Risk Assessment for Big Data in Cloud: Security,
Privacy and Trust
Hazirah Bee bt Yusof Ali
Kulliyah of Information and Communication Technology
International Islamic University Malaysia
+6019 2229179
hazirahbee@gmail.com
Mira Kartiwi
Kulliyah of Information and Communication Technology
International Islamic University Malaysia
+6016 2928314
mira@iium.edu.my
ABSTRACT
The alarming rate of big data usage in the cloud makes data
exposed easily. Cloud which consists of many servers linked to
each other is used for data storage. Having owned by third parties,
the security of the cloud needs to be looked at. Risks of storing
data in cloud need to be checked further on the severity level.
There should be a way to access the risks. Thus, the objective of
this paper is to use SLR so that we can have extensive background
of literatures on risk assessment for big data in cloud computing
environment from the perspective of security, privacy and trust.
CCS Concepts
• Software and its engineering ➝ Software organization and
properties ➝ Software system structures ➝ Distributed
systems organizing principles ➝ Cloud computing
• Software and its engineering ➝ Software creation and
management ➝ Software development process management
➝ Risk management
• Security and privacy ➝ Formal methods and theory of
security ➝ Trust frameworks
Keywords
Risk Assessment; Big Data; Cloud; Security; Privacy; Trust
1. INTRODUCTION
The increasing usage of big data in cloud computing environment
Permission to make digital or hard copies of all or part of this work for
personal or classroom use is granted without fee provided that copies are
not made or distributed for profit or commercial advantage and that copies
bear this notice and the full citation on the first page. Copyrights for
components of this work owned by others than ACM must be honored.
Abstracting with credit is permitted. To copy otherwise, or republish, to
post on servers or to redistribute to lists, requires prior specific permission
and/or a fee. Request permissions from Permissions@acm.org.
AICCC '18, December 21–23, 2018, Tokyo, Japan
© 2018 Association for Computing Machinery.
ACM ISBN 978-1-4503-6623-6/18/12...$15.00
DOI: https://doi.org/10.1145/3299819.3299841
63
Lili Marziana bt Abdullah
Kulliyah of Information and Communication Technology
International Islamic University Malaysia
+6016 2928314
lmarziana@iium.edu.my
Azlin Nordin
Kulliyah of Information and Communication Technology
International Islamic University Malaysia
+6016 2928314
azlinnordin@iium.edu.my
today makes us wonder if the existing security measures can still
be applied. Big data is very different compared to traditional
databases where it is measured by volume, variety, velocity and
value [1]. Big data’s architecture of “highly distributed, real time,
ad-hoc queries, parallel and power programming language, move
the code, nonrelational data, auto-tiering and variety of input data
sources” causes the increasing amount of data to be managed in
the internet [1].
As big data needs to be stored in the cloud, the cloud computing
distributes the computing tasks to other servers in the internet [2] .
Cloud users use resources, access servers and storage based on
demand [2].Cloud computing provides fast, efficient and cheap
computing power while maximizing user’s need of storage [2].
Cloud as a storage reduces the cost of operations since the
companies do not have to buy and to manage servers themselves
[2].
Besides being used as a storage, cloud usage increases the
companies’ performance. Cloud’s features of shared infrastructure,
shared platform and shared software enable companies to operate
efficiently regardless of storage location. Not only that, cloud also
improves scalability, availability and techniques especially when
lost information need to be recovered [3].
Both big data and cloud computing together benefit companies
and because of that, the usage of big data increases drastically in
the cloud. With the drastic increase, there are few emerging
security concerns. Big data is much more vulnerable compared to
traditional database [1] as it is now stored in servers owned by the
cloud provider in the cloud. The speed of data creation, the
structured and unstructured data format and the various usage of
data make protecting big data in the cloud become intolerable [1].
The leakages of big data to irrelevant parties increase by the day
and the probability of data leaks become higher than expected[4].
Leakages of big data are mainly due to increased risks. Therefore,
it is important for us to understand what risk is. The classic
definition of risk associated to an incident is:
RISK(I) = IMPACT(I) * PROBABILITY(I)
The formula is enough if we know exactly, the number of
occurrences to get the probability and the number of victims to get
the value for impact [4]. Unfortunately, this is not happening for
big data in the cloud. The formula is not suitable for big data in
the cloud computing environment as the occurrence of security
leakages can happen continuously [4]. Not only that, the victim
can be a single victim and can also be a mass victim. Therefore,
calculating risks accurately for big data in the cloud can turn out
to be a nightmare.
