Risk assessment is the process by which variables are evaluated to determine the amount and type of risk present. Such assessments are used for decision making as well as for resource management. Critical components of cloud computing risk assessments include cataloging and analyzing IT assets, identifying and understanding threats, and determining any vulnerabilities that might exist.
Risk assessments identify, quantify, and prioritize risks measured against the organization's tolerance for risk. One mechanism to identify weaknesses is a vulnerability assessment, which systematically evaluates an environment (hardware or software) to determine whether it has vulnerabilities that might expose the network or data to unauthorized access.
Evaluating risks for cloud computing purposes should not be limited to the computer network environment; the process should also include the people and the physical environment, both of which can introduce risks. Operational security (OPSEC) focuses on identifying and protecting critical information that might disclose details usable for exploitation, while physical security identifies and protects the physical environment against unauthorized entry.