{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,15]],"date-time":"2026-05-15T16:18:36Z","timestamp":1778861916152,"version":"3.51.4"},"reference-count":114,"publisher":"Association for Computing Machinery (ACM)","issue":"12","license":[{"start":{"date-parts":[[2026,5,15]],"date-time":"2026-05-15T00:00:00Z","timestamp":1778803200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/legalcode"}],"funder":[{"name":"NWO: MASCOT","award":["CS.014"],"award-info":[{"award-number":["CS.014"]}]},{"name":"NWO: CATRIN","award":["NWA.1215.18.003"],"award-info":[{"award-number":["NWA.1215.18.003"]}]},{"name":"Netherlands Organization for Scientific Research"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Comput. Surv."],"published-print":{"date-parts":[[2026,9,30]]},"abstract":"<jats:p>\n                    This systematic literature review explores the landscape of risks and risk management techniques in cloud outsourcing, with a focus on assisting enterprise cloud consumers in understanding and mitigating both technical and non-technical risks, despite having limited control over the infrastructures. From a comprehensive analysis of 55 academic articles, spanning the period from January 2013 to September 2022, we identify and characterize risks using established frameworks from ENISA and Cebula et\u00a0al. [\n                    <jats:xref ref-type=\"bibr\">20<\/jats:xref>\n                    ]. Using ISO31000 and the classification proposed by Ardagna et\u00a0al. [\n                    <jats:xref ref-type=\"bibr\">4<\/jats:xref>\n                    ], we also summarize and characterize 23 main strategies in risk management techniques feasible for cloud consumers, including technical and non-technical measures. We observe a significant emphasis on technical risks in the literature, while non-technical risks, including legal, organizational, and policy aspects, are relatively underrepresented. Threats to data confidentiality dominate the technical risks and mostly originate from shared infrastructure issues. In addition, non\u2011technical issues such as vendor lock\u2011in also pose catastrophic risks to the continuity and business operations of cloud consumers. We also observe that encryption still plays a key role in the existing techniques, next to other techniques such as auditing, risk-aware software development, and assessments of third parties.\n                  <\/jats:p>","DOI":"10.1145\/3808691","type":"journal-article","created":{"date-parts":[[2026,4,14]],"date-time":"2026-04-14T10:34:47Z","timestamp":1776162887000},"page":"1-36","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Cloud Outsourcing Risk Management for Cloud Consumers: A Systematic Literature Review"],"prefix":"10.1145","volume":"58","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-6697-6645","authenticated-orcid":false,"given":"Muhammad Yasir Muzayan","family":"Haq","sequence":"first","affiliation":[{"name":"University of Twente","place":["Enschede, Netherlands"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-2579-5495","authenticated-orcid":false,"given":"Siraj","family":"Anand","sequence":"additional","affiliation":[{"name":"University of Twente","place":["Enschede, Netherlands"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6438-7756","authenticated-orcid":false,"given":"L.J.M.","family":"Nieuwenhuis","sequence":"additional","affiliation":[{"name":"University of Twente","place":["Enschede, Netherlands"]}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7122-3103","authenticated-orcid":false,"given":"Abhishta","family":"Abhishta","sequence":"additional","affiliation":[{"name":"University of Twente","place":["Enschede, Netherlands"]}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2026,5,15]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.22667\/JOWUA.2020.06.30.003"},{"key":"e_1_3_3_3_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eij.2024.100519"},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2016.10.005"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/2767005"},{"key":"e_1_3_3_6_2","unstructured":"Cambridge University Press & Assessment. 2023. Definition of Risk - Cambridge Dictionary. Retrieved December 12 2023 from https:\/\/dictionary.cambridge.org\/dictionary\/english\/risk"},{"key":"e_1_3_3_7_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICST46399.2020.00046"},{"key":"e_1_3_3_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNET.2019.2891528"},{"key":"e_1_3_3_9_2","unstructured":"AWS. 2026. What is Containerization? - Containerization Explained - AWS. Retrieved January 1 2026 from https:\/\/aws.amazon.com\/what-is\/containerization\/"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1007\/s12525-018-0284-7"},{"key":"e_1_3_3_11_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-013-0174-7"},{"key":"e_1_3_3_12_2","volume-title":"Site Reliability Engineering: How Google Runs Production Systems","author":"Beyer Betsy","year":"2016","unstructured":"Betsy Beyer, Chris Jones, Jennifer Petoff, and Niall Richard Murphy. 