Software systems are invariably vulnerable to exploits, thus the need to assess their security in order to quantify the associated risk their usage entails. However, existing vulnerability assessment approaches e.g., vulnerability analyzers, have two major constraints: (a) they need the system to be already deployed to perform the analysis and, (b) they do not consider the criticality of the system within the business processes of the organization. As a result, many users, in particular small and medium-sized enterprizes are often unaware about assessing the actual technical and economical impact of vulnerability exploits in their own organizations, before the actual system's deployment. Drawing upon threat modeling techniques (i.e., attack trees), we propose a user-centric methodology to quantitatively perform a software configuration's security assessment based on (i) the expected economic impact associated with compromising the system's security goals and, (ii) a method to rank available configurations with respect to security. This paper demonstrates the feasibility and usefulness of our approach in a real-world case study based on the Amazon EC2 service. Over 2000 publicly available Amazon Machine Images are analyzed and ranked with respect to a specific business profile, before deployment in the Amazon's Cloud. © 2014 Springer International Publishing Switzerland.