Exploring Risks Transferred from Cloud-Based Information Systems: A Quantitative and Longitudinal Model

With the growing popularity of Internet of Things (IoT) and Cyber-Physical Systems (CPS), cloud- based systems have assumed a greater important role. However, there lacks formal approaches to modeling the risks transferred through information systems implemented in a cloud-based environment. This paper explores formal methods to quantify the risks associated with an information system and evaluate its variation throughout its implementation. Specifically, we study the risk variation through a quantitative and longitudinal model spanning from the launch of a cloud-based information systems project to its completion. In addition, we propose to redefine the risk estimation method to differentiate a mitigated risk from an unmitigated risk. This research makes valuable contributions by helping practitioners understand whether cloud computing presents a competitive advantage or a threat to the sustainability of a company.


Introduction
The growing popularity of Internet of Things (IoT) and Cyber-Physical Systems (CPS) has demanded more systems to be deployed in cloud-based environments in order to facilitate workflows and system functions in a large-scale network [1,2]. Developed from the convergence of several massive information processing technologies, cloud computing has become a paradigm in organizational transformation, particularly influencing small-and medium-sized businesses that use public cloud-based systems. The impact of cloud computing on the outsourcing process of information systems (IS) poses complex questions for market players in the digital economy.
Issues of cloud computing such as loss of data control and ambiguity concerning its legal framework have revealed more and more of its disadvantages during its adoption. Many managers are suspicious of cloud computing when it comes to organizational, technological, and environmental risks [3,4]. Therefore, it is important to clearly understand the internal and external risks associated with adopting a cloud-based IS, particularly through a theoretical, quantitative, and longitudinal framework.
Prior studies have developed frameworks of risk management to help the migration to a cloud-based system from various perspectives [3,5,6]. Nevertheless, these studies have not yet formally quantified and evaluated the risks within a real IS migration project. This study attempts to address this research gap by developing a conceptual model to quantify the risks resulted from a cloud computing context. Through mathematical modeling, our approach captures and investigates the variations of risks during the implementation of a cloud-based IS migration project. In summary, prior research has evaluated the dependencies among different factors as well as identifying the risks in a cloud computing framework. However, existing studies have not systematically quantified the risks associated with a cloud-based IS and assessed the variations of risks before and after its adoption. Therefore, we propose to evaluate such risks through a quantitative and longitudinal model which spans the entire life cycle of a cloud-based IS project from its launch to completion. Our goal is to better understand whether migrating to a cloud computing system can bring competitive advantages or pose a threat to a company.

Research Model
Risk is defined by a triggering event (risk factor) and the scope of the affected component. It is expressed through the probability of the scenario occurrence and the impact severity on the component. The risk exposure measure proposed by Boehm [26] in software engineering is suggested as risk exposure: E(R i ) = P(R i ) × I(R i ), where P(R i ) denotes the scenario probability and I(R i ) represents the severity of impact of the risks. In finance, risk is defined as results' distribution variance [27,28] and the estimation of this occurrence probability is normally based on historical data [29]. Other fields have also attempted to subjectively estimate the probability of the risk factors [30].
Some characteristics of cloud risks intersect with those in supply chain networks or the financial sector [18]. For instance, in a cloud context, customers may be exposed to a risk of default from their cloud providers [3,29]. According to Cloud Harmony's performance indicators, in 2014 Microsoft Azure scored 103 breakdowns that affected a large number of its customers for a total of 42.94 h of downtime. Therefore, we can estimate the probability of the downtime risk of a cloud service based on vendor history. For other types of risks such as environmental or malicious accidents, the estimate can only be based on subjective criteria. The subjectivity of risk management methods is still criticized [30][31][32]. Some authors found that several frameworks are not scientific or do not adequately address the system risks. Moreover, these methods are concerned with their focus on a technical aspect by considering the social aspects as a simple obstacle to overcome [31,33].
Current risk management methods can be divided into three generations [30]: The first two generations focus on the general requirements for systemic risks based on good practices or checklists, whereas the third generation exceeds the application of generic standards by integrating organizational requirements such as the human component [31,34].
Although risks often result from human behavior directly or indirectly, the human component has long been neglected by systemic risks studies [35,36]. An interpretive perspective within risk management is called for because it would lead to a multidimensional view [37] that goes beyond the simplistic explanations provided by the functionalist paradigm.
Indeed, the risk estimate is evaluated without considering the reduction factors that include the human component like preventive, deterrent, palliative, and containment measures. Therefore, it is important to distinguish between mitigated and unmitigated risks and to redefine exposure to risks by taking these measures into account.
Preventive and dissuasive measures act on the factors that reduce the event occurrence probability, while palliative and containment measures act on the impact reduction factors on the component. Consequently, we suggest that the exposure to attenuated risk is defined as follows: where M(Pr,Ds) = 0 and M(Pl,Cn) = 0 and the notations used in the formula are shown in Table 1. We argue that the risk exposure formula suggested by Boehm [26] is only applicable to estimate the exposure to unmitigated risk: If M(Pr,Ds) = 0 and M(Pl,Cn) = 0 <=> E(RiA) = E(RiNA) Therefore, we note the estimate of the non-attenuated risk by E(RiNA) and we propose a first hypothesis: To quantify IT risks, we need to understand IT governance methodologies. IT governance has gained significant research interest since the application of US Sarbanes-Oxley or HIPPA laws to mitigate IT risks [38]. Although no governance model covers all possible controls, each model responds to some requirements that affect either procedures, objectives, or scope of coverage.

