Assessing information security risks in the cloud: A case study of Australian local government authorities

Abstract: Cloud computing enables cost-effective and scalable growth of IT services that can enhance government services. Despite the Australian Federal Government's ‘cloud-first’ strategy and policies, and the Queensland State Government's ‘digital-first’ strategy, cloud services adoption at local government level has been limited, largely due to data security concerns. We reviewed the ISO 27002 Information Security standard with extant literature and found that operational security, individual awareness and compliance matters pose more significant government challenges than the often-highlighted technical and process-oriented cloud security requirements. This study identifies and explores the critical factors associated with information security requirements of cloud services within the Australian regional local government context. We conducted 21 field interviews with IT managers, and surveyed 480 IT staff from Australia's 47 regional local governments. We propose a conceptual cloud computing security requirements model with four components – data security; risk assessment; legal & compliance requirements; and business & technical requirements – in order to promote a balanced view on cloud security for governments. Using this model, governments can work together to demand uniform security requirements for adopting cloud services.

[82]  B. Tabachnick,et al.  Using Multivariate Statistics , 1983 .

[83]  Brent Lagesse,et al.  Challenges in securing the interface between the cloud and pervasive systems , 2011, 2011 IEEE International Conference on Pervasive Computing and Communications Workshops (PERCOM Workshops).

[84]  Viswanath Venkatesh,et al.  Bridging the Qualitative-Quantitative Divide: Guidelines for Conducting Mixed Methods Research in Information Systems , 2013, MIS Q..

[85]  Tiago Oliveira,et al.  Understanding e-business adoption across industries in European countries , 2010, Ind. Manag. Data Syst..

[86]  John Krumm,et al.  A survey of computational location privacy , 2009, Personal and Ubiquitous Computing.

[87]  Eric Hand,et al.  Head in the clouds , 2007, Nature.

[88]  A. Onwuegbuzie,et al.  Mixed Methods Research: A Research Paradigm Whose Time Has Come , 2004 .

[89]  Saudi Arabia,et al.  Cloud Based E-Government: Benefits and Challenges , 2013 .

[90]  W. Zikmund Business Research Methods , 1984 .

[91]  J. Hair Multivariate data analysis , 1972 .

[92]  Rajkumar Buyya,et al.  Market-Oriented Cloud Computing: Vision, Hype, and Reality for Delivering IT Services as Computing Utilities , 2008, 2008 10th IEEE International Conference on High Performance Computing and Communications.

[93]  Paul De Hert,et al.  The new General Data Protection Regulation: Still a sound system for the protection of individuals? , 2016, Comput. Law Secur. Rev..

[94]  Iliya Markov,et al.  Risk perception and risk management in cloud computing: Results from a case study of Swiss companies , 2013, Int. J. Inf. Manag..

[95]  Bo Fan,et al.  Exploring open government data capacity of government agency: Based on the resource-based theory , 2018, Gov. Inf. Q..

[96]  Siani Pearson,et al.  Privacy, Security and Trust Issues Arising from Cloud Computing , 2010, 2010 IEEE Second International Conference on Cloud Computing Technology and Science.

[97]  Jason W Beckstead,et al.  Factor analysis as a tool for survey analysis using a professional role orientation inventory as an example. , 2004, Physical therapy.

[98]  The Role of Information Technology in the Business Sector , 2014 .

[99]  Sheena Asthana,et al.  Allocating resources for health and social care: the significance of rurality. , 2003, Health & social care in the community.

[100]  H. Russell Johnston,et al.  Developing Capabilities to Use Information Strategically , 1988, MIS Q..

[101]  Jasmeet Singh,et al.  Cloud Data Security using Authentication and Encryption Technique , 2013 .

[102]  Emanouil I. Atanassov,et al.  Security issues of the combined usage of Grid and Cloud resources , 2012, 2012 Proceedings of the 35th International Convention MIPRO.

[103]  William C. Barker,et al.  Volume I: Guide for Mapping Types of Information and Information Systems to Security Categories , 2008 .

[104]  T. Brown,et al.  Exploratory Factor Analysis: A Five-Step Guide for Novices , 2010 .

[105]  Michael Grimsley,et al.  e-Government information systems: Evaluation-led design for public value and client trust , 2007, Eur. J. Inf. Syst..

