Organizational cloud security and control: a proactive approach

Purpose: The purpose of this paper is to unfold the perceptions around additional security in cloud environments by highlighting the importance of controlling mechanisms as an approach to the ethical use of the systems. The study focuses on the effects of the controlling mechanisms in maintaining an overall secure position for the cloud and the mediating role of ethical behavior in this relationship.

Design/methodology/approach: A case study was conducted, examining the adoption of managed cloud security services as a means of control, as well as a large-scale survey of the views of IT decision makers about the effects of such adoption on overall cloud security.

Findings: The findings indicate that there is indeed a positive relationship between the adoption of controlling mechanisms and the maintenance of overall cloud security, which increases when users behave ethically in their use of the cloud. A framework based on the findings is built, suggesting a research agenda for the future and a conceptualization of the field.

Research limitations/implications: One of the major limitations of the study is that the data collection was based on the perceptions of IT decision makers from a cross-section of industries; however, the proposed framework should also be examined in an industry-specific context. Although firm size was indicated as a highly influential factor, it was not considered for this study, as the data collection targeted a range of organizations of various sizes.

Originality/value: This study extends the research on IS security behavior based on the notion that individuals (clients and providers of cloud infrastructure) are protecting something separate from themselves, in a cloud-based environment, sharing responsibility and trust with their peers. The organization in this context focuses on managed security solutions as a proactive measure to preserve security in cloud environments.