Hypothesis 1 (H1). Information System risk quantification is included in an interval
IT governance in a cloud computing context requires a new definition of organizational policies. It must explicitly describe roles and responsibilities for the management of technologies, business processes, and applications. Indeed, the cloud computing adoption does not change the objectives set by IT governance standards. However, it introduces to cloud providers a new relational element [8] that must be included in IT governance deployment. So, traditional IT governance models (COSO, CobiT, ENISA, ITIL and ISO) are not altered by implementing cloud solutions, but they must be adapted to such a new context.
In 2011, the Information Systems Audit and Control Association (ISACA) tried to adapt the Cobit repository to a cloud context. They suggested a new publication of IT governance titled "IT control objectives for cloud computing". The study described the technological and organizational requirements of setting up a repository including cloud computing systems. In addition, COSO has submitted an enterprise risk management framework (ERM framework) for the governance of cloud computing through seven guidelines, which can be tailored to business process, deployment models, and cloud service models, and can also be merged with the Cloud Cube Model suggested by the Open Group to include the four characteristic dimensions of the service instead of the cloud options ISO has also published two new standards in adequacy with the requirements of cloud computing: ISO/IEC 27017 and ISO/IEC 27018. The first provides guidelines for the implementation of information security controls for cloud services in addition to the initial guide defined by ISO 27002. The second encompasses best practices for protecting of personal identifiable information (PII) in public cloud computing. The 2700× series of ISO/IEC standards are often associated with the harmonized method of risk analysis (MEHARI), which is developed by CLUSIF. Through personalized measures, MEHARI suggests analyzing corporate business challenges to reduce risk exposure. The method reached its sixth version and shows an advanced maturity in risk management.
To develop our model, we retain some suggestions in the MEHARI 2010 version (see Appendix A). First, we construct a comprehensive list of IS risks based on the MEHARI 2010 event typology. Then, we add to the list the five incidents that can arise in a cloud computing context and finally we integrate risks related to project management [18]. Secondly, we develop a matrix in which rows represent the list of event triggers of risk and columns the temporal phases of a cloud computing project. The temporal definition of actions is a key element in studying the phenomenon course [39]. So, it is important to break down the timeframe and define appropriate periods to match the project evolution. We consider time as a social construct and retain the organizational transformation model suggested by Besson and Rowe [40] to define the four-phase migration project: Uprooting, exploration and construction of the new solution, stabilization and the institutionalization of the new solution, and optimization of new routines. Finally, by applying the formula E(RiA), we specify a type for each event and each phase (external, internal, or both at the same time), a maximum estimate (i.e., the risk is unmitigated), and a minimum estimate (i.e., the risk is mitigated). Appendix B shows the precise values of all the parameters and Appendix C summarizes the measures of theoretical risk estimation with respect to the type and σ E(Ri).
Alter and Sherer [41] distinguish between a permanent and a temporary risk, but we consider that any risk is a temporary risk since its probability or impact may be zero at a specific time t. In addition, we add the estimates of events to each organizational transformation phase to quantify the evolution of internal risks and external risks. If a risk is both external and internal, we divide its estimate by two. For each phase, we obtain two values for each type of risk: A minimum value (attenuated risk) and a maximum value (non-attenuated risk). These values make it possible to define a variation interval [RiA; RiNA]. There is a gradual increase of 1/2 of the external risks and a reduction of 1/3 of the internal risks. It is also important to note that the internal risk represents approximately 75% of the total risk at the beginning of a cloud computing project and the external risk represents 25% (see Table 2). These probabilities are reversed at the end of the project. Therefore, we propose the second hypothesis as follows. Hypothesis 2 (H2). The internal IS risk represents 3/4 of the total risk before launching a project to migrate to the cloud, but 1/4 of the project's completion.
We observe that the variation of internal risks and external risks over time is a geometric sequence of respective reasons 2/3 and 3/2 (see Figures 1 and 2). So, we can propose a new hypothesis and express the sequences of internal risk (Rin) and external risk (Rex) as:  The number of intervals between the phases (4 points) is 3. Therefore, we induce the geometric sequence increases or decreases per unit of time. To generalize: when n denotes the number of intervals (or unit of time) and n > 1, Rint = (n − 1/n) × Rint−1 and Rext = (n/n − 1) × Rext-1 According to a numerical analysis, we note the expression of the internal risk and the external risk at a time t as:  The number of intervals between the phases (4 points) is 3. Therefore, we induce the geometric sequence increases or decreases per unit of time. To generalize: when n denotes the number of intervals (or unit of time) and n > 1, Rint = (n − 1/n) × Rint−1 and Rext = (n/n − 1) × Rext-1 According to a numerical analysis, we note the expression of the internal risk and the external risk at a time t as: Rin(t) = (n − 1/n) t × Rin(0) and Rex(t) = (n/n − 1) t × Rex(0) (5) The number of intervals between the phases (4 points) is 3. Therefore, we induce the geometric sequence increases or decreases per unit of time. To generalize: when n denotes the number of intervals (or unit of time) and n > 1, Rint = (n − 1/n) × Rin t−1 and Rex t = (n/n − 1) × Rex t−1 (4) According to a numerical analysis, we note the expression of the internal risk and the external risk at a time t as: Hence, we next propose the third and fourth hypotheses (see Figures 3 and 4).

