Clearly delimitate the perimeter of the considered organization. Include the parts of the Information System that are externalized in the Cloud.
Consider the assets of the organization, group them in consistent groups, and for each group imagine the threats that can affect these assets, based on DICT.
Use your favorite methodology to assess the risk induced by each threat.
While focusing on malicious threats, don't forget that negligence or naivety of collaborators can be leveraged by attackers.
Try to be realistic on both impact and probability. Keep in mind that you are dealing with statistic distributions, and that higher impact is possible, but with a lower probability.
If you prefer a rigorous statistical approach, go for OpenFAIR.