Towards a Legal Risk Assessment

  • Marcelo Corrales Compagnucci
Part of the Perspectives in Law, Business and Innovation book series (PLBI)


This chapter presents an SLA brokering framework that includes risk-aware assessment techniques to help clarify database rights and the “ownership” of data, and to evaluate the probability of SLA failure. It uses the Web Services Agreement Specification (WS-Agreement) as a template and extends prior work on risk metrics from the OPTIMIS project to support SLA creation between service consumers and providers in typical cloud brokerage scenarios. However, because WS-Agreement only automates agreement between two parties and does not provide for an intermediary in the agreement process, I draw on the work carried out in the AssessGrid project, which includes a brokerage mechanism and pays considerable attention to risk assessment.
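To make the brokerage idea concrete, the following is an added illustration written for this page; it is not code from the chapter, from OPTIMIS or from AssessGrid. It assumes a simplified model in which each provider publishes a probability of failure (PoF) for its offer, the broker discards offers whose PoF exceeds the consumer's tolerance or whose price exceeds the consumer's budget, ranks the rest by expected cost (price less the expected penalty refund), and treats the PoF of a composite service as the chance that any independent component fails. The `Offer`, `Request`, `broker_select` and `combined_pof` names, the expected-cost rule and the independence assumption are all assumptions made for the example, and the offers are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Offer:
    """A provider's SLA offer as seen by the broker (hypothetical model)."""
    provider: str
    price: float    # amount the consumer pays for the service term
    penalty: float  # compensation the provider pays if it breaches the SLA
    pof: float      # provider-published probability of SLA failure, in [0, 1]


@dataclass(frozen=True)
class Request:
    """The consumer's constraints handed to the broker."""
    max_pof: float  # highest PoF the consumer is willing to accept
    budget: float   # highest price the consumer is willing to pay


def combined_pof(pofs: List[float]) -> float:
    """PoF of a composite SLA whose components fail independently.

    The SLA is breached if any component fails, so the probability that
    it survives is the product of the component survival probabilities.
    Out-of-range inputs are rejected rather than silently clamped.
    """
    survive = 1.0
    for p in pofs:
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"PoF out of range: {p}")
        survive *= 1.0 - p
    return 1.0 - survive


def expected_cost(offer: Offer) -> float:
    """Price paid minus the expected penalty refunded on a breach."""
    return offer.price - offer.penalty * offer.pof


def broker_select(request: Request, offers: List[Offer]) -> Optional[Offer]:
    """Pick the cheapest eligible offer, or None if nothing meets the constraints.

    Eligibility is a hard filter on the consumer's PoF tolerance and
    budget; the ranking among eligible offers is by expected cost.
    """
    eligible = [
        o for o in offers
        if o.pof <= request.max_pof and o.price <= request.budget
    ]
    if not eligible:
        return None
    return min(eligible, key=expected_cost)


# Constructed sample offers (not real providers or published figures).
SAMPLE_OFFERS = [
    Offer("provider-A", price=100.0, penalty=50.0, pof=0.05),
    Offer("provider-B", price=80.0, penalty=10.0, pof=0.20),
    Offer("provider-C", price=90.0, penalty=90.0, pof=0.10),
]


if __name__ == "__main__":
    req = Request(max_pof=0.15, budget=95.0)
    chosen = broker_select(req, SAMPLE_OFFERS)
    print("selected:", chosen.provider if chosen else None)
    print("composite PoF for A+C:", round(combined_pof([0.05, 0.10]), 4))
```

Tightening `max_pof` is the consumer's lever: a low tolerance can leave no eligible offer at all, which the broker reports as `None` instead of quietly relaxing the constraint, so that the decision to accept more risk stays with the consumer rather than the intermediary.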



Copyright information

© Springer Nature Singapore Pte Ltd. 2020

Authors and Affiliations

  1. Centre for Advanced Studies in Biomedical Innovation Law (CeBIL), University of Copenhagen, Copenhagen, Denmark