Hypothesis 3 (H3)
. The internal risk decreases by 1/3 from one phase to the next within a four-stage cloud computing project.
Hypothesis 4 (H4). The external risk increases by 1/2 from one phase to the next within a four-stage cloud migration project.
We induce that cloud computing does not expose the company to new risks. However, with cloud computing, risks transfer from the inside to the outside. A cloud computing choice is in fact an agreement of IS risk outsourcing to cloud providers. Therefore, we propose the following final hypothesis:   Hypothesis 4 (H4). The external risk increases by 1/2 from one phase to the next within a four-stage cloud migration project.

Hypothesis 5 (H5). The sum of internal risks and external risks is always the same throughout the four stages of a cloud computing project.
We induce that cloud computing does not expose the company to new risks. However, with cloud computing, risks transfer from the inside to the outside. A cloud computing choice is in fact an agreement of IS risk outsourcing to cloud providers. Therefore, we propose the following final hypothesis:   Hypothesis 4 (H4). The external risk increases by 1/2 from one phase to the next within a four-stage cloud migration project.

Hypothesis 5 (H5). The sum of internal risks and external risks is always the same throughout the four stages of a cloud computing project.
We induce that cloud computing does not expose the company to new risks. However, with cloud computing, risks transfer from the inside to the outside. A cloud computing choice is in fact an agreement of IS risk outsourcing to cloud providers. Therefore, we propose the following final hypothesis: Hypothesis 5 (H5). The sum of internal risks and external risks is always the same throughout the four stages of a cloud computing project.

