{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:45:11Z","timestamp":1760031911995,"version":"build-2065373602"},"reference-count":56,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2025,4,4]],"date-time":"2025-04-04T00:00:00Z","timestamp":1743724800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>Cloud adoption necessitates relinquishing data control to cloud service providers (CSPs), involving diverse stakeholders with varying security and privacy (S&amp;P) needs and responsibilities. Building upon previously published work, this paper addresses the persistent challenge of a lack of standardized, transparent methods for consumers to select and quantify appropriate S&amp;P measures. This work introduces a stakeholder-centric methodology to identify and address S&amp;P challenges, enabling stakeholders to assess their cloud service protection capabilities. The primary contribution lies in the development of new classifications and updated considerations, along with tailored S&amp;P features designed to accommodate specific service models, deployment models, and stakeholder roles. This novel approach shifts from data or infrastructure perspectives to comprehensively account for S&amp;P issues arising from stakeholder interactions and conflicts. A prototype framework, utilizing a rule-based taxonomy and the Goal\u2013Question\u2013Metric (GQM) method, recommends essential S&amp;P attributes. Multi-criteria decision-making (MCDM) is employed to measure protection levels and facilitate benchmarking. The evaluation of the implemented prototype demonstrates the framework\u2019s effectiveness in recommending and consistently measuring security features. This work aims to reduce consumer apprehension regarding cloud migration, improve transparency between consumers and CSPs, and foster competitive transparency among CSPs.<\/jats:p>","DOI":"10.3390\/info16040291","type":"journal-article","created":{"date-parts":[[2025,4,7]],"date-time":"2025-04-07T05:30:59Z","timestamp":1744003859000},"page":"291","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Cloud Security Assessment: A Taxonomy-Based and Stakeholder-Driven Approach"],"prefix":"10.3390","volume":"16","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-1350-6719","authenticated-orcid":false,"given":"Abdullah","family":"Abuhussein","sequence":"first","affiliation":[{"name":"Information Systems, Herberger Business School, St. Cloud State University, St. Cloud, MN 56301, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7332-3773","authenticated-orcid":false,"given":"Faisal","family":"Alsubaei","sequence":"additional","affiliation":[{"name":"College of Computer Science and Engineering, University of Jeddah, Jeddah 23890, Saudi Arabia"}]},{"given":"Vivek","family":"Shandilya","sequence":"additional","affiliation":[{"name":"Department of Computer Science, Bowie State University, Bowie, MD 20715, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1241-2750","authenticated-orcid":false,"given":"Fredrick","family":"Sheldon","sequence":"additional","affiliation":[{"name":"The Department of Computer Science, University of Idaho, Moscow, ID 83844, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3996-7484","authenticated-orcid":false,"given":"Sajjan","family":"Shiva","sequence":"additional","affiliation":[{"name":"Department of Computer Science, The University of Memphis, Memphis, TN 38152, USA"}]}],"member":"1968","published-online":{"date-parts":[[2025,4,4]]},"reference":[{"key":"ref_1","unstructured":"Hussein, A.E.A. (2017). Pragmatic Framework for Cloud Security Assessment: A Stakeholder-Oriented and Taxonomical Approach. [Ph.D. Thesis, University of Memphis]."},{"key":"ref_2","unstructured":"(2025, January 26). Biggest Data Breaches in US History (Updated 2025)|UpGuard. Available online: https:\/\/www.upguard.com\/blog\/biggest-data-breaches-us."},{"key":"ref_3","unstructured":"(2025, January 26). Dyn Analysis Summary of Friday October 21 Attack|Dyn Blog. Available online: https:\/\/dyn.com\/blog\/dyn-analysis-summary-of-friday-october-21-attack\/."},{"key":"ref_4","unstructured":"Arkin, B. (2025, January 26). Important Customer Security Announcement. Available online: https:\/\/blog.adobe.com\/en\/publish\/2013\/10\/03\/important-customer-security-announcement."