Risk perception and risk management in cloud computing: Results from a case study of Swiss companies

• We provide a definition of cloud computing and describe its main characteristics.
• We review the main risks associated with it and the relevant mitigation practices.
• We present reports on Swiss firms analyzing their prospective use of cloud services.
• There is a sufficient understanding of cloud-related risks and the appropriate controls.
• Firm size, expertise and needs influence the reports’ analysis and recommendations.

In today's economic turmoil, the pay-per-use pricing model of cloud computing, its flexibility and scalability and the potential for better security and availability levels are alluring to both SMEs and large enterprises. However, cloud computing is fraught with security risks which need to be carefully evaluated before any engagement in this area. This article elaborates on the most important risks inherent to the cloud such as information security, regulatory compliance, data location, investigative support, provider lock-in and disaster recovery. We focus on risk and control analysis in relation to a sample of Swiss companies with regard to their prospective adoption of public cloud services. We observe a sufficient degree of risk awareness with a focus on those risks that are relevant to the IT function to be migrated to the cloud. Moreover, the recommendations as to the adoption of cloud services depend on the company's size with larger and more technologically advanced companies being better prepared for the cloud. As an exploratory first step, the results of this study would allow us to design and implement broader research into cloud computing risk management in Switzerland.