CC BY
45
Информатика, вычислительная техника и управление
DOI: 10.14529/cmse160206
TOWARDS A QUANTITATIVE MODEL OF CLOUD COMPUTING RISKS AND BENEFITS1
Y. A. Zelenkov, Financial University under the Government of the Russian Federation, Moscow, Russian Federation
Migrating to the cloud is the main direction of enterprise IT optimization today. Many research papers confirm that cloud computing provides economic benefits, because it enhances flexibility and reduces costs. In other studies, cloud-specific risks are identified and their impact on the customer business is evaluated. However, most often, benefits and risks are considered separately. Model that allows simultaneously evaluate these factors is proposed here. Key factors of tangible and intangible benefits and risks are identified that allows to estimate joint impact of costs and risks on cloud adoption. Simple rules that help to quantify these factors and compute consistent pairwise comparison matrices are also proposed. Usage of proposed method is demonstrated with simple example.
Keywords: cloud computing, cloud computing risks, cloud computing benefits, multi criteria decision making.
FOR CITATION
Zelenkov Y.A. Towards a Quantitative Model of Cloud Computing Risks and Benefits. Bulletin of the South Ural State University. Series: Computational Mathematics and Software Engineering. 2016. vol. 5, no. 2. pp. 68-83. DOI: 10.14529/cmse160206.
Introduction
Migrating to the cloud is the main trend of enterprise IT optimization today. Many research papers show that cloud computing provides significant tangible and intangible economic benefits, namely reduced costs and enhanced flexibility of enterprise IT [1].
An increasing number of companies choose a model of public clouds, physical resources (servers, data storages...) in that model are owned cloud service provider. Public clouds have given consumers the potential advantage of reallocating their large capital IT expenditures and upfront planning overheads into manageable operational spending and planning. For public cloud providers as well, there are advantages, owing to economies of scale and better utilization of their resources [2, 3].
Literature analysis shows that research papers can be split into two directions. The first examines the economical benefits of the cloud, the second studies the risks that arise in the migration of information resources in the cloud. In both directions the models, which help to assess the efficiency of the clouds, are developed. However, there are very few studies that consider the economical benefits and risks together.
Very often a very complex theoretical models that involve the collection of large amounts of data and complex calculations are proposed. However, in practice it is difficult to collect and measure all required parameters, so such sophisticated techniques are of limited use.
1 The article was recommended for publication by the program committee of the International Scientific Conference «Parallel Computing Technologies - 2016»
Therefore, practice requires a fairly simple method that allows to compare different alternatives (public cloud, private cloud, own IT, etc.) on the basis of simple expert evaluations of potential benefits and risks.
Comparison of few alternatives is the problem of Multi Criteria Decision Making (MCDM). Solution of any MCDM problem consists from few steps [4]. The first step is to define the set of alternatives and the set of decision criteria that the alternatives need to be evaluated with. Definition of alternatives in practice usually does not cause the difficulties. Following options usually should be analyzed in particular case of cloud computing: the usage of own IT services, transfer of IT services to the cloud, and different combination of these scenarios.
Next very critical step is to accurately estimate the pertinent data. Very often these data cannot be known in terms of absolute values, and it is very difficult to quantify it correctly. Therefore, many MCDM methods attempt to determine relative importance of alternatives.
Last step is to compare identified alternatives with help of one of MCDM method.
Goals of presented research are: (1) to propose a simple set of criteria to assess the feasibility of cloud computing that can be used in practice, and (2) to propose rules to determine relative importance of alternatives in terms of each criterion involved in a MCDM problem.
1. Research literature review
Many articles contributing to technical aspects have appeared in research literature of cloud computing. But in a related review, Yang and Tate [5] concluded that the organization of research pertaining to business aspects of cloud computing is still in a nascent stage, as compared to technical aspects.
Karunakaran et all [3] collected 155 articles related to business view of cloud, which were published until 2012, and classified them into a classification framework that is a refinement of that found in Marston et al. [1]. According to their findings main themes of research are: pricing (32 papers), adoption (24 papers), economic value (20 papers), and sourcing (17 papers). Both issues what are the subject of our research (economic benefits and risks) are studied together only in several papers concerned to cloud service provider selection (the sourcing theme in classification of [3]). Nevertheless, Karunkaran et al. [3] argue, that the themes cost, quality of service (QoS) and risks appear intertwined and hence future research should focus on providing holistic solutions.
1.1. Economical benefits of cloud computing
Most common used methods within economical estimation of cloud computing are: profitability indicators (such as ROI—Return of Investment), NPV (Net Present Value), TCO (Total Cost of Ownership) and productivity per employee.
For example, Tak et al. [6] identify a comprehensive set of factors affecting the costs of a deployment choice (in-house, cloud, and combination), and use NPV-based cost analysis for adoption recommendations. Due to the complexity of quantifying associated security risk encountered with deployment choices, they do not include the risk factor in their current version of analysis.
