Abstract
We propose a method for quantitative security analysis of service-based computing systems based on probabilistic and information theoretical approaches. We focus on the pattern of the user's behaviours with the service providers. We build probabilistic models from system observations at various levels of abstraction depending on the confidentiality preserving mechanisms applied by the system. The probabilistic models allow us to quantify a system's observable behaviours under any given security preserving mechanisms. We present a number of measurements on the confidentiality loss of the computing system. We show how such measurement can be used to determine the degree of protection provided by the computing solution.