Research Methodology
We apply a qualitative research methodology by focusing on a longitudinal case study of a cloud computing project. The longitudinal approach has a confirmatory character for our deductive approach. It precisely defines the phases of a project, so we can measure the risks at the appropriate time. Its objective is to understand the outcome of a phenomenon through the definition of three key elements: Context, actions, and the temporal interconnection between actions [39].
First, we identified around ten French SMEs offering PaaS and (or) IaaS cloud services that could be interested in our work. The selection criteria were the size of the company, the geographical accessibility of the servers, and the simplicity of the communication with their potential customers. Two of them showed interest and engaged in the study process. However, one field research had to be terminated because of the contradictions between data provided and the data collected. Typically, managers are uncomfortable when asked to communicate on IS security issues, so their participation rates in studies do not exceed 1.8% [42].
To develop our remaining case study in the second company, several of its customers were contacted. The cloud provider was not in direct contact with them and lacked data to assess the risks in the first phase. The selection criteria were their sizes, their sectors of activities, and the nature of the cloud computing project.
First, our empirical study was based on the processing of primary data through several semi-directive interviews, with the technical director and the IT security manager of the cloud provider to contextualize the project and define the major purposes of our empirical research. Second, we conducted another semi-structured interview with the customer's CIO. Then we organized a working session at the local cloud provider with the IT security manager. Another work session was also planned with the client's CIO. They were conducted as directional interviews so that the IT security manager and the CIO could correctly estimate the probability and impact of each event.
The objective was to quantify the risks with the best precision through the evaluation grid that we previously suggested.
The research proposal and evaluation grids were sent to the interviewees before the interviews so that they could assess the research project in advance. In the meantime, we had exchanged information by telephone and e-mail to meet our expectations. We had also used several sources to collect secondary data such as press releases, data available on the Internet, and the configuration documents offered in free access on GitHub. In addition, we watched several videos describing the datacenter. Excluding guided tours during the Heritage Days, access to the site was restricted for security reasons. Therefore, it was not possible to evaluate the risk management measures except through the video and photo footage suggested.
The longitudinal study lasted approximately 5 months. Finally, we were able to compare the risk measures taken by the cloud provider's CISO and the client's CIO with our comments.

A Longitudinal Study
The first step in a longitudinal study is to complete a monograph of the process studied [43]. The studied process is a transfer of IS risks during a migration project to the cloud. It is important to describe in detail the sequence of events and thus to understand the temporal interconnections between these events. The cloud computing projects used in companies generally correspond to a support use. Few companies take the risk of outsourcing core activities to a hosted service. However, our case study is different because our empirical study is not a study of auxiliary activities but the follow-through of the core business migration.
We studied a trading platform initially developed in-house by a French start-up in 2010. Its objective was to offer a communication tool through social networks or websites to companies who wish to create a direct link with their permanent or potential customers. Thanks to this platform, the synchronization of communications between companies and customers will, in the long term, increase user satisfaction and loyalty.
Currently, the start-up company employs 200 people (see the client features in Table 3). In 2015, it rationalized its offer of customer intermediation and acquired another French start-up offering a social network monitoring service. The platform also offered a connector to synchronize its tools with the Salesforce CRM solution. In 2010, before its implementation of cloud computing projects, the platform prototype development lasted several months. The start-up was one of the cloud provider's first customers. This initial internal development took a relatively long time compared to the duration needed to host the solution within the cloud provider's data-centers. However, we prefer a social construction chronology to a standard time one [44]. We also retain, as we did in our theoretical proposition, the transformation organizational structure model suggested by Besson and Rowe [40].
The process studied must be subdivided into several phases that fit a relatively homogeneous set [45]. Internal development then corresponds to the phase of uprooting or "revolution" [40]. We break-down the implementation phase into two phases: A phase of construction which begins with the first set-up operations and a stabilization phase at the end of these operations and the completion of the stabilization tests. A final step, the optimization phase, is defined by the launch of the product to the general public during the year 2011.
The empirical study was mainly carried out at the cloud computing provider's premises. Our exchanges with the customer CIO focused on risk measures during the uprooting phase. We also validated the internal risk measures suggested by the cloud provider.
The cloud provider is a French company, created in 2010 and located in the same region as its customer. It offers a Platform as a Service (PAAS) cloud solution supporting the programming languages: PHP, Java, Ruby and Scala. Its pricing system is based on energy costs automatically adjusting to potential load increases (see the cloud provider's features in Table 4). The PaaS provider started its services based on a partnership with a French telephone company that has five data centers based in Paris. In 2014, it launched another data-center in Canada to target the US market. The data of French customers is always hosted in France.
Although the cloud provider stated that French data-centers were Tier IV certified, we cloud only identify one Tier III certified data-center. There remains, however, a high security guarantee. A Tier III data-center offers 99.98% availability within 1.6 h of outage per year. Its configuration provides maintainability of all data-center components without impact on service continuity. Note that it has a partial redundancy of N + 1 in contrast to Tier IV which has a 2N + 1 redundancy.
The four-tier certification is issued by a US private organization, the uptime institute, based on design documents and building construction. The institute is limited to climate and electrical redundancies and does not take into account data replication software or clustered servers. Therefore, the security guarantee is partial and costs a hundred thousand Euros per data-center.
Many data-center manufacturers have abandoned the certification process to self-proclaim as Tier III + or Tier IV. They are based on the 2N + 1 redundancy model or prefer to apply a standard of the ISO 270xx series. ISO 27017 and ISO 27018 offer specific guides to cloud computing and guarantee a security policy for application services. In France there are only three data-centers certified partly third III or IV.
On the application side, the cloud provider has opted for hypervisor-based virtualization. Their customers' applications are thus partitioned to their own virtual machines. They guarantee a total isolation of each application distribution. This strategic choice is driven by security reasons. Indeed, virtualization techniques can be categorized into two major families: Container virtualization and hypervisor-based virtualization. Although container virtualization offers a lighter, more powerful virtual environment [46], it poses a problem of isolation between applications and the host kernel [47]. It exposes hosted data to an intrusion risk.
We have chosen to organize the risk transfer process in a matrix shape so as to simplify taking measures for CIOs. The four phases of the project are displayed in columns and the different events triggering an IS risk in rows. The narrative text is spread over several pages and does not facilitate the comparison of one or more variables over several periods. Such narratives are criticized for structuring a longitudinal study [48]. Therefore, we used the chronological matrix, expressing at each phase a type of risk (external, internal, or both), its probability, and its impact.