},{"key":"ref_5","unstructured":"Salcedo, H. (2025, January 26). Google Drive, Dropbox, Box and iCloud Reach the Top 5 Cloud Storage Security Breaches List. Available online: https:\/\/web.archive.org\/web\/20160304081904\/https:\/\/psg.hitachi-solutions.com\/credeon\/blog\/google-drive-dropbox-box-and-icloud-reach-the-top-5-cloud-storage-security-breaches-list."},{"key":"ref_6","unstructured":"Yasani, R. (2025, February 23). Massive Cyber Attack on AWS Cloud Environment with 230 Million Unique Targets. Available online: https:\/\/cybersecuritynews.com\/massive-aws-cyber-attack-230-million-environments\/."},{"key":"ref_7","unstructured":"(2025, February 23). Ex-Amazon Employee Convicted Over Data Breach of 100 Million CapitalOne Customers|TechCrunch. Available online: https:\/\/techcrunch.com\/2022\/06\/21\/amazon-paige-thompson-capitalone-breach\/."},{"key":"ref_8","unstructured":"(2025, January 26). NIST|National Institute of Standards and Technology, Available online: https:\/\/www.nist.gov\/national-institute-standards-and-technology."},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Mell, P., and Grance, T. (2011). The NIST Definition of Cloud Computing.","DOI":"10.6028\/NIST.SP.800-145"},{"key":"ref_10","unstructured":"Badger, L., Bernstein, D., Bohn, R., Vaulx, F.D., Hogan, M., Mao, J., Messina, J., Mills, K., Sokol, A., and Tong, J. (2011). High-Priority Requirements to Further USG Agency Cloud Computing Adoption."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Jansen, W., and Grance, T. (2011). Sp 800-144: Guidelines on Security and Privacy in Public Cloud Computing.","DOI":"10.6028\/NIST.SP.800-144"},{"key":"ref_12","unstructured":"Wang, S., Zheng, Z., Sun, Q., Zou, H., and Yang, F. (2011, January 10\u201315). Cloud model for service selection. Proceedings of the 2011 IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS), Shanghai, China."},{"key":"ref_13","unstructured":"(2025, February 23). Top Threats to Cloud Computing 2024|CSA. Available online: https:\/\/cloudsecurityalliance.org\/artifacts\/top-threats-to-cloud-computing-2024."},{"key":"ref_14","unstructured":"(2025, January 26). Lord Kelvin Quotations. Available online: http:\/\/zapatopi.net\/kelvin\/quotes\/."},{"key":"ref_15","unstructured":"(2025, January 26). Encryption Can Make Cloud Computing Safer. Available online: https:\/\/www.usatoday.com\/story\/cybertruth\/2013\/05\/31\/cloud-security-hacking-encryption\/2375689\/."},{"key":"ref_16","unstructured":"Basu, S. (2025, February 23). 68 Cloud Security Statistics to Be Aware of in 2025. Available online: https:\/\/www.getastra.com\/blog\/security-audit\/cloud-security-statistics\/."},{"key":"ref_17","unstructured":"(2025, February 23). 2023 Cloud Security Report Shows Many Data Breaches\u2014Press Release. Available online: https:\/\/cpl.thalesgroup.com\/about-us\/newsroom\/2023-cloud-security-cyberattacks-data-breaches-press-release."},{"key":"ref_18","unstructured":"(2025, February 23). 7 February 2024 The State of Cloud Data Security in 2023. Available online: https:\/\/www.paloaltonetworks.com\/resources\/research\/data-security-2023-report."},{"key":"ref_19","unstructured":"(2025, February 23). Cloud Security Alliance Survey Finds 77% of Respondents Feel. Available online: https:\/\/cloudsecurityalliance.org\/press-releases\/2024\/02\/14\/cloud-security-alliance-survey-finds-77-of-respondents-feel-unprepared-to-deal-with-security-threats."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Abuhussein, A., Shiva, S., and Sheldon, F.T. (July, January 27). CSSR: Cloud Services Security Recommender. Proceedings of the 2016 IEEE World Congress on Services (SERVICES), San Francisco, CA, USA.","DOI":"10.1109\/SERVICES.2016.13"},{"key":"ref_21","first-page":"248","article-title":"Towards quantitative measures of Information Security: A Cloud Computing case study","volume":"1","author":"Jouini","year":"2012","journal-title":"Int. J. Cyber-Secur. Digit. Forensics IJCSDF"},{"key":"ref_22","unstructured":"(2017, May 23). Definition of METRIC. Available online: https:\/\/www.merriam-webster.com\/dictionary\/metric."},{"key":"ref_23","unstructured":"Jaquith, A. (2007). Security Metrics: Replacing Fear, Uncertainty, and Doubt, Addison-Wesley."},{"key":"ref_24","unstructured":"Radack, S. (2025, February 23). Security metrics: Measurements to support the continued development of information security technology. Computer Security Division, Information Technology Laboratory, National Institute of Standards and Technology, White Paper 2010, Available online: https:\/\/csrc.nist.gov\/files\/pubs\/shared\/itlb\/itlbul2010-01.pdf."