Risk Assessment Techniques

This chapter reviews the risk assessment techniques given in ISO/IEC 31010 and other standards to support risk identification, analysis, and evaluation of cloud user service quality risks facing cloud service customers (CSCs). These techniques are organized into the following categories: general risk identification and analysis techniques, specialized risk identification and analysis techniques, risk control analysis techniques, risk evaluation techniques, and additional techniques. The following techniques are generally useful for identification and analysis of user service quality risks of cloud-based applications: influence diagrams, cause-and-effect analysis, failure mode effect analysis, structured interview and brainstorming, SWIFT—structured "what-if" technique, and fault tree analysis. Identifying applicable risk controls and estimating their effectiveness is an important aspect of risk assessment. Layers-of-protection analysis (LOPA) is covered in Annex B.18 of ISO/IEC 31010. LOPA considers the independent protection layers (IPLs) between a particular cause of harm and an adverse consequence. Hazard analysis and critical control points (HACCP) analysis is covered in Annex B.7 of ISO/IEC 31010.