Results and Implications
Our empirical results indicate that the measured external and internal risks vary within the range [20,100], which confirms the first hypothesis (see Table 5 for results in summary and Appendix D for results in in details). The first contribution of our work suggests a definition of a risk interval for a cloud project migration. This proposal is also useful for quantifying IS risks in a global way within an organization. Exceeding the indicated threshold may alert the company to a possible problem in its risk management approach.
We next perform a covariance analyzes, including all the measured variables and expected theoretical variables, to validate the rest of the hypotheses. The objective is to model the homogeneity between the measured values and the theoretical values. Figures 5 and 6 visually present the results generated.  First, we drew regression curves for changes in measured internal and external risks. Hence, it is possible to estimate the first two theoretical values Rex(1) and Rin (1). From applying the two formulas Rex(t) and Rin(t) suggested in the theoretical framework, we can generate these two new sets of theoretical values. Therefore, we define the regression line of the external risks' variation as Yex = 25.35 × Xex − 2.5, (6) and the regression line of the internal risks variation with respect to time as: Yin = (−17.65) × Xin + 90.75.
The expected values of Rex(1) and Rin(1) are 23 and 73. We can thus construct two sets of expected theoretical values and then compare the distributions of internal and external risks to confirm our model (see Table 6 for the theoretical risk variation).  First, we drew regression curves for changes in measured internal and external risks. Hence, it is possible to estimate the first two theoretical values Rex(1) and Rin (1). From applying the two formulas Rex(t) and Rin(t) suggested in the theoretical framework, we can generate these two new sets of theoretical values. Therefore, we define the regression line of the external risks' variation as Yex = 25.35 × Xex − 2.5, (6) and the regression line of the internal risks variation with respect to time as: Yin = (−17.65) × Xin + 90.75.
The expected values of Rex(1) and Rin(1) are 23 and 73. We can thus construct two sets of expected theoretical values and then compare the distributions of internal and external risks to confirm our model (see Table 6 for the theoretical risk variation). First, we drew regression curves for changes in measured internal and external risks. Hence, it is possible to estimate the first two theoretical values Rex(1) and Rin (1). From applying the two formulas Rex(t) and Rin(t) suggested in the theoretical framework, we can generate these two new sets of theoretical values. Therefore, we define the regression line of the external risks' variation as The expected values of Rex(1) and Rin(1) are 23 and 73. We can thus construct two sets of expected theoretical values and then compare the distributions of internal and external risks to confirm our model (see Table 6 for the theoretical risk variation).  33 22 Finally, a bivariate analysis is carried out to define the dependence between the theoretical model and the results obtained. The distribution parameters used in this approach are the covariance, the correlation coefficient, and the coefficient of determination. The coefficient of determination is an indicator that allows approving the model quality through the adequacy between the latter and the observed data. Therefore, it will be of great value for validation of the hypotheses.
The correlation coefficient and coefficient of determination R2 measurements are 0.999 and 0.999 for the internal risk model and they are 0.988 and 0.976 for the external risk model. We can therefore confirm both hypotheses H3 and H4.
However, the second hypothesis H2 remains rejected since the internal risk represents 3/4 of the total risk before the launch of the project but not the 1/4 at the end. Indeed, the coefficient of variation of external risks (0.466) is higher than that of internal risks (0.429). The rapid increase in external risks has shifted the balance established to reduce internal risks to 1/5 of total risks at the end of project (see Figure 7). So, it is possible to confirm that the internal risk is significantly higher than the external risk before the launch of the cloud project. This dispersion is reversed at the end of the project without specifying the distributions. The reality can be known only in a probabilistic way and the verification is not probative [49].   External Risk  23  35  53  79   Internal Risk  73  49  33  22 Finally, a bivariate analysis is carried out to define the dependence between the theoretical model and the results obtained. The distribution parameters used in this approach are the covariance, the correlation coefficient, and the coefficient of determination. The coefficient of determination is an indicator that allows approving the model quality through the adequacy between the latter and the observed data. Therefore, it will be of great value for validation of the hypotheses.