KhajehHosseini et al. [7] compare TCO reduction for different scenarios of IT services deployment (purchasing a physical servers, leasing, using the cloud), similar approach is used by Williams [8]
Mirsa and Mondal [9] developed a general ROI model, which takes into consideration various intangible impacts of Cloud Computing, apart from the cost. Their model includes some of the key characteristics of the resources possessed by a company: (1) Size of the IT resources, (2) The utilization pattern of the resources, (3) Sensitivity of the data they are handling, and (4) Criticality of work done by the company. Based on this position they developed weighted sum model of economical benefits.
Maresova [10] adopted general steps of Cost-Benefit Analysis (CBA) for cloud computing purposes. She proposed a system of criteria, which is divided into three levels: economic, operational and technical criteria, to specify a cloud computing deployment. These criteria should help to decide which subjects are related to the impacts of the project, describe the differences between current IT and cloud computing, and identify and quantify all related costs and benefits. Examples of costs are: expenditure of time for implementation, support service, User-dependent basic charges, storage capacity, data transfer and etc. Examples of benefits: reduction in operating costs of IT department, energy saving, etc.
There are also studies that evaluate the effectiveness of the clouds with the help of non-economic criteria. Garg et al. [11] propose a framework that measure the quality and rank cloud services offering by different providers. They use parameters like service response time, sustainability, suitability, accuracy, etc. Each individual parameter affects the service selection process, and its impact on overall ranking depends on its priority in the overall selection process. To address this MCDM problem, they propose an Analytic Hierarchy Process (AHP) based ranking mechanism to solve the problem of assigning weights to features considering the interdependence between them, thus providing a much-needed quantitative basis for the ranking of cloud services.
Sundarraj and Venkatraman [12] integrate an information system success model [13] with preference elicitation techniques drawn from MCDM literature. This helps them to combine in one model four technical qualitative criteria viz. information quality, system quality, service quality and risk mitigation features with financial quantitative criteria (NPV).
Note, however, that in all cited works threats associated with the possible loss of information or with unauthorized access to it are not considered.
1.2. Security risks of cloud computing
A lot of research is devoted to the identification of cloud-specific risks and assessment of their impact on the business of the customer. Here are some of them.
Takabi et al. [14] argue that although clouds allow customers to avoid start-up costs, reduce operating costs, and increase their agility by immediately acquiring services and infra-structural resources when needed, their unique architectural features also raise various security and privacy concerns. They note that cloud computing environments are multidomain environments in which each domain can use different security, privacy, and trust requirements and potentially employ various mechanisms, interfaces, and semantics. They identified six security and privacy challenges, namely: authentication and identity management, access control accounting, trust management and policy integration, secure-service management, privacy and data protection, and organization security management.
European Network and Information Security Agency (ENISA) report [15] discusses assessment of the security risks and benefits of using cloud computing-providing security guidance for potential and existing users of cloud computing. It identifies most important classes of cloud-specific risks, between them:
• Lost of governance, when client necessarily cedes control to the Cloud Provider (CP) on a number of issues which may affect security;
• Lock-in of standards and procedures that can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment;
• Isolation failure. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants;
• Management interface compromise: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities;
• Cloud computing poses several data protection risks for cloud customers and providers;
• Insecure or incomplete data deletion;
• Malicious insider.
Risk level in cited paper [15] is measured as a sum of qualitative estimations of the business impact and likelihood of the incident.
Subashine et al. [16] present a survey of the different security risks that pose a threat to the cloud. They conclude that there are yet many practical problems which have to be solved, and an integrated security model targeting different levels of security of data for a typical cloud infrastructure is under research.
Hashizume et al. [17] argue, that cloud computing presents an added level of risk because essential services are often outsourced to a third party, which makes it harder to maintain data security and privacy, support data and service availability, and demonstrate compliance. Cloud computing leverages many technologies (SOA, virtualization, Web 2.0); it also inherits their security issues.
In practitioner publications also lot of cloud risks are mentioned, see for example [18] and [19], but hereinafter we will follow Martens and Teuteberg [20], which formalized three most common IT security objectives: confidentiality, integrity and availability.
1.3. Models of the joint assessment of economic benefit and risk
Different authors offer a different approach, which allows to consider various aspects of the problem, but we must admit that none of them is both holistic and simple.
Given security and reliability concerns, Kantarcioglu et al. [21] explored the optimal decision rule for moving certain IT function to public clouds. They assumed that value from the cloud computing adoption are governed by a mixed Brownian/jump process with mean arrival rate of the loss and size of the loss, which are set as parameters. On base of this model they concluded that entrepreneur will attempt to shift to cloud computing sooner than later if he anticipates the probability of negative events is high and the loss is substantial in traditional on-site deployment. But concrete monetization model for the benefits of both computing paradigms, the cloud computing deployment and the traditional on-site computing deployment, is not presented in this paper.
Saripalli and Pingalli [22] argue, that cloud adoption decisions tend to involve multiple, conflicting criteria (attributes) with incommensurable units of measurements, which must be compared among multiple alternatives using imprecise and incomplete available information. They present a multi-attribute decision making framework for cloud adoption. It requires
the definition of Attributes, Alternatives and Attribute Weights, to construct a Decision Matrix and arrive at a relative ranking to identify the optimal alternative. Several important attributes are taken in consideration in this paper, but possible risks did not include in that attribute list.