2016. Site Reliability Engineering: How Google Runs Production Systems. \u201cO\u2019Reilly Media, Inc.\u201d. Google-Books-ID: _4rPCwAAQBAJ."},{"key":"e_1_3_3_13_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGrid49817.2020.00-51"},{"key":"e_1_3_3_14_2","unstructured":"European Data Protection Board. 2021. Dutch DPA fines OLVG hospital for inadequate protection of medical records | European Data Protection Board. Retrieved September 2 2023 from https:\/\/edpb.europa.eu\/news\/national-news\/2021\/dutch-dpa-fines-olvg-hospital-inadequate-protection-medical-records_en"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.5195\/jmla.2018.283"},{"key":"e_1_3_3_16_2","doi-asserted-by":"publisher","DOI":"10.1145\/1134285.1134500"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.12694\/scpe.v17i4.1200"},{"key":"e_1_3_3_18_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2018.04.081"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-16120-9_9"},{"key":"e_1_3_3_20_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13677-016-0064-x"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","DOI":"10.21236\/ADA609863"},{"key":"e_1_3_3_22_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2015.09.031"},{"key":"e_1_3_3_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2017.2703626"},{"key":"e_1_3_3_24_2","doi-asserted-by":"publisher","DOI":"10.1145\/3652597"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1109\/MPRV.2013.72"},{"key":"e_1_3_3_26_2","unstructured":"European Commision. 2023. Directive on Measures for a High Common Level of Cybersecurity Across the Union (NIS2 Directive) | Shaping Europe\u2019s digital future. Retrieved December 1 2023 from https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/nis2-directive"},{"key":"e_1_3_3_27_2","unstructured":"European Commision. 2023. EU Cyber Resilience Act | Shaping Europe\u2019s digital future. Retrieved December 1 2023 from https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/cyber-resilience-act"},{"key":"e_1_3_3_28_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.101905"},{"key":"e_1_3_3_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/AKGEC62572.2024.10868483"},{"key":"e_1_3_3_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGRID.2017.144"},{"key":"e_1_3_3_31_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-13701-8_1"},{"key":"e_1_3_3_32_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2014.2344653"},{"key":"e_1_3_3_33_2","unstructured":"Grace Donnelly. 2023. Edge Computing Impact: Which Verticals Will Adopt First? Retrieved December 1 2023 from https:\/\/stlpartners.com\/articles\/edge-computing\/edge-computing-impact\/"},{"key":"e_1_3_3_34_2","volume-title":"Committee Draft of ISO 31000 \u201cRisk management - Guidelines on principles and implementation of risk management\u201d","author":"Standardization International Organization for","year":"2009","unstructured":"International Organization for Standardization. 2009. Committee Draft of ISO 31000 \u201cRisk management - Guidelines on principles and implementation of risk management\u201d. International Organization for Standardization. Technical Report. Retrieved from https:\/\/web.archive.org\/web\/20090325160441http:\/\/www.nsai.ie\/uploads\/file\/N047_Committee_Draft_of_ISO_31000.pdf"},{"key":"e_1_3_3_35_2","unstructured":"International Organization for Standardization. 2018. ISO 31000:2018. Retrieved May 1 2022 from https:\/\/www.iso.org\/cms\/render\/live\/en\/sites\/isoorg\/contents\/data\/standard\/06\/56\/65694.html"},{"key":"e_1_3_3_36_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-417159-6.00002-X"},{"key":"e_1_3_3_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2018.2879605"},{"key":"e_1_3_3_38_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2015.2415794"},{"key":"e_1_3_3_39_2","doi-asserted-by":"publisher","DOI":"10.1145\/581271.581274"},{"key":"e_1_3_3_40_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jbusres.2018.06.006"},{"key":"e_1_3_3_41_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2010.115"},{"key":"e_1_3_3_42_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW59978.2023.00060"},{"key":"e_1_3_3_43_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW61312.2024.00044"},{"key":"e_1_3_3_44_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSPW55150.2022.00039"},{"key":"e_1_3_3_45_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2500193"},{"key":"e_1_3_3_46_2","doi-asserted-by":"publisher","DOI":"10.1109\/RCIS.2012.6240421"},{"key":"e_1_3_3_47_2","doi-asserted-by":"publisher","DOI":"10.1145\/3715001"},{"key":"e_1_3_3_48_2","doi-asserted-by":"publisher","DOI":"10.1145\/3131365.3131383"},{"key":"e_1_3_3_49_2","unstructured":"Naveen Joshi. 