Graduate student: 羅邵晏 (Lo, Shao Yen)
Thesis title: 雲端服務風險評估模式建立之研究
A study on developing a cloud service risk assessment model
Advisor: 林我聰
Degree: Master
Department: College of Commerce - Department of Management Information Systems
Year of publication: 2013
Academic year of graduation: 101
Language: Chinese
Number of pages: 66
Chinese keywords: 雲端運算, 雲端服務風險, 風險評估, 服務商評選, 皮爾森相關 (cloud computing, cloud service risk, risk assessment, service provider selection, Pearson correlation)
English keywords: Cloud Computing, Cloud Service Risk, Risk Assessment, Service Provider Selection, Pearson Correlation
Usage: 147 views, 65 downloads
Abstract (translated from the Chinese): "Cloud computing" and its related application services have received considerable attention from industry, and governments have launched national programmes to develop the cloud computing industry. However, much of the literature tells us that information security in cloud computing also deserves attention. Information security under a cloud computing architecture differs somewhat from that of the past and merits study. In 2009 the European Network and Information Security Agency (ENISA) published a cloud service risk assessment report (CCSRA, Cloud Computing Security Risk Assessment); this report is also cited by the Cloud Security Alliance (CSA), which launched the industry's first cloud service risk standard (CCSK, Certificate of Cloud Security Knowledge). The report defines each risk and its causes and effects quite completely, but it provides no complete quantitative model with which an organization can perform a quantitative assessment or predict the behaviour of the whole cloud service risk system. The purposes of this study are therefore: 1. to build a quantitative model that predicts the risks associated with cloud services, so that business owners can take countermeasures early; 2. to use the Pearson correlation coefficient to analyze the degree of causal influence among risks, vulnerabilities and assets, as a reference for organizations when allocating resources.


Abstract (English): "Cloud Computing" and its application services are considered important by industry. Governments have also launched plans to develop the cloud computing industry. However, the literature tells us that cloud computing security issues also need attention. Security issues in the cloud computing architecture differ from those in traditional information systems, so they are worth studying. In 2009, the European Network and Information Security Agency (ENISA) published a report named "Cloud Computing Security Risk Assessment", and this report was referenced by the Cloud Security Alliance (CSA). The report is quite complete in its definition of each risk and its causes and effects, but there is no complete quantitative model with which an organization can assess or predict its cloud service risk. Therefore, the purposes of this study are as follows: 1. to develop a cloud service risk assessment model to predict cloud service risks; 2. to use the Pearson Correlation Coefficient to analyze the impact between risks, vulnerabilities and assets for the allocation of resources.

Table of contents:

Acknowledgements
Abstract (Chinese)
Abstract
Table of Contents
List of Figures
List of Tables

1. Introduction
1.1 Research background
1.2 Research motivation
1.3 Research objectives

2. Literature Review
2.1 Cloud service models
2.1.1 Definition of cloud computing
2.1.2 Cloud computing service models
2.2 Concept and process of risk management
2.2.1 Definition of risk management
2.2.2 Steps of risk management
2.3 Concept and goals of information security risk management
2.3.1 Risk management concept
2.3.2 Criteria that protected assets should meet
2.4 Cloud service risks
2.4.1 Cloud service risks
2.4.2 High-level cloud service risks

3. Research Method
3.1 Research procedure
3.2 Research limitations and assumptions
3.3 Questionnaire design
3.4 Method for building the risk assessment model
3.4.1 Pearson correlation
3.4.2 Research model diagram

4. Building the Risk Assessment Model
4.1 Identifying vulnerabilities, risks and assets
4.2 Analysis of basic data
4.3 Model construction
4.4 Comparison of this model with the OWASP model
4.4.1 Calculation of vendor rankings for the comparison group
4.4.2 Comparison of vendor rankings between the experimental group and the comparison group
4.5 Model application
4.6 Discussion of managerial implications

5. Conclusions and Future Research
5.1 Conclusions
5.2 Future research directions

References
Appendix (Questionnaire)

References:

林育震 (2010), "Controlling risk, realizing cloud benefits" (掌控風險 發揮雲端效益), Communications of the CCISA, 16(4), pp. 138-149.
張春雄, 林顯達, 黃新宗, 劉美芳 (2003), "Risk Management" (風險管理), 吉田出版社.
陳瑞, 周林毅 (2007), "Risk Assessment and Decision Management" (風險評估與決策管理), 五南圖書出版公司.
黃清賢 (2003), "Hazard Analysis and Risk Assessment Operations Manual" (危害分析與風險評估操作手冊), 新文京開發出版股份有限公司.
蔡一郎 (2010), "Cloud computing and cloud service risk architecture" (雲端運算與雲端服務風險架構), Communications of the CCISA, 16(4), pp. 84-93.
賴世培, 詹志禹 (2011), "Applied Statistics (complete edition)" (應用統計(全)), 中華電視股份有限公司.
A. Avizienis, J. Laprie, B. Randell (2000), "Fundamental concepts of dependability", in Proceedings of the 3rd Information Survivability Workshop.
A. Rosenthal, P. Mork, M. H. Li, J. Stanford, D. Koester, P. Reynolds (2010), "A new business paradigm for biomedical information sharing", Journal of Biomedical Informatics, 43(2), pp. 324-353.
IBM (2009), "Red Book: Cloud Security Guidance, IBM Recommendations for the Implementation of Cloud Security", IBM.
C. S. Yoo (2011), "Cloud Computing: Architectural and Policy Implications", Rev Ind Organ, 38(4), pp. 405-421.
CSA (2010), "Top Threats to Cloud Computing", Cloud Security Alliance.
ENISA (2009), "Cloud Computing Security Risk Assessment", European Network and Information Security Agency.
D. Zissis, D. Lekkas (2011), "Securing e-Government and e-Voting with an open cloud computing architecture", Government Information Quarterly, 28, pp. 239-251.
European Parliament (1995), "Directive 95/46/EC of the European Parliament", European Parliament.
L. Iuga (2010), "The Analysis of the Correlation Between the Level of the Bank Fees for Cards and the Number of Active Cards, Conducted with the Help of the Pearson Coefficient", Annales Universitatis Apulensis Series Oeconomica, 12(1), pp. 397-404.
L. Egghe, L. Leydesdorff (2009), "The Relation Between Pearson's Correlation Coefficient r and Salton's Cosine Measure", Journal of the American Society for Information Science and Technology, 60(5), pp. 1027-1036.
L. M. Vaquero, L. Rodero-Merino, D. Morán (2011), "Locking the sky: a survey on IaaS cloud security", Computing, 91(1), pp. 93-118.
L. M. Vaquero, L. Rodero-Merino, J. Caceres, M. Lindner (2009), "A Break in the Clouds: Towards a Cloud Definition", ACM SIGCOMM Computer Communication Review, 39(1), pp. 50-55.
N. Mayer, P. Heymans, R. Matulevičius (2007), "Design of a Modelling Language for Information System Security Risk Management", Proceedings of the 1st International Conference on Research Challenges in Information Science (RCIS 2007), Ouarzazate, Morocco, April.
NIST SAJACC and BUC Working Groups (2011), "NIST US Government Cloud Computing Technology Roadmap Volume III: Technical Considerations for USG Cloud Computer Deployment Decisions", National Institute of Standards and Technology.
OWASP Cloud Top Ten Project (2012), "Cloud Top 10 Security Risks", The Open Web Application Security Project.
NIST (2011), "NIST Definition of Cloud Computing", National Institute of Standards and Technology.
G. Purdy (2010), "ISO 31000:2009: Setting a New Standard for Risk Management", Risk Analysis, 30(6), pp. 881-886.
R. K. Chellappa, A. Gupta (2002), "Managing computing resources in active intranets", International Journal of Network Management, 12(2), pp. 117-128.
S. Paquette, P. T. Jaeger, S. C. Wilson (2010), "Identifying the security risks associated with governmental use of cloud computing", Government Information Quarterly, 27(3), pp. 245-253.
T. Schoenherr (2009), "Logistics and Supply Chain Management Applications Within a Global Context: An Overview", Journal of Business Logistics, 30(2), pp. 1-IVV.
Y. C. Stamatiou, E. Henriksen, M. S. Lund, E. Mantzouranis, M. Psarros, E. Skipenes, N. Stathiakis, K. Stølen (2002), "Experiences from using model-based risk assessment to evaluate the security of a telemedicine application", Proceedings of Telemedicine in Care Delivery (TICD).
L. O. Yusuf, O. Folorunso, A. Akinwale, I. A. Adejumobi (2011), "Visualizing and Assessing a Compositional Approach to Service-Oriented Business Process Design Using Unified Modelling Language (UML)", Computer and Information Science, 4(3), pp. 43-59.