Martens and Teuteberg [20] developed a sophisticated formal mathematical decision model that supports the selection of cloud computing services in a multisourcing scenario. They consider cost as well as risk factors which are relevant to the decision scope. Coordination costs, IT service costs, maintenance costs and the costs of taken risks were compared. Risks are modeled by means of the three common security objectives: integrity, confidentiality and availability. In cited work, each IT service is considered separately as well as its sourcing options, the relative importance of service is calculated as number of business processes that depend from it. This model can be viewed as an enough full presentation of problem, but the number of its parameters is extremely big, so its usage in practice, most likely, is highly limited.
2. Decision making model for selection of cloud services
We can conclude from discussion in previous section that all reviewed models and methods have some drawbacks. Part of them is based on only qualitative assessments, in quantitative models point estimations are used very often that leads to the flaw of averages [23], the risks and benefits are estimated separately. To close this gap new approach is needed, which can estimate jointly risks and benefits on one hand, and which is simple enough to be used in practice on other.
As it was stated before, selection of optimal way of IT services development is the MCDM problem. The most important steps are: the definition of criteria to make an informed choice from the available alternatives, and quantitative assessment of each alternative under the selected criteria. Usually these steps cause the greatest difficulties in practice.
Many researchers state that advantages of cloud computing can be split on two parts: tangible and intangible economic benefits. Tangible benefits are due to reduction of costs of ownership. Intangible benefits arise as a result of increasing the speed of changes, improving flexibility and the ability to adapt new technologies. Since the cloud computing is associated with the risks, they also have to be included in consideration.
Thus, the minimum acceptable set of criteria should include:
• Tangible economical benefits or cost saving;
• Intangible benefits or flexibility;
• Risks.
The relative importance of the criteria depends on the requirements and priorities of a particular company and is determined for each practical case separately. To determine relative performance of alternatives in terms of each single criterion we will use approach that is based on pairwise comparisons, which was proposed by Saaty [24]. But for the comparative evaluations of alternatives for each criterion the rules are needed, which form the basis for the comparison. The main problem here is to ensure the consistency of all judgments.
Let A1,A2, ...,An be n entities (alternatives or criteria) to be compared. To evaluate the relative weights of the above entities they are compared with each other in terms of a single common characteristic. Results of comparison are represented in matrix A, each entry of which represents a pairwise comparison (judgment). Specifically, the entry a^ denotes the
number that estimates the relative importance of element A¡ when it is compared with element Aj, and a¡j = w¡/wj, where wk denotes the actual weight of importance of element Ak. Obviously, a¡j = 1/aji and ay = 1. For consistent case following condition should be satisfied:
a¡j = aikakj, i 6 [1, n], j 6 [1, n], k 6 [1, n],
Fulfillment of this condition is difficult to achieve in practice, because when the set of entities to be compared contains n elements, the estimation of n(n — 1)/2 pairwise comparisons is required. A measure of closeness to the consistency for the pairwise comparison matrix has been provided by Saaty [24] in terms of the principal eigenvalue Amax:
Ci = ^max — n
n — 1 '
and right eigenvector w = {w1; w2,..., wn} associated with Amax has been considered as weighting vector. Here CI - consistency index and n - number of entities in matrix. Saaty shows that more CI is close to zero, the more the ratios Wi/Wj are close to the preference ratio aij. Many techniques of deriving consistent comparison matrix A are developed [4], but all of them are based on a-posterior quantifying of qualitative non-consistent data. These approaches are based on subjective judgments and require enough sophisticated calculations, that sometimes causes difficulties in practice. So practitioners need a simple method of consistent evaluation of all criteria and alternatives.
To solve formulated problem, according to the above considerations, it is necessary to propose rules of consistent matrices C, S, F and R calculation. Entries Cij of matrix C represent a relative weights of criteria, entries Sij of matrix S represent a relative weights of alternatives under the cost saving criterion, entries fij of matrix F represent a relative weights of alternatives under the flexibility criterion, and entries rij of matrix R represent a relative weights of alternatives under the risk criterion. Procedures for assessing all of these parameters should be as simple as possible and based on available data. For this it is necessary to do two things: firstly, to select those parameters which can be easily quantified, and secondly, to determine measurement scale for each parameter.
2.1. Evaluation of cost saving criterion
To quantify the cost reductions, the discounted cash flows, which form the total cost of ownership, are generally considered, and their Net Present Value (NPV) is calculated [8-10]:
v TCOij NPV = x ij
j Z-, (1 + R)1 ■
1=1
Here NPVj is NPV of alternative j; TCOij is the net cash flow, which is defined as total cost of ownership for alternative j in time period i; R is the discount rate; n is the number of time periods.
The relative cost of ownership of two alternatives Ak and Ai in time period i is:
di,kl = TCOik/TCOii.