Our investigation of the literatures started with systematic
literature mapping [5] and continued with systematic literature
review to understand previous researches being done on risk
assessment of big data in the cloud. Section 1 introduces the
research, Section 2 presents the methodology, Section 3 presents
the results, Section 4 presents the findings and finally Section 5
concludes the research.
2. METHODOLOGY
2.1 Systematic Literature Mapping
We started our research with systematic literature mapping
(Mapping) to map researches that had been done so that we can
identify gaps for further research [6]. Mapping is done prior to
SLR where it helps to answer the research questions so that we
can get a wider scope of the research and to continue with SLR
[6].
We adopted Mapping process done by [7] and the steps taken are
define the research questions, conduct the search, screening of
papers, keywording using abstracts and finally data extraction and
mapping process.
After going through all the processes used by [7], we found that
few literatures discussed on risk assessment . Therefore, we
decided to focus on risk assessment for the SLR.
2.2 Systematic Literature Review
Systematic Literature Review (SLR) helps to identify, to evaluate
and to interpret all literatures related to the research questions [8].
Research questions that relate to the title of the research provide
us with related literatures. The literatures being reviewed using
SLR enable us to see the gaps for future research [8]. Besides that,
SLR also provides us with extensive background of literatures so
that we really understand the research we are focusing on [8].
[9] explained the differences of Mapping and SLR. Mapping
summarizes previous researches, describes and classifies what has
been produced by the literatures while SLR critically examines •
the contributions of previous researches, explains the results and •
finally clarifies different views of previous researches [9].
• Research approaches or types
SLR processes are similar to Mapping where we must define the
research questions, conduct the search, screening of papers,
keywording using abstracts and data extraction [8].
2.2.1 Review Question
Our questions for this research focus on risk assessment for big
data in cloud. The review questions should be able to lead us on
what to research. In order to do that, they should follow the five
elements as listed below [10]:
Table 1: PICOC Table
1 Population (P) Big data offerings on cloud
. Methods include framework, modeling approach, modelling
64
2 Intervention (I) Risks assessment of security, privacy
. and trust
3 Comparison (C) Nil
.
4 Outcomes (O) Effectiveness of risk assessment
.
5 Context (C) Big data in cloud
.
RQ1: What areas of risk assessment for big data in cloud
computing that has been addressed?
RQ2: What was developed to achieve advances in risk
assessment for big data in cloud computing?
RQ3: What approaches / types were applied in risk assessment
in big data and cloud computing?
2.2.2 Search Strategy and Selection Criteria
Through mapping, we reduced the number of literatures from
1802 to 56. Since, conducting search in mapping is applicable to
conducting search in SLR and the same search string is being used,
the same number of literatures is used for SLR. The search string
focus on population, intervention and outcome from the PICOC
table.
Search string for SLR is as stated below.
(“risk assessment” OR “risk analysis” OR “risk management” OR
“risk treatment” OR “risk mitigation”) AND “big data” AND
cloud
Inclusion criteria for this research includes security, privacy and
trust in big data with the cloud together and risk assessment
framework in big data and cloud.
Exclusion criteria are those criteria to be excluded from the
research. Both inclusion and exclusion criteria enable us to focus
on risk, big data and cloud together with security, privacy and
trust.
2.2.3 Classification Scheme
The classification scheme coincides with the review questions that
focus on risk assessment for big data in cloud. As we are
interested on risk assessment for big data in cloud computing
environment, we classify the literatures into 3 categories.
Areas of risk assessment for big data in cloud computing
Achievement of literatures in the focus area
The first category is “areas of risk assessment for big data in cloud
computing”. Areas include: Storage, Software/System
Development, Visualization, Application/Solution, Analytics,
Virtualization, Data, Network and Provider. This category will
help to answer RQ1.
The second category is the “achievement of the literatures in the
focus area” that includes Processes, Methods, Models, Metrics
and Tools [11]. This category will answer RQ2.
Processes describe flow of activities [12].
Methods describe the blueprint of building models of situations.
guideline and best practice where they are guidelines to build Out of 56, only 12 studies focus on risk assessment. Almost half
models [9]. focus on Application/Solution while the least number of studies
focus on Provider.
Models originate from constructs and models to enable situations
to be generalized into patterns for application of similar domains
[9]. Conceptual models, abstractions and representations are in Bar Chart 2
this category [9] . 6 5
Metrics measure important variables [12] and finally, Tools 4
support software variability [12]. 4
2
The third category is research approaches or types. This will help
2 1
to answer RQ3.
