
IT Security Risk Management in the Context of Cloud Computing

André Loske

Towards an Understanding of the Key Role of Providers’ IT Security Risk Perceptions

With a foreword by Prof. Dr. Peter Buxmann

André Loske

Darmstadt, Germany

Dissertation, TU Darmstadt, 2015

Hochschulkennziffer D17

ISBN 978-3-658-11339-1 ISBN 978-3-658-11340-7 (eBook)

DOI 10.1007/978-3-658-11340-7

Library of Congress Control Number: 2015954946

Springer Vieweg

© Springer Fachmedien Wiesbaden 2015

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made.

Printed on acid-free paper

Springer Vieweg is a brand of Springer Fachmedien Wiesbaden

Springer Fachmedien Wiesbaden is part of Springer Science+Business Media

(www.springer.com)

Foreword

Cloud Computing is one of the most strongly growing types of IT outsourcing and companies, governments, and non-profit organizations alike are increasingly leveraging this emerging paradigm. For example, SAP recently announced a major strategy change and invests heavily in the expansion of its Cloud business. Most of the SAP applications will be readily available as a service in the near future. However, the acceptance of Cloud solutions by clients lags far behind the predictions of leading market analysts. In the last years, the promised technological and economic advantages of the Cloud were once too often accompanied by serious IT security incidents which not only jeopardized the reputation of the respective service providers but also daunted many clients for the long term. Considering the existence-threatening consequences of IT security incidents in the context of the Cloud, it could be expected that the service providers do everything in their power to mitigate these risks. Nonetheless, a closer look at the security whitepapers of well-established Cloud services in many cases reveals a lack of crucial IT security measures, which are, for example, defined as minimum IT security standards for service providers by the Federal Office for Information Security. Intrigued by this observation, the thesis investigates whether the possibility that the providers’ decision makers underestimate their services’ IT security risks can explain the failure to implement necessary safeguarding measures in Cloud services.

Therefore, the primary research objective of this thesis is to analyze the effects of decision makers’ subjective risk perception on the providers’ IT security management. In this thesis’s first part, drawing on organizational IT security planning models and findings of previous technology threat avoidance research, a conceptual model of the influence of decision makers’ risk perception on providers’ IT security risk investment decisions is developed. A quantitative empirical survey is used to examine how the responsible decision makers of the service providers perceive risks and how these risk estimations affect the IT security investment behavior. By transferring well-established approaches from psychological research, Mr. Loske afterwards demonstrates that the decision makers of Cloud providers exhibit a systematic underestimation of the IT security risks that their organizations are exposed to, resulting in underinvestment in safeguarding measures.

The second part of this thesis alters the view and investigates how the providers’ assessment of their Cloud services’ IT security risk exposure influences the adoption behavior of client companies. Therefore, a theoretical model is developed which integrates the providers’ IT security assessments in a technology acceptance model for Cloud services in terms of perceptual incongruence between the providers’ perceptions and those of the clients. Based on an empirical survey with potential client companies’ executives, Mr. Loske demonstrates that the underestimation of the risks by the providers not only causes an underinvestment in IT security but also facilitates a disagreement among the providers and their clients on the IT security risks of the services. In particular, the perceptual gap between the providers and their clients is shown to both considerably increase the IT security risk perceptions of the clients and significantly inhibit their intentions to use those providers’ Cloud services.

Altogether, Mr. Loske makes several significant contributions to information systems science. This thesis offers theoretical explanation and empirical support for the impact of decision makers’ subjective IT security risk perceptions on the results of the organizational IT security risk management. Beyond that, the work offers a new perspective on IT security risk perceptions by demonstrating that there are typically two perspectives which are independently associated with downstream beliefs and behavior. Moreover, the thesis adds to the body of knowledge about the formation of IT security risk perceptions by showing that these perceptions are often subject to systematic errors in terms of unrealistic optimism. Additionally, this work advances our understanding of how perceptual differences between providers and their clients concerning IT security risks affect adoption decisions of the clients by transferring the established concepts of perceptual concurrence and cognitive dissonance to the field of IT security. Furthermore, this work highlights the importance for researchers to incorporate both parts of the dyad, i.e. the clients and the providers, when studying questions related to the IT security of modern IT delivery models, such as the Cloud.

Both empirical studies and the statistical analyses show a high degree of methodological rigor and provide numerous interesting results. This thesis will be valuable to readers in both academia and practice, as it suggests concrete recommended actions for providers and clients that can help to increase the IT security of services and eventually improve the market success of Cloud Computing. Therefore, I wish this thesis a widespread distribution.