Suppose, that TCO^ is the normally distributed random variable with mean mj and variance Gj, it value can be presented via ^(a) - inverse cumulative distribution function of standard normal distribution [25]: TCOij(a; mj, Gj) = mj + Gj^(a), here a is probability. So, relative attractiveness of two alternatives in any time period can be estimated as:
dkl =
mk + ^Жа)
m4 + а4ф(а)
(1)
Therefore, relative cost of two different alternatives can be obtained if mean and variance of their TCO are known. When these data are not available, preliminary estimation of the expected mean can be used. We can conclude also from the equation (1) that linear scale should be used for comparing the relative costs of alternatives.
Obviously, lower value of TCO corresponds to the more attractive alternative. Therefore, in order to transform this problem into a problem of maximization, we should consider the cost saving value Ski = 1/dki for comparison of alternatives.
2.2. Evaluation of flexibility criterion
As was stated above, this criterion assesses the speed of response to changes in IT services requirements. In order to form a basis for it, we will use following considerations. In the context of the contemporary turbulent business environment most important challenge is the need to keep track of coming changes and update IT services accordingly. Once a business
Factors that determine the speed of change
Business A value
Unmanaged change 1 Managed change
Fig. 1. General model of IT service change
event occurs, the value-add of reacting to that event decreases over time. Therefore, it would be in a business's best interest to reduce the time between business events and decisions made about them [26-28]. Zelenkov [29] reviewed the process of IT service change, he postulated that this time gap is made up of three components: change detection, change analysis and solution development, and solution implementation. General model of change, which summarizes the results of [26-29], is presented in Fig. 1.
If the implementation of the changes is delayed, users are trying to adapt existing applications to new challenges [30]. In that case changes are unmanageable, that leads to fragmentation of enterprise IT system, harmony of its original design is lost [31] due to the unforeseen scenarios of usage, incremental improvements, patches, etc. In such situation, the management should be focused on ensuring compliance of IT with the requirements of the organization [32] and, therefore, on managed evolution of enterprise IT system [33]. The rate of change of enterprise IT services must match the speed of changes in the requirements of business [29]. Cloud computing in this case can provide additional value in the form of intangible benefits which are the result of acceleration of IT services change.
To estimate the losses, associated with a delay of changes, let us consider the following variables:
• v0 — the value that an organization would have received if the change were implemented immediately, at the moment of business event;
• t — the time spent on the implementation of changes;
• v(t) — the value that an organization receives if the change is realized over time t.
It is followed from Fig. 1 that the desired function must satisfy the following conditions:
t = 0: v(t) = v> t ^ œ: v(t) ^ 0
For example, power law v(t) = v0e_T satisfy these conditions, where e is the base of of the natural logarithm (Euler's number). Hence, loss due to delays in the implementation of the changes over time t are:
L(t) = v> - v(t) = v> - v>e_T = v>(1 - e"T) . (2)
It follows from equation (2) that the quick reaction to the changes provide a significant impact to the organization, but after a while, the potential of IT service change is exhausted. This may mean that users found alternative way of action under the new conditions, for example, they acquired the IT tools from third-party, without the consent of the IT department, or developed own applications based on spreadsheets and etc.
Equation (2) can be used as a basis for comparison of the intangible benefits of different options of sourcing IT services. Suppose that the expected values of reaction time of the two alternatives Ak and Ai are Tk and tj respectively. Therefore, relative performance of alternatives under flexibility criterion is:
fki=V0fIFH = e(FI-Fk). ki v>e"Fi
So exponential scale should be used for comparing the alternatives and relative performance of alternative is defined by reduction of reaction time, which it promises. These data
can be obtained from the system of change tracing (for existing IT services), service level agreements (for service in the cloud), or on the basis of expert assessments.
2.3. Evaluation of risk criterion
To develop a method for evaluating the potential risks of various alternatives, we will use the seminal model of Gordon and Loeb [34] with additions made Matsuura [35].
Let us consider a one-period economic model of a firm contemplating the additional security efforts to protect a given information set. The information set is characterized by the following three parameters:
• A — the monetary loss conditioned on a breach occurring.
• t — the threat probability, defined as the probability of a threat occurring, since t is a probability, 0 < t < 1. So the potential loss L is defined as L = At.
• v — the vulnerability, defined as the conditional probability that a threat once realized would be successful. Since v is a probability, 0 < v < 1.
Let z > 0 denote the monetary investment in information security to protect the given information set, measured in the same units used to measure the potential loss L The purpose of the investment z is to lower the probability that the information set will be breached. Let S(z, v) denote the probability that an information set with vulnerability v will be breached, conditional on the realization of a threat and given that the firm has made an information security investment of z to protect that information. The expected benefits of an investment in information security, denoted as EBIS, are equal to the reduction in the firm's expected loss attributable to the extra security. That is:
EBIS(z) = [v - S(z, v)]L = A[vt- S(z,v)t] .
Matsuura [35] noted that the information security investment z can reduce the threat probability and that the reduction depends only on the investment z and the current level of threat probability Q. So let T(z, t) denote the probability that a threat occurring, given that the firm has made an investment of z. So in his extended model:
EBIS(z) = A[vt- S(z,v)T(z,t)] . ( 3 )
Equation (3) can be used as a basis for quantitative comparison of risks of various alternatives.
