{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,9,27]],"date-time":"2025-09-27T17:03:44Z","timestamp":1758992624606,"version":"3.37.3"},"reference-count":48,"publisher":"Springer Science and Business Media LLC","issue":"4","license":[{"start":{"date-parts":[[2020,7,20]],"date-time":"2020-07-20T00:00:00Z","timestamp":1595203200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"},{"start":{"date-parts":[[2020,7,20]],"date-time":"2020-07-20T00:00:00Z","timestamp":1595203200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springer.com\/tdm"}],"funder":[{"DOI":"10.13039\/501100000038","name":"Natural Sciences and Engineering Research Council of Canada","doi-asserted-by":"publisher","award":["RGPIN-6115-2014"],"award-info":[{"award-number":["RGPIN-6115-2014"]}],"id":[{"id":"10.13039\/501100000038","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. 
Secur."],"published-print":{"date-parts":[[2021,8]]},"DOI":"10.1007\/s10207-020-00515-6","type":"journal-article","created":{"date-parts":[[2020,7,20]],"date-time":"2020-07-20T14:02:36Z","timestamp":1595253756000},"page":"493-510","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":9,"title":["A quantitative assessment of security risks based on a multifaceted classification approach"],"prefix":"10.1007","volume":"20","author":[{"given":"Mouna","family":"Jouini","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5657-4682","authenticated-orcid":false,"given":"Latifa","family":"Ben\u00a0Arfa\u00a0Rabai","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2499-1040","authenticated-orcid":false,"given":"Ridha","family":"Khedri","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2020,7,20]]},"reference":[{"key":"515_CR1","doi-asserted-by":"crossref","unstructured":"Aggarwal, C., Hinneburg, A., Keim, D.: On the surprising behavior of distance metrics in high dimensional space. In: International Conference on Database Theory (ICDT), vol 1973, Springer, pp. 420\u2013434 (2001)","DOI":"10.1007\/3-540-44503-X_27"},{"key":"515_CR2","doi-asserted-by":"crossref","unstructured":"Alhabeeb, M., Almuhaideb, A., Le, P., Srinivasan, B.: Information security threats classification pyramid. In: IEEE 24th International conference on Advanced Information Networking and Applications Workshops (WAINA), IEEE Xplore Digital Library, pp 208\u2013213 (2010)","DOI":"10.1109\/WAINA.2010.39"},{"issue":"7","key":"515_CR3","doi-asserted-by":"publisher","first-page":"953","DOI":"10.3923\/jas.2015.953.967","volume":"15","author":"A Amini","year":"2015","unstructured":"Amini, A., Jamil, N., Ahmad, A., Zaba, M.: Threat modeling approaches for securing cloud computing. J. Appl. Sci. 15(7), 953\u2013967 (2015)","journal-title":"J. Appl. 
Sci."},{"key":"515_CR4","unstructured":"Applegate, S., Stavrou, A.: Towards a cyber conflict taxonomy. In: 5th International Conference on Cyber Conflict, IEEE Xplore Digital Library (2013)"},{"key":"515_CR5","doi-asserted-by":"publisher","first-page":"262","DOI":"10.1007\/978-3-319-72817-9_17","volume":"10683","author":"N Argyropoulos","year":"2018","unstructured":"Argyropoulos, N., Angelopoulos, K., Mouratidis, H., Fish, A.: Decision-making in security requirements engineering with constrained goal models. Comput. Secur. 10683, 262\u2013280 (2018)","journal-title":"Comput. Secur."},{"key":"515_CR6","doi-asserted-by":"crossref","unstructured":"Avi\u017eienis, A., Laprie, JC., Randell, B.: Dependability and its threats: a taxonomy. In: IFIP Congress Topical Sessions, pp. 91\u2013120 (2004)","DOI":"10.1007\/978-1-4020-8157-6_13"},{"key":"515_CR7","doi-asserted-by":"crossref","unstructured":"Baldwin, A., Beres, Y., Duggan, G., Mont, M., Johnson, H., Middup, C., Shiu, S.: Economic methods and decision making by security professionals. In: The Tenth Workshop on the Economics of Information Security (WEIS), Springer, pp 213\u2013238 (2013)","DOI":"10.1007\/978-1-4614-1981-5_10"},{"key":"515_CR8","unstructured":"Ben\u00a0Aissa, A.: Vers une mesure \u00e9conom\u00e9trique de la s\u00e9curit\u00e9 des syst\u00e8mes informatiques. PhD Thesis, Faculty of Sciences of Tunis, Tunis, Tunisia (2012)"},{"issue":"1","key":"515_CR9","doi-asserted-by":"publisher","first-page":"269","DOI":"10.1007\/s11334-010-0123-2","volume":"6","author":"A Ben Aissa","year":"2010","unstructured":"Ben Aissa, A., Abercrombie, R., Sheldon, F., Mili, A.: Quantifying security threats and their potential impact: a case study. Innov. Syst. Softw. Eng. 6(1), 269\u2013281 (2010)","journal-title":"Innov. Syst. Softw. 
