Abstract
Cloud adoption necessitates relinquishing data control to cloud service providers (CSPs) and involves diverse stakeholders with varying security and privacy (S&P) needs and responsibilities. Building upon previously published work, this paper addresses the persistent lack of standardized, transparent methods for consumers to select and quantify appropriate S&P measures. This work introduces a stakeholder-centric methodology to identify and address S&P challenges, enabling stakeholders to assess their cloud service protection capabilities. The primary contribution lies in the development of new classifications and updated considerations, along with tailored S&P features designed to accommodate specific service models, deployment models, and stakeholder roles. This novel approach shifts from data or infrastructure perspectives to comprehensively account for S&P issues arising from stakeholder interactions and conflicts. A prototype framework, utilizing a rule-based taxonomy and the Goal–Question–Metric (GQM) method, recommends essential S&P attributes. Multi-criteria decision-making (MCDM) is employed to measure protection levels and facilitate benchmarking. The evaluation of the implemented prototype demonstrates the framework’s effectiveness in recommending and consistently measuring security features. This work aims to reduce consumer apprehension regarding cloud migration, improve transparency between consumers and CSPs, and foster competitive transparency among CSPs.