Risk in modern IT service landscapes: Towards a dynamic model

The “Cloud Computing” paradigm is gaining ground with new IT service providers and traditional IT out-sourcing providers alike. Customers want to use cloud computing solutions with all their advertised advantages and without the hassle of traditional long term outsourcing migration and contracting. Risk is at the center of attention when dealing with the adoption of cloud services. Because of the security concerns and the consequential reservations towards the acceptance of public cloud computing platforms, a lot has been done to improve security and trust in these environments. However, most of the implementations and research regarding this issue is concerning technical security risks with a focus on preventing perimeter-based attacks. Security and trust issues beyond perimeter based security risks have gained little attention. This paper identifies the need to look beyond technical issues and turns the attention to improving compliance and governance in cloud environments. In this process the focus is set on the discontinuity cap between existing methods to identify and evaluate IT risks and the treatment of these risks with Service Level Agreements. To close this cap a model for a dynamic view on current IT risk is proposed to comply with modern IT environments that are composed of an ampleness of different services. The model has a strong corporate context and will help companies to evaluate their current risk exposure and thus make better decisions when choosing their services.