criteria interdependencies, in addition to the user's level of control (i.e., responsibilities). The user's level of control reflects the degree of loss of control over the management and implementation of the security services, which represents one of the novelties of the proposed approach. Criteria weighting is performed using the fuzzy DEMATEL and fuzzy ANP methods. The resultant subjective weights are further combined with objective weights based on the Entropy method to obtain results that are more accurate and less sensitive to the user's preferences or unreasonable criteria prioritization.
3) Effectiveness-driven evaluation following a risk-driven approach and gap analysis for performance improvement. The proposed framework attempts, on the one hand, to enhance the efficiency of the evaluation process by reducing the set of evaluation criteria to the core attributes. On the other hand, it drives an effectiveness-based evaluation of security services by assessing the effectiveness of the security controls in mitigating the potential threats and vulnerabilities, and thus the risks prevented. Furthermore, the extent of the effectiveness of the implemented security controls is assessed using the improvement gap analysis (IGA) method [19].
The rest of the paper is organized as follows. Section 2 discusses the related work. Section 3 presents the proposed framework. Section 4 demonstrates the effectiveness of the proposed approach through a case study. Section 5 concludes the paper.

II. RELATED WORK
In this section, we review the related work on cloud services evaluation, with a focus on security-driven studies and dependency-aware cloud services selection approaches.

A. Cloud Services Security-based Evaluation
Security evaluation, in our context, aims to provide a quantification of the security level of cloud services in a way that enables comparison between different service offerings. Cloud services evaluation has mostly targeted measurable attributes such as performance and availability, with less focus on security [22], [23]. Although security is mentioned in almost every study on cloud services evaluation, most of the studies do not focus on security-related attributes and influence factors.
Among the few works focused on security, Mouratidis et al. [24] proposed a holistic framework starting from the elicitation of the security and privacy requirements to the selection of cloud services providers. Luna et al. [13] presented two evaluation techniques, namely Quantitative Policy Trees (QPT) and Quantitative Hierarchy Tree (QHP), for assessing the security level of cloud providers as per the claimed SLAs with respect to users' requirements. QPT weighted the criteria and aggregated alternatives' performances in an ad hoc manner, whereas QHP employed the AHP technique for criteria weighting and ranking of alternatives. Modic et al. [14] proposed a cloud security assessment technique called Moving Intervals Process (MIP) that aimed at decreasing the time complexity of the assessment algorithm by separating scores for service providers that can fulfill users' needs from scores of those that are under-provisioning. Halabi and Bellaiche [8] proposed a security self-evaluation methodology for cloud providers using a variety of security metrics. In another work by the same authors [3], the security level of cloud service providers was quantified with respect to the traditional security attributes (CIA triad), namely confidentiality, integrity, and availability. The best solution was then obtained using a linear multi-objective optimization technique that aims at minimizing the dissatisfaction factors. Alabool and Mahmood [25] proposed a framework for ranking IaaS cloud providers and used the IPA method for ranking the unimproved gaps to provide insights on how to better improve the cloud services.
In the above studies and most available cloud services evaluation approaches, an extensive list of criteria is employed in the evaluation, either identified through the literature and experts' surveys, or by leveraging existing frameworks such as the SMI framework [9] or the CCM framework [12]. However, these frameworks target cloud services in general and do not consider the change in threats and measures when applied to different cloud deployment models and service types. Besides, the long list of criteria (e.g., the CCM framework includes 16 control domains with more than 130 security sub-controls) renders the weighting process a tedious task. Furthermore, security evaluation constitutes only a part of the overall trustworthiness evaluation of cloud services. A variety of other evaluation criteria, including financial and performance attributes, are of interest. Thus, prioritizing and filtering the criteria to a minimum and representative set is important for a practical and efficient evaluation.
There exist some general security frameworks and guidelines for selecting baseline security controls, such as the NIST cloud-adapted risk management framework (CRMF) [17]. However, existing standards lack a quantitative and systematic method of how controls should be selected. In [26], the authors proposed a quantitative framework for prioritizing the security controls with respect to the identified vulnerabilities and threats, given the severity and the cost of the remediation effort. Nevertheless, the proposed framework targets the information security domain in general and thus fails to consider the specific characteristics of the cloud environment, including the influence of cloud service models on the potential threats and vulnerabilities, as well as the shared responsibility of cloud users in the process. In the next section, we discuss some of the works addressing dependency relations in the cloud security evaluation literature.

B. Dependency-Aware Cloud Security Evaluation Methods
The relationships between the evaluation concepts are often neglected in existing cloud evaluation studies. To address this gap, Sun et al. [27] applied the fuzzy measure and Choquet integral to measure and aggregate non-linear relations between criteria. Taha et al. [28] proposed a framework for measuring the structural dependencies between cloud security services, which were then used as weights for the evaluation criteria. However, the proposed approach only considered the relations between the services in a hierarchical structure. In [29], the influences of attributes on the overall quality of services were integrated with the user's preferences in order to calculate the final weights of attributes using the ANP method, allowing for a flexible network-like structure representation. In [30], the authors employed fuzzy ANP to calculate criteria weights for cloud services evaluation. In [31], the authors examined the causal relationships between the criteria using a fuzzy DEMATEL-based ANP technique to determine the influence and the weights of the criteria. The VIKOR method was then employed to rank the alternatives and identify the weaknesses to help improve service performances. Several other works have combined DEMATEL and ANP to handle the dependencies between the evaluation criteria in the cloud, such as [32] and [33]. However, the above-reviewed methods do not consider the dependencies between criteria from a risk perspective.
In [34], the authors applied DEMATEL-based ANP to account for the dependencies between the security controls, which were identified following a risk assessment procedure. Also, in [35], a method was proposed for evaluating the risk levels of information security. DEMATEL was first used to analyze the interrelations among security control areas. The risk likelihood ratings were then obtained using the ANP method. Still, these frameworks only considered the dependencies between the security controls directly. That is, the influence of threats and vulnerabilities was not jointly included in the quantitative analysis. Besides, the above methods were applied to information security in general, and hence lack the specific characteristics of the cloud environment, that is, the change in threats, vulnerabilities, and controls when applied to different cloud deployment and service model types.
Overall, while some researchers have considered the dependencies between the evaluation criteria, they have ignored the characteristics of cloud service model types, as well as the underlying risk factors (threat likelihood, vulnerability relevance, and control effectiveness). Besides, the dependencies between criteria, when considered, were only addressed as part of the weighting process. In contrast, in this paper, we leverage the causal relationships between the cloud service types, threats, vulnerabilities, and security controls to extract the minimum and critical set of evaluation criteria. The dependency values are then integrated with the users' preferences and their level of control (i.e., responsibilities) to obtain the total subjective weights, which are then combined with objective weights to improve the reliability and accuracy of the approach. The proposed framework attempts to enhance the efficiency of the evaluation process by reducing the set of evaluation criteria to the core factors, and drives an effectiveness-based evaluation by understanding the extent of the effectiveness of the implemented security controls in preventing the risks.

III. PROPOSED FRAMEWORK
The proposed framework, as shown in Fig. 1, consists of five main phases: context establishment, criteria selection, criteria weighting, services ranking, and finally performance improvement and gap analysis. The steps of each phase are described in detail in the following sections.

A. Context Building and Criteria Selection
The concept model follows a risk perspective by modeling the threats, vulnerabilities, and security controls, while considering the characteristics of the cloud service types. The problem can be formally modeled as follows. Let  = { 1 ,  2 , … ,   } be the cloud service model types of the evaluation target,  = { 1 ,  2 , … ,   } the threats,  = { 1 ,  2 , … ,   } the vulnerabilities, and  = { 1 ,  2 , … ,   } the security controls representing the evaluation criteria. For criteria selection, the DEMATEL [21] method is used to analyze the dependencies (direct and indirect) between the service model, potential threats, exploited vulnerabilities, and the appropriate security controls. This way, we can jointly assess the likelihood of threats given the service type, the relevance of the various vulnerabilities to the identified threats, and the effectiveness of the security controls in mitigating the vulnerabilities. Consequently, the overall diffusion of risk is captured via the relations and dependencies across these concepts, which are used to filter and prioritize the critical security controls that contribute the most to the evaluation. To cope with the fact that human judgment is often uncertain and hard to estimate by exact numerical values, fuzzy theory [36] is applied to the DEMATEL method. The output at this stage is a list of the minimal and critical security controls judged necessary and sufficient for an effective and efficient evaluation of cloud services. The steps are as follows.
Step 1. Establishing the dependencies between elements and forming the fuzzy direct-relation matrix. The direct-relation matrix  ̃ is constructed through pairwise comparison among the elements, in which ̃  = (  ,   ,   ) indicates the degree to which element  affects element , as ascertained by experts. It is assumed that a consensus of opinions exists among the experts in the evaluation process.
(1)
Fig. 2 illustrates the graphical structure of the concepts and their relations.
Step 2. Calculating the normalized fuzzy direct-relation matrix. On the basis of the direct-relation matrix  ̃, the normalized direct-relation matrix  ̃ can be obtained as follows.
, then ̃=  ̃× , where
Step 3. Calculating the fuzzy total-relation matrix. The fuzzy direct/indirect relation matrix, known as the total-relation matrix, can be obtained as follows.
Step 4. Setting a threshold value and selecting the critical security controls. A threshold value α is set to filter out minor effects and reduce the complexity of the decision process. Only elements whose influence value in the total matrix is higher than the threshold value are chosen. The influence values in matrix  ̃ are reset to zero if they are less than α. The new matrix is called the α-cut total-influence matrix  ̃. Based on this idea, we exclude the security controls with negligible effects and select the controls with the most influence relationships. The threshold value can be decided by experts or using analytical methods such as the mean value of the total influence matrix. To simplify the calculation, we first defuzzify the total fuzzy relation matrix  ̃. Several defuzzification methods exist; we chose the center of area (CoA) method, as it is the most commonly used. The formula is as follows.
The row sum   denotes the sum of the direct and indirect effects of element  on the other elements, whereas the column sum   denotes the sum of the direct and indirect effects that element  has received from the other elements. Consequently,   +   denotes the strength of the influences given and received, which represents the degree of the central role that element  plays in the decision-making process. If   −   is positive, then element  is affecting the other elements (cause group); if it is negative, element  is being influenced by the other elements (effect group). Furthermore, a visual causal diagram can be drawn by plotting the   +   values on the x-axis and the   −   values on the y-axis.
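Steps 1-4 worked end to end on a constructed toy model, as an added example that is not code from the paper: a service type, one threat, one vulnerability and three controls are linked by assumed triangular-fuzzy judgements, the total-relation matrix is computed per fuzzy component, defuzzified with CoA and thresholded at the matrix mean, and a control that keeps no above-threshold relation is dropped, as C4 is in the paper's case study. The linguistic scale, the element names and every judgement are assumptions of this example, not the paper's Table I or Table III.

```python
"""Fuzzy DEMATEL criteria selection (Section III.A, Steps 1-4) on a constructed model:
service type S, threat T1, vulnerability V1 and security controls C1..C3.
The linguistic scale and every judgement below are assumptions of this example."""
from typing import Dict, List, Tuple

TFN = Tuple[float, float, float]  # triangular fuzzy number (l, m, u)

SCALE: Dict[str, TFN] = {  # assumed linguistic scale (constructed)
    "No": (0.00, 0.00, 0.10),
    "L": (0.00, 0.25, 0.50),
    "M": (0.25, 0.50, 0.75),
    "H": (0.50, 0.75, 1.00),
    "VH": (0.75, 1.00, 1.00),
}
ELEMENTS = ["S", "T1", "V1", "C1", "C2", "C3"]
CONTROLS = ["C1", "C2", "C3"]
# Constructed judgements, row influences column: S->T1 threat likelihood given the
# service type, T1->V1 vulnerability relevance, C1->V1 and C2->V1 control
# effectiveness, C1->C2 control interdependency; C3 is strongly related to nothing.
DIRECT = [
    # S     T1    V1    C1    C2    C3
    ["No", "H", "No", "No", "No", "No"],   # S
    ["No", "No", "VH", "No", "No", "No"],  # T1
    ["No", "No", "No", "No", "No", "No"],  # V1
    ["No", "No", "H", "No", "M", "No"],    # C1
    ["No", "No", "L", "No", "No", "No"],   # C2
    ["No", "No", "No", "No", "No", "No"],  # C3
]

def component(matrix: List[List[TFN]], k: int) -> List[List[float]]:
    """Crisp matrix of the k-th TFN component (0 = l, 1 = m, 2 = u)."""
    return [[cell[k] for cell in row] for row in matrix]

def matmul(a: List[List[float]], b: List[List[float]]) -> List[List[float]]:
    n = len(a)
    return [[sum(a[i][k] * b[k][j] for k in range(n)) for j in range(n)] for i in range(n)]

def fuzzy_direct_matrix(labels: List[List[str]]) -> List[List[TFN]]:
    """Step 1: map linguistic judgements to TFNs; no element influences itself."""
    n = len(labels)
    return [[(0.0, 0.0, 0.0) if i == j else SCALE[labels[i][j]] for j in range(n)]
            for i in range(n)]

def normalize(z: List[List[TFN]]) -> List[List[TFN]]:
    """Step 2: divide every TFN by the largest row or column sum of the upper bounds."""
    n, upper = len(z), component(z, 2)
    s = max(max(sum(row) for row in upper),
            max(sum(upper[i][j] for i in range(n)) for j in range(n)))
    return [[(l / s, m / s, u / s) for (l, m, u) in row] for row in z]

def total_relation(x: List[List[TFN]], powers: int = 400) -> List[List[TFN]]:
    """Step 3: T = X + X^2 + X^3 + ... (equal to X (I - X)^-1) per TFN component;
    the series converges because the normalized matrix has spectral radius < 1."""
    n, comps = len(x), []
    for k in range(3):
        xk = component(x, k)
        t, power = [row[:] for row in xk], xk
        for _ in range(powers):
            power = matmul(power, xk)
            t = [[t[i][j] + power[i][j] for j in range(n)] for i in range(n)]
        comps.append(t)
    return [[(comps[0][i][j], comps[1][i][j], comps[2][i][j]) for j in range(n)]
            for i in range(n)]

def defuzzify(t: List[List[TFN]]) -> List[List[float]]:
    """Centre-of-area (CoA) defuzzification: (l + m + u) / 3."""
    return [[(l + m + u) / 3.0 for (l, m, u) in row] for row in t]

def alpha_cut(t: List[List[float]], alpha: float = None):
    """Step 4: zero every influence below alpha (default: mean of the crisp matrix)."""
    n = len(t)
    if alpha is None:
        alpha = sum(map(sum, t)) / (n * n)
    return [[v if v >= alpha else 0.0 for v in row] for row in t], alpha

def prominence_relation(t: List[List[float]]) -> Dict[str, Tuple[float, float]]:
    """(R + C, R - C) per element: R = row sum (influence given), C = column sum
    (influence received); R - C > 0 marks a cause element, < 0 an effect element."""
    n = len(t)
    r = [sum(t[i]) for i in range(n)]
    c = [sum(t[i][j] for i in range(n)) for j in range(n)]
    return {ELEMENTS[i]: (r[i] + c[i], r[i] - c[i]) for i in range(n)}

def select_controls(cut: List[List[float]]) -> List[str]:
    """Keep a control only if it gives or receives an above-threshold influence."""
    n, kept = len(cut), []
    for name in CONTROLS:
        i = ELEMENTS.index(name)
        if any(cut[i][j] > 0 or cut[j][i] > 0 for j in range(n) if j != i):
            kept.append(name)
    return kept

def run_selection() -> dict:
    """Steps 1-4 end to end on the constructed model."""
    crisp = defuzzify(total_relation(normalize(fuzzy_direct_matrix(DIRECT))))
    cut, alpha = alpha_cut(crisp)
    return {"total": crisp, "alpha": alpha, "rc": prominence_relation(crisp),
            "controls": select_controls(cut)}
```

With this model S and the controls C1, C2 come out as cause elements and V1 as an effect element, and C3 is excluded because none of its influences survive the α-cut.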

B. Criteria Weighting
The selected security controls from the previous stage represent the top-level evaluation criteria (dimensions or clusters). These criteria are further divided into more fine-grained sub-criteria. The weights of the criteria are calculated using subjective and objective methods. The subjective weights are determined based on the influence degree of the criteria, the level of control, and their importance to the users. The fuzzy ANP method is used to assign the importance weights to the criteria through pairwise comparisons. However, contrary to the assumption of equal cluster weights in traditional ANP, we use the fuzzy DEMATEL influence degrees obtained previously, combined with the level of control degree, to weight the clusters. The obtained subjective weights are further adjusted with objective weights using the entropy method to obtain more reliable results. The steps for weighting the criteria are described below.
Step 1. Performing pairwise comparison and obtaining priority vectors. The ANP method [16] combined with fuzzy set theory is employed to derive the subjective weights. The relations between clusters (i.e., dependence relations between security controls) are determined based on the previous results from the DEMATEL network relation map (NRM). Once the relations between criteria and sub-criteria are identified, users are asked to perform pairwise comparisons between criteria. The importance values are assigned using triangular fuzzy numbers based on a 9-point scale (from equally important to extremely important). The priority vectors for each pairwise comparison matrix can be calculated using the eigenvalue method [16]. Then, the weights are defuzzified in the same way as in Eq. (4). A consistency ratio of the pairwise comparisons is calculated and should be less than 0.10 for the comparison to be acceptable; otherwise, the comparisons need to be adjusted. The priorities are gathered into the appropriate columns to build the supermatrix. The form of the supermatrix is as follows.
Step 2. Obtaining the weights of clusters. In traditional ANP, the weights of elements are divided by the number of clusters. This normalization method implies that the clusters (in our context, the high-level security controls) are of equal weight. However, in reality, the effect of each cluster on the other clusters is different, and has been determined in the previous step using the fuzzy DEMATEL method. Hence, these influence values are used in weighting the clusters, in addition to another factor, which is the level of control.
Step 2.1. Obtaining the influence degree of the clusters. The interdependencies between the clusters were already determined using DEMATEL, hence they can be derived directly from the total influence matrix. Let   be the α-cut total-influence matrix for security controls.   represents the degree of influence that cluster  (i.e., security control) exerts on cluster .
Step 2.2. Determining the user's level of control degree. The degree of control (  ) denotes how much control a consumer is transferring to the cloud provider. Accordingly, more importance should be assigned to a particular security control when the cloud user loses more control over its management, as opposed to when the user has full control over its management. In the NIST security reference architecture [17], the responsibility of the cloud user for each security component, given the cloud deployment model and service type, is defined as follows:
- Full responsibility. The user has full control over the management of the security control, and thus a lower importance value should be assigned to the security control. In this case (  = 0.25).
- Shared responsibility. Both the cloud user and the provider share responsibility for managing the particular security control. In this case (  = 0.5).
- Least responsibility. The provider has full control over the management of the security control. The consumer needs to negotiate with the provider to ensure that the requirements are met. Therefore, a higher importance value is assigned to the security control, since the consumer loses the ability to implement and manage it. In this case (  = 1).
For example, the responsibility for the security component "Data Governance > Secure Disposal of Data" is shared between the consumer and the provider in the IaaS model (  = 0.5), but needs to be implemented by the cloud provider in all other service models (  = 1).
Step 2.3. Obtaining the total weights of the clusters. The weight of the cluster   is the product of its influence degree   and its level of control   .
The clusters' weights are then normalized as follows.
Step 3. Obtaining the weighted supermatrix. By combining the weights of the clusters with the unweighted supermatrix as defined in [37], we obtain the weighted supermatrix as follows.
=
Step 4. Obtaining the limit weighted supermatrix. To obtain the global priorities, the weighted supermatrix is raised to the limiting powers lim →∞    , where  is the number of powers.
Step 5. Calculating the objective weights. In the previous steps, criteria weights were calculated using subjective approaches and based on subjective factors that rely heavily on decision-makers' opinions. To adjust the weights and help achieve more reliable results, we also measure the weights using an objective method, namely the entropy method [38]. The entropy method determines a criterion's weight based on the information transmitted by that criterion. That is, if a particular criterion has similar values for all the alternatives, then this criterion has little importance in the decision-making. In contrast, the criterion on which the alternatives are most dissimilar should have the highest importance weight, since it transmits more information and helps to differentiate between the alternatives.
The projected outcomes   of a criterion   are defined as:
where   is the performance of alternative  on criterion .
The entropy is calculated as follows:
The degree of diversification of the information provided by criterion  is:
The entropy weight is then:
Step 6. Computing the final criteria weights. The final criteria weights are obtained by combining the subjective and objective weights as follows.
=    +    , where  +  = 1 can be adjusted accordingly to reflect the influence of the subjective and objective weights on the decision-making.
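Steps 2.3 to 6 on constructed inputs, as an added example that is not the paper's own code: cluster weights from influence degree times level of control, the weighted and limit supermatrix obtained by repeated multiplication, entropy weights from a performance matrix, and the final combination. The cluster influences, the unweighted supermatrix, the performance scores and the block-weighting form (scale each influencing cluster's rows by its weight, then renormalise columns) are assumptions of this example.

```python
"""Criteria weighting (Section III.B): cluster weights from influence degree and
level of control (Step 2.3), weighted and limit supermatrix (Steps 3-4), entropy
objective weights (Step 5) and the subjective/objective combination (Step 6).
Every input number below is constructed for this example."""
import math
from typing import Dict, List

# Level-of-control degrees as the paper defines them: full 0.25, shared 0.5, least 1.0.
CONTROL_DEGREE = {"full": 0.25, "shared": 0.5, "least": 1.0}

# Constructed inputs: two control clusters; C1 has sub-criteria c11, c12 and C2 has c21.
INFLUENCE = {"C1": 0.6, "C2": 0.3}              # degrees taken from a DEMATEL total matrix
RESPONSIBILITY = {"C1": "full", "C2": "least"}  # user's level of control per cluster
BLOCKS = ["C1", "C1", "C2"]                     # cluster of each supermatrix element
UNWEIGHTED = [                                  # column-stochastic unweighted supermatrix
    [0.0, 0.5, 0.6],
    [0.5, 0.0, 0.4],
    [0.5, 0.5, 0.0],
]
PERFORMANCE = [                                 # rows = alternatives, cols = c11, c12, c21
    [0.9, 0.5, 0.3],
    [0.9, 0.7, 0.8],
    [0.9, 0.6, 0.2],
]

def cluster_weights(influence: Dict[str, float], responsibility: Dict[str, str]) -> Dict[str, float]:
    """Step 2.3: weight_k = influence_k * control_k, normalised to sum 1."""
    raw = {c: influence[c] * CONTROL_DEGREE[responsibility[c]] for c in influence}
    total = sum(raw.values())
    return {c: v / total for c, v in raw.items()}

def weighted_supermatrix(unweighted: List[List[float]], blocks: List[str],
                         weights: Dict[str, float]) -> List[List[float]]:
    """Step 3 (assumed common ANP form): scale the rows of each influencing cluster
    by its cluster weight, then renormalise columns to keep the matrix column-stochastic."""
    n = len(unweighted)
    w = [[unweighted[i][j] * weights[blocks[i]] for j in range(n)] for i in range(n)]
    for j in range(n):
        col = sum(w[i][j] for i in range(n))
        for i in range(n):
            w[i][j] = w[i][j] / col if col > 0 else 0.0
    return w

def limit_supermatrix(w: List[List[float]], tol: float = 1e-12, max_iter: int = 10000) -> List[float]:
    """Step 4: raise the weighted supermatrix to increasing powers until it stops changing;
    each column then holds the global priority vector (assumes a primitive matrix)."""
    n = len(w)
    cur = [row[:] for row in w]
    for _ in range(max_iter):
        nxt = [[sum(cur[i][k] * w[k][j] for k in range(n)) for j in range(n)] for i in range(n)]
        diff = max(abs(nxt[i][j] - cur[i][j]) for i in range(n) for j in range(n))
        cur = nxt
        if diff < tol:
            break
    return [cur[i][0] for i in range(n)]

def entropy_weights(perf: List[List[float]]) -> List[float]:
    """Step 5: rows = alternatives, columns = criteria with positive benefit scores.
    A criterion with identical values for all alternatives carries no information."""
    m, n = len(perf), len(perf[0])
    k = 1.0 / math.log(m)
    diversification = []
    for j in range(n):
        col_total = sum(perf[i][j] for i in range(m))
        p = [perf[i][j] / col_total for i in range(m)]          # projected outcomes
        e = -k * sum(pi * math.log(pi) for pi in p if pi > 0)   # entropy of criterion j
        diversification.append(1.0 - e)                         # d_j = 1 - e_j
    total = sum(diversification)
    return [d / total for d in diversification]

def combine_weights(subjective: List[float], objective: List[float], lam: float = 0.5) -> List[float]:
    """Step 6: w = lam * subjective + (1 - lam) * objective, with lam in [0, 1]."""
    return [lam * s + (1.0 - lam) * o for s, o in zip(subjective, objective)]

def run_weighting(lam: float = 0.5) -> List[float]:
    """Steps 2.3-6 on the constructed inputs; returns the final criteria weights."""
    cw = cluster_weights(INFLUENCE, RESPONSIBILITY)
    subjective = limit_supermatrix(weighted_supermatrix(UNWEIGHTED, BLOCKS, cw))
    objective = entropy_weights(PERFORMANCE)
    return combine_weights(subjective, objective, lam)
```

Note that c11, on which every alternative scores 0.9, receives an entropy weight of zero: it is the "least responsibility" cluster weight and the user's preference, not the data, that keep it in the final weights.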

C. Services Ranking
After weighting the criteria, the cloud service alternatives are ranked to find the best provider using the TOPSIS [39] method. TOPSIS is based on the distance of an alternative from the ideal solution, taking into account both the closeness to the positive ideal solution (PIS) and the distance from the negative ideal solution (NIS). TOPSIS was chosen as it best reflects the risk attitudes of decision-makers. The smaller the distance from the PIS, the higher the alternative's preference for profit; whereas the larger the distance from the NIS, the higher the alternative's preference for avoiding risk [39]. This approach is suitable for a security-based evaluation of cloud services as a risk-avoider strategy. Due to space limitations, the steps of the TOPSIS method are not reproduced here; they can be found in [39].

D. Performance Improvement and Gap Analysis
Most existing cloud services evaluation studies have limited the evaluation process to the ranking of cloud service alternatives. However, the evaluation process also aims to help cloud service providers improve their service performance. Few studies have attempted to identify what should be improved. Work in this direction was proposed by Alabool et al. [4]. They used the importance-performance analysis (IPA) [40] method to identify and rank the unimproved gaps. IPA is one of the most used methods to identify the strengths and weaknesses of service performance. However, IPA has some limitations concerning the nonlinearity between the performance of attributes and customer satisfaction [19]. Aiming to overcome these problems, Tontini and Picolo [19] proposed the improvement gap analysis (IGA) method. The IPA method compares the performance of the criteria with respect to their importance. In contrast, the IGA method compares the expected customer dissatisfaction if an attribute has a low performance with the expected customer satisfaction if the attribute is improved [19].
In traditional IGA, customers are asked to estimate their expected satisfaction and dissatisfaction with respect to each attribute and the actual attribute performance. The improvement gap () for each attribute is calculated as the difference between the expected and the actual performance (  =  − ). The dissatisfaction is stated directly according to the expected impact on customer dissatisfaction if an attribute has low performance. In this paper, we calculate the improvement gap as the difference between the best available performance among all alternatives (   ) and the actual performance of the particular service   (Eq. 14). The value of the gap represents the scope of improvement needed in order to be competitive in the market. The best performance can also be replaced by aspirational levels instead of the minimum-maximum values.
=   −   where ( 14) represents the performance of alternative  on criteria .
As for the dissatisfaction value (  ), it is calculated based on its importance and the difference between user's requirements (  ) and the actual service performance.
We plot the performance of alternatives into a two-dimensional graph as defined in the IGA method (see Fig. 3), showing each criterion's expected dissatisfaction on the y-axis with respect to the improvement gap on the x-axis. Attributes are classified into four categories: (1) critical for improvement, (2) keep as it is, (3) attractive, and (4) neutral [19].
An attribute is classified as critical to improve if its performance is lower than its competitors' and does not satisfy the customer's requirements. It is classified as keep as it is when its performance is higher than the competition's but does not fully satisfy the customers' requirements; employing more resources to improve an attribute whose performance is already above the market and deemed sufficient will not necessarily bring superior satisfaction to customers, and may lead to a waste of resources. It is classified as an attractive attribute if there is no strong dissatisfaction with its performance but there is still a high gap to the market, which, if improved, can bring superior customer satisfaction. It is classified as neutral when further improvement of this attribute will bring neither strong market differentiation nor superior customer satisfaction.
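The gap computation of Eq. 14 and the four-quadrant classification just described, applied to a constructed set of alternatives, as an added example that is not part of the paper. The scores, importance weights and user requirements are constructed; the dissatisfaction formula (importance multiplied by the shortfall of the selected service against the user's requirement, zero when the requirement is met) is an assumed concrete form of the dissatisfaction value described above, and the split between "low" and "high" on each axis is assumed to be the mean of the plotted values.

```python
"""Improvement gap analysis (IGA) for one selected alternative (added example)."""

# Constructed data (not the paper's tables): scores on a 0-10 scale, higher is better.
CRITERIA = ["C11", "C21", "C32", "C51", "C63", "C71"]
IMPORTANCE = {"C11": 0.30, "C21": 0.20, "C32": 0.10, "C51": 0.20, "C63": 0.15, "C71": 0.05}
REQUIREMENT = {"C11": 10, "C21": 6, "C32": 5, "C51": 8, "C63": 9, "C71": 7}  # user's requirements
PERFORMANCE = {
    "A1": {"C11": 7, "C21": 6, "C32": 9, "C51": 9, "C63": 8, "C71": 6},
    "A2": {"C11": 8, "C21": 5, "C32": 8, "C51": 7, "C63": 9, "C71": 6},
    "A3": {"C11": 9, "C21": 7, "C32": 5, "C51": 6, "C63": 5, "C71": 8},
}
SELECTED = "A3"   # the best-ranked alternative under analysis


def improvement_gap(performance, selected, criterion):
    """Eq. 14: best performance among all alternatives minus the selected one's."""
    best = max(scores[criterion] for scores in performance.values())
    return best - performance[selected][criterion]


def dissatisfaction(importance, required, actual):
    """Assumed form: importance-weighted shortfall against the user's requirement."""
    return importance * max(0.0, required - actual)


def classify(gap, diss, gap_split, diss_split):
    """Quadrant of the IGA map (x = improvement gap, y = expected dissatisfaction)."""
    high_gap, high_diss = gap > gap_split, diss > diss_split
    if high_gap and high_diss:
        return "critical for improvement"   # behind the market and below requirements
    if high_diss:
        return "keep as it is"              # ahead of the market, requirements not fully met
    if high_gap:
        return "attractive"                 # no strong dissatisfaction, but a market gap
    return "neutral"                        # no differentiation or satisfaction to gain


def analyze(selected=SELECTED, performance=PERFORMANCE,
            importance=IMPORTANCE, requirement=REQUIREMENT):
    """Return {criterion: {gap, dissatisfaction, category}} for the selected alternative."""
    gaps = {c: improvement_gap(performance, selected, c) for c in importance}
    diss = {c: dissatisfaction(importance[c], requirement[c], performance[selected][c])
            for c in importance}
    # assumed axis splits: the mean of each axis over the plotted attributes
    gap_split = sum(gaps.values()) / len(gaps)
    diss_split = sum(diss.values()) / len(diss)
    return {c: {"gap": gaps[c], "dissatisfaction": diss[c],
                "category": classify(gaps[c], diss[c], gap_split, diss_split)}
            for c in importance}


if __name__ == "__main__":
    for crit, row in analyze().items():
        print(f"{crit}: gap={row['gap']}, dissatisfaction={row['dissatisfaction']:.2f}, "
              f"{row['category']}")
```

The constructed scores are chosen so that every quadrant is populated: C51 and C63 are behind the best competitor and short of the requirement (critical), C11 leads the market but still misses a demanding requirement (keep as it is), C32 trails the market while the requirement is already met (attractive), and C21 and C71 sit at or above both (neutral).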

IV. CASE STUDY
To demonstrate the applicability of the proposed framework, we present an example evaluation of a SaaS service using data extracted from the NIST security reference architecture [17] and the CSA STAR repository, a public registry that documents the security controls provided by popular cloud computing providers. Following the proposed framework, the first phase involves establishing the evaluation context, including the modeling of the target service model, potential threats, vulnerabilities, and available security controls. For simplicity and without loss of generality, we consider the list of possible threats, vulnerabilities, and security controls presented in Table II. The next phase involves the selection of the critical security controls from the derived list of controls. The initial fuzzy direct relation matrix of DEMATEL is shown in Table III, using the linguistic values from Table I. It depicts the different dependencies between the cloud service type, threats, vulnerabilities, and security controls, considering several factors: the likelihood of a threat on the SaaS service type, its impact, the relevance degree of the vulnerabilities to the identified threats, the effectiveness of the controls in mitigating those vulnerabilities, and the interdependencies between the security controls. Following steps 2-4 (Section 3.1), we obtain the defuzzified total influence matrix, as shown in Table IV. The resultant security controls submatrix is depicted in bold in Table IV. We set a threshold value of 0.068; influence values less than the threshold are reset to zero. From the results, it can be concluded that criterion C4 has less impact and relevance on the overall evaluation in this case study, and it is thus excluded from the evaluation process. The resulting network relation map (NRM) structure between the selected security controls (C1, C2, C3, C5, C6, and C7) is shown in Fig. 4.
After the selection of the critical security controls and the establishment of the network structure, we proceed to the next phase, criteria weighting. The control criteria are divided into more fine-grained sub-criteria. Table V presents the performance of the alternatives with respect to the criteria. After performing the pairwise comparisons between each node in a cluster and the nodes in the related clusters as per the network structure, we obtain the initial supermatrix (step 1, Section 3.2), as shown in Table VI. Next, we calculate the weights of the control criteria to obtain the weighted supermatrix. As discussed in step 2 of Section 3.2, the weight of a control criterion is the combination of its influence weight and the level of control granted to the user over its management. The influence weights of the control criteria are taken from the α-cut total-influence sub-matrix for the security controls. The levels of control the user has over the criteria are defined as follows: C1 = 1, C2 = 1, C3 = 0.5, C5 = 1, C6 = 1, C7 = 1. The total weight of a cluster is the product of its influence degree and its level of control. The cluster weights are used to calculate the weighted supermatrix and obtain the limit supermatrix, from which the total subjective weights of the criteria are derived. The subjective criteria weights are combined with objective weights following steps 5-6 of Section 3.2, with the coefficients set to α = β = 0.5. The results are shown in Table VII. Next, we perform the ranking of the alternatives following the TOPSIS method. The final results regarding the closeness to the ideal solution and the final ranking are shown in Table VIII. The best alternative according to the results is A3.
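The post-processing of the DEMATEL total-influence sub-matrix used in this case study, as an added example that is not part of the paper: the α-cut threshold that drops a control with no remaining influence (the role C4 plays above), the row and column sums from which the relation level and the cause/effect split of the gap analysis are derived, and the control-criteria weights as the product of influence degree and level of control. The 7×7 matrix is constructed and does not reproduce Table IV; the threshold of 0.068 and the levels of control are the ones stated in the case study; taking the "influence degree" of a control to be the normalised row sum of the cut matrix is an assumption.

```python
"""DEMATEL post-processing: threshold, criteria selection, cause/effect and weights
(added example, not the paper's code)."""

CONTROLS = ["C1", "C2", "C3", "C4", "C5", "C6", "C7"]

# Constructed defuzzified total-influence sub-matrix for the security controls
# (row i = influence that Ci exerts on each column Cj). Not the paper's Table IV.
TOTAL_INFLUENCE = [
    [0.05, 0.12, 0.09, 0.03, 0.08, 0.10, 0.11],  # C1
    [0.15, 0.04, 0.13, 0.02, 0.11, 0.12, 0.14],  # C2
    [0.12, 0.10, 0.05, 0.04, 0.09, 0.08, 0.10],  # C3
    [0.04, 0.03, 0.05, 0.01, 0.02, 0.03, 0.04],  # C4: weak in both directions
    [0.11, 0.09, 0.10, 0.03, 0.04, 0.09, 0.12],  # C5
    [0.13, 0.11, 0.12, 0.05, 0.10, 0.05, 0.13],  # C6
    [0.09, 0.07, 0.08, 0.02, 0.07, 0.08, 0.04],  # C7
]
THRESHOLD = 0.068   # cut-off used in the case study
# Level of control the cloud user keeps over each retained control (case study values).
LEVEL_OF_CONTROL = {"C1": 1.0, "C2": 1.0, "C3": 0.5, "C5": 1.0, "C6": 1.0, "C7": 1.0}


def alpha_cut(matrix, threshold):
    """Reset every influence value below the threshold to zero."""
    return [[v if v >= threshold else 0.0 for v in row] for row in matrix]


def select_criteria(matrix, names):
    """Keep a criterion only if it still sends or receives influence after the cut."""
    n = len(names)
    kept = []
    for i in range(n):
        sends = any(matrix[i][j] > 0 for j in range(n))
        receives = any(matrix[k][i] > 0 for k in range(n))
        if sends or receives:
            kept.append(names[i])
    return kept


def prominence_and_relation(matrix, names):
    """D = row sum (influence given), R = column sum (influence received).
    Returns {name: (D + R, D - R)}: prominence and relation level."""
    n = len(names)
    d = [sum(matrix[i]) for i in range(n)]
    r = [sum(matrix[k][j] for k in range(n)) for j in range(n)]
    return {names[i]: (d[i] + r[i], d[i] - r[i]) for i in range(n)}


def cause_effect(matrix, names):
    """Positive relation level = cause (driving factor), negative = effect."""
    return {name: ("cause" if rel > 0 else "effect")
            for name, (_, rel) in prominence_and_relation(matrix, names).items()}


def control_weights(matrix, names, level_of_control):
    """Cluster weight = influence degree x level of control, normalised to sum 1.
    Assumption: influence degree is the row sum D of the cut matrix."""
    raw = {names[i]: sum(matrix[i]) * level_of_control[names[i]]
           for i in range(len(names)) if names[i] in level_of_control}
    total = sum(raw.values())
    return {name: w / total for name, w in raw.items()}


def run(matrix=TOTAL_INFLUENCE, names=CONTROLS, threshold=THRESHOLD,
        level_of_control=LEVEL_OF_CONTROL):
    cut = alpha_cut(matrix, threshold)
    kept = select_criteria(cut, names)
    idx = [names.index(k) for k in kept]          # restrict to retained criteria
    sub = [[cut[i][j] for j in idx] for i in idx]
    return {"selected": kept,
            "cause_effect": cause_effect(sub, kept),
            "weights": control_weights(sub, kept, level_of_control)}


if __name__ == "__main__":
    result = run()
    print("selected:", result["selected"])
    for name, role in result["cause_effect"].items():
        print(f"{name}: {role}, weight = {result['weights'][name]:.3f}")
```

In this constructed matrix every entry in C4's row and column falls below the cut-off, so C4 drops out exactly as in the case study; the halved level of control on C3 pulls its weight below that of every other retained control, which is the intended effect of discounting a control the user only partially manages.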

In the final phase, we perform the gap analysis for the best-selected alternative (A3) as discussed in Section 3.4. The IGA map is shown in Fig. 5. We can further leverage the characteristics of DEMATEL to understand the cause-effect relationship between the different attributes based on the prominence level (the sum of the influence given and received) and the relation level (their difference), as discussed in step 4 of Section 3.1. The relation levels of the control criteria, calculated from the security control total influence matrix (Table IV), are as follows: C1 = -0.125, C2 = 0.271, C3 = 0.119, C5 = 0.086, C6 = 0.153, C7 = -0.083. Both criteria C1 and C7 have a negative relation level, which means that they are effect criteria. The remaining criteria (C2, C3, C5, and C6) are cause criteria, representing the driving factors of the core problem. We plot the cause attributes into the IGA map following Eq. 14-15 (Section 3.4), as shown in Fig. 5. Most of the attributes fall into the "keep as it is" quadrant, while criterion C32 is considered a "neutral" attribute, and criteria C51 and C63 are "critical" to improve. For example, criterion C63 is a critical attribute while most of the attributes it influences fall into the "keep as it is" quadrant; improvements to this attribute should therefore begin immediately, alongside maintaining the performance of the other attributes.

V. CONCLUSION
In this paper, we proposed a holistic risk-driven security evaluation approach for cloud services selection. We addressed three main issues, namely: (1) the lack of a systematic and quantitative approach for selecting a minimal and representative set of criteria for cloud services security evaluation that considers the dependency relations between cloud service models, the potential threats and vulnerabilities, and the effectiveness of the security controls; (2) the lack of a comprehensive criteria weighting approach that considers the dependencies between control criteria and the cloud stakeholders' varying degree of control over implementing and managing the security services; and (3) the lack of effectiveness-based evaluation of cloud services. The proposed method first builds the evaluation context and selects the core security controls (i.e., the evaluation criteria) considering several factors, namely threat likelihood, vulnerability relevance, and control effectiveness given the cloud service models, using the fuzzy DEMATEL method. Next, the weights of the criteria were calculated based on the dependencies between the security controls, the cloud user's level of control given the cloud service model and security control type, and user preferences, using a combination of the fuzzy DEMATEL and fuzzy ANP methods. Furthermore, subjective weights were combined with objective weights to obtain more reliable results. Finally, the TOPSIS method was employed for services ranking, and the improvement gap analysis (IGA) method was leveraged to provide more insights on the strengths and weaknesses of the selected services. The proposed method facilitates a systematic

Fig. 1. The Conceptual Model of the Proposed Framework.

Fig. 2. Criteria Selection Problem Structure of the Underlying Factors and Relations.

Fig. 4. Security Controls Network Structure based on Fuzzy DEMATEL Analysis.

Fig. 5. The IGA Map based on the Cause Attributes from DEMATEL for the Best-Selected Alternative (A3).

TABLE VII. THE OBJECTIVE, SUBJECTIVE, AND TOTAL CRITERIA WEIGHTS

TABLE VIII. THE DISTANCE MEASURES TO THE BEST IDEAL SOLUTION (S+), WORST SOLUTION (S-), CLOSENESS, AND THE FINAL RANKING OF ALTERNATIVES