Eng."},{"issue":"1","key":"515_CR10","doi-asserted-by":"publisher","first-page":"63","DOI":"10.1016\/j.jksus.2012.06.002","volume":"25","author":"L Ben Arfa Rabai","year":"2013","unstructured":"Ben Arfa Rabai, L., Jouini, M., Ben Aissa, A., Mili, A.: A cybersecurity model in cloud computing environments. J. King Saud Univ. Comput. Inf. Sci. 25(1), 63\u201375 (2013)","journal-title":"J. King Saud Univ. Comput. Inf. Sci."},{"key":"515_CR11","unstructured":"Chidambaram, V.: Threat modeling in enterprise architecture integration. In: Enterprise Architecture and Business Competitiveness, vol. 2, No. 4 (2004)"},{"key":"515_CR12","unstructured":"Cloud Security Alliance: The treacherous 12 top threats to cloud computing industry insights. Technical Report, Cloud Security Alliance (2017)"},{"key":"515_CR13","unstructured":"Curphey, M., Scambray, J., Olson, E.: Improving web application security: threats and counter measures. Microsoft Corporation, System Computer Services (2003)"},{"issue":"3","key":"515_CR14","doi-asserted-by":"publisher","first-page":"249","DOI":"10.1287\/mnsc.36.3.249","volume":"36","author":"J Dyer","year":"1990","unstructured":"Dyer, J.: Remarks on the analytic hierarchy process. Manag. Sci. 36(3), 249\u2013258 (1990)","journal-title":"Manag. Sci."},{"key":"515_CR15","unstructured":"EY.: Is cybersecurity about more than protection? Global Information Security Survey 2018\u201319. Technical Report, EY (2018)"},{"issue":"2","key":"515_CR16","first-page":"202","volume":"6","author":"F Farahmand","year":"2005","unstructured":"Farahmand, F., Navathe, S., Sharp, G., Enslow, P.: A management perspective on risk of security threats to information systems. Inf. Technol. Manag. Arch. 6(2), 202\u2013225 (2005)","journal-title":"Inf. Technol. Manag. Arch."},{"issue":"31","key":"515_CR17","first-page":"51","volume":"1","author":"S Geric","year":"2007","unstructured":"Geric, S., Hutinski, Z.: Information system security threats classifications. J. Inf. Organ. Sci. 
1(31), 51\u201361 (2007)","journal-title":"J. Inf. Organ. Sci."},{"key":"515_CR18","volume-title":"Writing Secure Code","author":"M Howard","year":"2002","unstructured":"Howard, M., Leblanc, D.: Writing Secure Code. Microsoft Press, Redmond (2002)"},{"key":"515_CR19","doi-asserted-by":"crossref","unstructured":"Jouini, M., Ben\u00a0Arfa\u00a0Rabai, L., Ben\u00a0Aissa, A.: Classification of security threats in information systems. In: ANT\/SEIT 2014, Procedia Computer Science, vol.\u00a032, pp. 489\u2013496 (2014)","DOI":"10.1016\/j.procs.2014.05.452"},{"key":"515_CR20","doi-asserted-by":"crossref","unstructured":"Jouini, M., Ben\u00a0Arfa\u00a0Rabai, L., Khedri, R.: A multidimensional approach towards a quantitative assessment of security threats. In: ANT\/SEIT 2015, Elsevier, Procedia Computer Science, vol.\u00a052, pp. 507\u2013514 (2015)","DOI":"10.1016\/j.procs.2015.05.024"},{"key":"515_CR21","doi-asserted-by":"crossref","unstructured":"Jouini, M., Ben\u00a0Arfa\u00a0Rabai, L., Khedri, R.: Software requirements for an ultra large scale system to compute multi dimension mean failure cost. In: PDCAT 2018, Springer, pp. 361\u2013370 (2018)","DOI":"10.1007\/978-981-13-5907-1_39"},{"issue":"6","key":"515_CR22","doi-asserted-by":"publisher","first-page":"42","DOI":"10.1109\/52.469759","volume":"12","author":"P Kruchten","year":"1995","unstructured":"Kruchten, P.: Architectural blueprints\u2014the \u201c4+1\u201d view model of software architecture. IEEE Softw. 12(6), 42\u201350 (1995)","journal-title":"IEEE Softw."},{"issue":"5","key":"515_CR23","doi-asserted-by":"publisher","first-page":"549","DOI":"10.1007\/s10207-017-0394-9","volume":"17","author":"Y Li","year":"2018","unstructured":"Li, Y., Zhou, F., Qin, Y., Lin, M., Xu, Z.: Integrity-verifiable conjunctive keyword searchable encryption in cloud storage. Int. J. Inf. Secur. 17(5), 549\u2013568 (2018)","journal-title":"Int. J. Inf. 
