Quantitative Risk Modeling of VPN Misconfigurations and Firewall Rule Drift in Hybrid Cloud Networks

Authors

  • Md. Fardous, Master Of Business Studies, National University, Dhaka, Bangladesh
  • MD Zahedul Islam, Technical Engineer, Nokia, Dhaka, Bangladesh

DOI:

https://doi.org/10.63125/fa4qdz07

Keywords:

Hybrid cloud security, VPN misconfiguration, Firewall rule drift, Quantitative risk modeling, Risk exposure prediction

Abstract

This study addresses a persistent security problem: hybrid cloud networks often accumulate VPN misconfigurations and firewall rule drift, which jointly weaken trust-boundary enforcement and increase exposure to unintended reachability and lateral movement. The purpose was to quantify how VPN misconfiguration and firewall rule drift predict hybrid cloud risk exposure, and to examine whether Protection Motivation Theory–based governance (protection motivation) is associated with lower exposure. Using a quantitative cross-sectional, case-based design, the study collected data from cloud and enterprise hybrid-network operational cases, with N = 132 valid practitioner responses spanning network engineering, security operations, cloud administration, and governance roles. Key variables were VPN Misconfiguration (VMS), Firewall Rule Drift (FDS), Risk Exposure (RE), and Protection Motivation (PMS), measured via multi-item 5-point Likert constructs with strong reliability (α = .88 VMS, α = .91 FDS, α = .87 RE, α = .85 PMS). The analysis plan applied descriptive statistics, Pearson correlations, and multiple regression with multicollinearity checks (VIFs within acceptable ranges). Baseline levels were above neutral for VMS (M = 3.62, SD = 0.71), FDS (M = 3.74, SD = 0.66), and RE (M = 3.58, SD = 0.69), with moderate PMS (M = 3.41, SD = 0.62). Headline findings showed strong positive associations between exposure and both VMS (r = .61, p < .001) and FDS (r = .68, p < .001), while PMS was negatively associated with exposure (r = −.42, p < .001). Regression indicated substantial explanatory power (R² = .58, Adj. R² = .56, F = 58.7, p < .001) with significant effects for VMS (β = .33, p < .001) and FDS (β = .46, p < .001) and a protective effect for PMS (β = −.21, p = .001). Segment analysis localized higher composite exposure to the remote-access VPN zone (CREI M = 3.81) and the on-prem to cloud interconnect boundary (CREI M = 3.73). Implications indicate that drift reduction should be prioritized alongside VPN configuration verification and automation-based validation to lower boundary-driven exposure and improve auditability in hybrid-cloud security governance.

Published

2022-12-21

How to Cite

Md. Fardous, & MD Zahedul Islam. (2022). Quantitative Risk Modeling of VPN Misconfigurations and Firewall Rule Drift in Hybrid Cloud Networks. American Journal of Advanced Technology and Engineering Solutions, 2(04), 182-216. https://doi.org/10.63125/fa4qdz07
