Risk Evaluation Using Nominal Group Technique for Cloud Computing Risk Assessment in Healthcare

Nurbaini Zainuddin, Rasimah Che Mohd Yusuff, Ganthan Narayana Samy


Emerging of cloud computing with flexibility, improve accessing data, and cost-saving makes this technology accessible and growing fast. As a result of the emergence of cloud computing bring interest to industries to used cloud computing. Although cloud computing brings so many benefits to customers, the previous study reveals that cloud computing penetration in the Healthcare area is still low. With effective cloud risk assessment methodology will gain the confidence to cloud users in this technology. Study in cloud risk assessment methodology still infant and the complexity in identifying security risk still debating. This paper explores the risk assessment process by highlighting the method in the risk evaluation process. Risk evaluation is an essential phase in the risk assessment process. It compares the result from the risk analysis process and determines whether to accept or tolerate the risk criteria to decide on the risk analysis. In this study, the Nominal Group Technique (NGT) is introduced to compare risk analysis results in the earlier phase. Since risk evaluation based on organizational objectives, external and internal context and stakeholders' views, NGT is promising for effective results. This study not only contributing to the prioritizing list of risks and threats in a systematical manner but indirectly NGT process makes stakeholders aware of the current cloud security risk situation in the organization. Equal opportunity expressing views in this focus group discussion is hope can generate a brilliant solution in risk assessment results.


cloud computing; risk assessment; nominal group technique; STRIDE-DREAD model; risk evaluation.

Full Text:



Intelligence Unit, “Ascending Cloud The adoption of cloud computing in five industries,” Econ., 2016.

K. A. Ratnam and P. D. D. Dominic, “Adoption of cloud computing to enhance the healthcare services in Malaysia,” in 2014 International Conference on Computer and Information Sciences, ICCOINS 2014 - A Conference of World Engineering, Science and Technology Congress, ESTCON 2014 - Proceedings, 2014.

F. Sadoughi and L. Erfannia, “Health information system in a cloud computing context,” Stud. Health Technol. Inform., vol. 236, no. 6, pp. 290–297, 2017.

H. Tang, J. Yang, X. Wang, and Q. Zhou, “A Research for Cloud Computing Security Risk Assessment,” Open Cybern. Syst. J., vol. 10, 2017.

B. M. Dioubate, N. N. A. Molok, S. Talib, and A. O. M. Tap, “Risk assessment model for organizational information security,” ARPN J. Eng. Appl. Sci., vol. 10, no. 23, pp. 17607–17613, 2015.

F. M. M. Alturkistani and A. Z. Z. Emam, “A review of security risk assessment methods in cloud computing,” in Advances in Intelligent Systems and Computing, 2014, vol. 1, pp. 443–453.

T. K. Damenu, “Cloud Security Risk Management - A critical Review,” 2015.

A. Ali, D. Warren, and L. Mathiassen, “Cloud-based business services innovation: A risk management model,” Int. J. Inf. Manage., vol. 37, no. 6, pp. 639–649, 2017.

S. Drissi, S. Benhadou, and H. Medromi, “A new shared and comprehensive tool of cloud computing security risk assessment,” Lect. Notes Electr. Eng., vol. 366, no. January 2016, pp. 155–167, 2016.

M. Nada and B. Youssef, “Survey: Risk assessment models for cloud computing : evaluation criteria,” in Cloud Computing Technologies and Applications (CloudTech), 2017 3rd International Conference of, 2017, vol. 1, pp. 3–7.

S. H. Albakri, B. Shanmugam, G. N. Samy, N. B. Idris, and A. Ahmed, “Security risk assessment framework for cloud computing environments,” Secur. Commun. Networks, 2014.

R. Latif, H. Abbas, S. Assar, and Q. Ali, “Cloud computing risk assessment: A systematic literature review,” in Lecture Notes in Electrical Engineering, 2014.

R. Alosaimi and M. Alnuem, “Risk Management Framework for Cloud Computing : A Critical Review,” Int. J. Comput. Sci. Inf. Technol., vol. 8, no. 4, pp. 01–11, 2016.

M. Almorsy, J. Grundy, and A. S. Ibrahim, “Collaboration-based cloud computing security management framework,” Proc. - 2011 IEEE 4th Int. Conf. Cloud Comput. CLOUD 2011, pp. 364–371, 2011.

P. Saripalli and B. Walters, “QUIRC: A quantitative impact and risk assessment framework for cloud security,” in Proceedings - 2010 IEEE 3rd International Conference on Cloud Computing, CLOUD 2010, 2010.

MS ISO/IEC 27005:2012 Information technology -- Security techniques -- Information security risk management. 2012.

K. Djemame, D. Armstrong, J. Guitart, and M. Macias, “A Risk Assessment Framework for Cloud Computing,” IEEE Trans. Cloud Comput., 2016.

J. Li, Y. Bai, and N. Zaman, “A fuzzy modeling approach for risk-based access control in eHealth cloud,” Proc. - 12th IEEE Int. Conf. Trust. Secur. Priv. Comput. Commun. Trust. 2013, pp. 17–23, 2013.

G. Stergiopoulos, V. Kouktzoglou, M. Theocharidou, and D. Gritzalis, “A process-based dependency risk analysis methodology for critical infrastructures,” Int. J. Crit. Infrastructures, 2017.

M. H. Drissi S. Houmani H., “Survey: Risk Assessment for Cloud Computing,” Int. J. Adv. Comput. Sci. Appl., vol. 4, no. 12, pp. 143–148, 2013.

P. Anand, J. Ryoo, H. Kim, and E. Kim, “Threat assessment in the cloud environment - A quantitative approach for security pattern selection,” in ACM IMCOM 2016: Proceedings of the 10th International Conference on Ubiquitous Information Management and Communication, 2016.

A. Singhal and H. Banati, “Fuzzy Logic Approach for Threat Prioritization in Agile Security Framework using DREAD Model,” vol. 8, no. 4, pp. 182–190, 2011.

S. S. McMillan, M. King, and M. P. Tully, “How to use the nominal group and Delphi techniques,” Int. J. Clin. Pharm., Feb. 2016.

N. Evans et al., “Using the nominal group technique to involve young people in an evidence synthesis which explored ‘risk’ in inpatient mental healthcare,” Res. Involv. Engagem., 2017.

V. H. Dang, “The Use of Nominal Group Technique: Case Study in Vietnam,” World J. Educ., vol. 5, no. 4, 2015.

S. S. McMillan et al., “Using the Nominal Group Technique: how to analyse across multiple groups,” Heal. Serv. Outcomes Res. Methodol., vol. 14, no. 3, pp. 92–108, 2014.

N. Harvey and C. A. Holmes, “Nominal group technique: An effective method for obtaining group consensus,” Int. J. Nurs. Pract., 2012.

J. Hugé and N. Mukherjee, “The nominal group technique in ecology & conservation: Application and challenges,” Methods Ecol. Evol., vol. 9, no. 1, pp. 33–41, 2018.

DOI: http://dx.doi.org/10.18517/ijaseit.10.1.10169


  • There are currently no refbacks.

Published by INSIGHT - Indonesian Society for Knowledge and Human Development