Darmstadt, May 2015 Prof. Dr. Peter Buxmann

Acknowledgements

This thesis was written during my work as a research assistant at the Chair of Information Systems | Software Business & Information Management at the Technical University of Darmstadt. The progress and completion of my dissertation would not have been possible without the support of many people, whom I sincerely wish to thank with the following acknowledgments.

First, I am especially grateful to my supervisor Prof. Dr. Peter Buxmann, who greatly supported me and made my dissertation possible in the first place. Likewise, I would like to thank and express my deepest gratitude to my advisor Dr. Thomas Widjaja, who challenged me to achieve my highest potential and helped me to deal with those challenges by providing his fullest guidance and support. I sincerely appreciate that he always found the time to devote to our long research meetings, answer all my questions, and provide insightful and prompt feedback despite his busy schedule. I also would like to express my appreciation to my second referee Prof. Dr. Alexander Benlian for his valuable advice and our productive research collaboration.

Furthermore, I would like to thank Prof. Dr. Izak Benbasat and Prof. Dr. Hasan Cavusoglu, who invited me to work as a visiting researcher for the MIS division of the Sauder School of Business at the University of British Columbia. I feel very fortunate that I have had the opportunity to work together with these experienced researchers, which not only broadened my horizon but also enhanced my abilities of conducting good research.

Additionally, I thank the CASED graduate school for granting me a PhD scholarship as well as the numerous CASED postdocs and PhD students with whom I conducted the pre-studies.

My special thanks go to my friends and colleagues Adrian, Alexander, Anton, Christoph, Helena, Hendrik, Jasmin, Jin, Markus, Markus, Martin, Nicole, Nihal, Rabea, Ruth, Stefan, Thorsten, Tobias, and Tobias with whom I have had many interesting and fruitful discussions and who have provided valuable feedback on my research.

Finally, I would like to express a large gratitude to my beloved wife, my family, and to my parents for their invaluable support and thoughtfulness. They all gave me the necessary strength to persist through challenging times.

Darmstadt, May 2015 André Loske

Table of Contents

1 Introduction ....................................................................................................................... 1

1.1 Problem Description and Motivation ........................................................................ 1

1.2 Objectives and Benefits ............................................................................................. 5

1.3 Structure of the Thesis ............................................................................................... 9

2 Foundations ..................................................................................................................... 15

2.1 Cloud Computing .................................................................................................... 15

2.1.1 Essential Characteristics .............................................................................. 16

2.1.2 Delivery Models........................................................................................... 17

2.1.3 Deployment Models ..................................................................................... 18

2.2 IT Security Risk Perception .................................................................................... 20

2.2.1 The Nature of Perceived Risks .................................................................... 21

2.2.2 Perceived IT Security Risks in the Context of the Cloud ............................ 23

2.3 Organizational IT Security Risk Management ........................................................ 26

2.3.1 Phase I: Identification of IT Security Threat ............................................... 27

2.3.2 Phase II: IT Security Risk Analysis ............................................................. 28

2.3.3 Phase III: Solution Analysis ......................................................................... 30

2.3.4 Phase IV: Decision ....................................................................................... 31

2.3.5 Phase V: Implementation ............................................................................. 33

3 Part I: The Inhibiting Role of Unrealistic Optimism in Providers’ IT Security Risk Management ........................................................................................................... 35

3.1 Theoretical Background and Hypotheses Development ......................................... 35

3.1.1 Organizational IT Security Risk Management ............................................ 36

3.1.2 Technology Threat Avoidance Theory ........................................................ 37

3.1.3 Institutional Theory ...................................................................................... 46

3.1.4 Decision Makers’ IT Security Risk Perceptions .......................................... 50

3.1.5 Unrealistic Optimism in Decision Makers’ IT Security Risk Perceptions .. 55

3.2 Research Methodology ............................................................................................ 59

3.2.1 Measurement Model .................................................................................... 59

3.2.1.1 Measurement of Absolute Unrealistic Optimism ........................ 60

3.2.1.2 Measurement of Comparative Unrealistic Optimism .................. 66

3.2.2 Survey Administration ................................................................................. 67

3.2.3 Sample Characteristics ................................................................................. 67

3.2.4 Data Analyses .............................................................................................. 69


3.3 Results ..................................................................................................................... 71

3.3.1 Impacts of Decision Makers’ IT Security Risk Perceptions on Providers’ IT Security Risk Management.................................................... 71

3.3.1.1 Assessment of Measurement Validation ..................................... 71

3.3.1.2 Results of the Structural Model Testing ...................................... 73

3.3.2 Existence of Unrealistic Optimism in the IT Security Risk Perceptions of Providers’ Decision Makers .................................................................... 79

