Companies looking to adopt cloud computing could cut their chances of being compromised by using a statistical framework to assess risk according to Runaware. Concerns about security are the main inhibitors for companies looking to adopt cloud technology, yet a simple methodology could be employed to reduce exposure said Dr Prasad Saripilli, the VP for Runaware.

He said that the quantitative impact and risk assessment framework (QUIRC) was a framework that could be usefully employed to mitigate exposure to security breaches. The technique is based on a long-standing methodology, the Delphi wideband method, although he conceded that it had not been used to assess cloud security risk before.

The Delphi wideband framework is used extensively in other industries. It works by assigning numerical values to the probability of an attack, and its severity. The assessments are made by experts in the field – it's used in fields such as climate change for example, said Saripalli. The experts decide the risks, hear each other assessments and reappraise their own thinking until they arrive at a consensus.

Although it's not been used in cloud computing, Saripalli said that companies could use this method to determine the impact an attack would have on a cloud provider. "If you move to a cloud-based model , you have to work out the risks. If that site went down for three minutes, what is the impact, you'll get different experts defining that impact."

Where the framework will prove particularly useful said Saripalli, "is in comparing cloud offerings from two or more different cloud vendors (providers) for a given customer. Since QUIRC results are quantitative, this can be achieved by comparing the metrics. "

Saripalli said that one of the key tasks was to encourage the framework to be adopted as a standard. He said that he was already in conversation with the IEEE about the possibility. He said that the more people who used the framework the better it would become. "The confidence in the methodology improves – and new knowledge comes back. For example, in assessing which are the real critical threats to watch out for."