Perceived IT Security Risks of Cloud Computing: Conceptualization and Scale Development

Despite increasing interest in IT outsourcing (ITO) and the various benefits it promises, Cloud Computing (CC), currently the most prevalent ITO paradigm, still entails serious IT security risks. So far, little attention has been paid to fully and unambiguously capturing the complex nature of IT security risks and to how they can be measured. Against this backdrop, we first propose a comprehensive conceptualization of Perceived IT Security Risks (PITSR) in the CC context, based on six distinct risk dimensions grounded in an extensive literature review, Q-sorting, and expert interviews. Second, a multiple-indicators and multiple-causes analysis of data collected from 356 organizations is found to support the proposed conceptualization as a second-order aggregate construct. The results of our study contribute to IT security and ITO research, help (potential) adopters to assess risks, and enable CC providers to develop targeted strategies to mitigate risks perceived as crucial.
