TAXONOMY OF TECHNOLOGICAL IT OUTSOURCING RISKS: SUPPORT FOR RISK IDENTIFICATION AND QUANTIFICATION

European Conference on Information Systems (ECIS), Summer 10-6-2011

The past decade has seen increasing interest in IT outsourcing, as it promises companies many economic benefits. In recent years, IT paradigms such as Software-as-a-Service or Cloud Computing, which use third-party services, have been increasingly adopted. Current studies show that IT security and data privacy are the dominant factors affecting the perceived risk of IT outsourcing. Therefore, we explicitly focus on determining the technological risks related to IT security and quality of service characteristics associated with IT outsourcing. We conducted an extensive literature review and thoroughly documented the process in order to achieve high validity and reliability. We evaluated 149 papers based on a review of their whole content, and from the 68 papers finally judged relevant we extracted 757 risk items. Using a successive refinement approach, which involved reduction of similar items and iterative re-grouping, we established a taxonomy with nine risk categories for the final 70 technological risk items. Moreover, we describe how the taxonomy can be used to support the first two phases of the IT risk management process: risk identification and quantification. To this end, for each item we give the parameters relevant for using it in an existing mathematical risk quantification model.