In total, there are 3 categories and the objective of the categories 0
is to ensure that we can answer RQ1, RQ2 and RQ3 with ease. Risk Assessment for Big Data in Cloud

2.2.4 Data Extraction Application/Solution Data Network Provider

As our interest is on risk assessment for big data in cloud
computing environment, we classify the literatures into 3
Bar Chart 2 shows 12 literatures on risk assessment. Here the
categories: areas, achievement and research approaches as stated
literatures discuss on Application/Solution, Data, Network and
in the classification scheme.
Provider. 5 literatures focus on Application/Solution, 4 literatures
3. RESULTS focus on Data, 2 literatures focus on Network and 1 literature
focuses on Provider.
3.1 Answer to the SLR questions
RQ1: What areas of risk assessment for big data in cloud RQ2: What was developed to achieve advances in risk
computing that has been addressed? assessment for big data in cloud computing?

The literature discussing research on risk assessment for big data The studies’ contributions can be grouped according to Process,
in cloud computing can be classified following the asset Method, Model, Metric and Tool [12]. Process tells us about the
components of big data and cloud computing which cover storage, flow of activities or actions, Method describes the rules of how
software/system development, visualization, application/solution, certain jobs need to be done, Model resembles a replica of the real
analytics, virtualization, data, network and provider. situation, Metric measures any variable and finally, tool provides
software tool to support software variability [12].
Bar Chart 1 25
Bar Chart 3
20 28
30
20
20
13
15 8
10 6
1
9 9 10 0
8
SLR Literatures for Big Data in Cloud
Process Method Model Metric Tool
3 3 5
2 During our segregation of literatures based on the contribution, we
1 1 found that 28 literatures contribute to Model, followed by 13
0 literatures contribute to Process, 8 literatures contribute to Metric,
SLR Literatures for big data in cloud 6 literatures contribute to Method and finally 1 literature
contributes to Tool.
Storage Software/System Development Bar Chart 4
Visualization Application/Solution
Analytics Virtualization
10
6
Data Network
Provider 5 3
2
1
Bar Chart 1 displays all the 56 literatures that we get from SLR. 0
More literatures focus on Application/Solution compared to Risk Assessment for Big Data in Cloud
Storage and Visualization.

Process Method Model Metric

65

In Bar Chart 4, we found that 6 literatures contribute to Process, 1
literature contributes to Method, 2 literatures contribute to Model
and 3 literatures contribute to Metric. None of the risk assessment
literatures discussed on Tool.
RQ3: What research approaches / types were applied in risk
assessment in big data and cloud computing?
Research approach that can be applied for risk assessment for big
data in cloud computing are Validation, Philosophical, Experience
and Evaluation [9][12].
Before we can segregate the literatures into these research
approaches, we need to understand their meanings and usage.
Validation research is applied if the technique is novel and yet to
be tested and implemented [7][13]. The research technique
involves collecting and analyzing data to assess the accuracy of
the instrument. Example of validation research are techniques
used for experiments which are done in the lab [12].
Philosophical research involves looking at new ways of doing
things and proposes a framework [7][12].
Evaluation research on the other hand, evaluates the techniques
implemented in real situation [7][13] so that we know the
advantages and disadvantages of the research in actual
environment [13][12].
Experience research is the research that has been done before [12].
Usually, it comes from the authors’ experiences themselves [12].
Bar chart 5
10
6 included in the risk assessment.
5 3
2 replace the continuous risk monitoring. Therefore, [17] proposed
1
0 deployment of different security controls. The procedure can
Risk Assessment for Big Data in Cloud
Validation Philosophical Experience Evaluation
By analyzing Bar Chart 5, it is found that 6 literatures use
Validation, 3 literatures use Experience, 2 literatures use
Philosophical and 1 research uses Evaluation as the research
approach.
Many literatures focus on Validation to compare the accuracy of
the instruments with the real environment. Validation has the
highest number of literatures followed by Experience,
Philosophical and finally Evaluation.
4. FINDINGS AND GAPS
Not many literatures focus on Storage, Software/System
development, Visualization, Analytics and Virtualization. None of
the literatures is looking into Tools as contribution.
Past researches do contribute to risk assessment for big data and
cloud. Out of 56 literatures, 12 literatures investigate risk
assessment and below are some of the findings.
[14] proposed an improved cloud matter-element model. Data
involved in information security evaluation is processed by
calculating the correlation between sample cloud and the grade
66
limit[14]. Using comprehensive weight method, weigth vector is
obtained [14]. The improved model not just look after the
“dynamic and fuzzy” of information security evaluation but also
solve the problem of expert evaluation and the lack of “objective
and comprehensive” evaluation [14]. This is a comprehensive
method that can overcome the weaknesses of a single weight
method [14] . The analysis of the model shows that lack of control
have a positive correlation to risk [14]. The improved cloud
matter-element model uses confidentiality, integrity and
availability as indicator of its assets value to control the risk [14].
