Cloud federations allow Cloud Service Providers (CSPs) to deliver more efficient service performance by interconnecting their Cloud environments and sharing their resources. However, the security of the federated service could be compromised if the resources are shared with relatively insecure CSPs, and violations of the Security Service Level Agreement (Security-SLA) might occur. In this paper, we propose a Cloud federation formation model that considers the security level of CSPs. We start by applying the Goal-Question-Metric (GQM) method to develop a set of parameters that quantitatively describes the Security-SLA in the Cloud, and use it to evaluate the security levels of the CSPs and formed federations with respect to a defined Security-SLA baseline, while taking into account CSPs’ customers’ security satisfaction. Then, we model the Cloud federation formation process as a hedonic coalitional game with a preference relation that is based on the security level and reputation of CSPs. We propose a federation formation algorithm that enables CSPs to join a federation while minimizing their loss in security, and to refrain from forming relatively insecure federations. Experimental results show that our model helps maintain higher levels of security in the formed federations and reduce the rate and severity of Security-SLA violations.