},{"key":"ref_25","unstructured":"Wong, C. (2011). Security Metrics, a Beginner\u2019s Guide, McGraw-Hill Education. [1st ed.]."},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"32","DOI":"10.1109\/MSP.2010.140","article-title":"Cloud Provider Transparency: An Empirical Evaluation","volume":"8","author":"Pauley","year":"2010","journal-title":"IEEE Secur. Priv."},{"key":"ref_27","unstructured":"Ristov, S., Gusev, M., and Kostoska, M. (2012, January 21\u201325). A new methodology for security evaluation in cloud computing. Proceedings of the 2012 35th International Convention MIPRO, Opatija, Croatia."},{"key":"ref_28","unstructured":"(2017, May 24). TPC-Homepage V5. Available online: http:\/\/www.tpc.org\/."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Kossmann, D., Kraska, T., and Loesing, S. (2010, January 6\u201311). An Evaluation of Alternative Architectures for Transaction Processing in the Cloud. Proceedings of the 2010 ACM SIGMOD International Conference on Management of Data, Indianapolis, IN, USA.","DOI":"10.1145\/1807167.1807231"},{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Barker, S.K., and Shenoy, P. (2010, January 22\u201323). Empirical Evaluation of Latency-sensitive Application Performance in the Cloud. Proceedings of the First Annual ACM SIGMM Conference on Multimedia Systems, Phoenix, AZ, USA.","DOI":"10.1145\/1730836.1730842"},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Zeng, W., Zhao, Y., and Zeng, J. (2009, January 12\u201314). Cloud Service and Service Selection Algorithm Research. Proceedings of the First ACM\/SIGEVO Summit on Genetic and Evolutionary Computation, Shanghai, China.","DOI":"10.1145\/1543834.1544004"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Rehman, Z.U., Hussain, F.K., and Hussain, O.K. (July, January 30). Towards Multi-criteria Cloud Service Selection. Proceedings of the 2011 Fifth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, Seoul, Republic of Korea.","DOI":"10.1109\/IMIS.2011.99"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Han, S.-M., Hassan, M.M., Yoon, C.-W., and Huh, E.-N. (2009, January 24\u201326). Efficient Service Recommendation System for Cloud Computing Market. Proceedings of the 2Nd International Conference on Interaction Sciences: Information Technology, Culture and Human, Seoul, Republic of Korea.","DOI":"10.1145\/1655925.1656078"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Ruiz-Alvarez, A., and Humphrey, M. (2011, January 8). An Automated Approach to Cloud Storage Service Selection. Proceedings of the 2Nd International Workshop on Scientific Cloud Computing, San Jose, CA, USA.","DOI":"10.1145\/1996109.1996117"},{"key":"ref_35","unstructured":"(2017, May 24). WS-DREAM: Towards Open Datasets and Source Code for Web Service Research. Available online: http:\/\/wsdream.github.io\/."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Alnemr, R., Pearson, S., Leenes, R., and Mhungu, R. (2014, January 15\u201318). COAT: Cloud Offerings Advisory Tool. Proceedings of the 2014 IEEE 6th International Conference on Cloud Computing Technology and Science, Singapore.","DOI":"10.1109\/CloudCom.2014.100"},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"98","DOI":"10.1016\/j.ins.2019.10.004","article-title":"A service recommendation algorithm with the transfer learning based matrix factorization to improve cloud security","volume":"513","author":"Lei","year":"2020","journal-title":"Inf. Sci."},{"key":"ref_38","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cose.2016.06.003","article-title":"Novel efficient techniques for real-time cloud security assessment","volume":"62","author":"Modic","year":"2016","journal-title":"Comput. Secur."},{"key":"ref_39","unstructured":"(2022). Information Security, Cybersecurity and Privacy Protection\u2014Information Security Management Systems\u2014Requirements (Standard No. ISO\/IEC 27001:2022)."},{"key":"ref_40","unstructured":"(2017, June 06). Automated Security and Compliance. Available online: https:\/\/www.cloudpassage.com\/."},{"key":"ref_41","unstructured":"(2025, April 02). Your Business is in the Clouds. Protect what Matters with CipherCloud. Available online: https:\/\/cpl.thalesgroup.com\/partners\/ciphercloud."