{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,13]],"date-time":"2026-01-13T04:04:01Z","timestamp":1768277041881,"version":"3.49.0"},"reference-count":41,"publisher":"MDPI AG","issue":"5","license":[{"start":{"date-parts":[[2020,5,11]],"date-time":"2020-05-11T00:00:00Z","timestamp":1589155200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100010661","name":"Horizon 2020","doi-asserted-by":"publisher","award":["830929"],"award-info":[{"award-number":["830929"]}],"id":[{"id":"10.13039\/100010661","id-type":"DOI","asserted-by":"publisher"}]},{"name":"Seventh Framework Programme","award":["285223"],"award-info":[{"award-number":["285223"]}]},{"DOI":"10.13039\/501100000780","name":"European Union","doi-asserted-by":"publisher","award":["300267102"],"award-info":[{"award-number":["300267102"]}],"id":[{"id":"10.13039\/501100000780","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Security has become one of the primary factors that cloud customers consider when they select a cloud provider for migrating their data and applications into the Cloud. To this end, the Cloud Security Alliance (CSA) has provided the Consensus Assessment Questionnaire (CAIQ), which consists of a set of questions that providers should answer to document which security controls their cloud offerings support. In this paper, we adopted an empirical approach to investigate whether the CAIQ facilitates the comparison and ranking of the security offered by competitive cloud providers. We conducted an empirical study to investigate if comparing and ranking the security posture of a cloud provider based on CAIQ\u2019s answers is feasible in practice. 
Since the study revealed that manually comparing and ranking cloud providers based on the CAIQ is too time-consuming, we designed an approach that semi-automates the selection of cloud providers based on CAIQ. The approach uses the providers\u2019 answers to the CAIQ to assign a value to the different security capabilities of cloud providers. Tenants have to prioritize their security requirements. With that input, our approach uses an Analytical Hierarchy Process (AHP) to rank the providers\u2019 security based on their capabilities and the tenants\u2019 requirements. Our implementation shows that this approach is computationally feasible and once the providers\u2019 answers to the CAIQ are assessed, they can be used for multiple CSP selections. To the best of our knowledge this is the first approach for cloud provider selection that provides a way to assess the security posture of a cloud provider in practice.<\/jats:p>","DOI":"10.3390\/info11050261","type":"journal-article","created":{"date-parts":[[2020,5,11]],"date-time":"2020-05-11T12:26:30Z","timestamp":1589199990000},"page":"261","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["Selecting a Secure Cloud Provider\u2014An Empirical Study and Multi Criteria Approach"],"prefix":"10.3390","volume":"11","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0893-7856","authenticated-orcid":false,"given":"Sebastian","family":"Pape","sequence":"first","affiliation":[{"name":"Faculty of Economics and Business, Goethe University Frankfurt, 60323 Frankfurt, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3122-0236","authenticated-orcid":false,"given":"Federica","family":"Paci","sequence":"additional","affiliation":[{"name":"Department of Computer Science, University of Verona, 37134 Verona, 
Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8938-0470","authenticated-orcid":false,"given":"Jan","family":"J\u00fcrjens","sequence":"additional","affiliation":[{"name":"Faculty of Computer Science, University of Koblenz, 56070 Koblenz, Germany &amp; Fraunhofer ISST, 44227 Dortmund, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1091-8486","authenticated-orcid":false,"given":"Fabio","family":"Massacci","sequence":"additional","affiliation":[{"name":"Department of Information Sciences and Engineering, University of Trento, 38123 Trento, Italy"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2020,5,11]]},"reference":[{"key":"ref_1","unstructured":"(2020, March 31). NIST Special Publication 800-53\u2014Security and Privacy Controls for Federal Information Systems and Organizations, Available online: http:\/\/nvlpubs.nist.gov\/nistpubs\/SpecialPublications\/NIST.SP.800-53r4.pdf."},{"key":"ref_2","unstructured":"KPMG (2020, March 31). 2014 KPMG Cloud Survey Report. Available online: http:\/\/www.kpmginfo.com\/EnablingBusinessInTheCloud\/downloads\/7397-CloudSurvey-Rev1-5-15.pdf#page=4."},{"key":"ref_3","first-page":"10","article-title":"Security Metrics and Security Investment Models. Advances in Information and Computer Security","volume":"Volume 6434","author":"Echizen","year":"2010","journal-title":"Proceedings of the 5th International Workshop on Security, IWSEC 2010"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"488","DOI":"10.2307\/1879431","article-title":"The Market for \u2019Lemons\u2019: Quality Uncertainty and the Market Mechanism","volume":"84","author":"Akerlof","year":"1970","journal-title":"Q. J. 
Econ."},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"265","DOI":"10.1257\/aer.99.1.265","article-title":"Cognition and Incomplete Contracts","volume":"99","author":"Tirole","year":"2009","journal-title":"Am. Econ. Rev."},{"key":"ref_6","first-page":"287","article-title":"An Insight into Decisive Factors in Cloud Provider Selection with a Focus on Security. Computer Security","volume":"Volume 11980","author":"Katsikas","year":"2019","journal-title":"Proceedings of the ESORICS 2019 International Workshops, CyberICPS, SECPRE, SPOSE, ADIoT"},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Anastasi, G., Carlini, E., Coppola, M., and Dazzi, P. (July, January 27). QBROKAGE: A Genetic Approach for QoS Cloud Brokering. Proceedings of the 2014 IEEE 7th International Conference on Cloud Computing (CLOUD), Anchorage, AK, USA.","DOI":"10.1109\/CLOUD.2014.49"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Ngan, L.D., and Kanagasabai, R. (2012, January 24\u201329). OWL-S Based Semantic Cloud Service Broker. Proceedings of the 2012 IEEE 19th International Conference on Web Services (ICWS), Honolulu, HI, USA.","DOI":"10.1109\/ICWS.2012.103"},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"564","DOI":"10.1109\/TSC.2011.52","article-title":"Agent-Based Cloud Computing","volume":"5","author":"Sim","year":"2012","journal-title":"Serv. Comput. IEEE Trans."},{"key":"ref_10","doi-asserted-by":"crossref","first-page":"491","DOI":"10.1007\/978-3-642-45005-1_38","article-title":"An Incentive Mechanism for Game-Based QoS-Aware Service Selection","volume":"Volume 8274","author":"Wang","year":"2013","journal-title":"Service-Oriented Computing"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Karim, R., Ding, C., and Miri, A. (July, January 28). An End-to-End QoS Mapping Approach for Cloud Service Selection. 
Proceedings of the 2013 IEEE Ninth World Congress on Services (SERVICES), Santa Clara, CA, USA.","DOI":"10.1109\/SERVICES.2013.71"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Sundareswaran, S., Squicciarini, A., and Lin, D. (2012, January 24\u201329). A Brokerage-Based Approach for Cloud Service Selection. Proceedings of the 2012 IEEE 5th International Conference on Cloud Computing (CLOUD), Honolulu, HI, USA.","DOI":"10.1109\/CLOUD.2012.119"},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"66","DOI":"10.1109\/TCC.2014.2328578","article-title":"SelCSP: A Framework to Facilitate Selection of Cloud Service Providers","volume":"3","author":"Ghosh","year":"2014","journal-title":"IEEE Trans. Cloud Comput."},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"456","DOI":"10.1007\/978-3-642-45005-1_34","article-title":"Evaluating Cloud Services Using a Multiple Criteria Decision Analysis Approach","volume":"Volume 8274","author":"Costa","year":"2013","journal-title":"Service-Oriented Computing"},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Garg, S., Versteeg, S., and Buyya, R. (2011, January 5\u20138). SMICloud: A Framework for Comparing and Ranking Cloud Services. 
Proceedings of the 2011 Fourth IEEE International Conference on Utility and Cloud Computing (UCC), Melbourne, Australia.","DOI":"10.1109\/UCC.2011.36"},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1007\/978-3-642-40651-5_4","article-title":"Managing Imprecise Criteria in Cloud Service Ranking with a Fuzzy Multi-criteria Decision Making Method","volume":"Volume 8135","author":"Lau","year":"2013","journal-title":"Service-Oriented and Cloud Computing"},{"key":"ref_17","first-page":"127","article-title":"Cloud Service Selection Based on Variability Modeling","volume":"Volume 7636","author":"Liu","year":"2012","journal-title":"Service-Oriented Computing"},{"key":"ref_18","doi-asserted-by":"crossref","first-page":"2185","DOI":"10.1002\/sec.748","article-title":"Towards a trust management system for cloud computing marketplaces: using CAIQ as a trust information source","volume":"7","author":"Habib","year":"2014","journal-title":"Secur. Commun. Netw."},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"2276","DOI":"10.1016\/j.jss.2013.03.011","article-title":"A framework to support selection of cloud providers based on security and privacy requirements","volume":"86","author":"Mouratidis","year":"2013","journal-title":"J. Syst. Softw."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Akinrolabu, O., New, S., and Martin, A. (2018, January 4\u20135). CSCCRA: A novel quantitative risk assessment model for cloud service providers. Proceedings of the European, Mediterranean, and Middle Eastern Conference on Information Systems, Limassol, Cyprus.","DOI":"10.1007\/978-3-030-11395-7_16"},{"key":"ref_21","doi-asserted-by":"crossref","unstructured":"Mahesh, A., Suresh, N., Gupta, M., and Sharman, R. (2020). Cloud risk resilience: Investigation of audit practices and technology advances-a technical report. 
Cyber Warfare and Terrorism: Concepts, Methodologies, Tools, and Applications, IGI Global.","DOI":"10.4018\/978-1-7998-2466-4.ch090"},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Bleikertz, S., Mastelic, T., Pape, S., Pieters, W., and Dimkov, T. (2013, January 25\u201327). Defining the Cloud Battlefield\u2014Supporting Security Assessments by Cloud Customers. Proceedings of the IEEE International Conference on Cloud Engineering (IC2E), San Francisco, CA, USA.","DOI":"10.1109\/IC2E.2013.31"},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Siegel, J., and Perdue, J. (2012, January 24\u201327). Cloud Services Measures for Global Use: The Service Measurement Index (SMI). Proceedings of the 2012 Annual SRII Global Conference (SRII), San Jose, CA, USA.","DOI":"10.1109\/SRII.2012.51"},{"key":"ref_24","unstructured":"Cloud Services Measurement Initiative Consortium (2014). Service Measurement Index Version 2.1, Carnegie Mellon University. Technical Report."},{"key":"ref_25","unstructured":"(2020, March 31). Cloud Services Measurement Initiative Consortium. Available online: https:\/\/www.iaop.org\/Download\/Download.aspx?ID=1779&AID=&SSID=&TKN=6a4b939cba11439e9d3a."},{"key":"ref_26","unstructured":"Saaty, T.L. (2005). Theory and Applications of the Analytic Network Process: Decision Making with Benefits, Opportunities, Costs, and Risks, RWS Publications."},{"key":"ref_27","first-page":"83","article-title":"Decision making with the analytic hierarchy process","volume":"1","author":"Saaty","year":"2008","journal-title":"Int. J. Serv. 
Sci."},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"21","DOI":"10.1016\/0165-0114(85)90013-2","article-title":"Ranking alternatives using fuzzy numbers","volume":"15","author":"Buckley","year":"1985","journal-title":"Fuzzy Sets Syst."},{"key":"ref_29","doi-asserted-by":"crossref","first-page":"649","DOI":"10.1016\/0377-2217(95)00300-2","article-title":"Applications of the extent analysis method on fuzzy AHP","volume":"95","author":"Chang","year":"1996","journal-title":"Eur. J. Oper. Res."},{"key":"ref_30","unstructured":"(2020, March 31). Cloud Security Alliance. Available online: https:\/\/cloudsecurityalliance.org\/."},{"key":"ref_31","unstructured":"Cloud Security Alliance (2020, March 31). Cloud Controls Matrix. v3.0.1. Available online: https:\/\/cloudsecurityalliance.org\/research\/cloud-controls-matrix\/."},{"key":"ref_32","unstructured":"Cloud Security Alliance (2020, March 31). Consensus Assessments Initiative Questionnaire. v3.0.1. Available online: https:\/\/cloudsecurityalliance.org\/artifacts\/consensus-assessments-initiative-questionnaire-v3-1\/."},{"key":"ref_33","first-page":"707","article-title":"Binary codes capable of correcting deletions, insertions and reversals","volume":"10","author":"Levenshtein","year":"1966","journal-title":"Sov. Phys. Dokl."},{"key":"ref_34","doi-asserted-by":"crossref","first-page":"319","DOI":"10.2307\/249008","article-title":"Perceived Usefulness, Perceived Ease of Use, and User Acceptance of Information Technology","volume":"13","author":"Davis","year":"1989","journal-title":"MIS Q."},{"key":"ref_35","doi-asserted-by":"crossref","unstructured":"Svahnberg, M., Aurum, A., and Wohlin, C. (2008). Using Students As Subjects\u2014An Empirical Evaluation. 
Proceedings of the Second ACM-IEEE International Symposium on Empirical Software Engineering and Measurement, ACM.","DOI":"10.1145\/1414004.1414055"},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"201","DOI":"10.1023\/A:1009848320066","article-title":"Using Students As Subjects: A Comparative Study of Students and Professionals in Lead-Time Impact Assessment","volume":"5","author":"Regnell","year":"2000","journal-title":"Empir. Softw. Eng."},{"key":"ref_37","unstructured":"NIST Cloud Computing Security Working Group (2013). NIST Cloud Computing Security Reference Architecture, National Institute of Standards and Technology. Technical Report."},{"key":"ref_38","unstructured":"Deutsche Telekom (2020, March 31). Cloud Broker: Neues Portal von T-Systems lichtet den Cloud-Nebel. Available online: https:\/\/www.telekom.com\/de\/medien\/medieninformationen\/detail\/cloud-broker-neues-portal-von-t-systems-lichtet-den-cloud-nebel-347356."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Schneier, B. (2004). Security and compliance. Secur. Priv. IEEE, 2.","DOI":"10.1109\/MSP.2004.22"},{"key":"ref_40","unstructured":"National Institute of Standards and Technology (2020, March 31). Minimum Security Requirements for Federal Information and Information Systems (FIPS 200), Available online: http:\/\/csrc.nist.gov\/publications\/fips\/fips200\/FIPS-200-final-march.pdf."},{"key":"ref_41","unstructured":"Decision Deck (2020, March 31). The XMCDA Standard. 
Available online: http:\/\/www.decision-deck.org\/xmcda\/."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/11\/5\/261\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,11]],"date-time":"2025-10-11T09:27:50Z","timestamp":1760174870000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/11\/5\/261"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2020,5,11]]},"references-count":41,"journal-issue":{"issue":"5","published-online":{"date-parts":[[2020,5]]}},"alternative-id":["info11050261"],"URL":"https:\/\/doi.org\/10.3390\/info11050261","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2020,5,11]]}}}
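The abstract in this record describes ranking providers with an Analytic Hierarchy Process over tenant priorities and capability values derived from CAIQ answers. The following is an added worked example, not code from the paper, its authors or the Cloud Security Alliance. It takes a tenant's pairwise judgments over four control domains, derives criteria weights by the row geometric-mean approximation, refuses to rank until Saaty's consistency ratio is below 0.1, then scores constructed CAIQ-style answers and synthesises a weighted ranking. The domain codes, question sets, answers and the "share of applicable Yes answers" scoring rule are assumptions for illustration; the paper's own assignment of values to capabilities is not shown on this page.

```python
"""
Added illustration (not code from the paper or from the CSA): an AHP-style
ranking of cloud providers from CAIQ-like yes/no answers and tenant priorities.
The domain codes, questions, answers and pairwise judgments below are constructed
sample data; the per-domain scoring rule (share of applicable "Yes" answers) is a
simplifying assumption, not the scoring the paper uses.
"""
import math

# Saaty's random consistency index (RI) for matrices of order 1..10.
RANDOM_INDEX = {1: 0.0, 2: 0.0, 3: 0.58, 4: 0.90, 5: 1.12,
                6: 1.24, 7: 1.32, 8: 1.41, 9: 1.45, 10: 1.49}

# Criteria: four CCM/CAIQ control domains (constructed subset).
DOMAINS = ["IAM", "EKM", "DSI", "BCR"]

# Tenant's pairwise judgments on Saaty's 1..9 scale, a[i][j] = importance of
# DOMAINS[i] relative to DOMAINS[j]. Deliberately not perfectly consistent.
TENANT_PAIRWISE = [
    [1.0, 2.0, 1.0, 4.0],
    [1 / 2, 1.0, 1.0, 3.0],
    [1.0, 1.0, 1.0, 3.0],
    [1 / 4, 1 / 3, 1 / 3, 1.0],
]

# Constructed CAIQ-style answers per provider and domain: "Yes", "No" or "NA".
# An unanswered question is recorded as "" and, conservatively, scored as "No".
CAIQ_ANSWERS = {
    "ProviderA": {"IAM": ["Yes", "Yes", "No"],  "EKM": ["Yes", "No"],
                  "DSI": ["Yes", "Yes"],        "BCR": ["No", "NA", "Yes"]},
    "ProviderB": {"IAM": ["Yes", "Yes", "Yes"], "EKM": ["Yes", "Yes"],
                  "DSI": ["No", "Yes"],         "BCR": ["Yes", "Yes", "Yes"]},
    "ProviderC": {"IAM": ["No", "Yes", "NA"],   "EKM": ["Yes", "Yes"],
                  "DSI": ["Yes", "No"],         "BCR": ["Yes", "Yes", "No"]},
}


def validate_pairwise(a):
    """Reject a matrix that is not square, reciprocal, and 1 on the diagonal."""
    n = len(a)
    for i in range(n):
        if len(a[i]) != n or abs(a[i][i] - 1.0) > 1e-9:
            raise ValueError("pairwise matrix must be square with unit diagonal")
        for j in range(n):
            if a[i][j] <= 0 or abs(a[i][j] * a[j][i] - 1.0) > 1e-6:
                raise ValueError(f"entries ({i},{j}) and ({j},{i}) are not reciprocal")


def priority_vector(a):
    """Criteria weights: row geometric means normalised to sum to 1
    (the usual approximation of the principal eigenvector)."""
    validate_pairwise(a)
    n = len(a)
    gm = [math.prod(row) ** (1.0 / n) for row in a]
    total = sum(gm)
    return [g / total for g in gm]


def consistency_ratio(a, w):
    """Saaty's CR = CI / RI with CI = (lambda_max - n) / (n - 1);
    judgments with CR > 0.1 should be revisited before ranking."""
    n = len(a)
    if n < 3:
        return 0.0
    aw = [sum(a[i][j] * w[j] for j in range(n)) for i in range(n)]
    lambda_max = sum(aw[i] / w[i] for i in range(n)) / n
    ci = (lambda_max - n) / (n - 1)
    return ci / RANDOM_INDEX[n]


def domain_score(answers):
    """Share of applicable questions answered "Yes" (assumed scoring rule).
    "NA" answers are excluded; blanks and "No" count against the provider."""
    applicable = [x for x in answers if x != "NA"]
    if not applicable:
        return 0.0
    return sum(1 for x in applicable if x == "Yes") / len(applicable)


def rank_providers(pairwise, caiq, max_cr=0.1):
    """Weighted-sum AHP synthesis: returns [(provider, score), ...], best first."""
    w = priority_vector(pairwise)
    cr = consistency_ratio(pairwise, w)
    if cr > max_cr:
        raise ValueError(f"tenant judgments are inconsistent (CR={cr:.3f})")
    scored = []
    for name, by_domain in caiq.items():
        score = sum(w[k] * domain_score(by_domain.get(dom, []))
                    for k, dom in enumerate(DOMAINS))
        scored.append((name, score))
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    weights = priority_vector(TENANT_PAIRWISE)
    print("weights:", dict(zip(DOMAINS, (round(x, 3) for x in weights))))
    print("CR:", round(consistency_ratio(TENANT_PAIRWISE, weights), 3))
    for name, score in rank_providers(TENANT_PAIRWISE, CAIQ_ANSWERS):
        print(f"{name}: {score:.3f}")
```

The consistency check is the practitioner's guard: a tenant who says IAM beats EKM, EKM beats BCR, but BCR beats IAM produces weights that look plausible yet mean nothing, and the ranking should not proceed on them. Scoring "NA" as neutral rather than as a failure is also a choice worth making explicit, since a provider can otherwise game a domain by marking hard questions as not applicable.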