Laypeople and Experts risk perception of Cloud Computing Services

Cloud computing is revolutionising the way software services are procured and used by Government organizations and SMEs. Quantitative risk assessment of Cloud services is complex and undermined by specific security concerns regarding data confidentiality, integrity and availability. This study explores how the gap between the quantitative risk assessment and the perception of the risk can produce a bias in the decision-making process about Cloud computing adoption. The risk perception of experts in Cloud computing (N=37) and laypeople (N=81) about ten Cloud computing services was investigated using the psychometric paradigm. Results suggest that the risk perception of Cloud services can be represented by two components, called dread risk and unknown risk, which may explain up to 46% of the variance. Other factors influencing the risk perception were perceived benefits, trust in regulatory authorities and technology attitude. This study suggests some implications that could support Government and non-Government organizations in their strategies for Cloud computing adoption.

💡 Research Summary

The paper investigates how risk perception of cloud computing services differs between experts and laypeople, and how this perception may bias decision‑making about cloud adoption. Using the psychometric paradigm—a well‑established framework in risk research—the authors surveyed two groups: 37 cloud‑computing professionals (with experience in security, architecture, or consulting) and 81 non‑technical participants. Respondents evaluated ten representative cloud services (including public IaaS, private PaaS, hybrid SaaS, etc.) on eight psychological attributes (severity, loss probability, controllability, immediacy, uncertainty, understandability, trustworthiness, and complexity) using a 7‑point Likert scale.

Exploratory factor analysis (EFA) revealed two underlying dimensions that together explained 46 % of the variance in risk ratings. The first dimension, labeled “dread risk,” loaded heavily on items such as high severity, high potential loss, low controllability, and immediacy. The second, “unknown risk,” captured low understandability, low trust, high complexity, and high uncertainty. Confirmatory factor analysis (CFA) confirmed the adequacy of the two‑factor model (CFI = 0.97, TLI = 0.96, RMSEA = 0.045, SRMR = 0.032).

Beyond these core dimensions, the authors examined additional predictors of risk perception through multiple regression. Perceived benefits of cloud services, trust in regulatory authorities, and a positive technology attitude each significantly reduced both dread and unknown risk scores (p < 0.05). Demographic variables (age, education, organization size) showed no significant effect, suggesting that psychological factors dominate perception differences. Notably, laypeople scored significantly higher on unknown risk (mean difference = 0.67, p < 0.001) and also higher on dread risk (mean difference = 0.42, p < 0.01) compared with experts, indicating a pronounced over‑estimation of uncertainty and potential harm among non‑experts.

The findings have several practical implications. First, the gap between quantitative risk assessments (often performed by experts) and subjective risk perception (especially among lay stakeholders) can lead to overly cautious or, conversely, insufficiently protective cloud‑adoption strategies. Policymakers and organizational leaders should therefore design targeted communication and education programs that demystify cloud architectures, clarify security controls, and present concrete benefit cases. Emphasizing transparency—e.g., publishing certification results, audit reports, and incident‑response procedures—can reduce the unknown‑risk component. Second, strengthening trust in regulatory bodies (through clear standards, third‑party certifications, and consistent enforcement) directly lowers perceived risk, facilitating smoother adoption. Third, highlighting tangible benefits (cost savings, scalability, innovation enablement) can counterbalance fear‑based judgments.

The authors acknowledge limitations: the sample size is modest and confined to a single national context, the survey focuses on quantitative risk attributes while neglecting cultural or organizational nuances, and the cross‑sectional design cannot capture how risk perception evolves after actual cloud deployment. Future research should expand to multi‑country samples, incorporate longitudinal tracking of perception before and after migration, and explore emerging service categories such as edge computing, AI‑as‑a‑service, and serverless platforms.

In summary, the study demonstrates that risk perception of cloud services is structured around dread and unknown dimensions, explains a substantial portion of variance, and is further shaped by perceived benefits, regulatory trust, and technology attitude. Recognizing and addressing these perceptual factors can help governments, NGOs, and private firms develop more balanced, evidence‑based cloud‑adoption policies and reduce the decision‑making bias that stems from mismatched expert assessments and layperson fears.