Suppose that the expected values of threat and vulnerability of the two alternatives Ak and Ai are vktk and viti respectively. Therefore, relative performance of alternatives is:
viti
rki =■
vktk
Lower value of vjtj corresponds to the more attractive alternative, therefore, in order to go to the maximization problem, we should consider the reciprocal values under risk criterion. Linear scale should be used for comparing the alternatives under risk criterion.
2.4. Evaluation of priorities of criteria
In case of relative importance of criteria comparison, it is necessary to take in consideration a requirement of normality:
Wj + w2 + —+ Wn = 1,
where Wj — the actual weight of importance of criterion Cj.
As formulated above, in case of cloud computing we deal with only n = 3 parameters. Therefore, following simple procedure can be used in practice. The first step is to assign weights Wj and Wj to two random criteria Cj and Cj based on their relative importance. The values of the weights are selected to satisfy the conditions 0 < wj + Wj < 1. The third criterion weight is calculated as wk = 1 — (wj + Wj). Easy to check that in this case condition of consistency is satisfied, because cjj = cjk/ckj = (Wj/Wk)/(Wk/Wj). If obtained values cjj do not satisfy the decision maker for some reasons, the entire procedure must be performed again, starting with the definition of new values of actual weights Wj, i = 1, ..,n.
3. Example
For example, suppose, that some company considers three options:
• Use of its own IT infrastructure (alternative A-J;
• Migration of all IT services to the public cloud (alternative A2);
• Migration of only non-critical IT services to a public cloud (alternative A3). Absolute values of alternatives in terms of each criterion were estimated by experts,
these values are shown in Table 1.
Table 1
Absolute values of alternatives
Criterion TCO (million dollars per month) X (days) vt (probability)
Ai 0,5 3 0,20
a2 0,2 1 0,30
A3 0,4 2 0,22
In accordance with rules proposed in Section 3, the entries of S, F and R can be calculated as follows:
sjj = TCOj/TCOj, fjj = e(xrx0, rjj = vjtj/vjtj.
Matrices S, F and R are presented in Table 2.
Suppose that after discussion company experts decided that actual weight of cost saving importance is ws = 0,3 and actual weight of flexibility is Wf = 0,15. In accordance with Section 3.4, actual weight of risk is We = 1 — (ws + Wf) = 0,55.
Table 2
Pairwise comparison matrices
Alternatives A\ A] A3
Matrix S
А\ 1 0,4 0,8
a2 2,5 1 2
A3 1,25 0,5 1
Matrix F
A\ 1 0,135 0,368
A] 7,389 1 2,718
A3 2,718 0,368 1
Matrix R
A\ 1 1,500 1,100
A] 0,667 1 0,733
A3 0,909 1,364 1
Let use weighted production model (WPM) to define relative attractiveness of alternatives. WPM is one of best known and simplest MCDM method for evaluating number of alternatives in terms of a number decision criteria. Suppose that a given MCDM problem is defined on m alternatives and n decision criteria, and all the criteria are benefit criteria, that is, the higher the values are, the better it is. Let Wj denotes the relative weight of importance of the criterion Cj and ajki is the relative performance value of alternative Ak regarding alternative Aj when they are evaluated in terms of criterion Cj. So, to compare the two alternatives Ak and Aj the following product has to be calculated [4]:
n
P(Ak/A4) = gajkiw) for k,l = 1,2, ...,m. j=i
If the ratio P(Ak/Aj) is greater than or equal to the value 1, then it indicates that alternative Ak is more desirable than alternative Aj, the best alternative is the one that is better than or at least equal to all other alternatives.
With given C, S, F and R: P(Ai/A2) = 0,703, P(Ai/A3) = 0,848, and P(A2/A3) = 1,206. Therefore, with given criteria priorities and parameters estimations the best alternative is A2, because it is superior to all the other alternatives. The ranking of alternatives is as follows: A2 > A3 > A^
Conclusion
The main goal of paper is to propose simple model that can be used in practice. Three criteria (cost of ownerships saving, intangible benefits that associated with speed of reaction to change and security risks) that have been proposed here are enough simple and all necessary data can be obtained from accounting system, contract conditions, statistics and expert opinions. The proposed method helps easy to get a consistent matrix of pairwise comparisons. All of this leads to the conclusion that the proposed method can be used in practice.
References
1. Marston S., Li Z., Bandyopadhyay S., Zhang J., Ghalsasi A. Cloud Computing: The Business Perspective. Decision Support Systems. 2011. vol. 51, no. 1. pp. 176-189.
2. Armbrust M., Fox A., Griffith R., Joseph A. D., Katz R., Konwinski A. A View of Cloud Computing. Communications of the ACM. 2010. vol. 53, no. 4. pp. 50-58.
3. Karunakaran S., Krishnaswamy V., Sundarraj R.P. Business View of Cloud: Decisions, Models and Opportunities - a Classification and Review of Research. Management Research Review. 2015. vol. 38, no. 6. pp. 582-604.