[106]  Jeffrey Soar,et al.  Perceived potential for value creation from cloud computing: a study of the Australian regional government sector , 2018, Behav. Inf. Technol..

[107]  Kenneth A. Bollen,et al.  Structural Equations with Latent Variables , 1989 .

[108]  Dong-Hee Shin,et al.  User centric cloud service model in public sectors: Policy implications of cloud services , 2013, Gov. Inf. Q..

[109]  Avinash Sonule,et al.  Development of servers in cloud computing to solve issues related to security and backup , 2011, 2011 IEEE International Conference on Cloud Computing and Intelligence Systems.

[110]  Michael Hall,et al.  Security and Control in the Cloud , 2010, Inf. Secur. J. A Glob. Perspect..

[111]  Barbara M. Byrne,et al.  Structural equation modeling with EQS : basic concepts, applications, and programming , 2000 .

[112]  Abdulaziz Aljabre Cloud Computing for Increased Business Value , 2012 .

[113]  Jörg Schwenk,et al.  On Technical Security Issues in Cloud Computing , 2009, 2009 IEEE International Conference on Cloud Computing.

[114]  Akhil Behl Emerging security challenges in cloud computing: An insight to cloud security challenges and their mitigation , 2011, 2011 World Congress on Information and Communication Technologies.

[115]  D L Morgan,et al.  Practical Strategies for Combining Qualitative and Quantitative Methods: Applications to Health Research , 1998, Qualitative health research.

[116]  A. Onwuegbuzie,et al.  Toward a Definition of Mixed Methods Research , 2007 .

[117]  Xiaohua Zhu,et al.  The failure of an early episode in the open government data movement: A historical case study , 2017, Gov. Inf. Q..

[118]  Jeffrey C. Carrico,et al.  Licensed to ILL , 2004 .

[119]  Shuhua Monica Liu,et al.  Special issue on internet plus government: New opportunities to solve public problems? , 2018, Gov. Inf. Q..

[120]  Kathryn E. Newcomer,et al.  Handbook of Practical Program Evaluation , 2010 .

[121]  N. B. Anuar,et al.  The rise of "big data" on cloud computing: Review and open research issues , 2015, Inf. Syst..

[122]  Saad Mubeen,et al.  Management of Service Level Agreements for Cloud Services in IoT: A Systematic Mapping Study , 2018, IEEE Access.

[123]  Serge Gutwirth,et al.  Computers, Privacy and Data Protection: an Element of Choice , 2011 .

[124]  Daniel Perez González,et al.  Cloud computing in industrial SMEs: identification of the barriers to its adoption and effects of its application , 2013, Electron. Mark..

[125]  R. Udayakumar,et al.  Cloud Security and Compliance - A Semantic Approach in End to End Security , 2017 .

[126]  M. Grimmer,et al.  The mix of qualitative and quantitative research in major marketing journals, 1993‐2002 , 2007 .

[127]  Tim Storer,et al.  Cloud Security Challenges: Investigating Policies, Standards, And Guidelines In A Fortune 500 Organization , 2013, ECIS.

[128]  Paul T. Jaeger,et al.  Transparency and technological change: Ensuring equal and sustained public access to government information , 2010, Gov. Inf. Q..

[129]  E. Rogers Diffusion of Innovations , 1962 .

[130]  Kenneth L. Kraemer,et al.  Review: Information Technology and Organizational Performance: An Integrative Model of IT Business Value , 2004, MIS Q..

[131]  Matthew N. O. Sadiku,et al.  Cloud Computing: Opportunities and Challenges , 2014, IEEE Potentials.

[132]  Jennifer Caroline Greene,et al.  Defining and describing the paradigm issue in mixed‐method evaluation , 1997 .

[133]  V. Kavitha,et al.  A survey on security issues in service delivery models of cloud computing , 2011, J. Netw. Comput. Appl..

[134]  Bernd Grobauer,et al.  Understanding Cloud Computing Vulnerabilities , 2011, IEEE Security & Privacy.

[135]  Michele Bush Kimball Mandated state-level open government training programs , 2011, Gov. Inf. Q..

[136]  M. Al-Hariri,et al.  Impact of students' use of technology on their learning achievements in physiology courses at the University of Dammam , 2016, Journal of Taibah University Medical Sciences.