Secur."},{"issue":"191","key":"515_CR24","doi-asserted-by":"publisher","first-page":"47","DOI":"10.1016\/j.ins.2011.09.040","volume":"15","author":"J Lia","year":"2012","unstructured":"Lia, J., Lia, M., Wua, D., Song, H.: An integrated risk measurement and optimization model for trustworthy software process management. Inf. Sci. 15(191), 47\u201360 (2012)","journal-title":"Inf. Sci."},{"key":"515_CR25","doi-asserted-by":"crossref","unstructured":"Mavoungou, S., Kaddoum, G., Taha, M., Matar, G.: Survey on threats and attacks on mobile networks. In: Security in Wireless Communications and Networking, IEEE Xplore Digital Library, pp. 4543\u20134572 (2016)","DOI":"10.1109\/ACCESS.2016.2601009"},{"key":"515_CR26","doi-asserted-by":"crossref","unstructured":"Mell, P., Grance, T.: The NIST definition of cloud computing. Technical Report, National Institute of Standards and Technology (2011)","DOI":"10.6028\/NIST.SP.800-145"},{"key":"515_CR27","unstructured":"Munir, R., Disso, J., Awan, I., Mufti, M.: Quantitative enterprise network security risk assessment, broadband and wireless computing. In: BWCCA, pp. 437\u2013442 (2013)"},{"key":"515_CR28","doi-asserted-by":"crossref","unstructured":"Ou, X., Singhal, A.: Quantitative Security Risk Assessment of Enterprise Networks. SpringerBriefs in Computer Science, Springer (2011)","DOI":"10.1007\/978-1-4614-1860-3"},{"key":"515_CR29","unstructured":"Ponemon Institute: 2014 cost of data breach study: Global analysis. Technical Report, Ponemon Institute LLC (2014)"},{"key":"515_CR30","doi-asserted-by":"crossref","unstructured":"Ponemon Institute: Cost of a data breach report 2019. Technical Report, Ponemon Institute (2019)","DOI":"10.1016\/S1361-3723(19)30081-8"},{"key":"515_CR31","unstructured":"Pw, C.: Managing cyber risks in an interconnected world: Key finding from the global state of information security survey 2015. 
Technical Report, PwC (2015)"},{"key":"515_CR32","unstructured":"Pw, C.: Strengthening digital society against cyber shocks: key findings from the global state of information security survey 2018. Technical Report, PwC (2018)"},{"key":"515_CR33","unstructured":"Rashid, M., Mufti, M., Awan, I., Hu, YF., Disso, J.: Detection, mitigation and quantitative security risk assessment of invisible attacks at enterprise network. In: FiCloud, pp. 256\u2013263 (2015)"},{"key":"515_CR34","unstructured":"Ross, R.: Guide for conducting risk assessments. NIST SP-800-30rev1 (2012)"},{"key":"515_CR35","doi-asserted-by":"crossref","unstructured":"Rudin, C.: Ranking with a p-norm push. In: International Conference on Computational Learning Theory (COLT), vol 4005, pp 589\u2013604, Springer (2006)","DOI":"10.1007\/11776420_43"},{"issue":"1","key":"515_CR36","first-page":"83","volume":"1","author":"T Saaty","year":"2008","unstructured":"Saaty, T.: Decision making with the analytic hierarchy process. Int. J. Serv. Sci. 1(1), 83\u201398 (2008)","journal-title":"Int. J. Serv. Sci."},{"issue":"2","key":"515_CR37","first-page":"1","volume":"19","author":"D Schlette","year":"2020","unstructured":"Schlette, D., Bohm, F., Caselli, M., Pernul, G.: Measuring and visualizing cyber threat intelligence quality. Int. J. Inf. Secur. 19(2), 1\u201318 (2020)","journal-title":"Int. J. Inf. Secur."},{"issue":"7","key":"515_CR38","doi-asserted-by":"publisher","first-page":"363","DOI":"10.1109\/JSYST.2012.2221853","volume":"7","author":"T Sommestad","year":"2013","unstructured":"Sommestad, T., Ekstedt, M., Holm, H.: The cyber security modeling language: a tool for assessing the vulnerability of enterprise system architectures. IEEE Syst. J. 7(7), 363\u2013373 (2013)","journal-title":"IEEE Syst. 
