How to Manage Cloud Risks Based on the BMIS Model

  • Song, Youjin ;
  • Pang, Yasheng
  • Received : 2013.04.24
  • Accepted : 2013.12.11
  • Published : 2014.03.31


Information always comes with security and risk problems. There is the saying that, "The tall tree catches much wind," and the risks from cloud services will absolutely be more varied and more severe. Nowadays, handling these risks is no longer just a technology problem. So far, a good deal of literature that focuses on risk or security management and frameworks in information systems has already been submitted. This paper analyzes the causal risk factors in cloud environments through critical success factors, from a business perspective. We then integrated these critical success factors into a business model for information security by mapping out 10 principles related to cloud risks. Thus, we were able to figure out which aspects should be given more consideration in the actual transactions of cloud services, and were able to make a business-level and general-risk control model for cloud computing.


Cloud Risk;Risk Control;Cloud Computing;BMIS;CSFs


  1. Antonio Colella, Clara Colombini, "Security Paradigm in Ubiquitous Computing", 2012 Sixth International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing, pp 634-638, available at:
  2. Office of the Comptroller of the Currency, "Management Information Systems", 1995, available at:
  3. Wikipedia, available at:
  4. Mohammed Alhamad, Tharam Dillon, Elizabeth Chang, "Conceptual SLA Framework for Cloud Computing", 4th IEEE International Conference on Digital Ecosystems and Technologies, 2010, pp 606-610, available at:
  5. Zhitao Huang, Pavol Zavarsky, Ron Ruhl, "An Efficient Framework for IT Controls of Bill 198 (Canada Sarbanes-Oxley) Compliance by Aligning COBIT 4.1, ITIL v3 and ISO/IEC 27002", International Conference on Computational Science and Engineering, 2009, pp 386-391, available at:
  6. Shamsul Sahibudin, Mohammad Sharifi, Masarat Ayat, "Combining ITIL, COBIT and ISO/IEC 27002 in Order to Design a Comprehensive IT Framework in Organizations", Second Asia International Conference on Modelling & Simulatio, 2008, pp 749-753, available at: http://ieeexplore.
  7. Gang Zhao, "Holistic Framework of Security Management for Cloud Service Providers", 10th IEEE International Conference, 2012, pp 852-856, available at: stamp/stamp.jsp? tp=&arnumber=6301237
  8. Zhiyun Guo, Meina Song, Junde Song, "A Governance Model for Cloud Computing", Management and Service Science (MASS), 2010 International Conference, available at: stamp/stamp.jsp?tp=&arnumber=5576281
  9. Jing-Jang Hwang, Hung-Kai Chuang, Yi-Chang Hsu, Chien-Hsing Wu, "A Business Model for Cloud Computing Based on a Separate Encryption and Decryption Service", Information Science and Applications (ICISA), 2011 International Conference, available at: stamp.jsp?tp=&arnumber=5772349
  10. Chiao-chun Lo, "Information Security and Its Impact on Business", 2006, available at: %94%E6%A1%88%E4%B8%8B%E8%BC%89
  11. Ramgovind S, Eloff MM, Smith E, "The Management of Security in Cloud Computing", 2010, available at:
  12. ISACA, 2010, available at: Releases/2010/ Pages/ISACA-Issues-New-Comprehensive-Business-Model-for-Information-Security.aspx
  13. Daniel, D. Ronald, "Management Information Crisis," Harvard Business Review, Sept.-Oct., 1961.
  14. ISACA, "An Introduction to the Business Model for Information Security", available at:
  15. Wikipedia, available at:
  16. CSA, "Top Threats to Cloud Computing V1.0", 2010, available at: topthreats/csathreats.v1.0.pdf
  17. Rockart, John F. "Chief Executives Define their Own Data Needs", published in "Harvard Business Review", March 1979, available at: 3%D6%B0%ED%B0%E6%BF%B5%C0%DA%B0%A1+%BF%F8%C7%CF%B4%C2+%C1%A4 %BA%B8.pdf&key=53&dir=board_data/tb_ib_2541&mode=DOWN
  18. Rockart, John F. "A Primer on Critical Success Factors", published by the Center for Information Systems Research, 1981, available at: 08368993-CISR-069.pdf?sequence=1
  19. Wikipedia, available at:
  20. Richard A. Caralli , "The Critical Success Factor Method: Establishing a Foundation for Enterprise Security Management", published by Carnegie Mellon University, 2004, available at:
  21. JenSheng Wang, CheHung Liu, Grace TR Lin, "How to Manage Information Security in Cloud Computing", Systems, Man, and Cybernetics (SMC), 2011 IEEE International Conference, pp 1405- 1410, available at:
  22. David Vohradsky, "Cloud Risk-10 Principles and a Framework for Assessment", ISACA JOURNAL VOLUME 5, 2012, pp. 31-41, available at: uploads/2012/09/12v5-Cloud-Risk-10-Principles.pdf
  23. Iliana Iankoulova, Maya Daneva, "Cloud Computing Security Requirements:a Systematic Review", Research Challenges in Information Science (RCIS), 2012 Sixth International Conference, available at:
  24. Donald Firesmith, "Specifying Reusable Security Requirements", JOURNAL OF OBJECT TECHNOLOGY, Vol.3, No.1, 2004, pp. 61-75.
  25. Rolf Von Rossing, "Applying BMIS to Cloud Security", ISSE 2010 Securing Electronic Business Processes, 2011, pp. 101-112, available at: 9788-6_10
  26. PwC, "2010 Global state of information security", available at: issue-12/securing-information-downturn.jhtml
  27. Prasad Saripalli, Ben Walters, "QUIRC: A Quantitative Impact and Risk Assessment Framework for Cloud Security", 2010 IEEE 3rd International Conference on Cloud Computing, pp. 280-288.

Cited by

  1. A Secure Storage System for Sensitive Data Protection Based on Mobile Virtualization vol.11, pp.2, 2015,
  2. A Generic Software Development Process Refined from Best Practices for Cloud Computing vol.7, pp.5, 2015,
  3. Social control through deterrence on the compliance with information security policy vol.22, pp.20, 2018,