=Paper= {{Paper |id=Vol-1576/184 |storemode=property |title=Towards a quantitative model of cloud computing risks and benefits |pdfUrl=https://ceur-ws.org/Vol-1576/184.pdf |volume=Vol-1576 |authors=Yuriy Zelenkov }} ==Towards a quantitative model of cloud computing risks and benefits== https://ceur-ws.org/Vol-1576/184.pdf
Параллельные вычислительные технологии (ПаВТ’2016) || Parallel computational technologies (PCT’2016)

                                               agora.guru.ru/pavt




     Towards a quantitative model of cloud computing risks and
                             benefits
                                                 Y. Zelenkov
                Financial University under the Government of Russian Federation

          Migrating to the cloud is the main direction of enterprise IT optimization today. Many
          research papers confirm that cloud computing provides economic benefits, because it enhances
          flexibility and reduces costs. Other studies identify cloud-specific risks and evaluate their
          impact on the customer's business. Most often, however, benefits and risks are considered
          separately. This paper proposes a model that evaluates these factors simultaneously. Key
          factors of tangible and intangible benefits and of risks are identified, which makes it
          possible to estimate the joint impact of costs and risks on cloud adoption. Simple rules that
          help to quantify these factors and to compute consistent pairwise comparison matrices are
          also proposed. Use of the proposed method is demonstrated with a simple example.

          Keywords: cloud computing, cloud computing risks, cloud computing benefits, multi criteria
          decision making.


1. Introduction
     Migrating to the cloud is the main trend of enterprise IT optimization today. Many research papers
show that cloud computing provides significant tangible and intangible economic benefits, namely
reduced costs and enhanced flexibility of enterprise IT [1].
     An increasing number of companies choose the public cloud model, in which the physical resources
(servers, data storage…) are owned by the cloud service provider. Public clouds have given consumers
the potential advantage of reallocating their large capital IT expenditures and upfront planning
overheads into manageable operational spending and planning. For public cloud providers as well, there
are advantages, owing to economies of scale and better utilization of their resources [2,3].
     Literature analysis shows that research papers can be split into two directions. The first examines
the economic benefits of the cloud; the second studies the risks that arise when information resources
are migrated to the cloud. In both directions, models that help to assess the efficiency of clouds are
developed. However, very few studies consider the economic benefits and the risks together.
     Very often, complex theoretical models are proposed that involve the collection of large amounts of
data and complex calculations. In practice, however, it is difficult to collect and measure all the
required parameters, so such sophisticated techniques are of limited use. Practice therefore requires a
fairly simple method for comparing different alternatives (public cloud, private cloud, own IT,
etc.) on the basis of simple expert evaluations of potential benefits and risks.
     Comparing several alternatives is a Multi Criteria Decision Making (MCDM) problem. The solution of
any MCDM problem consists of a few steps [4]. The first step is to define the set of alternatives
and the set of decision criteria against which the alternatives are to be evaluated. Defining the
alternatives usually causes no difficulty in practice. In the particular case of cloud computing, the
following options usually have to be analysed: the use of own IT services, the transfer of IT services
to the cloud, and different combinations of these scenarios.
     The next, very critical step is to estimate the pertinent data accurately. Very often these data
cannot be known in terms of absolute values, and they are very difficult to quantify correctly.
Therefore, many MCDM methods attempt to determine the relative importance of alternatives.
     The last step is to compare the identified alternatives with the help of one of the MCDM methods.







     The goals of the presented research are: (1) to propose a simple set of criteria for assessing the
feasibility of cloud computing that can be used in practice, and (2) to propose rules for determining
the relative importance of alternatives in terms of each criterion involved in an MCDM problem.

2. Research literature review
     Many articles on the technical aspects of cloud computing have appeared in the research literature.
But in a related review, Yang and Tate [5] concluded that the organization of research pertaining
to business aspects of cloud computing is still in a nascent stage, as compared to technical aspects.
     Karunakaran et al. [3] collected 155 articles related to the business view of the cloud, which were
published until 2012, and classified them into a classification framework that is a refinement of that
found in Marston et al. [1]. According to their findings, the main themes of research are: pricing
(32 papers), adoption (24 papers), economic value (20 papers), and sourcing (17 papers). The two issues
that are the subject of our research (economic benefits and risks) are studied together in only a few
papers, which concern cloud service provider selection (the sourcing theme in the classification
of [3]). Nevertheless, Karunakaran et al. [3] argue that the themes of cost, quality of service (QoS)
and risks appear intertwined and hence future research should focus on providing holistic solutions.

2.1 Economical benefits of cloud computing

      The methods most commonly used for the economic evaluation of cloud computing are profitability
indicators such as ROI (Return on Investment), NPV (Net Present Value), TCO (Total Cost of
Ownership) and productivity per employee.
      For example, Tak et al. [6] identify a comprehensive set of factors affecting the costs of a
deployment choice (in-house, cloud, and combination), and use NPV-based cost analysis for adoption
recommendations. Due to the complexity of quantifying the security risk associated with deployment
choices, they do not include the risk factor in their current version of the analysis.
      Khajeh-Hosseini et al. [7] compare TCO reduction for different scenarios of IT service deployment
(purchasing physical servers, leasing, using the cloud); a similar approach is used by Williams [8].
      Misra and Mondal [9] developed a general ROI model, which takes into consideration various
intangible impacts of cloud computing, apart from the cost. Their model includes some of the key
characteristics of the resources possessed by a company: (1) size of the IT resources, (2) the
utilization pattern of the resources, (3) sensitivity of the data they are handling, and (4) criticality
of the work done by the company. On this basis they developed a weighted sum model of economic benefits.
      Maresova [10] adopted the general steps of Cost-Benefit Analysis (CBA) for cloud computing
purposes. She proposed a system of criteria, divided into three levels (economic, operational and
technical criteria), to specify a cloud computing deployment. These criteria should help to decide which
subjects are related to the impacts of the project, describe the differences between current IT and
cloud computing, and identify and quantify all related costs and benefits. Examples of costs are:
expenditure of time for implementation, support service, user-dependent basic charges, storage capacity,
data transfer, etc. Examples of benefits are: reduction in operating costs of the IT department, energy
saving, etc.
      There are also studies that evaluate the effectiveness of clouds with the help of non-economic
criteria. Garg et al. [11] propose a framework that measures the quality of cloud services offered
by different providers and ranks them. They use parameters like service response time, sustainability,
suitability, accuracy, etc. Each individual parameter affects the service selection process, and its
impact on the overall ranking depends on its priority in the overall selection process. To address this
MCDM problem, they propose an Analytic Hierarchy Process (AHP) based ranking mechanism to solve the
problem of assigning weights to features considering the interdependence between them, thus providing a
much-needed quantitative basis for the ranking of cloud services.
      Sundarraj and Venkatraman [12] integrate an information system success model [13] with preference
elicitation techniques drawn from the MCDM literature. This helps them to combine in one model four
technical qualitative criteria, viz. information quality, system quality, service quality and risk
mitigation features, with financial quantitative criteria (NPV).
      Note, however, that none of the cited works considers threats associated with the possible loss of
information or with unauthorized access to it.






2.2 Security risks of cloud computing

     A lot of research is devoted to the identification of cloud-specific risks and the assessment of
their impact on the business of the customer. Here are some examples.
     Takabi et al. [14] argue that although clouds allow customers to avoid start-up costs, reduce
operating costs, and increase their agility by immediately acquiring services and infrastructural
resources when needed, their unique architectural features also raise various security and privacy
concerns. They note that cloud computing environments are multidomain environments in which each domain
can use different security, privacy, and trust requirements and potentially employ various mechanisms,
interfaces, and semantics. They identified six security and privacy challenges, namely: authentication
and identity management, access control and accounting, trust management and policy integration,
secure-service management, privacy and data protection, and organization security management.
     The European Network and Information Security Agency (ENISA) report [15] discusses the assessment
of the security risks and benefits of using cloud computing, providing security guidance for potential
and existing users of cloud computing. It identifies the most important classes of cloud-specific
risks, among them:
     • Loss of governance, when the client necessarily cedes control to the Cloud Provider (CP) on a
number of issues which may affect security;
     • Lock-in of standards and procedures that can make it difficult for the customer to migrate from
one provider to another or migrate data and services back to an in-house IT environment;
     • Isolation failure. This risk category covers the failure of mechanisms separating storage,
memory, routing and even reputation between different tenants;
     • Management interface compromise: customer management interfaces of a public cloud provider
are accessible through the Internet and mediate access to larger sets of resources (than traditional
hosting providers) and therefore pose an increased risk, especially when combined with remote access and
web browser vulnerabilities;
     • Cloud computing poses several data protection risks for cloud customers and providers;
     • Insecure or incomplete data deletion;
     • Malicious insider.
     The risk level in the cited paper [15] is measured as a sum of qualitative estimations of the
business impact and the likelihood of the incident.
     Subashini et al. [16] present a survey of the different security risks that pose a threat to the
cloud. They conclude that many practical problems remain to be solved, and that an integrated
security model targeting different levels of security of data for a typical cloud infrastructure is
under research.
     Hashizume et al. [17] argue that cloud computing presents an added level of risk because essential
services are often outsourced to a third party, which makes it harder to maintain data security and
privacy, support data and service availability, and demonstrate compliance. Cloud computing leverages
many technologies (SOA, virtualization, Web 2.0); it also inherits their security issues.
     Practitioner publications also mention many cloud risks, see for example [18] and [19], but
hereinafter we will follow Martens and Teuteberg [20], who formalized the three most common IT
security objectives: confidentiality, integrity and availability.

2.3 Models of the joint assessment of economic benefit and risk

     Different authors offer different approaches that make it possible to consider various aspects of
the problem, but we must admit that none of them is both holistic and simple.
     Given security and reliability concerns, Kantarcioglu et al. [21] explored the optimal decision rule
for moving a certain IT function to public clouds. They assumed that the value from cloud computing
adoption is governed by a mixed Brownian/jump process, with the mean arrival rate of the loss and the
size of the loss set as parameters. On the basis of this model they concluded that an entrepreneur will
attempt to shift to cloud computing sooner rather than later if he anticipates that the probability of
negative events is high and the loss is substantial in a traditional on-site deployment. However, a
concrete monetization model for the benefits of both computing paradigms, the cloud computing deployment
and the traditional on-site computing deployment, is not presented in that paper.
     Saripalli and Pingali [22] argue that cloud adoption decisions tend to involve multiple, conflicting
criteria (attributes) with incommensurable units of measurement, which must be compared among multiple
alternatives using imprecise and incomplete available information. They present a multi-attribute
decision making framework for cloud adoption. It requires the definition of Attributes, Alternatives and
Attribute Weights, to construct a Decision Matrix and arrive at a relative ranking to identify the
optimal alternative. Several important attributes are taken into consideration in that paper, but
possible risks are not included in the attribute list.
     Martens and Teuteberg [20] developed a sophisticated formal mathematical decision model that
supports the selection of cloud computing services in a multisourcing scenario. They consider cost as
well as risk factors which are relevant to the decision scope. Coordination costs, IT service costs,
maintenance costs and the costs of taken risks were compared. Risks are modeled by means of the three
common security objectives: integrity, confidentiality and availability. In the cited work, each IT
service is considered separately, as are its sourcing options; the relative importance of a service is
calculated as the number of business processes that depend on it. This model can be viewed as a fairly
complete representation of the problem, but the number of its parameters is extremely large, so its use
in practice is most likely highly limited.

3. Decision making model for selection of cloud services
     We can conclude from the discussion in the previous section that all reviewed models and methods
have some drawbacks. Some of them are based on qualitative assessments only; quantitative models very
often use point estimates, which leads to the flaw of averages [23]; and risks and benefits are
estimated separately. To close this gap a new approach is needed, one that estimates risks and benefits
jointly on the one hand, and is simple enough to be used in practice on the other.
     As stated before, selecting the optimal way of developing IT services is an MCDM problem.
The most important steps are the definition of criteria for making an informed choice among the
available alternatives, and the quantitative assessment of each alternative under the selected criteria.
These steps usually cause the greatest difficulties in practice.
     Many researchers state that the advantages of cloud computing can be split into two parts: tangible
and intangible economic benefits. Tangible benefits are due to the reduction of the costs of ownership.
Intangible benefits arise as a result of increasing the speed of changes, improving flexibility and the
ability to adopt new technologies. Since cloud computing is associated with risks, they also have to be
included in the consideration.
     Thus, the minimum acceptable set of criteria should include:
     • Tangible economic benefits or cost saving;
     • Intangible benefits or flexibility;
     • Risks.
     The relative importance of the criteria depends on the requirements and priorities of a particular
company and is determined for each practical case separately. To determine the relative performance of
alternatives in terms of each single criterion we will use the approach based on pairwise comparisons
that was proposed by Saaty [24]. But the comparative evaluation of alternatives for each criterion
needs rules that form the basis for the comparison. The main problem here is to ensure the
consistency of all judgements.
     Let $A_1, A_2, \ldots, A_n$ be $n$ entities (alternatives or criteria) to be compared. To evaluate the
relative weights of these entities, they are compared with each other in terms of a single common
characteristic. The results of the comparison are represented in a matrix $\mathbf{A}$, each entry of
which represents a pairwise comparison (judgement). Specifically, the entry $a_{ij}$ denotes the number
that estimates the relative importance of element $A_i$ when it is compared with element $A_j$, and
$a_{ij} = w_i / w_j$, where $w_k$ denotes the actual weight of importance of element $A_k$. Obviously,
$a_{ij} = 1 / a_{ji}$ and $a_{ii} = 1$. In the consistent case the following condition should be
satisfied:

$$a_{ij} = a_{ik} a_{kj}, \quad i \in [1, n], \quad j \in [1, n], \quad k \in [1, n].$$






     Fulfillment of this condition is difficult to achieve in practice, because when the set of entities
to be compared contains $n$ elements, the estimation of $n(n-1)/2$ pairwise comparisons is required. A
measure of closeness to consistency for the pairwise comparison matrix has been provided by Saaty [24]
in terms of the principal eigenvalue $\lambda_{max}$:

$$CI = \frac{\lambda_{max} - n}{n - 1},$$

and the right eigenvector $w = \{w_1, w_2, \ldots, w_n\}$ associated with $\lambda_{max}$ is taken as the
weighting vector. Here $CI$ is the consistency index and $n$ is the number of entities in the matrix.
Saaty shows that the closer $CI$ is to zero, the closer the ratios $w_i / w_j$ are to the preference
ratios $a_{ij}$. Many techniques for deriving a consistent comparison matrix $\mathbf{A}$ have been
developed [4], but all of them are based on a posteriori quantification of qualitative, inconsistent
data. These approaches rely on subjective judgements and require fairly sophisticated calculations,
which sometimes causes difficulties in practice. Practitioners therefore need a simple method for the
consistent evaluation of all criteria and alternatives.
     To solve the formulated problem, according to the above considerations, it is necessary to propose
rules for calculating the consistent matrices $\mathbf{C}$, $\mathbf{S}$, $\mathbf{F}$ and $\mathbf{R}$.
Entries $c_{ij}$ of matrix $\mathbf{C}$ represent the relative weights of the criteria, entries $s_{ij}$
of matrix $\mathbf{S}$ represent the relative weights of the alternatives under the cost saving
criterion, entries $f_{ij}$ of matrix $\mathbf{F}$ represent the relative weights of the alternatives
under the flexibility criterion, and entries $r_{ij}$ of matrix $\mathbf{R}$ represent the relative
weights of the alternatives under the risk criterion. The procedures for assessing all of these
parameters should be as simple as possible and based on available data. This requires two things:
first, to select parameters which can be easily quantified, and second, to determine a measurement
scale for each parameter.

3.1 Evaluation of cost saving criterion

     To quantify the cost reductions, the discounted cash flows that form the total cost of ownership
are generally considered, and their Net Present Value (NPV) is calculated [8-10]:

$$NPV_j = \sum_{i=1}^{n} \frac{TCO_{ij}}{(1 + R)^i},$$

where $NPV_j$ is the NPV of alternative $j$; $TCO_{ij}$ is the net cash flow, which is defined as the
total cost of ownership for alternative $j$ in time period $i$; $R$ is the discount rate; and $n$ is the
number of time periods.
     The relative cost of ownership of two alternatives $A_k$ and $A_l$ in time period $i$ is:

$$d_{i,kl} = TCO_{ik} / TCO_{il}.$$

     Suppose that $TCO_{ij}$ is a normally distributed random variable with mean $m_j$ and variance
$\sigma_j$. Its value can then be expressed through $\psi(\alpha)$, the inverse cumulative distribution
function of the standard normal distribution [25]: $TCO_{ij}(\alpha; m_j, \sigma_j) = m_j + \sigma_j
\psi(\alpha)$, where $\alpha$ is a probability. So the relative attractiveness of two alternatives in
any time period can be estimated as:

$$d_{kl} = \frac{m_k + \sigma_k \psi(\alpha)}{m_l + \sigma_l \psi(\alpha)} \tag{1}$$

     Therefore, the relative cost of two different alternatives can be obtained if the mean and variance
of their TCO are known. When these data are not available, a preliminary estimate of the expected mean
can be used. We can also conclude from equation (1) that a linear scale should be used for comparing
the relative costs of alternatives.







     Obviously, a lower value of TCO corresponds to a more attractive alternative. Therefore, in order
to transform this problem into a maximization problem, we should use the cost saving value
$s_{kl} = 1 / d_{kl}$ for the comparison of alternatives.

3.2 Evaluation of flexibility criterion

     As stated above, this criterion assesses the speed of response to changes in IT service
requirements. To form a basis for it, we use the following considerations. In the contemporary
turbulent business environment, the most important challenge is the need to keep track of coming
changes and update IT services accordingly. Once a business event occurs, the value-add of reacting to
that event decreases over time. Therefore, it would be in a business's best interest to reduce the time
between business events and the decisions made about them [26-28]. Zelenkov [29] reviewed the process
of IT service change and postulated that this time gap is made up of three components: change
detection, change analysis and solution development, and solution implementation. A general model of
change, which summarizes the results of [26-29], is presented in Fig. 1.

     [Figure: business value versus time after a business event; phases: change recognition, analysis
and solution development, solution implementation; with the factors that determine the speed of change.]

                                               Fig. 1. General model of IT service change
     If the implementation of the changes is delayed, users try to adapt existing applications to
new challenges [30]. In that case the changes are unmanaged, which leads to fragmentation of the
enterprise IT system; the harmony of its original design is lost [31] due to unforeseen usage scenarios,
incremental improvements, patches, etc. In such a situation, management should be focused on ensuring
compliance of IT with the requirements of the organization [32] and, therefore, on managed evolution
of the enterprise IT system [33]. The rate of change of enterprise IT services must match the speed of
change in the requirements of the business [29]. Cloud computing in this case can provide additional
value in the form of intangible benefits which result from the acceleration of IT service change.
     To estimate the losses associated with a delay of changes, let us consider the following variables:
     • $v_0$: the value that an organization would have received if the change were implemented
immediately, at the moment of the business event;
     • $\tau$: the time spent on the implementation of changes;
     • $v(\tau)$: the value that an organization receives if the change is realized over time $\tau$.
     It follows from Fig. 1 that the desired function must satisfy the following conditions:

$$\tau = 0: \; v(\tau) = v_0$$
$$\tau \to \infty: \; v(\tau) \to 0$$

     For example, the exponential law $v(\tau) = v_0 e^{-\tau}$ satisfies these conditions, where $e$ is
the base of the natural logarithm (Euler's number). Hence, the loss due to a delay $\tau$ in the
implementation of the changes is:

$$L(\tau) = v_0 - v(\tau) = v_0 - v_0 e^{-\tau} = v_0 (1 - e^{-\tau}) \tag{2}$$

     It follows from equation (2) that a quick reaction to changes has a significant impact on
the organization, but after a while the potential of the IT service change is exhausted. This may mean
that users have found an alternative way of acting under the new conditions; for example, they acquired
IT tools from a third party without the consent of the IT department, or developed their own
applications based on spreadsheets, etc.
     Equation (2) can be used as a basis for comparing the intangible benefits of different options for
sourcing IT services. Suppose that the expected values of the reaction time of the two alternatives
$A_k$ and $A_l$ are $\tau_k$ and $\tau_l$ respectively. Then the relative performance of the
alternatives under the flexibility criterion is:

$$f_{kl} = \frac{v_0 e^{-\tau_k}}{v_0 e^{-\tau_l}} = e^{(\tau_l - \tau_k)}$$

     So an exponential scale should be used for comparing the alternatives, and the relative performance
of an alternative is defined by the reduction of reaction time that it promises. These data can be
obtained from the change-tracking system (for existing IT services), from service level agreements (for
services in the cloud), or on the basis of expert assessments.

3.3 Evaluation of risk criterion

      To develop a method for evaluating the potential risks of various alternatives, we will use the
seminal model of Gordon and Loeb [34] with the additions made by Matsuura [35].
      Let us consider a one-period economic model of a firm contemplating additional security efforts
to protect a given information set. The information set is characterized by the following three
parameters:
      • $\lambda$: the monetary loss conditioned on a breach occurring.
      • $t$: the threat probability, defined as the probability of a threat occurring. Since $t$ is a
probability, $0 \le t \le 1$. So the potential loss $L$ is defined as $L = \lambda t$.
      • $v$: the vulnerability, defined as the conditional probability that a threat once realized
would be successful. Since $v$ is a probability, $0 \le v \le 1$.
      Let $z > 0$ denote the monetary investment in information security to protect the given information
set, measured in the same units used to measure the potential loss $L$. The purpose of the investment
$z$ is to lower the probability that the information set will be breached. Let $S(z, v)$ denote the
probability that an information set with vulnerability $v$ will be breached, conditional on the
realization of a threat and given that the firm has made an information security investment of $z$ to
protect that information. The expected benefits of an investment in information security, denoted as
$EBIS$, are equal to the reduction in the firm's expected loss attributable to the extra security. That
is:

$$EBIS(z) = [v - S(z, v)] L = \lambda [v t - S(z, v) t]$$







     Matsuura [35] noted that the information security investment 𝑧 can reduce the threat probability and
that the reduction depends only on the investment 𝑧 and the current level of threat probability 𝑡. So let
𝑇(𝑧, 𝑡) denote the probability of a threat occurring, given that the firm has made an investment of 𝑧.
In his extended model:

                                             𝐸𝐵𝐼𝑆(𝑧) = 𝜆[𝑣𝑡 − 𝑆(𝑧, 𝑣)𝑇(𝑧, 𝑡)]                         (3)

     Equation (3) can be used as a basis for quantitative comparison of risks of various alternatives.
     Suppose that the expected values of threat and vulnerability of the two alternatives 𝐴𝑘 and 𝐴𝑙 are
𝑣𝑘 𝑡𝑘 and 𝑣𝑙 𝑡𝑙 respectively. The relative performance of the alternatives is therefore:

                                        $$ r_{kl} = \frac{v_l t_l}{v_k t_k} $$

    A lower value of 𝑣𝑗 𝑡𝑗 corresponds to a more attractive alternative; therefore, in order to turn this
into a maximization problem, we should consider the reciprocal values under the risk criterion. A linear
scale should be used for comparing the alternatives under the risk criterion.

3.4 Evaluation of priorities of criteria

    When comparing the relative importance of criteria, it is necessary to take into consideration the
requirement of normalization:
                                       𝑤1 + 𝑤2 + ⋯ + 𝑤𝑛 = 1,

where 𝑤𝑖 is the actual weight of importance of criterion 𝐶𝑖 .
     As formulated above, in the case of cloud computing we deal with only 𝑛 = 3 parameters. Therefore,
the following simple procedure can be used in practice. The first step is to assign weights 𝑤𝑖 and 𝑤𝑗 to two
arbitrarily chosen criteria 𝐶𝑖 and 𝐶𝑗 based on their relative importance. The values of the weights are selected
to satisfy the condition 0 ≤ 𝑤𝑖 + 𝑤𝑗 ≤ 1. The third criterion weight is calculated as 𝑤𝑘 = 1 − (𝑤𝑖 + 𝑤𝑗 ).
It is easy to check that in this case the condition of consistency is satisfied, because
𝑐𝑖𝑗 = 𝑐𝑖𝑘 ⁄𝑐𝑘𝑗 = (𝑤𝑖 ⁄𝑤𝑘 )⁄(𝑤𝑘 ⁄𝑤𝑗 ). If the obtained values 𝑐𝑖𝑗 do not satisfy the decision maker for some reason,
the entire procedure must be performed again, starting with the definition of new values of the actual
weights 𝑤𝑖 , 𝑖 = 1, . . , 𝑛.

4. Example
     For example, suppose that a company considers three options:
      Use of its own IT infrastructure (alternative 𝐴1 );
      Migration of all IT services to the public cloud (alternative 𝐴2 );
      Migration of only non-critical IT services to a public cloud (alternative 𝐴3 ).
     The absolute values of the alternatives in terms of each criterion were estimated by experts; these
values are shown in Table 1.
                                 Table 1. Absolute values of alternatives
                 Criterion      𝑻𝑪𝑶 (million dollars per month)      𝝉 (days)    𝒗𝒕 (probability)
                    𝑨𝟏                        0,5                         3             0,20
                    𝑨𝟐                        0,2                         1             0,30
                    𝑨𝟑                        0,4                         2             0,22


    In accordance with the rules proposed in Section 3, the entries of 𝐒, 𝐅 and 𝐑 can be calculated as follows:







          $$ s_{ij} = \mathit{TCO}_j / \mathit{TCO}_i, \quad f_{ij} = e^{(\tau_j - \tau_i)}, \quad r_{ij} = \frac{v_j t_j}{v_i t_i}. $$

    Matrices S, F and R are presented in Table 2.

                                      Table 2. Pairwise comparison matrices
                           Alternatives              𝑨𝟏              𝑨𝟐          𝑨𝟑
                                                     Matrix S
                                 𝑨𝟏                   1              0,4         0,8
                                 𝑨𝟐                  2,5              1           2
                                 𝑨𝟑                 1,25             0,5          1
                                                     Matrix F
                                 𝑨𝟏                   1             0,135       0,368
                                 𝑨𝟐                7,389              1         2,718
                                 𝑨𝟑                2,718            0,368         1
                                                     Matrix R
                                 𝑨𝟏                   1             1,500       1,100
                                 𝑨𝟐                0,667              1         0,733
                                 𝑨𝟑                0,909            1,364         1

     Suppose that, after discussion, the company's experts decided that the actual weight of cost saving
importance is 𝑤𝑠 = 0,3 and the actual weight of flexibility is 𝑤𝑓 = 0,15. In accordance with Section 3.4,
the actual weight of risk is 𝑤𝑟 = 1 − (𝑤𝑠 + 𝑤𝑓 ) = 0,55.
     Let us use the weighted product model (WPM) to define the relative attractiveness of the alternatives.
WPM is one of the best known and simplest MCDM methods for evaluating a number of alternatives in terms
of a number of decision criteria. Suppose that a given MCDM problem is defined on 𝑚 alternatives and 𝑛
decision criteria, and all the criteria are benefit criteria, that is, the higher the values are, the better.
Let 𝑤𝑗 denote the relative weight of importance of the criterion 𝐶𝑗 , and let 𝑎𝑗𝑘𝑙 be the relative performance
value of alternative 𝐴𝑘 regarding alternative 𝐴𝑙 when they are evaluated in terms of criterion 𝐶𝑗 . To
compare the two alternatives 𝐴𝑘 and 𝐴𝑙 , the following product has to be calculated [4]:
          $$ P(A_k / A_l) = \prod_{j=1}^{n} \left( a_{jkl} \right)^{w_j} \quad \text{for } k, l = 1, 2, \ldots, m. $$


     If the ratio 𝑃(𝐴𝑘 ⁄𝐴𝑙 ) is greater than or equal to 1, it indicates that alternative 𝐴𝑘 is
more desirable than alternative 𝐴𝑙 . The best alternative is the one that is better than or at least equal to
all other alternatives.
     With the given 𝐂, 𝐒, 𝐅 and 𝐑: 𝑃(𝐴1 ⁄𝐴2 ) = 0,703, 𝑃(𝐴1 ⁄𝐴3 ) = 0,848, and 𝑃(𝐴2 ⁄𝐴3 ) = 1,206. Therefore,
with the given criteria priorities and parameter estimates, the best alternative is 𝐴2 , because it is
superior to all the other alternatives. The ranking of alternatives is as follows: 𝐴2 > 𝐴3 > 𝐴1 .
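
     The calculation of Section 4 as an added Python example (not code from the paper): it rebuilds 𝐒, 𝐅 and 𝐑 from Table 1, derives the risk weight as in Section 3.4 and evaluates the WPM ratios and ranking. Function and variable names are chosen here for illustration, and decimal commas are written as decimal points.

```python
import math

# Added illustration; names are ours, data are the expert estimates of Table 1.
TABLE1 = {
    "A1": {"tco": 0.5, "tau": 3, "vt": 0.20},  # own IT infrastructure
    "A2": {"tco": 0.2, "tau": 1, "vt": 0.30},  # all IT services in the public cloud
    "A3": {"tco": 0.4, "tau": 2, "vt": 0.22},  # only non-critical services in the cloud
}
WEIGHTS = {"S": 0.30, "F": 0.15}  # w_s and w_f chosen by the experts


def pairwise_matrices(table):
    """Build S, F and R; entry [i][j] compares alternative i against j."""
    names = list(table)
    s = {i: {j: table[j]["tco"] / table[i]["tco"] for j in names} for i in names}
    f = {i: {j: math.exp(table[j]["tau"] - table[i]["tau"]) for j in names} for i in names}
    r = {i: {j: table[j]["vt"] / table[i]["vt"] for j in names} for i in names}
    return {"S": s, "F": f, "R": r}


def full_weights(partial):
    """Section 3.4: the third weight is 1 minus the two assigned ones."""
    w_s, w_f = partial["S"], partial["F"]
    if not (w_s >= 0 and w_f >= 0 and w_s + w_f <= 1):
        raise ValueError("weights must be non-negative and sum to at most 1")
    return {"S": w_s, "F": w_f, "R": 1.0 - (w_s + w_f)}


def wpm_ratio(matrices, weights, k, l):
    """P(A_k / A_l): product over the criteria of a_jkl raised to w_j."""
    return math.prod(matrices[c][k][l] ** weights[c] for c in weights)


def rank(table, partial_weights):
    """Order alternatives by the number of rivals they beat (P >= 1)."""
    m, w = pairwise_matrices(table), full_weights(partial_weights)
    wins = {k: sum(wpm_ratio(m, w, k, l) >= 1 for l in table if l != k) for k in table}
    return sorted(table, key=lambda k: wins[k], reverse=True)


if __name__ == "__main__":
    m, w = pairwise_matrices(TABLE1), full_weights(WEIGHTS)
    for k, l in [("A1", "A2"), ("A1", "A3"), ("A2", "A3")]:
        print(f"P({k}/{l}) = {wpm_ratio(m, w, k, l):.3f}")
    print(" > ".join(rank(TABLE1, WEIGHTS)))
```

     The ranking depends strongly on the risk weight: with the constructed weights 𝑤𝑠 = 0.10 and 𝑤𝑓 = 0.05 (so 𝑤𝑟 = 0.85), which are not from the paper, the same code ranks 𝐴1 first.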

5. Conclusion
     The main goal of this paper is to propose a simple model that can be used in practice. The three
criteria proposed here (cost of ownership savings, intangible benefits associated with the speed of
reaction to change, and security risks) are simple enough, and all necessary data can be obtained from
the accounting system, contract conditions, statistics and expert opinions. The proposed method makes it
easy to obtain a consistent matrix of pairwise comparisons. All of this leads to the conclusion that the
proposed method can be used in practice.








References
1. Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., Ghalsasi, A. Cloud Computing: The Business Perspective // Decision Support Systems. 2011. Vol. 51, No. 1. P. 176-189.
2. Armbrust, M., Fox, A., Griffith, R., Joseph, A. D., Katz, R., Konwinski, A. A View of Cloud Computing // Communications of the ACM. 2010. Vol. 53, No. 4. P. 50-58.
3. Karunakaran, S., Krishnaswamy, V., Sundarraj, R. P. Business View of Cloud: Decisions, Models and Opportunities – a Classification and Review of Research // Management Research Review. 2015. Vol. 38, No. 6. P. 582-604.
4. Triantaphyllou, E. Multi-Criteria Decision Making: A Comparative Study. Kluwer, 2000. 320 p.
5. Yang, H., Tate, M. A Descriptive Literature Review and Classification of Cloud Computing Research // Communications of the Association for Information Systems. 2012. Vol. 31, No. 1. Paper 2.
6. Tak, B. C., Urgaonkar, B., Sivasubramaniam, A. To Move or not to Move: The Economics of Cloud Computing // Proceedings of the 3rd USENIX conference on Hot topics in cloud computing. 2011. P. 5-5.
7. Khajeh-Hosseini, A., Greenwood, D., Smith, J. W., Sommerville, I. The Cloud Adoption Toolkit: Supporting Cloud Adoption Decisions in the Enterprise // Software: Practice and Experience. 2012. Vol. 42, No. 4. P. 447-465.
8. Williams, B. The Economics of Cloud Computing. Cisco Press, 2011.
9. Misra, S. C., Mondal, A. Identification of A Company’s Suitability for The Adoption of Cloud Computing and Modelling Its Corresponding Return On Investment // Mathematical and Computer Modelling. 2011. Vol. 53, No. 3. P. 504-521.
10. Marešová, P. Cost Benefit Analysis Approach for Cloud Computing // Advanced Computer and Communication Engineering Technology. Springer, 2016. P. 913-923.
11. Garg, S. K., Versteeg, S., Buyya, R. A Framework for Ranking of Cloud Computing Services // Future Generation Computer Systems. 2013. Vol. 29, No. 4. P. 1012-1023.
12. Sundarraj, R. P., Venkatraman, S. On Integrating an IS Success Model and Multicriteria Preference Analysis into a System for Cloud-Computing Investment Decisions // Outlooks and Insights on Group Decision and Negotiation. Springer, 2015. P. 357-368.
13. Delone, W. H., McLean, E. R. The Delone and Mclean Model of Information Systems Success: A Ten-Year Update // Journal of management information systems. 2003. Vol. 19, No. 4. P. 9-30.
14. Takabi, H., Joshi, J. B., Ahn, G. J. Security and Privacy Challenges in Cloud Computing Environments // IEEE Security & Privacy. 2010. No. 6. P. 24-31.
15. Catteddu, D., Hogben, G. Cloud Computing: Benefits, Risks and Recommendations for Information Security. ENISA, 2009. URL: www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport (accessed: 07.02.2016).
16. Subashini, S., Kavitha, V. A Survey On Security Issues in Service Delivery Models of Cloud Computing // Journal of Network and Computer Applications. 2011. Vol. 34, No. 1. P. 1-11.
17. Hashizume, K., Rosado, D. G., Fernández-Medina, E., Fernandez, E. B. An Analysis of Security Issues for Cloud Computing // Journal of Internet Services and Applications. 2013. Vol. 4, No. 1. P. 1-13.
18. Angeles, S. 8 Reasons to Fear Cloud Computing // Business News Daily, 2013. URL: http://www.businessnewsdaily.com/5215-dangers-cloud-computing.html (accessed: 07.02.2016).







19. Grimes, R. The 5 Cloud Risks You Have to Stop Ignoring // InfoWorld, 2013. URL: http://www.infoworld.com/article/2614369/security/the-5-cloud-risks-you-have-to-stop-ignoring.html (accessed: 07.02.2016).
20. Martens, B., Teuteberg, F. Decision-Making in Cloud Computing Environments: A Cost and Risk Based Approach // Information Systems Frontiers. 2012. Vol. 14, No. 4. P. 871-893.
21. Kantarcioglu, M., Bensoussan, A., Hoe, S. Impact of Security Risks On Cloud Computing Adoption // 49th Annual Allerton Conference on Communication, Control, and Computing. IEEE, 2011. P. 670-674.
22. Saripalli, P., Pingali, G. MADMAC: Multiple Attribute Decision Methodology for Adoption of Clouds // 2011 IEEE International Conference on Cloud Computing. IEEE, 2011. P. 316-323.
23. Savage, S. L. The Flaw of Averages: Why We Underestimate Risk in The Face of Uncertainty. John Wiley & Sons, 2009.
24. Saaty, T. L. Axiomatic Foundation of the Analytic Hierarchy Process // Management Sciences. 1986. No. 32. P. 841-855.
25. Aivazyan, S.A., Yenyukov, I.S., Meshalkin, L.D. Applied statistics. Bases of modeling and initial data processing. Financy i statisitca, 1983. 471 p.
26. Bonham, S. S. Actionable Strategies Through Integrated Performance, Process, Project, And Risk Management. Artech House, 2008.
27. Hackathorn, R. Minimizing Action Distance // Data Administration Newsletter, February 1, 2004. URL: www.tdan.com/i025fe04.htm (accessed: 07.02.2016).
28. Zelenkov, Y. Components of Enterprise IT Strategy: Decision-Making Model and Efficiency Measurement // International Journal of Information Systems and Change Management. 2014. Vol. 7, No. 2. P. 150-166.
29. Zelenkov, Y. Business and IT Alignment in Turbulent Business Environment // Business Information Systems Workshops, LNBIP, vol. 228. Springer, 2015. P. 101-112.
30. Ciborra, C. The Labyrinths of Information: Challenging the Wisdom of System. Oxford University Press, 2002.
31. Maurer, C., Goodhue, D. A Theoretical Model of the Enterprise System Agility Life Cycle // AMCIS 2010 Proceedings, 2010. Paper 231.
32. Luftman, J., Kempaiah, R. An Update On Business-IT Alignment: “A Line” Has Been Drawn // MIS Quarterly Executive. 2007. Vol. 6, No. 3. P. 165-177.
33. Murer, S., Bonati, B., Furrer, F.J. Managed Evolution: A Strategy for Very Large Information Systems. Springer, 2011.
34. Gordon, L.A., Loeb, M.P. The Economics of Information Security Investment // ACM Transactions on Information and System Security, 2002. Vol. 5, No. 4. P. 438-457.
35. Matsuura, K. Productivity Space of Information Security in an Extension of the Gordon-Loeb’s Investment Model // M.E. Johnson (ed.), Managing Information Risk and the Economics of Security. Springer, 2009. P. 99-119.



