Cloud-based systems are prone to be attacked because they share the same cloud infrastructure, where there may exist hackers and malicious users. As a result, cloud system owners need an on-going security risk assessment mechanism to monitor the risk of their systems so that they can be mitigated in a timely manner to ensure the business continuity. Existing methods of cloud system risk assessment usually do not fully consider the dependencies of the system’s cloud resources or the conflictions of the threats on the system. In this paper we propose an application-aware cloud system risk assessment method, called ARA-Assessor, for performing security risk assessment for cloud systems. ARA-Assessor includes a cloud system model used to specify the significance value of each system component and their dependencies. With this application-aware model, the cloud system owners are able to continuously assess the risk of their systems. We evaluate ARA-Assessor with three typical cloud systems on AWS. The experimental results show that our method is capable of continuously assessing the runtime risk for multiple types of cloud systems.