3.3.2.1 Analysis of Absolute Unrealistic Optimism ................................ 79

3.3.2.2 Analysis of Comparative Unrealistic Optimism ......................... 85

3.4 Discussion of Study Findings .................................................................................. 88

4 Part II: Perceptual Incongruences regarding the IT Security Risks as a Barrier to Cloud Adoption ........................................................................................................... 93

4.1 Theoretical Background and Hypotheses Development ......................................... 93

4.1.1 Perceptual Congruence ................................................................................ 93

4.1.2 Perceptual Incongruences regarding the IT Security Risks ......................... 95

4.1.3 Cognitive Dissonance Theory ...................................................................... 97

4.1.4 Expectation Confirmation Theory ............................................................... 99

4.1.5 Cloud Adoption .......................................................................................... 100

4.2 Research Methodology .......................................................................................... 103

4.2.1 Measurement Model .................................................................................. 103

4.2.2 Survey Administration ............................................................................... 104

4.2.3 Sample Characteristics ............................................................................... 105

4.2.4 Data Analyses ............................................................................................ 107

4.3 Results ................................................................................................................... 109

4.3.1 Existence of Perceptual Incongruences between Providers and Customers regarding the IT Security Risks ............................................... 109

4.3.2 Impacts of Perceptual Incongruences between Providers and Customers regarding the IT Security Risks on Cloud Adoption ................................. 111

4.3.2.1 Assessment of Measurement Validation ................................... 112

4.3.2.2 Results of the Structural Model Testing .................................... 113

4.4 Discussion of Study Findings ................................................................................ 116

5 Conclusion and Summary of Key Findings ................................................................ 119

5.1 Implications for Theory and Research .................................................................. 119

5.2 Implications for Practice ....................................................................................... 123

5.2.1 Implications and Recommended Actions for Providers ............................ 123

5.2.2 Implications and Recommended Actions for (Potential) Customers ......... 126

5.3 Limitations and Future Research Directions ......................................................... 127


5.4 Résumé .................................................................................................................. 130

Appendix ............................................................................................................................... 133

A.1 Supporting Material for Part I (Chapter 3) ............................................................ 133

A.1.1 Measurement Items .................................................................................... 133

A.1.2 Validity Analysis ....................................................................................... 138

A.1.3 Consistency Analysis of the Absolute Unrealistic Optimism Classifier ... 139

A.1.4 Multi-Group Analysis of the Structural Model .......................................... 140

A.2 Supporting Material for Part II (Chapter 4) .......................................................... 141

A.2.1 Measurement Items .................................................................................... 141

A.2.2 Validity Analysis ....................................................................................... 142

A.2.3 Formation of IT Security Risk Perceptions in the Context of the Cloud ... 143

References ............................................................................................................................. 145

List of Tables

Table 1-1: Mapping of Research Questions to Parts and Chapters .......................................... 13

Table 2-1: Perceived IT Security Risks in the Context of the Cloud ....................................... 25

Table 3-1: The Faces of Unrealistic Optimism ........................................................................ 56

Table 3-2: Variables of the Classifier for Absolute Unrealistic Optimism .............................. 65

Table 3-3: Sample Characteristics of the IT Security Risk Management Study ...................... 69

Table 3-4: Assessment of the IT Security Risk Management Measurement Model ................ 72

Table 3-5: Effects of Absolute Unrealistic Optimism on IT Security Risk Management ....... 82

Table 3-6: Existence of Comparative Unrealistic Optimism ................................................... 86

Table 4-1: Sample Characteristics of the Perceptual Incongruence Study ............................ 106

Table 4-2: Perceptual Incongruences regarding the IT Security Risk Dimensions ............... 111

Table 4-3: Assessment of the Perceptual Incongruence Measurement Model ...................... 112

Table A-1: Measurement Items of the IT Security Risk Management Study ........................ 133

Table A-2: Correlation Statistics of the IT Security Risk Management Study ...................... 138

Table A-3: Effects of Different Thresholds of Error on the Results of the Classifier ........... 139

Table A-4: Effects of Absolute Unrealistic Optimism on the Structural Model Results ....... 140

Table A-5: Measurement Items of the Perceptual Incongruence Study ................................. 141

Table A-6: Correlation Statistics of the Perceptual Incongruence Study ............................... 142

List of Figures

Figure 1-1: Structure and Brief Research Summary of the Thesis .......................................... 10

Figure 2-1: Organizational IT Security Risk Management ...................................................... 26

Figure 3-1: Theoretical Foundations of the IT Security Risk Management Model ................. 36

Figure 3-2: Research Model of the IT Security Risk Management Study ............................... 43

Figure 3-3: Effect of Comparative Risk on Competitive Pressure Perceptions ....................... 54

Figure 3-4: Example of Absolute Unrealistic Optimism Classification .................................. 64

Figure 3-5: Empirical Testing of IT Security Risk Management Model ................................. 76

