Although cloud computing technologies provide many advantages for organizations, security remains a barrier to widespread public adoption. Many cloud systems suffer from attacks such as unauthorized data modification and denial of service. Existing research uses risk assessment to evaluate the security of a cloud environment from either the Cloud Service Provider's (CSP's) viewpoint or the user's point of view. The results of these works may not be precise enough, nor can they satisfy both the CSP's and the user's security requirements. We propose an Adjustable Cloud Risk Assessment systeM (ACRAM) for CSPs and users to assess cloud security. ACRAM consists of a risk assessment module that runs in two modes (Offline or Online) with the help of a Security Service Level Agreement (SecSLA) signed by the CSP and the cloud user. The Offline mode assesses the risk of a cloud based on historical software vulnerabilities, while the Online mode assesses the risk of a cloud system at runtime. To explain how ACRAM works for altering the potential threats in a cloud system, we conduct an experiment using different weights for Confidentiality (C), Integrity (I) and Availability (A). The results show that 1) the CSP can protect future users from being co-located with a possible attacker, and 2) the CSP can take risk mitigation measures to meet a user's requirements and keep the user from being attacked.