J."},{"issue":"1","key":"515_CR39","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1016\/j.jnca.2010.07.006","volume":"34","author":"S Subashini","year":"2011","unstructured":"Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J. Netw. Comput. Appl. 34(1), 1\u201311 (2011)","journal-title":"J. Netw. Comput. Appl."},{"key":"515_CR40","volume-title":"Threat Modeling","author":"F Swiderski","year":"2004","unstructured":"Swiderski, F., Snyder, W.: Threat Modeling. Microsoft Press, Redmond (2004)"},{"key":"515_CR41","unstructured":"Symantec.: Internet security threat report (ISTR). Technical Report, Symantec (2016)"},{"key":"515_CR42","unstructured":"Technical\u00a0white\u00a0paper.: Cloud infrastructure architecture case study vmware vsphere 5.0 and vmware vshield app 5.0. Technical Report 1.0, Technical white paper (2012)"},{"issue":"6","key":"515_CR43","doi-asserted-by":"publisher","first-page":"659","DOI":"10.1007\/s10207-019-00442-1","volume":"18","author":"E Toreini","year":"2019","unstructured":"Toreini, E., Shahandashti, S., Mehrnezhad, M., Hao, F.: Domtegrity: ensuring web page integrity against malicious browser extensions. Int. J. Inf. Secur. 18(6), 659\u2013679 (2019)","journal-title":"Int. J. Inf. Secur."},{"key":"515_CR44","doi-asserted-by":"publisher","first-page":"23","DOI":"10.1016\/j.ress.2016.08.014","volume":"157","author":"M van Staalduinen","year":"2017","unstructured":"van Staalduinen, M., Khan, F., Gadag, V., Reniers, G.: Functional quantitative security risk analysis (qsra) to assist in protecting critical process infrastructure. Reliab. Eng. Syst. Saf. 157, 23\u201334 (2017)","journal-title":"Reliab. Eng. Syst. Saf."},{"key":"515_CR45","unstructured":"Varia, J.: Architecting for the cloud: Best practices. 
Technical Report, Amazon.com (2011)"},{"key":"515_CR46","doi-asserted-by":"publisher","first-page":"97","DOI":"10.1016\/j.cose.2013.04.004","volume":"38","author":"R von Solms","year":"2013","unstructured":"von Solms, R., van Niekerk, J.: From information security to cyber security. Comput. Secur. 38, 97\u2013102 (2013)","journal-title":"Comput. Secur."},{"issue":"6","key":"515_CR47","doi-asserted-by":"publisher","first-page":"681","DOI":"10.1007\/s10207-017-0382-0","volume":"17","author":"G Wangen","year":"2018","unstructured":"Wangen, G., Hallstensen, C., Snekkenes, E.: A framework for estimating information security risk assessment method completeness. Int. J. Inf. Secur. 17(6), 681\u2013699 (2018)","journal-title":"Int. J. Inf. Secur."},{"issue":"1\/2","key":"515_CR48","doi-asserted-by":"publisher","first-page":"80","DOI":"10.1504\/IJCIS.2008.016093","volume":"4","author":"E Zio","year":"2008","unstructured":"Zio, E., Sanseverino, C.: Security assessment in complex networks exposed to terrorist hazard: a simulation approach. 
IJCIS 4(1\/2), 80\u201395 (2008)","journal-title":"IJCIS"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-020-00515-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-020-00515-6\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-020-00515-6.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2021,7,27]],"date-time":"2021-07-27T09:09:08Z","timestamp":1627376948000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-020-00515-6"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,7,20]]},"references-count":48,"journal-issue":{"issue":"4","published-print":{"date-parts":[[2021,8]]}},"alternative-id":["515"],"URL":"https:\/\/doi.org\/10.1007\/s10207-020-00515-6","relation":{},"ISSN":["1615-5262","1615-5270"],"issn-type":[{"type":"print","value":"1615-5262"},{"type":"electronic","value":"1615-5270"}],"subject":[],"published":{"date-parts":[[2020,7,20]]},"assertion":[{"value":"20 July 2020","order":1,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Compliance with ethical standards"}},{"value":"All authors declare that they have no conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Conflict of interest"}},{"value":"This article does not contain any studies with human participants or animals performed by any of the authors.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Ethical 
approval"}},{"value":"This paper presents a revised and extended version of the material presented in\u00a0\n[].","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Additional information"}}]}}