While [14] provided a solution to evaluate information security
risk, [15] presented a framework to show various information
objects involved in ISO27005 risk management standard. [15]
classified the information using the guidelines of UNINETT
scheme. The classification helps to segregate information based
on its “sensitivity and importance” [15]. The classification helps
to identify the information that needs to be protected and the level
of protection required. Besides that, the classification also helps in
providing the storage time and serves as a disposal guideline[15].
Finally, the classification helps the companies to protect the
information’s confidentiality, integrity and availability where
personal information is segregated and therefore, privacy can be
preserved [15].
[16] on the other hand, investigated risk assessment and
management of information system. Systematic analysis of threats
and vulnerabilities is required so that system security can be
assured [16] and the occurrence of risks that comes from
confidentiality, integrity and availability can be easily managed
[16]. [16] claimed that monitoring risk continuously is needed so
that risk assessment activity can produce correct information on
information security risks. [16] also believed that privacy control
is becoming more important that privacy protection needs to be
[17] claimed that current cloud assurance standards can never
using risk assessment procedure to processes obtained with the
provide automatic assessment of costs and risk factors [17]. Not
only that, the procedure enables us to have risk aware design and
cloud-based services deployment easily [17].
[18] provided security risk assessment algorithm for cyber
physical power system. [18] used “rough set and gene expression”
programming. [18] claimed that the algorithm makes “high
efficiency of function mining, accuracy of security risk level
prediction and strong practicality” [18] .
[19] demonstrated how trust and control can help to mitigate the
risk of cloud computing adoption for highly sensitive data. [19]
stated that trust and control are factors for cloud adoption where
the two types of trust which are competent trust and goodwill trust
together with formal control can reduce the risk [19]. Increasing
goodwill trust and competence trust can bring the perceived risk
of cloud adoption to an acceptable level [19].
[20] introduced continuous assessment techniques so that cloud
service customers can have the security and privacy assurances of
cloud service providers. Metrics usage as a tool provides security
assurance and transparency to the cloud service customer [20].
Metrics improve cloud service customers’ risk evaluation and the
improvement technique enables cloud service customers to choose
the best cloud service providers [20]. This situation resulted in the
increase of cloud service customers’ trust to the chosen cloud
service providers [20].
To summarize, all the literatures above discuss on risk assessment
from various perspectives. 4 literatures contribute to risk
assessment model, algorithm, metrics and tool. [14] used risk
evaluation model to solve the dynamic and fuzzy of security
evaluation and also solve the problem of expert evaluation. [18]
used security risk assessment algorithm to predict security risk
level. [20] used metrics to assess risk and continuous assessment
techniques to ensure cloud service customers’ trust on the security
and privacy assurances of cloud service providers. [17] used risk
assessment procedure to processes obtained with the deployment
of different security controls to provide automatic assessment of
costs and risk factors.[16] used systematic analysis of threats and
vulnerabilities in risk assessment to provide a better security. [15]
used classification to segregate information based on the
importance and level of protection required to protect privacy.
Finally, [19] used trust and control to reduce risk of cloud
adoption.
5. CONCLUSION
Security of using big data in the cloud is a factor for companies in
deciding whether to use or not to use the facilities of big data in
the cloud. From the literatures, it is found that, privacy is being
discussed everywhere. Even though companies know the benefits
of using big data in the cloud and the benefits of open access
infrastructure of the cloud, they still need their privacy. Privacy
contradicts with the freedom of using big data in the cloud and
when security and privacy are being investigated seriously, trust
gradually emerge. Trust enables companies to trust the cloud and
make full use of the cloud facilities without any question of
cloud’s credibility.
Literatures on trust for big data in the cloud are lacking. Thus, we
need to put more efforts on it so that we can trust the big data
even though they are residing in the cloud.
6. ACKNOWLEDGMENTS
This research has been funded by Fundamental Research Grant
Scheme (FRGS16-022-0521) supported by Ministry of Higher
Education.
7. REFERENCES
[1] M. Paryasto, A. Alamsyah, and B. Rahardjo, “Big-data
security management issues,” 2014 2nd Int. Conf. Inf.
Commun. Technol., pp. 59–63, 2014.