Figure 4-1: Research Model of Perceptual Incongruence Study .............................................. 97

Figure 4-2: Perceptual Incongruences regarding the IT Security Risk Items ........................ 110

Figure 4-3: Empirical Testing of Perceptual Incongruence Model ........................................ 114

Figure A-1: Formation of IT Security Risk Perceptions in the Context of the Cloud ........... 143

List of Abbreviations

API Application Programming Interface

ASP Application Service Provision

AVE Average Variance Extracted

BC Bootstrap Confidence

BPO Business Process Outsourcing

CA Cronbach’s Alpha

CaaS Communication as a Service

CB-SEM Covariance-Based Structural Equation Modeling

CDT Cognitive Dissonance Theory

CEO Chief Executive Officer

CIO Chief Information Officer

Cloud Cloud Computing

CMB Common Method Bias

CO Comparative Optimism

CPR Calculated Protection Ranking

CPU Central Processing Unit

CR Composite Reliability

CRM Customer Relationship Management

CSA Cloud Security Alliance

ECT Expectation Confirmation Theory

EDI Electronic Data Interchange

EFA Exploratory Factor Analyses

ENISA European Network and Information Security Agency

EPPM Extended Parallel Process Model

ERP Enterprise Resource Planning

HBM Health Belief Model

HRA Health Risk Appraisal

HTMT Heterotrait-Monotrait

IaaS Infrastructure as a Service

IEEE Institute of Electrical and Electronics Engineering

IS Information System(s)

ISO International Organization for Standardization

IT Information Technology

ITO Information Technology Outsourcing


ITSR Information Technology Security Risk

LISREL Linear Structural Relations

MIMIC Multiple Indicators, Multiple Causes

MIS Management Information Systems

MTMM Multitrait-Multimethod

NIST National Institute of Standards and Technology

OLS Ordinary Least Squares

PaaS Platform as a Service

PITSR Perceived Information Technology Security Risk

PLS Partial Least Squares

PMT Protection Motivation Theory

PPR Perceived Protection Ranking

ROI Return on Investment

ROSI Return on Security Investment

RQ Research Question

SaaS Software as a Service

SD Standard Deviation

SEM Structural Equation Modeling

SIEM Security Information and Event Management

SLA Service Level Agreement

TAM Technology Acceptance Model

TTAT Technology Threat Avoidance Theory

UO Unrealistic Optimism

VAR Variance

VIF Variance Inflation Factor

XaaS Everything as a Service

Abstract

Although providers’ decision makers constantly emphasize a low IT security risk (ITSR) in the Cloud, numerous serious IT security incidents have occurred over the last few years. Considering the theoretical availability of effective safeguards against most of these risks, it seems that in many cases, the Cloud providers’ decision makers may have underestimated the ITSRs. Psychological research terms comparable phenomena “unrealistic optimism”. While prior research has intensively studied the ITSR perceptions of (potential) Cloud customers, the provider side has been completely neglected. In general, even though correct IT security risk assessments are the foundation for effective IT security risk management in organizations, no research has been dedicated to the effects of organizational decision makers’ subjective ITSR perceptions on the implementation of necessary safeguards. Even more importantly, little or no attention has been paid to the existence and consequences of possible systematic errors in ITSR perceptions.

Against this backdrop, the first part of this thesis adds a new perspective to the stream of organizational IT security risk management literature, one that sheds light on the importance of decision makers’ ITSR perceptions. Drawing on psychological risk perception theory, we propose an extended theoretical IT security risk management model that explicates how the subjective ITSR perceptions of decision-makers predict the outcome of providers’ IT security risk management. Additionally, we transfer established methods of measuring unrealistic optimism to the IT context, which enables us to systematically capture and analyze a potential underestimation of the ITSRs at the provider side. Based on a large-scale empirical study of Cloud providers located in North America, we reveal that in many cases, the providers’ decision makers significantly underestimate their services’ ITSR exposure, which inhibits the implementation of necessary safeguarding measures.

We also demonstrate that even though the prevalence of ITSR perceptions among customers considering Cloud adoption is widely recognized, providers only pay very limited attention to the concerns expressed by customer companies. In this regard, the specific characteristics of the Cloud and the systematic underestimation of ITSRs by providers’ decision makers are likely to cause serious disagreements with (potential) customers about the ITSRs of the Cloud. Drawing on perceptual congruence literature, the second part of this thesis examines matched survey responses of Cloud providers and their (potential) customers located in Germany, showing a consistent pattern of perceptual differences across all ITSRs relevant to the Cloud. In this context, this thesis proposes an extended theoretical model of Cloud adoption that reveals that this disagreement has strong adverse effects on important downstream beliefs
