§ Browse thesis bibliographic record

System ID U0002-2406201310104700
DOI 10.6846/TKU.2013.00964
Title (Chinese) 雲端風險管理與保險規劃之研究
Title (English) Risk Management and Insurance Strategy for Utilizing Cloud Computing Services
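Institution Tamkang University (淡江大學)
Department (Chinese) Master's Program in Insurance Management, Department of Insurance
Department (English) Department of Insurance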
Academic year 101
Semester 2
Year of publication 102
Graduate student (Chinese) 郭仁杰
Graduate student (English) Ren-Jie Guo
Student ID 600560170
Degree Master's
Language English
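Oral defense date 2013-06-03
Number of pages 61
Oral defense committee Advisor - 高棟梁
Co-advisor - 范姜肱
Member - 張吉宏
Member - 賴曜賢
Keywords (Chinese) Cloud computing
Risk management
Delphi method
Analysis Network Process method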
Keywords (English) Cloud computing
Risk management
Delphi study
Analysis Network Process method
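Chinese abstract
In recent years, with rapid advances in technology and electronic devices, traditional computer equipment can no longer meet people's fast-growing demand for services, which has driven the rise of cloud services. Cloud services have many advantages that allow them to replace traditional equipment; in particular, highly efficient services can be obtained quickly over the network, and pay-as-you-go billing helps enterprises reduce expenditure. As a result, cloud services have developed widely around the world and are receiving growing attention.

However, cloud services still carry several kinds of potential risk, for example the privacy of personal data, outages of storage servers, or theft of confidential data by hackers. At present no country has an insurance policy designed specifically for cloud services that fully covers all cloud risks; only partial coverage is available through network security coverage or technology professional liability insurance. The purpose of this study is therefore to identify and evaluate the potential risks of cloud services, to give enterprise decision-makers the information they need for risk management, and to recommend the most suitable risk management plan.

In the first stage, this study uses the Delphi method, identifying the potential risks of cloud services through expert interviews and using them as the framework for risk assessment. The second stage uses the Analysis Network Process method to determine the relative weights of the cloud risks in terms of loss frequency and loss severity. The third stage places each cloud risk in the risk management matrix according to the loss frequency and severity obtained, so that the most appropriate response to each risk can be found. The final stage uses interviews with experts in Europe and the United States and a compilation of policy data to establish how current policies of this type cover each cloud risk, to understand whether a gap exists between the protection current policies provide and what enterprises actually need, and to determine whether the cloud risk can be handled through insurance.

Using these methods, after classifying the 11 cloud risks into the four quadrants of the risk matrix, we can find the corresponding risk management method according to each quadrant's loss severity and frequency. In addition, based on the results of the interviews with European and American experts and the policy review, the actual coverage status of each risk can be divided into two categories, Highly Insurable and Rarely Insurable. Finally, the risk matrix and the coverage status are combined to judge the most suitable risk management method for each cloud risk.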
English abstract
Cloud computing is not only a brand-new concept in information technology but also a service that can clearly improve people's lives. Enterprises can acquire the cloud services they need directly over the Internet. The pay-as-you-go payment system also gives cloud service users advantages in both cost-efficiency and flexibility. It therefore seems an unavoidable trend that traditional computer facilities will be replaced by cloud computing in the near future. Cloud services may help the enterprise in many ways, but they also inevitably create some loss exposure.

Unfortunately, there is little objective scientific research focused on identifying and evaluating the loss exposures that result from cloud computing. The major research objective is to identify the loss exposures of cloud computing services using scientific and objective methods, and to measure loss exposures with regard to the application of cloud computing. Furthermore, the study uses its findings to suggest essential risk management strategies that can be employed to control or reduce losses attributable to the application of cloud computing.

To achieve these purposes, the main methods employed are the Delphi study, the Analysis Network Process method (ANP), and expert interviews. First, this study conducts a Delphi study and applies the ANP method to identify the potential cloud risks and to find the relative weight of each risk. Second, by locating the identified loss exposures in the risk management matrix, this research develops appropriate treatments for the risks of cloud computing. Finally, by interviewing underwriters at insurance companies in the U.S.A. and Europe and comparing the identified risks of cloud computing, this study finds the gap between the coverage provided and the coverage needed. Combining those results, the findings of this study can help enterprises or cloud users manage those risks and give insurers sufficient information to design a cloud policy.
Table of contents
CONTENTS

Ch1. INTRODUCTION
Ch2. LITERATURE REVIEW
2-1. Risk Management
2-2. Risk Identification
2-3. Risk Assessment and Plotting the Risk Management Matrix
2-4. Risks of Cloud Computing Services
Ch3. METHODOLOGY
Ch4. RESULTS
4-1. Results from the First Delphi Study
4-2. Results from the Second Delphi Study
4-3. The Relative Weight of Each Identified Risk’s Severity
4-4. The Relative Weight of Each Identified Risk’s Frequency
4-5. The Relative Weights of Severity and Frequency at Each Identified Risk
4-6. Develop Customized Risk Management Matrix
4-7. The Gap between Coverage providing and Coverage giving
Ch5. CONCLUSIONS AND IMPLICATIONS
REFERENCE
APPENDIX

List of Tables

Table 1: Expert’s Background
Table 2: Descriptive Statistics for Attitudes toward Each Risk in Interview Rounds 2 and 3
Table 3: Pair-wise Comparison Matrix for Level2 of Risk Severity
Table 4: Eigenvectors (weights) for Level2 and Level3 of Risk Severity
Table 5: Inner Dependence Matrix of Criteria W22 of Risk Severity
Table 6: Inner Dependence Matrix of Criteria, W33
Table 7: The Synthesized results from the Super-Matrix (Severity)
Table 8: The Synthesized results from the Super-Matrix (Frequency)
Table 9: The Relative Weights of Severity and Frequency at Each Identified Risk
Table 10: Expert’s Background
Table 11: The insurable companies and location of each cloud risk

List of Figures

Figure 1: Risk Management Matrix
Figure 2: Theoretical Approach Adopted in This Study
Figure 3: Hierarchical Structure to Assess the Risk Frequency and Risk
Figure 4: Inner Dependence among Criteria
Figure 5: Inner Dependence among Sub criteria
Figure 6: Generalized super-matrix
Figure 7: Risk Management Matrix
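Full-text access permissions
On campus
Print copy of the thesis available on campus immediately
Consent to on-campus release of the electronic full text
Electronic thesis available on campus immediately
Off campus
Authorization granted
Electronic thesis available off campus immediately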