[2] D. Zhe, W. Qinghong, S. Naizheng, and Z. Yuhan,
“Study on Data Security Policy Based on Cloud Storage,”
2017 IEEE 3rd Int. Conf. Big Data Secur. Cloud
(BigDataSecurity), IEEE Int. Conf. High Perform. Smart
Comput. IEEE Int. Conf. Intell. Data Secur., pp. 145–149,
2017.
[3] L. R. Techio and M. Misaghi, “EMSCLOUD - An
evaluative model of cloud services cloud service
management,” 5th Int. Conf. Innov. Comput. Technol.
INTECH 2015, no. Intech, pp. 100–105, 2015.
[4] E. Damiani, “Toward big data risk analysis,” 2015 IEEE
Int. Conf. Big Data (Big Data), pp. 1905–1909, 2015.
[5] H. B. Yusof Ali, L. M. Abdullah, M. Kartiwi, A. Nordin,
N. Salleh, and N. S. A. A. Bakar, “A Systematic
Literature Mapping of Risk Analysis of Big Data in
Cloud Computing Environment,” J. Phys. Conf. Ser., vol.
67
1018, no. 1, 2018.
[6] D. Budgen, M. Turner, P. Brereton, and B. Kitchenham,
“Using Mapping Studies in Software Engineering,” Proc.
PPIG, vol. 2, pp. 195–204, 2008.
[7] S. Zein, N. Salleh, and J. Grundy, “A systematic
mapping study of mobile application testing techniques,”
J. Syst. Softw., vol. 117, pp. 334–356, 2016.
[8] Kitchenham, “Performing systematic literature reviews in
software engineering,” Proceeding 28th Int. Conf. Softw.
Eng. - ICSE ’06, vol. 45, no. 4ve, p. 1051, 2007.
[9] Verdonck and F. Gailly, “An Exploratory Analysis on the
Comprehension of 3D and 4D Ontology-Driven
Conceptual Models,” Concept. Model. - ER 2016, Lect.
Notes Comput. Sci. vol. 9975, vol. 9975, no. 2, pp. 163–
172, 2016.
[10] M. Petticrew and H. Roberts, Systematic Reviews in the
Social Sciences: A Practical Guide. 2006.
[11] K. Petersen, R. Feldt, S. Mujtaba, and M. Mattsson,
“Systematic mapping studies in software engineering,”
EASE’08 Proc. 12th Int. Conf. Eval. Assess. Softw. Eng.,
pp. 68–77, 2008.
[12] S. Mujtaba, K. Petersen, R. Feldt, and M. Mattsson,
“Software product line variability: A systematic mapping
study,” Sch. Eng. Blekinge Inst. Technol., no. November
2015, 2008.
[13] K. Petersen, R. Feldt, S. Mujtaba, and M. Mattsson,
“Systematic Mapping Studies in Software Engineering,”
12Th Int. Conf. Eval. Assess. Softw. Eng., vol. 17, p. 10,
2008.
[14] D. Zong-you, Z. Wen-long, S. Yan-an, and W. Hai-tao,
“The application of cloud matter #x2014; Element in
information security risk assessment,” 2017 3rd Int. Conf.
Inf. Manag., pp. 218–222, 2017.
[15] V. Agrawal, “A Framework for the Information
Classification in ISO 27005 Standard,” Proc. - 4th IEEE
Int. Conf. Cyber Secur. Cloud Comput. CSCloud 2017
3rd IEEE Int. Conf. Scalable Smart Cloud, SSC 2017, pp.
264–269, 2017.
[16] Lulu Liang, Wang Ren, Jing Song, Huaming Hu, Qiang
He, and Shuo Fang, “The state of the art of risk
assessment and management for information systems,”
2013 9th Int. Conf. Inf. Assur. Secur., pp. 66–71, 2013.
[17] V. Bellandi, S. Cimato, E. Damiani, G. Gianini, and A.
Zilli, “Toward economic-aware risk assessment on the
cloud,” IEEE Secur. Priv., vol. 13, no. 6, pp. 30–37, 2015.
[18] S. Deng, D. Yue, X. Fu, and A. Zhou, “Security risk
assessment of cyber physical power system based on
rough set and gene expression programming,” IEEE/CAA
J. Autom. Sin., vol. 2, no. 4, pp. 431–439, 2015.
[19] A. Khosravani, “A case study analysis of risk, trust and
control in cloud computing,” … Conf. (SAI), 2013, pp.
879–887, 2013.
[20] R. Trapero, J. Luna, and N. Suri, “Quantifiably Trusting
the Cloud: Putting Metrics to Work,” IEEE Secur. Priv.,
vol. 14, no. 3, pp. 73–77, 2016.