Uprooting Construction Stabilization Optimization
The correlation coefficient and coefficient of determination R2 measurements are 0.999 and 0.999 for the internal risk model and they are 0.988 and 0.976 for the external risk model. We can therefore confirm both hypotheses H3 and H4.
However, the second hypothesis H2 remains rejected since the internal risk represents 3/4 of the total risk before the launch of the project but not the 1/4 at the end. Indeed, the coefficient of variation of external risks (0.466) is higher than that of internal risks (0.429). The rapid increase in external risks has shifted the balance established to reduce internal risks to 1/5 of total risks at the end of project (see Figure 7). So, it is possible to confirm that the internal risk is significantly higher than the external risk before the launch of the cloud project. This dispersion is reversed at the end of the project without specifying the distributions. The reality can be known only in a probabilistic way and the verification is not probative [49]. The last hypothesis implies that the variable "sum of risks" is independent of the variable "time". Consequently, the covariance value of the two series tends to zero. Although the covariance, equal to 9.87, is relatively small, it cannot validate the hypothesis. An approximate increase of 1/5 of the total risk is noticed at the completion of cloud computing project. The hypothesis H5 is to be rejected, and it is, therefore, conceivable that cloud computing exposes the company to new risks. Other case studies should be planned to confirm or reject this hypothesis. Only the refutation of the hypotheses is conclusive [49]. The last hypothesis implies that the variable "sum of risks" is independent of the variable "time". Consequently, the covariance value of the two series tends to zero. Although the covariance, equal to 9.87, is relatively small, it cannot validate the hypothesis. An approximate increase of 1/5 of the total risk is noticed at the completion of cloud computing project. The hypothesis H5 is to be rejected, and it is, therefore, conceivable that cloud computing exposes the company to new risks. Other case studies should be planned to confirm or reject this hypothesis. Only the refutation of the hypotheses is conclusive [49].

Conclusions
Our work indicates a redefinition of the risk estimation formula suggested by Boehm [26], including probability reduction factors and impact reduction factors. We distinguished between mitigated and unmitigated risks. The factors of probability reduction are conditioned by preventive and dissuasive measures, whereas the factors of the impact reduction are conditioned by palliative and containment measures. Therefore we suggest that the exposure to attenuated risk is defined as: E(RiA) = [P(Ri) − M(Pr,Ds)] × [I(Ri) − M(Pl,Cn)], which allows an interval of variation between maximum risk and minimum risk. Apart from its contribution to the validation of the theoretical model during the empirical study, this interval can serve as a reference for several companies to limit an IS risk threshold.
Our positivist approach also revealed a transfer of IS risk from the inside to the outside during a cloud computing project through a longitudinal mathematical model. We have shown that the variation of the internal risk and external risk are mutually dependent and obeys a logic of geometric sequences of respective reasons 2/3 and 3/2 for a four-phase organizational transformation model (three intervals). Therefore, we have determined a general expression of this variation: Rin(t) = (n − 1/n)t × Rin(1) and Rex(t) = (n/n − 1)t × Rex (1).
On the other hand, we rejected the hypothesis that the sum of internal and external risks is stable throughout a migration project to cloud computing. An approximate increase of 1/5 of the total risk is noticed at the completion of the cloud computing project. It is, therefore, conceivable that cloud computing exposes the company to new risks.