4. Triantaphyllou E. Multi-Criteria Decision Making: A Comparative Study. Kluwer, 2000. 320 p.
5. Yang H., Tate M. A Descriptive Literature Review and Classification of Cloud Computing Research. Communications of the Association for Information Systems. 2012. vol. 31, no. 1. Paper 2.
6. Tak B.C., Urgaonkar B., Sivasubramaniam A. To Move or not to Move: The Economics of Cloud Computing. Proceedings of the 3rd USENIX Conference on Hot Topics in Cloud Computing. 2011. pp. 5-5.
7. Khajeh-Hosseini A., Greenwood D., Smith J. W., Sommerville I. The Cloud Adoption Toolkit: Supporting Cloud Adoption Decisions in the Enterprise. Software: Practice and Experience. 2012. vol. 42, no. 4. pp. 447-465.
8. Williams B. The Economics of Cloud Computing. Cisco Press, 2011.
9. Misra S. C., Mondal A. Identification of A Company's Suitability for The Adoption of Cloud Computing and Modelling Its Corresponding Return on Investment. Mathematical and Computer Modelling. 2011. vol. 53, no. 3. pp. 504-521.
10. Maresová P. Cost Benefit Analysis Approach for Cloud Computing. Advanced Computer and Communication Engineering Technology. Springer, 2016. pp. 913-923.
11. Garg S. K., Versteeg S., Buyya R. A Framework for Ranking of Cloud Computing Services. Future Generation Computer Systems. 2013. vol. 29, no. 4. pp. 1012-1023.
12. Sundarraj R.P., Venkatraman S.: On Integrating an IS Success Model and Multicriteria Preference Analysis into a System for Cloud-Computing Investment Decisions. Outlooks and Insights on Group Decision and Negotiation. Springer, 2015. pp. 357-368.
13. Delone W.H., McLean E.R. The Delone and Mclean Model of Information Systems Success: A Ten-Year Update. Journal of management information systems. 2003. vol. 19, no. 4. pp. 9-30.
14. Takabi H., Joshi J.B., Ahn G.J. Security and Privacy Challenges in Cloud Computing Environments. IEEE Security & Privacy. 2010. no. 6. pp. 24-31.
15. Catteddu D., Hogben G. Cloud Computing: Benefits, Risks and Recommendations for Information Security. ENISA, 2009. URL: www.enisa.europa.eu/act/rm /files/deliverables/cloud-computing-risk-assessment/at_download/fullReport (accessed: 07.02.2016).
16. Subashini S., Kavitha V. A Survey on Security Issues in Service Delivery Models of Cloud Computing. Journal of Network and Computer Applications. 2011. vol. 34, no. 1. pp. 1-11.
17. Hashizume K., Rosado D.G., Fernández-Medina E., Fernandez E.B. An Analysis of Security Issues for Cloud Computing. Journal of Internet Services and Applications. 2013. vol. 4, no.1. pp. 1-13.
18. Angeles S. 8 Reasons to Fear Cloud Computing. Business News Daily, 2013. URL: http: //www.businessnewsdaily.com /5215-dangers-cloud-computing.html (accessed: 07.02.2016).
19. Grimes R. The 5 Cloud Risks You Have to Stop Ignoring. InfoWorld, 2013. URL: http: //www.infoworld. com / article/2614369/security / the- 5-cloud-risks-you-have-to-stop-ignoring.html (accessed: 07.02.2016).
20. Martens B., Teuteberg F.: Decision-Making in Cloud Computing Environments: A Cost and Risk Based Approach. Information Systems Frontiers. 2012. vol. 14, no. 4. pp. 871893.
21. Kantarcioglu M., Bensoussan A., Hoe S. Impact of Security Risks On Cloud Computing Adoption. 49th Annual Allerton Conference on Communication, Control, and Computing. IEEE, 2011. pp. 670-674.
22. Saripalli P., Pingali G.: MADMAC: Multiple Attribute Decision Methodology for Adoption of Clouds. 2011 IEEE International Conference on Cloud Computing. IEEE, 2011. pp. 316-323.
23. Savage S. L. The Flaw of Averages: Why We Underestimate Risk in The Face of Uncertainty. John Wiley & Sons, 2009.
24. Saaty T. L. Axiomatic Foundation of the Analytic Hierarchy Process. Management Sciences. 1986. no. 32. pp. 841-855.
25. Aivazyan S.A., Yenyukov I.S., Meshalkin L.D. Applied statistics. Bases of modeling and initial data processing. Financy i statisitca, 1983. 471 p.
26. Bonham S. S. Actionable Strategies Through Integrated Performance, Process, Project, And Risk Management. Artech House, 2008.
27. Hackathorn R.: Minimizing Action Distance. Data Administration Newsletter, February 1, 2004. URL: www.tdan.com/i025fe04.htm (accessed: 07.02.2016).
28. Zelenkov Y. Components of Enterprise IT Strategy: Decision-Making Model and Efficiency Measurement. International Journal of Information Systems and Change Management. 2014. vol. 7, no. 2. pp. 150-166.
