A Hybrid Decision-making Approach to Security Metrics Aggregation in Cloud Environments

2022 IEEE International Conference on Cloud Computing Technology and Science (CloudCom) (2022)

Abstract
In cybersecurity, being able to quantify the level of security has been a long quest so that decisions can be made toward improving security. Various metrics have been proposed and applied, which can usually be computed from collected measurements. However, only certain aspects of the target system are measured, corresponding to the purpose the metrics were designed for, be it software vulnerabilities or configuration errors, so practitioners lack a concise and clear image of the overall security of a system to act on, especially when it comes to large-scale or complex systems. We argue that overall security metrics are defined by humans based on specific security goals before they can be computed. Therefore, we propose a hybrid approach to the aggregation of well-established individual security metrics by combining machine computation with human decision making. In particular, we modify the Analytic Hierarchy Process (AHP) to reach a group decision of selected “experts”, which can derive the weights of individual metrics for their aggregation. We showcase its feasibility by selecting several common metrics to measure the target systems in our testbed, and conducting an AHP survey with seventeen experts. The resulting overall security score for the target systems shows how our approach enables comparison of the overall security between those systems. By considering cloud-oriented settings, we also showcase how this approach can be applicable to today’s virtualized environments.
Keywords
Security Metrics,Metric Aggregation,AHP,CIS Benchmarks