Article
Application Design Phase Risk Assessment Framework using Cloud Security Domains
Journal of Information Security and Applications
  • Amartya Sen
  • Sanjay K. Madria, Missouri University of Science and Technology
Abstract

Security risk assessment is done to identify the vulnerabilities of a client's application and develop strong security measures within budgetary constraints. However, while migrating to the Cloud platform, a generic notion of their publicly available security policies makes it challenging for clients to assess the security threats solely relevant to their applications. Additionally, traditional risk assessment techniques cannot address these challenges, as they neither consider cloud security domains as assessment criteria nor identify critical system resources that need to be protected in the likelihood of a successful attack. In order to address these challenges, this paper presents a risk assessment framework for clients' applications that is characterized by the inclusion of cloud security metrics to perform risk assessment during the design phase of an application by incorporating the techniques of cloud misuse patterns. It also helps improve the security requirements phase that precedes risk assessment, by illustrating to clients how different attack scenarios can spread through the applications by using the concepts of percolation centrality and probabilistic state transition diagrams. One of the key findings this work addresses is how to systematically gain a distinction between multiple system resources belonging to the same security defense priority level.

Department(s)
Computer Science
Research Center/Lab(s)
Center for High Performance Computing Research
Second Research Center/Lab
Intelligent Systems Center
Keywords and Phrases
  • Cloud computing
  • Cloud migration
  • Misuse patterns
  • Security risk assessment
  • Software development lifecycle
Document Type
Article - Journal
Document Version
Citation
File Type
text
Language(s)
English
Rights
© 2020 Elsevier, All rights reserved.
Publication Date
01 Dec 2020
Citation Information
Amartya Sen and Sanjay K. Madria. "Application Design Phase Risk Assessment Framework using Cloud Security Domains" Journal of Information Security and Applications Vol. 55 (2020) ISSN: 2214-2126
Available at: http://works.bepress.com/sanjay-madria/128/