[137]  Reza Curtmola,et al.  Provable data possession at untrusted stores , 2007, CCS '07.

[138]  Kenneth L. Kraemer,et al.  Information Technology Payoff in E-Business Environments: An International Perspective on Value Creation of E-Business in the Financial Services Industry , 2004, J. Manag. Inf. Syst..

[139]  Yikai Liang,et al.  Exploring the determinant and influence mechanism of e-Government cloud adoption in government agencies in China , 2017, Gov. Inf. Q..

[140]  Zheng Yan,et al.  Factors affecting response rates of the web survey: A systematic review , 2010, Comput. Hum. Behav..

[141]  Jeffrey Soar,et al.  Challenges and issues that are perceived to influence cloud computing adoption in local government councils , 2017, 2017 IEEE 21st International Conference on Computer Supported Cooperative Work in Design (CSCWD).

[142]  R. P. McDonald,et al.  Goodness-of-fit indexes in confirmatory factor analysis : The effect of sample size , 1988 .

[143]  C. Perry,et al.  Qualitative Marketing Research , 2001 .

[144]  K. Brazil,et al.  Revisiting the Quantitative-Qualitative Debate: Implications for Mixed-Methods Research , 2002, Quality & quantity.

[145]  Nils Urbach,et al.  Structural Equation Modeling in Information Systems Research Using Partial Least Squares , 2010 .

[146]  Eduardo B. Fernández,et al.  A survey of compliance issues in cloud computing , 2016, Journal of Internet Services and Applications.

[147]  Raouf Boutaba,et al.  Cloud computing: state-of-the-art and research challenges , 2010, Journal of Internet Services and Applications.

[148]  Kostas E. Psannis,et al.  Secure integration of IoT and Cloud Computing , 2018, Future Gener. Comput. Syst..

[149]  Keith Punch,et al.  Introduction to Social Research: Quantitative and Qualitative Approaches , 1998 .

[150]  Andy P. Field,et al.  Discovering Statistics Using SPSS , 2000 .

[151]  Athanasios V. Vasilakos,et al.  A Survey of Security and Privacy Challenges in Cloud Computing: Solutions and Future Directions , 2015, J. Comput. Sci. Eng..

[152]  Marijn Janssen,et al.  Building Cybersecurity Awareness: The need for evidence-based framing strategies , 2017, Gov. Inf. Q..

[153]  B MilesMatthew,et al.  Qualitative Data Analysis , 2009, Approaches and Processes of Social Science Research.

[154]  R. Henson,et al.  Use of Exploratory Factor Analysis in Published Research , 2006 .

[155]  Liesbet van Zoonen,et al.  Privacy concerns in smart cities , 2016, Gov. Inf. Q..

[156]  Bo Ai,et al.  The issues of cloud computing security in high-speed railway , 2011, Proceedings of 2011 International Conference on Electronic & Mechanical Engineering and Information Technology.

[157]  Karl G. Jöreskog,et al.  Lisrel 8: Structural Equation Modeling With the Simplis Command Language , 1993 .

[158]  Jan Schilling On the Pragmatics of Qualitative Assessment , 2006 .

[159]  Zaigham Mahmood,et al.  Data Location and Security Issues in Cloud Computing , 2011, 2011 International Conference on Emerging Intelligent Data and Web Technologies.

[160]  Jeffrey Soar,et al.  An investigation of the challenges and issues influencing the adoption of cloud computing in Australian regional municipal governments , 2016, J. Inf. Secur. Appl..

[161]  Irit Hadar,et al.  Applying ontology-based rules to conceptual modeling: a reflection on modeling decision making , 2007, Eur. J. Inf. Syst..

[162]  G. Gaskell,et al.  Individual and Group Interviewing , 2000 .

[163]  Herbert J. Mattord,et al.  Principles of Information Security , 2004 .

[164]  Sanjay Kumar Madria,et al.  Challenges in Secure Sensor-Cloud Computing , 2011, Secure Data Management.

[165]  Yolanda Gil,et al.  A survey of trust in computer science and the Semantic Web , 2007, J. Web Semant..

[166]  V. T. Raja,et al.  Protecting the privacy and security of sensitive customer data in the cloud , 2012, Comput. Law Secur. Rev..