2019. Fog vs Edge vs Mist computing. Which one is the most suitable? Retrieved December 13 2023 from https:\/\/www.allerin.com\/blog\/fog-vs-edge-vs-mist-computing-which-one-is-the-most-suitable-for-your-business. Section: My Voice."},{"key":"e_1_3_3_50_2","doi-asserted-by":"publisher","DOI":"10.1007\/s00766-013-0166-7"},{"key":"e_1_3_3_51_2","doi-asserted-by":"publisher","DOI":"10.13052\/jcsm2245-1439.731"},{"key":"e_1_3_3_52_2","doi-asserted-by":"publisher","DOI":"10.1023\/A:1022445108617"},{"key":"e_1_3_3_53_2","unstructured":"Barbara A. Kitchenham. 2004. Procedures for Performing Systematic Reviews. Keele University."},{"key":"e_1_3_3_54_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2013.07.010"},{"key":"e_1_3_3_55_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cosrev.2019.05.002"},{"key":"e_1_3_3_56_2","unstructured":"Scimago Lab. 2022. Scimago Journal & Country Rank. Retrieved November 16 2022 from https:\/\/www.scimagojr.com\/"},{"key":"e_1_3_3_57_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2021.102869"},{"key":"e_1_3_3_58_2","doi-asserted-by":"publisher","DOI":"10.2307\/2529310"},{"key":"e_1_3_3_59_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGrid.2013.28"},{"key":"e_1_3_3_60_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSMC.2020.3002930"},{"key":"e_1_3_3_61_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2018.03.006"},{"key":"e_1_3_3_62_2","doi-asserted-by":"publisher","DOI":"10.1109\/JSYST.2020.2978146"},{"key":"e_1_3_3_63_2","unstructured":"Fang Liu Jin Tong Jian Mao Robert B. Bohn John V. Messina Mark L. Badger and Dawn M. Leaf. 2011. NIST cloud computing reference architecture. (Sept.2011). Retrieved May 20 2021 from https:\/\/www.nist.gov\/publications\/nist-cloud-computing-reference-architecture. Last Modified: 2018-11-10T10:11-05:00."},{"key":"e_1_3_3_64_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2025.3634981"},{"key":"e_1_3_3_65_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2015.11.012"},{"key":"e_1_3_3_66_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2021.3062204"},{"key":"e_1_3_3_67_2","unstructured":"Bansal Megha. 2023. What is Private Cloud? Types Process Benefits Examples. Retrieved September 26 2023 from https:\/\/www.knowledgehut.com\/blog\/cloud-computing\/what-is-private-cloud"},{"key":"e_1_3_3_68_2","doi-asserted-by":"publisher","DOI":"10.6028\/NIST.SP.800-145"},{"key":"e_1_3_3_69_2","unstructured":"Inc. Merriam-Webster. 2023. Definition of Risk - Merriam-Webster Dictionary. Retrieved December 18 2023 from https:\/\/www.merriam-webster.com\/dictionary\/risk"},{"key":"e_1_3_3_70_2","doi-asserted-by":"publisher","DOI":"10.1016\/B978-0-12-809710-6.00006-8"},{"key":"e_1_3_3_71_2","doi-asserted-by":"publisher","DOI":"10.1093\/ijlit\/eaac003"},{"key":"e_1_3_3_72_2","doi-asserted-by":"publisher","DOI":"10.1109\/WiSPNET.2017.8299880"},{"key":"e_1_3_3_73_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2016.06.003"},{"key":"e_1_3_3_74_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2013.03.011"},{"key":"e_1_3_3_75_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10270-019-00747-8"},{"key":"e_1_3_3_76_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2012.180"},{"key":"e_1_3_3_77_2","unstructured":"NASCIO. 2021. A Fresh Look: Capitals in the Clouds. Retrieved December 13 2023 from https:\/\/www.nascio.org\/resource-center\/resources\/a-fresh-look-capitals-in-the-clouds\/"},{"key":"e_1_3_3_78_2","unstructured":"NASCIO. 2023. Capitals in the Cloud Part II: Changing the Cloud Conversation. Retrieved December 13 2023 from https:\/\/www.nascio.org\/resource-center\/resources\/capitals-in-the-cloud-part-ii-changing-the-cloud-conversation\/"},{"key":"e_1_3_3_79_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102266"},{"key":"e_1_3_3_80_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13677-016-0054-z"},{"key":"e_1_3_3_81_2","doi-asserted-by":"publisher","DOI":"10.3390\/bdcc7010001"},{"key":"e_1_3_3_82_2","unstructured":"Carter Pape. 2022. 