29. Zelenkov Y. Business and IT Alignment in Turbulent Business Environment. Business Information Systems Workshops, LNBIP. Springer, 2015. vol. 228. pp. 101-112.
30. Ciborra C. The Labyrinths of Information: Challenging the Wisdom of System. Oxford University Press, 2002.
31. Maurer C. Goodhue D. A Theoretical Model of the Enterprise System Agility Life Cycle. AMCIS 2010 Proceedings, 2010. Paper 231.
32. Luftman J., Kempaiah R. An Update on Business-IT Alignment: "A Line" Has Been Drawn. MIS Quarterly Executive. 2007. vol. 6, no. 3. pp. 165-177.
33. Murer S., Bonati B., Furrer F.J. Managed Evolution: A Strategy for Very Large Information Systems. Springer, 2011.
34. Gordon L.A., Loeb M.P. The Economics of Information Security Investment. ACM Transactions on Information and System Security, 2002. vol. 5, no. 4. pp. 438-457.
35. Matsuura K. Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model. M.E. Johnson (ed.), Managing Information Risk and the Economics of Security. Springer, 2009. pp. 99-119.
Received March 1, 2016.
Bulletin of the South Ural State University Series "Computational Mathematics and Software Engineering"
2016, vol. 5, no. 2, pp. 68-83
УДК 65.011.56 DOI: 10.14529/cmse160206
0 КОЛИЧЕСТВЕННОЙ МОДЕЛИ РИСКОВ
И ПРЕИМУЩЕСТВ ОБЛАЧНЫХ ВЫЧИСЛЕНИЙ
Ю.А. Зеленков
Перенос вычислительной инфраструктуры в облака стал сегодня одним из ключевых направлений оптимизации корпоративных ИТ. Обширный ряд исследований доказывает, что облачные вычисления обеспечивают экономическую выгоду, поскольку они повышают гибкость инфраструктуры и снижаю затраты на ее поддержание. Другие исследовательские работы посвящены обсуждению рисков, связанных с облаками, и их влиянию на бизнес. Однако, в большинстве случаев преимущества и риски облачных вычислений обсуждаются раздельно. В работе предложена модель, которая позволяет оценить одновременное влияние всех факторов. Идентифицированы материальные и нематериальные преимущества и риски адаптации к облаку, предложены простые правила, позволяющие оценить их количественно и построить непротиворечивую матрицу попарного сравнения. Использование предложенного метода иллюстрируется на простом примере.
Ключевые слова: облачные вычисления, риски облачных вычислений, преимущества облачных вычислений, мультикритериальное принятие решений.
ОБРАЗЕЦ ЦИТИРОВАНИЯ
Zelenkov Y.A. Towards a Quantitative Model of Cloud Computing Risks and Benefits / /
Вестник ЮУрГУ. Серия: Вычислительная математика и информатика. 2016. Т. 5, № 2.
С. 68-83. DOI: 10.14529/cmse160206.
Литература
1 Marston S., Li Z., Bandyopadhyay S., Zhang J., Ghalsasi A. Cloud Computing: The Business Perspective // Decision Support Systems. 2011. Vol. 51, No. 1. P. 176-189.
2 Armbrust M., Fox A., Griffith R., Joseph A.D., Katz R., Konwinski A. A View of Cloud Computing // Communications of the ACM. 2010. Vol. 53, No. 4. P. 50-58.
3 Karunakaran S., Krishnaswamy V., Sundarraj R.P. Business View of Cloud: Decisions, Models and Opportunities - a Classification and Review of Research // Management Research Review. 2015. Vol. 38, No. 6. P. 582-604.
4 Triantaphyllou E. Multi-Criteria Decision Making: A Comparative Study. Kluwer, 2000. 320 p.
5 Yang H., Tate M. A Descriptive Literature Review and Classification of Cloud Computing Research // Communications of the Association for Information Systems. 2012. Vol. 31, No. 1. Paper 2.
6 Tak B.C., Urgaonkar B., Sivasubramaniam A. To Move or not to Move: The Economics of Cloud Computing // Proceedings of the 3rd USENIX conference on Hot topics in cloud computing. 2011. P. 5-5.
7 Khajeh-Hosseini A., Greenwood D., Smith J.W., Sommerville I. The Cloud Adoption Toolkit: Supporting Cloud Adoption Decisions in the Enterprise / / Software: Practice and Experience. 2012. Vol. 42, No. 4. P. 447-465.
8 Williams B. The Economics of Cloud Computing. Cisco Press, 2011.
9 Misra S.C., Mondal A. Identification of A Company's Suitability for The Adoption of Cloud Computing and Modelling Its Corresponding Return On Investment // Mathematical and Computer Modelling. 2011. Vol. 53, No. 3. P. 504-521.
10 Maresová P. Cost Benefit Analysis Approach for Cloud Computing. / / Advanced Computer and Communication Engineering Technology. Springer, 2016, P. 913-923.
11 Garg S. K., Versteeg S., Buyya R. A Framework for Ranking of Cloud Computing Services // Future Generation Computer Systems. 2013. Vol. 29, No. 4. P. 1012-1023.