},{"key":"ref_42","unstructured":"(2025, April 02). CASB and Cloud Cybersecurity Solutions|Cisco Cloudlock. Available online: https:\/\/www.cisco.com\/site\/us\/en\/products\/security\/cloudlock\/index.html."},{"key":"ref_43","unstructured":"(2025, January 26). Cloud Controls Matrix: Cloud Security Alliance. Available online: https:\/\/cloudsecurityalliance.org\/group\/cloud-controls-matrix\/."},{"key":"ref_44","unstructured":"(2025, January 26). Dan Morrill, \u201cCloudPassage Cloud Security Survey. Available online: https:\/\/web.archive.org\/web\/20220804124303\/https:\/\/www.cloudave.com\/25217\/cloudpassage-cloud-security-survey\/."},{"key":"ref_45","unstructured":"Bauer, D.S., and Koblentz, M.E. NIDX-an expert system for real-time network intrusion detection. Proceedings of the [1988] Proceedings. Computer Networking Symposium, Washington, DC, USA."},{"key":"ref_46","unstructured":"Jackson, K., DuBois, D., and Stallings, C. (1991, January 1\u20134). An Expert System Application for Network Intrusion Detection. Proceedings of the National Computer Security Conference, Washington, DC, USA."},{"key":"ref_47","doi-asserted-by":"crossref","unstructured":"Gruschka, N., and Jensen, M. (2010, January 5\u201310). Attack Surfaces: A Taxonomy for Attacks on Cloud Services. Proceedings of the 2010 IEEE 3rd International Conference on Cloud Computing, Miami, FL, USA.","DOI":"10.1109\/CLOUD.2010.23"},{"key":"ref_48","unstructured":"Simmons, C., Ellis, C., Shiva, S., Dasgupta, D., and Wu, Q. (2014). AVOIDIT: A Cyber Attack Taxonomy, University of Memphis. Technical Report."},{"key":"ref_49","unstructured":"(2024, December 23). Cloud Security Alliance Releases Top Threats to Cloud. Available online: https:\/\/cloudsecurityalliance.org\/press-releases\/2024\/08\/06\/cloud-security-alliance-releases-top-threats-to-cloud-computing-2024-report."},{"key":"ref_50","unstructured":"Joint Task Force Transformation Initiative (2025, April 02). SP 800-53 Rev. 3. Recommended Security Controls for Federal Information Systems and Organizations; National Institute of Standards and Technology, Gaithersburg, MD, USA, Available online: https:\/\/nvlpubs.nist.gov\/nistpubs\/Legacy\/SP\/nistspecialpublication800-53r3.pdf."},{"key":"ref_51","doi-asserted-by":"crossref","unstructured":"van Solingen, R., Basili, V., Caldiera, G., and Rombach, H.D. (2002). Goal Question Metric (GQM) Approach. Encyclopedia of Software Engineering, John Wiley & Sons, Inc.","DOI":"10.1002\/0471028959.sof142"},{"key":"ref_52","doi-asserted-by":"crossref","unstructured":"Abuhussein, A., Alsubaei, F., Shiva, S., and Sheldon, F.T. (2016, January 10\u201314). Evaluating Security and Privacy in Cloud Services. Proceedings of the 2016 IEEE 40th Annual Computer Software and Applications Conference (COMPSAC), Atlanta, GA, USA.","DOI":"10.1109\/COMPSAC.2016.263"},{"key":"ref_53","unstructured":"(2025, January 26). Code Spaces Forced to Close Its Doors After Security Incident|CSO Online. Available online: http:\/\/www.csoonline.com\/article\/2365062\/disaster-recovery\/code-spaces-forced-to-close-its-doors-after-security-incident.html."},{"key":"ref_54","unstructured":"Moss, S. (2025, January 26). Major DDoS Attack on Dyn Disrupts AWS, Twitter, Spotify and More. Available online: http:\/\/www.datacenterdynamics.com\/content-tracks\/security-risk\/major-ddos-attack-on-dyn-disrupts-aws-twitter-spotify-and-more\/97176.fullarticle."},{"key":"ref_55","unstructured":"(2025, February 24). The Hunt for ALBeast: A Technical Walkthrough|Miggo. Available online: https:\/\/www.miggo.io\/resources\/uncovering-auth-vulnerability-in-aws-alb-albeast."},{"key":"ref_56","doi-asserted-by":"crossref","first-page":"1357","DOI":"10.1109\/32.6178","article-title":"Evaluating Software Complexity Measures","volume":"14","author":"Weyuker","year":"1988","journal-title":"IEEE Trans Softw. Eng."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/4\/291\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:10:30Z","timestamp":1760029830000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/16\/4\/291"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,4]]},"references-count":56,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,4]]}},"alternative-id":["info16040291"],"URL":"https:\/\/doi.org\/10.3390\/info16040291","relation":{},"ISSN":["2078-2489"],"issn-type":[{"type":"electronic","value":"2078-2489"}],"subject":[],"published":{"date-parts":[[2025,4,4]]}}}