7 Data Breach Reporting Rules Banks Need to Understand. Retrieved February 7 2024 from https:\/\/www.americanbanker.com\/list\/7-data-breach-reporting-rules-banks-need-to-understand"},{"key":"e_1_3_3_83_2","doi-asserted-by":"publisher","DOI":"10.1109\/SP46214.2022.9833784"},{"key":"e_1_3_3_84_2","doi-asserted-by":"publisher","DOI":"10.1109\/TDSC.2024.3381973"},{"key":"e_1_3_3_85_2","unstructured":"Oxford University Press. 2023. Definition of Risk - Oxford Learner\u2019s Dictionary. Retrieved December 18 2023 from https:\/\/www.oxfordlearnersdictionaries.com\/definition\/english\/risk_1"},{"key":"e_1_3_3_86_2","doi-asserted-by":"publisher","DOI":"10.1109\/TSC.2016.2553668"},{"key":"e_1_3_3_87_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2019.2911679"},{"key":"e_1_3_3_88_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11432-016-0322-7"},{"key":"e_1_3_3_89_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13677-017-0076-1"},{"key":"e_1_3_3_90_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.infsof.2014.10.003"},{"key":"e_1_3_3_91_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGrid54584.2022.00038"},{"key":"e_1_3_3_92_2","unstructured":"Doug [R-GA-9 Rep. Collins. 2018. H.R.4943-115th Congress (2017-2018): CLOUD Act. Retrieved December 19 2023 from https:\/\/www.congress.gov\/bill\/115th-congress\/house-bill\/4943. Archive Location: 2018-02-06."},{"key":"e_1_3_3_93_2","unstructured":"Computing Research and CORE Inc. Education Association of Australasia. 2022. CORE Rankings Portal. Retrieved November 16 2022 from https:\/\/www.core.edu.au\/conference-portal"},{"key":"e_1_3_3_94_2","doi-asserted-by":"publisher","DOI":"10.1186\/s13677-020-00192-9"},{"key":"e_1_3_3_95_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comcom.2019.05.018"},{"key":"e_1_3_3_96_2","doi-asserted-by":"publisher","DOI":"10.4018\/IJSSMET.2019070103"},{"key":"e_1_3_3_97_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2015.01.018"},{"key":"e_1_3_3_98_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGrid.2013.109"},{"key":"e_1_3_3_99_2","unstructured":"Neenan Sarah and Bigelow Stephen. 2023. What is Hybrid Cloud? The Ultimate Guide | TechTarget. Retrieved September 26 2023 from https:\/\/www.techtarget.com\/searchcloudcomputing\/definition\/hybrid-cloud"},{"key":"e_1_3_3_100_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jisa.2020.102617"},{"key":"e_1_3_3_101_2","doi-asserted-by":"publisher","DOI":"10.1145\/359168.359176"},{"key":"e_1_3_3_102_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.csi.2025.103975"},{"key":"e_1_3_3_103_2","doi-asserted-by":"publisher","DOI":"10.1145\/3382190"},{"key":"e_1_3_3_104_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2016.03.022"},{"key":"e_1_3_3_105_2","doi-asserted-by":"publisher","DOI":"10.1007\/s40171-021-00292-8"},{"key":"e_1_3_3_106_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2016.01.009"},{"key":"e_1_3_3_107_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2020.102124"},{"key":"e_1_3_3_108_2","unstructured":"Stanford University. 2023. Definition of Risk | Office of the Chief Risk Officer. Retrieved December 18 2023 from https:\/\/ocro.stanford.edu\/enterprise-risk-management-erm\/key-definitions\/definition-risk"},{"key":"e_1_3_3_109_2","doi-asserted-by":"publisher","DOI":"10.1504\/IJWGS.2018.088396"},{"key":"e_1_3_3_110_2","doi-asserted-by":"publisher","DOI":"10.1145\/3388922"},{"key":"e_1_3_3_111_2","doi-asserted-by":"publisher","DOI":"10.1109\/TCC.2014.2372758"},{"key":"e_1_3_3_112_2","doi-asserted-by":"publisher","DOI":"10.1080\/01559982.2020.1783047"},{"key":"e_1_3_3_113_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.future.2014.10.006"},{"key":"e_1_3_3_114_2","doi-asserted-by":"publisher","DOI":"10.1007\/s10723-022-09606-1"},{"key":"e_1_3_3_115_2","doi-asserted-by":"publisher","DOI":"10.1109\/CCGrid.2015.12"}],"container-title":["ACM Computing Surveys"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3808691","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,15]],"date-time":"2026-05-15T16:03:40Z","timestamp":1778861020000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3808691"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,15]]},"references-count":114,"journal-issue":{"issue":"12","published-print":{"date-parts":[[2026,9,30]]}},"alternative-id":["10.1145\/3808691"],"URL":"https:\/\/doi.org\/10.1145\/3808691","relation":{},"ISSN":["0360-0300","1557-7341"],"issn-type":[{"value":"0360-0300","type":"print"},{"value":"1557-7341","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,15]]},"assertion":[{"value":"2024-02-07","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-04-06","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2026-05-15","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}