12 Sundarraj R.P., Venkatraman S. On Integrating an IS Success Model and Multicriteria Preference Analysis into a System for Cloud-Computing Investment Decisions / / Outlooks and Insights on Group Decision and Negotiation. Springer, 2015. P. 357-368.
13 Delone W.H., McLean E.R. The Delone and Mclean Model of Information Systems Success: A Ten-Year Update // Journal of management information systems. 2003. Vol. 19, No. 4. P. 9-30.
14 Takabi H., Joshi J.B., Ahn G.J. Security and Privacy Challenges in Cloud Computing Environments // IEEE Security & Privacy. 2010. No. 6. P. 24-31.
15 Catteddu D., Hogben G. Cloud Computing: Benefits, Risks and Recommendations for Information Security. ENISA, 2009. URL: www.enisa.europa.eu/act/rm/files/ deliverables/cloud-computing-risk-assessment/at_download/fullReport (accessed: 07.02.2016).
16 Subashini S., Kavitha V. A Survey on Security Issues in Service Delivery Models of Cloud Computing // Journal of Network and Computer Applications. 2011. Vol. 34, No. 1. P. 1-11.
17 Hashizume K., Rosado D.G., Fernández-Medina E., Fernandez E.B. An Analysis of Security Issues for Cloud Computing / / Journal of Internet Services and Applications. 2013. Vol. 4, No.1. P. 1-13.
18 Angeles S. 8 Reasons to Fear Cloud Computing // Business News Daily, 2013. URL: http: //www.businessnewsdaily.com /5215-dangers-cloud-computing.html (accessed: 07.02.2016).
19 Grimes R. The 5 Cloud Risks You Have to Stop Ignoring // InfoWorld, 2013. URL: http: //www.infoworld. com / article/2614369/security / the- 5-cloud-risks-you-have-to-stop-ignoring.html (accessed: 07.02.2016).
20 Martens B., Teuteberg F.: Decision-Making in Cloud Computing Environments: A Cost and Risk Based Approach // Information Systems Frontiers. 2012. Vol. 14, No. 4. P. 871-893.
21 Kantarcioglu M., Bensoussan A., Hoe S. Impact of Security Risks On Cloud Computing Adoption // 49th Annual Allerton Conference on Communication, Control, and Computing. IEEE, 2011. P. 670-674.
22 Saripalli P., Pingali G.: MADMAC: Multiple Attribute Decision Methodology for Adoption of Clouds // 2011 IEEE International Conference on Cloud Computing. IEEE, 2011. P. 316-323.
23 Savage S.L. The Flaw of Averages: Why We Underestimate Risk in The Face of Uncertainty. John Wiley & Sons, 2009.
24 Saaty T.L. Axiomatic Foundation of the Analytic Hierarchy Process / / Management Sciences. 1986. No. 32. P. 841-855.
25 Aivazyan S.A., Yenyukov I.S., Meshalkin L.D. Applied statistics. Bases of modeling and initial data processing. Financy i statisitca, 1983. 471 p.
26 Bonham S. S. Actionable Strategies through Integrated Performance, Process, Project, And Risk Management. Artech House, 2008.
27 Hackathorn R. Minimizing Action Distance / / Data Administration Newsletter, February 1, 2004. URL: www.tdan.com/i025fe04.htm (accessed: 07.02.2016).
28 Zelenkov Y. Components of Enterprise IT Strategy: Decision-Making Model and Efficiency Measurement / / International Journal of Information Systems and Change Management. 2014. Vol. 7, No. 2, P.150-166.
29 Zelenkov Y. Business and IT Alignment in Turbulent Business Environment // Business Information Systems Workshops, LNBIP, vol. 228. Springer, 2015. P. 101-112.
30 Ciborra C. The Labyrinths of Information: Challenging the Wisdom of System. Oxford University Press, 2002.
31 Maurer C., Goodhue D. A Theoretical Model of the Enterprise System Agility Life Cycle // AMCIS 2010 Proceedings, 2010. Paper 231.
32 Luftman J., Kempaiah R. An Update on Business-IT Alignment: "A Line" Has Been Drawn // MIS Quarterly Executive. 2007. Vol. 6, No. 3. P. 165-177.
33 Murer S., Bonati B., Furrer F.J. Managed Evolution: A Strategy for Very Large Information Systems. Springer, 2011.
34 Gordon L.A., Loeb M.P. The Economics of Information Security Investment // ACM Transactions on Information and System Security, 2002. Vol. 5, No. 4. P. 438-457.
35 Matsuura K. Productivity Space of Information Security in an Extension of the Gordon-Loeb's Investment Model // M.E. Johnson (ed.), Managing Information Risk and the Economics of Security. Springer, 2009. P. 99 - 119.
Зеленков Юрий Александрович, д.т.н., заведующий кафедрой прикладной информатики, Финансовый университет при Правительстве Российской Федерации,
yzelenkovûfa. ru
Поступила в редакцию 1 марта 2016 г.
