The Effect of Continuous Cloud Service Certification on Cloud Service Customers (Doctoral Consortium Paper)

13th International Conference on Wirtschaftsinformatik,
February 12-15, 2017, St. Gallen, Switzerland
PhD candidate: Sebastian Lins, Department of Information Systems, University of Cologne (lins@wiso.uni-koeln.de)
Supervisor: Prof. Dr. Ali Sunyaev, Chair for Information Systems and Systems Engineering,
Research Center for IS Design (ITeG), University of Kassel (sunyaev@uni-kassel.de)
Abstract. Continuous service certification (CSC) of cloud services enables certification authorities to
immediately react to changes or events concerning the cloud service and to adjust their certification reports
based on assessment of these changes and events. Performing CSC is beneficial for cloud providers,
certification authorities and customers altogether. Yet, CSC currently remains underexplored and evaluated in
trials only, and is therefore in its pre-diffusion stage. To enhance the diffusion of CSC, I’m trying to identify
characteristics of CSC that will influence cloud service customers during my dissertation. Therefore, I’m
developing an explanatory theoretical model that describes and explains the effects of CSC on customers’
perceptions by applying a mixed method research approach. Initial findings reveal that CSC exhibits unique
characteristics (i.e., timeliness of results, scope and risks) that influence customers’ perceptions about a
certification and the certified cloud service.
Keywords: Cloud Computing, Continuous Certification, Mixed Methods.
1 Introduction
Cloud service certifications are a good means to address organizations’ security, privacy and reliability concerns
when adopting cloud services by establishing trust and increasing transparency of the cloud market [1]. A
certification is defined as a third party attestation of products, processes, systems or persons that verifies
conformity to specified requirements [2]. Several cloud service certifications have evolved that attempt to assure
a high level of security, reliability and legal compliance over a validity period of one to three years. To increase
the reliability and trustworthiness of issued certifications and to overcome drawbacks of traditional certifications
in dynamic cloud environments (see [3]), researchers (i.e., [4–6]) and organizations (i.e., Cloud Security Alliance
[7] and EuroCloud [8]) have just recently started to develop and design innovative continuous cloud service
certification processes. Continuous cloud service certification enables certification authorities to immediately react
to changes or events concerning the cloud service and to adjust their certification reports based on an assessment
of these changes and events [3]. A continuous service certification (CSC) comprises automated monitoring and
auditing techniques as well as mechanisms for a transparent provision and presentation of certification-relevant
information to continuously attest adherence to certification requirements. Performing CSC is beneficial for cloud
providers, certification authorities and customers (i.e., organizations that use cloud services) alike: providers can
improve their cloud systems by evaluating ongoing feedback about their performance; certification authorities
actively detect and investigate critical certification deviations as they occur, thus increasing certification reliability;
and finally CSC counteracts customers’ lack of control by increasing the transparency of providers’ operations.
Yet, CSC currently remains underexplored and evaluated in trials only, and is therefore in its pre-diffusion
stages [9, 10]. To enhance adoption and maturity of CSC processes and systems, my dissertation project focuses
on identifying requirements and deriving guidelines for performing efficient and reliable CSC processes, and more
importantly, on the development of theoretical models that explain and foster the diffusion of CSC. For CSC of
cloud services to become widely adopted, on the one hand it must be technologically and economically feasible.
On the other hand, providers as well as certification authorities must be motivated and have expertise to participate.
Especially if an increasing number of customers demand trustworthy (certified) cloud services, they may start to
adopt CSC. However, it is still unclear how and why CSC will actually have an impact on customers.
Consequently, to enhance diffusion of CSC, I’m currently focusing on the following important research question
during my dissertation: How will continuous cloud service certification influence customers?
To answer this research question, I’m currently developing an explanatory theoretical model that describes and
explains the effects of CSC on customers. In the context of certifications, prior studies have concentrated on
investigating certification effects on improving customers’ perceived assurance, trust perception and purchase
intention [11]. However, prior theoretical models have only analyzed whether or not the presence of a certification
will change customers’ perceptions of a product or service (i.e., embedding a certification seal into the website
[12–17]). Thus, prior research only analyzes the impact of certifications from a black box perspective (i.e., certified
vs. not certified), and lacks the capabilities to understand why certain characteristics of a certification will lead or
will not lead to certain effects on customers. To overcome shortcomings of theoretical models, especially because
CSC exhibits unique characteristics that differ from traditional certifications (i.e., on-demand certification
validation capabilities for customers, up to date certification results, and new security and privacy risks [4]), I will
answer the research question by applying a mixed method research approach [18, 19]: first, applying a qualitative
approach by conducting interviews with cloud experts to open the black box and derive a detailed theoretical model
of certification characteristics and their impact on customers; second, validating this model by using a
quantitative online experiment.
With this study, I provide a two-fold contribution. For research, I want to open up the black box perspective of
previous research on certification effectiveness, and therefore derive a mid-ranged theory [20] that explains in
detail why and how a (continuous) certification has an impact on cloud service customers. For practice, I want to
highlight the benefits and the impact of CSC to motivate providers to participate in CSC processes, ultimately
increasing CSC diffusion. I believe introducing a CSC for cloud services is one possible way to address current
gaps and issues in cloud computing. It is a step forward to a more trustworthy and transparent cloud computing
environment and corresponding certifications.
2 Theoretical Background
2.1 Certification of Cloud Services
Cloud computing enables ubiquitous, on-demand network access to a shared pool of configurable computing
resources that can be rapidly provisioned and released with minimal management effort or service provider
interaction [21]. These computing resources typically refer to hardware (Infrastructure as a Service; IaaS),
development platforms (Platform as a Service; PaaS) and applications (Software as a Service; SaaS). Cloud
computing entails five essential characteristics, namely the provision of (i) on-demand self-service access to (ii)
virtualized, shared and managed IT resources that are (iii) scalable on-demand, (iv) available over a network and
(v) priced on a pay-per-use basis. On the one hand these characteristics make cloud computing an attractive
alternative to traditional IT usage for organizations [22]. On the other hand they challenge contemporary security
and privacy risk assessment approaches [5, 23, 24]. As a result, cloud computing faces a broad range of risks
including lack of accessibility and reliability, virtualization and application vulnerabilities, privacy and control
issues as well as issues related to data integrity, segregation and confidentiality [25–27].
One widespread strategy to reduce customers’ security, privacy and reliability uncertainty as well as to signal
trustworthiness is to adopt certifications, which is particularly important for small and medium-sized cloud
providers [1, 28]. A certification is defined as a third party attestation of products, processes, systems or persons
that verifies the conformity to specified requirements [2]. During a certification process, certification authorities
employ provider independent and accredited auditors to perform comprehensive, manual checks to test adherence
to a defined set of certification requirements. If a provider adheres to specified requirements, the
certification authority awards a formal written certificate, and providers are allowed to embed a graphical
certification seal on their website.
A variety of certifications has already been developed and market tested to signal that a cloud service provider
has adopted their standards and complies with their certification audits (e.g., EuroCloud ‘StarAudit’, Cloud
Security Alliance Security, Trust & Assurance Registry, and Stichting Zeker-Online Keurmerk Zeker-OnLine).
Typically, cloud service certifications are constituted of security, privacy and reliability requirements and related
standards (e.g., ISO 27001, ISO 27017, basic IT protection standards and ITIL), and aim to ensure availability,
integrity and confidentiality of provisioned cloud services for a validity period of one to three years [1, 4, 29, 30].
2.2 The Need for Continuous Certification
Existing cloud service certifications represent only a retrospective look at the fulfillment of technical and
organizational measures at the time of their issuing. Conditions and requirements of certifications may no longer
be met throughout these validity periods because cloud services are confronted with continuously emerging
environmental dynamics. These dynamics in turn threaten certification reliability and trustworthiness over time.
Environmental dynamics refer to changes that are difficult to predict, that lead to an instability of an environment,
and that create uncertainty for customers or providers [31, 32]. The premise behind these assumptions is that
external environments impact organization performance, and organizations must take into account environmental
characteristics and emerging dynamics when formulating strategies and structures as well as during daily
operations [33–35]. Nowadays in particular, organizations are threatened by a highly dynamic and ever-changing
environment, and thus have to sense and to respond to steadily emerging environmental dynamics quickly [36].
As such, inherent cloud computing characteristics (e.g., entangled supply chains), fast technology life cycles
leading to ongoing architectural changes, the emergence of environmental threats (i.e., new software
vulnerabilities) or changes in legal and regulatory landscape can be regarded as environmental dynamics that might
have an impact on actions taken by a provider and therefore on long-term certification reliability [3, 4]. If the
assumptions under which a certification was awarded have changed, reliability has to be re-evaluated over time
[37]. Consequently, I believe that CSC is required to deal with the ever-changing environment, and to assure
continuously reliable and trustworthy cloud services.
CSC is a methodology that enables certification authorities to react and to adjust their certification reports
simultaneously with the occurrence of environmental dynamics influencing the cloud service [3]. A CSC process
typically comprises automated monitoring and auditing techniques as well as mechanisms for a transparent
provision of certification-relevant information to continuously attest adherence to certification requirements [3, 4].
Figure 1 summarizes the process of CSC. First, (semi-)automated data gathering and transmission are required. In
order to achieve a CSC, a cloud service provider has to establish an internal monitoring and auditing department.
This department should perform extensive continuous monitoring operations, such as monitoring of virtualized
environments, intrusion detection, service level agreement, and compliance monitoring as well as network
monitoring. In addition to an establishment of monitoring processes, the department might implement internal
auditing processes and systems to gather monitoring data across different systems, and to aggregate, filter, and
anonymize certification-relevant data. Moreover, certification authorities and auditors might perform (limited)
external continuous auditing to gather relevant data themselves. Lins, Thiebes, Schneider and Sunyaev (2015) [38]
and Lins, Schneider and Sunyaev (2017) [4] reviewed various continuous monitoring and auditing methodologies
and evaluated their applicability in the context of CSC. Second, (semi-)automated data analysis is required. Auditing
mechanisms (e.g., decision support systems) and processes have to be implemented to automatically assess the
cloud service’s status, to cope with identified deviations, and to trigger alerts in cases of non-adherence. Third,
results of a CSC should be visible for customers. Certification authorities have to provide cloud customers with
ongoing information about certification (non-)adherence. Finally, the process of CSC has to be continuously
adjusted to cope with dynamics of an ever-changing environment. On the one hand, emerging environmental
threats or changes in legal and regulatory landscape might induce certification authorities to adjust their auditing
scope by, for example, adding new certification criteria. On the other hand, architectural changes of cloud services
(e.g., adding hardware components or new service functionalities) can cause providers, certification authorities
and auditors to adjust their monitoring and auditing processes.
Figure 1. Continuous service certification process (adapted from [3])
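An added example, not from the paper or from any CSC project: one pass of the four-step process described above (gather and filter, analyze, publish to customers, adjust scope) in Python. Criterion identifiers, metrics, thresholds, the pseudonymization key and all records are constructed for illustration, and keyed hashing stands in for the anonymization step.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable

NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for a reproducible run
PSEUDONYM_KEY = b"constructed-demo-key"  # constructed; a real key would stay with the provider

# Constructed export from a provider's internal monitoring and auditing systems.
RAW_RECORDS = [
    {"metric": "availability_pct", "value": 99.97, "tenant": "acme-gmbh", "ts": NOW - timedelta(minutes=5)},
    {"metric": "patch_age_days", "value": 41, "tenant": "acme-gmbh", "ts": NOW - timedelta(minutes=9)},
    {"metric": "cpu_load", "value": 0.63, "tenant": "globex", "ts": NOW - timedelta(minutes=1)},
    {"metric": "backup_success", "value": True, "tenant": "globex", "ts": NOW - timedelta(hours=30)},
]


@dataclass(frozen=True)
class Criterion:
    cid: str                          # hypothetical requirement identifier
    metric: str                       # monitoring metric that serves as evidence
    passes: Callable[[object], bool]  # adherence check applied to the newest value
    max_age: timedelta                # older evidence no longer supports the attestation


BASE_SCOPE = [
    Criterion("AVAIL-1", "availability_pct", lambda v: v >= 99.9, timedelta(hours=1)),
    Criterion("PATCH-1", "patch_age_days", lambda v: v <= 30, timedelta(hours=24)),
]
# Step 4: the certification authority widens the auditing scope with a new criterion.
EXTENDED_SCOPE = BASE_SCOPE + [
    Criterion("BACKUP-1", "backup_success", lambda v: v is True, timedelta(hours=24)),
]


def gather(records, criteria, key):
    """Step 1: keep certification-relevant metrics only and pseudonymize tenant names."""
    relevant = {c.metric for c in criteria}
    evidence = []
    for r in records:
        if r["metric"] not in relevant:
            continue  # e.g. cpu_load is monitored but not part of the certification scope
        tag = hmac.new(key, r["tenant"].encode(), hashlib.sha256).hexdigest()[:12]
        evidence.append({"metric": r["metric"], "value": r["value"], "tenant": tag, "ts": r["ts"]})
    return evidence


def assess(criteria, evidence, now):
    """Step 2: judge each criterion on its newest evidence; non-adherent states raise alerts."""
    status, alerts = {}, []
    for c in criteria:
        items = [e for e in evidence if e["metric"] == c.metric]
        if not items:
            status[c.cid] = "no-evidence"
        else:
            latest = max(items, key=lambda e: e["ts"])
            if now - latest["ts"] > c.max_age:
                status[c.cid] = "stale"      # result is no longer timely
            elif c.passes(latest["value"]):
                status[c.cid] = "adherent"
            else:
                status[c.cid] = "deviation"
        if status[c.cid] != "adherent":
            alerts.append(f"{c.cid}: {status[c.cid]}")
    return status, alerts


def customer_report(status, now):
    """Step 3: the customer-facing view carries results and a timestamp, no raw evidence."""
    overall = "adherent" if all(s == "adherent" for s in status.values()) else "under-review"
    return {"assessed_at": now.isoformat(), "overall": overall, "criteria": dict(status)}


def run_cycle(records, criteria, key, now):
    """One assessment pass; rerunning with a changed scope is the adjustment step."""
    status, alerts = assess(criteria, gather(records, criteria, key), now)
    return customer_report(status, now), alerts


if __name__ == "__main__":
    for name, scope in (("base scope", BASE_SCOPE), ("extended scope", EXTENDED_SCOPE)):
        report, alerts = run_cycle(RAW_RECORDS, scope, PSEUDONYM_KEY, NOW)
        print(name, report, alerts)
```

Extending the scope surfaces a `stale` result for the backup criterion: the evidence exists but is 30 hours old, which is the timeliness property a point-in-time certificate cannot express.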
In regard to the diffusion of CSC, it can be assumed that CSC currently remains in its pre-diffusion stages [9,
10]. In recent years, several research projects have started that aim to design and evaluate continuous certification
processes and systems (e.g., Next Generation Certification [8] and CUMULUS [39]), leading to the invention of
CSC. To explore and develop CSC concepts, researchers are working in close cooperation with certification
authorities (i.e., EuroCloud and Cloud Security Alliance), and cloud service and technology providers (i.e., Fujitsu
and Infineon Technologies). As a result, several prototypical CSC systems have been integrated into IT
infrastructures and evaluated afterwards, resulting in ongoing (technical) refinements of CSC services. Yet,
certification authorities hesitate to start a first introduction of CSC services in the market. On the one hand,
certification authorities demand a critical mass of (potential) customers that are willing to participate in CSC
processes before they consider entering the market (e.g., because authorities face high initial investments in
required IT infrastructure). On the other hand, CSC service offerings are (desperately) needed to establish this
critical mass of cloud service providers in the first place, resulting in the traditional ‘chicken-and-egg’ problem,
ultimately preventing commercialization and wide-scale diffusion of CSC. To resolve this struggle, providers as
well as certification authorities must be motivated and have expertise to participate. Especially if an increasing
number of customers demand trustworthy (certified) cloud services, they may start to adopt CSC. However, it
remains unclear how and why CSC will actually have an impact on customers. Hence, a deep understanding about
the factors that will influence customers is required.
2.3 Related Work
Prior e-commerce studies have already concentrated on investigating certifications’ impact on customers’
perceived assurance, trust perception and purchase intention [11]. However, the academic e-commerce literature
presents a pattern of inconsistent findings with regard to the intended effects [11, 13, 40]. On the one hand, a group
of studies found significant effects from certifications on perceived assurance [41, 42], trust [13, 16], and purchase
intention [41, 43]. On the other hand, a different group of studies found no significant effects on perceived
assurance [40, 44], trust [14, 15], or purchase intention [17]. Hence, empirical evidence is inconclusive to date and
a deeper understanding of certifications’ effectiveness is required.
In the context of cloud computing, little research has (empirically) analyzed the impact of certifications on
customers. For example, Lansing and Sunyaev (2013) [45] derive a theoretical model that assumes a cloud service
certification will increase customers’ trust and thereby paid price premiums. Moreover, Lansing, Schneider and
Sunyaev (2013) [45] investigate consumers’ preferences for assurances provided by cloud service certifications,
and thus focus on the content of certifications. In addition, Sturm, Lansing and Sunyaev (2014) [11] have
conducted a systematic literature review and interviews with cloud practitioners to derive a conceptual model of
the outcomes and contingency factors that explain the effect mechanisms of cloud service certifications.
Nevertheless, prior theoretical models in e-commerce or cloud service contexts have only analyzed whether or
not the presence of a certification will change customers’ perceptions of a product or service (i.e., embedding a
certification seal into the website [12–17]). For example, McKnight, Kacmar and Choudhury (2004) [15] showed
university students a website that provides legal advice during their experiment. In the certification seal treatment
group, the students saw a certification seal on this legal advice website (either TRUST-e or ATLA) as depicted in
Figure 2. The seals were sized to be noticeable and visible on each screen visited while exploring the website. In
their study, they analyzed the effectiveness of certifications by comparing treatment groups that did not see any
certification seal with the treatment groups that saw a certification seal. Similarly, Özpolat et al. (2013) [12] ran a
randomized A/B seal test in which a certification seal was turned on and off on an online retailer’s website
randomly. Thus, prior research only analyzes the impact of certifications from a black box perspective (i.e.,
certified vs. not certified), and lacks the capabilities to understand why certain characteristics of a certification will
lead or will not lead to certain effects on customers.
Figure 2. Example of black box perspective to analyze the impact of certifications on customers during experiments (adapted from [15]). (a) treatment group with a certification seal; (b) treatment group without a certification seal
3 Research Approach
To overcome shortcomings of prior theoretical models and to advance the understanding of certification’s effects,
I will apply a mixed method research approach [18, 19] (see Figure 3): first, applying a qualitative approach by
conducting interviews with cloud experts to open the black box and derive a detailed theoretical model of
certification characteristics and their impact on customers; second, validating the derived theoretical model by
using a quantitative online experiment.
Figure 3. Illustration of research approach
3.1 Opening the Black Box and Derive a Theoretical Model – Qualitative Approach
The innovative idea of continuous cloud service certification has just recently gained importance in literature and
remains underexplored and evaluated in trials only [9, 10]. To derive a theoretical model on the impact of CSC on
customers, and to identify relevant dependent and independent variables, I’m applying a qualitative research
approach by conducting a literature review, focus group interviews with cloud service providers, consultants and
certification authorities, and one-to-one interviews with customers (see Figure 4).
Figure 4. Illustration of qualitative research approach to develop the theoretical model
First, I have reviewed related literature to build my research model on kernel theories that were used to measure
the impact of certifications on customers previously. However, because prior theoretical models have treated
certifications like a black box (i.e., they only analyzed whether or not the presence of a certification has an impact
on customers), I am currently conducting focus group interviews with cloud service providers, consultants and certification
authorities to identify characteristics of (continuous) certifications that might have an impact on customers. Based
on findings from these interviews, I’m able to open the black box perspective of previous research by developing
a second-order theoretical understanding of the phenomenon [46, 47]. In addition, I am currently conducting one-to-one
interviews with cloud service customers to identify (new) effects on customers due to (innovative) CSC
characteristics. Overall, my qualitative research approach can be characterized as inductive and interpretive in the
sense that it takes the interview partners’ experiences with consuming or providing cloud services, conducting
cloud service certification audits, or consulting cloud service providers. In doing so, I apply a less procedural
version of the grounded theory methodology [48] as proposed by Sarker and Sarker (2009) [49] to develop an
understanding of the CSC concept and to clarify how CSC influences customers.
Figure 5. Overview of interviews conducted
So far, I have conducted three focus group interviews with cloud experts in collaboration with other
researchers during a research project on CSC [8]. Please note that these focus group interviews were conducted
for other studies on CSC [4] in the first place; yet, they still provide important information about CSC
characteristics. Conducting focus group interviews enables us to get collective views on a certain defined topic of
interest from a group of people who are known to have certain experiences [50]. Furthermore, focus groups allow
participants to engage in thoughtful discussions, hence generating practice-oriented and rich data. During these
focus group interviews, the concept of CSC was discussed in a lively manner and transferred by way of example to individual use
cases of practitioners. A focus group interview lasted 4 hours and 30 minutes on average. In total, eleven cloud
service providers, eight representatives of cloud service certification authorities, and five cloud service consultants
participated (see Figure 5). The cloud service providers are operating on a national and global scale providing
infrastructure, platform and software cloud services. Providers’ sizes ranged from medium to large enterprises.
Representatives of cloud service certification authorities have multi-year experience in conducting cloud service,
infrastructure as well as data security and privacy certification audits. Further on, they are employed by large
certification or auditing organizations, or work as independent auditors. Finally, participating consultants advise
providers when deciding whether to get certified or not. Especially consultants were asked to represent a
customer’s perspective since no cloud service customer participated. Additionally, providers steadily reported on
customer requests and opinions that they lately experienced. Please note that I considered the absence of customers
in my data analyses later on. Practitioners who participated in our focus group interviews are non-adopters of CSC at
the current research stage, but are currently interested in or striving for the innovative development of CSC.
Interview partners were spread to gain as many insights as possible and triangulate data from different sources and
perspectives as recommended by methodologists [51]. This highly diverse setting of practitioners helped me to
gather various information on CSC characteristics and their impact on customers.
In addition, I have conducted and analyzed ten semi-structured one-to-one interviews with cloud service
customers to identify (new) effects on cloud customers (see Figure 5). One-to-one interviews allow gathering of
rich data from people in different roles [50]. Furthermore, semi-structured interviews involve use of pre-formulated
questions but allow improvisation for emerging topics during conversation. Interviewees are IT managers from
medium to large enterprises and different sectors including IT, health and finance. An interview lasted on average
53 minutes. No cloud customer was interviewed twice.
Each (focus group) interview was conducted based on an interview guide and was recorded [52]. The interview
guide kept interactions focused while allowing individual experiences to emerge and thus, best used the limited
time available in the interview situation [53]. Hence, the interview guide served as a reminder regarding the
information that needs to be collected [52]. After each interview, the interview guide was adapted if new
concepts had emerged. For example, cloud customers were asked questions regarding important characteristics
of CSC (i.e., scope and degree of automation) and whether these will influence customers’ perceptions about
certifications. Participants in the focus group interviews were asked questions about potential use cases of CSC, a
CSC scope, about potential architectures and processes to provide certification-relevant information, and risks and
limitations of CSC among others.
Interviews were transcribed and analyzed by following the key methodological guidelines from Sarker and
Sarker (2009) [49]. I use constant comparative analysis to identify initial concepts and link this evolving set of
concepts to higher-level categories that eventually yield relevant constructs for the theoretical model [54]. The
analysis of the interview transcripts revealed important characteristics of CSC (independent variables) as well as
major effects (dependent variables). Section 4 will summarize initial findings.
3.2 Validate the Theoretical Model – Quantitative Approach
Finally, I will validate the derived theoretical model through an online experiment with IT managers from
organizations that are currently deciding to adopt or already using cloud services. I plan to design a between-
subject experiment that will provide the subjects with varying information about a (continuous) cloud service
certification and its characteristics. Through systematic variation of the characteristics and their dimensions, I
measure the impact of a characteristic on customers’ perceptions (i.e., trust perception). For example, the
experiment will provide participants a website that shows information about a (fictional) CSC. As I identified
certification scope as one important characteristic that might have an impact on customers (see Section 4), I will
embed information on the certification scope. Then, I will systematically modify this information across
treatment groups (e.g., indicating a broad vs. a narrow certification scope), to analyze and detect whether this
variation will have an impact on customers’ perceptions. Thereby, I will be able to validate the assumptions from
the theoretical model. I rely on the factorial survey methodology [55, 56] that is considered to be the state-of-the-art
approach for conducting experiments with a high number of manipulations, and I align my experimental design
with best practices from previous research (i.e., [57, 58]). Nevertheless, a factorial survey design has its limitations
because I will only analyze customers’ perceptions at a given point in time. As a CSC will provide customers with
ongoing information about the cloud service in practice, the effects of CSC might vary over time. Hence, future
studies might analyze the impact of CSC on customers at different points in time, for example, by applying a
repeated measure experimental design (see [59]).
4 Initial Findings
The literature review revealed that prior studies have concentrated on investigating certifications’ impact on
customers’ perceived assurance, trust perception and purchase intention. Table 1 summarizes important studies
and related effects. Building on prior research, the effects (1) trust, (2) perceived assurance, and (3) purchase
intention will be included in my theoretical model.
Table 1. Excerpt of literature review findings on studies dealing with effects of certifications on customers
(T = trust; PA = perceived assurance; PI = purchase intention; + = (significant) positive effect; o = no (significant) effect)
Studies | Outcome Measure (T, PA, PI) | Context | Product Category
Nöteberg et al. 2003 [43] | + | Online shopping | Various (including books, video cameras, travel tours)
Kaplan and Nieschwietz (2003) [41] | + + | Online shopping | Clothing
McKnight et al. 2004 [15] | o | Service information | Legal advice
Rifon et al. 2005 [44] | o o o | Online shopping | Music (especially compact discs)
Yang et al. 2006 [42] | + | Online shopping | Web cameras
Hui et al. (2007) [17] | o | Product information | Mobile computing
Kim et al. (2008) [14] | o | Online shopping | Various
Hu et al. (2010) [13] | + | Online shopping | Various (including textbooks, computers, apparel, accessories, perfume)
Kim and Kim (2011) [16] | + + | Online shopping | Running shorts
Lowry et al. (2012) [40] | o | Online booking | Travels (including flight and hotel arrangements)
Effects of Continuous Certifications
By analyzing interviews to open the certification black box perspective, I identified several innovative
characteristics of a CSC compared to a traditional certification. First, CSC has a limited certification scope (1). Not every
certification requirement should or can be continuously certified. Lins, Schneider and Sunyaev (2017) [4] have
reviewed existing cloud service certification schemes and embedded requirements, and their findings reveal that
only 25% of embedded requirements should be continuously validated because they might be affected by
environmental dynamics. In addition, CSC cannot be realized solely manually due to high costs and considerable
expenditures, hence, requiring (semi-)automated processes [38]. Nevertheless, not every certification requirement
can be automatically validated at the current research stage. Second, the timeliness of results is an important
characteristic (2). CSC provides customers with up-to-date information about certification requirement adherence
as well as cloud service operation in general. Third, CSC might enable quick penalties in case of certification
non-adherence (3). Certification authorities actively detect and investigate critical certification deviations as they occur,
and thus can impose penalties quickly. Fourth, CSC requires a high degree of (process) automation. However,
interviews revealed that customers do not like a fully automated certification process; instead, they demand manual
validation checks of certification results by the certification authority (4). Fifth, CSC can provide customers (and
certification authorities) with the means to perform on-demand certification checks to validate a provider’s
adherence to certification requirements at any time (5). Customers might be able to start automated certification
procedures on demand by using a web interface. Finally, CSC might result in new security and privacy risks for
customers’ data (6). Automated certification procedures might threaten customers’ data (e.g., data leakage or
disclosure). These six characteristics can be seen as independent variables in my model because they might
influence customers’ perceptions about CSC.
In regard to certification effects, interview findings confirm that a (continuous) certification impacts customers’
perceived assurance, trust and purchase intention (dependent variables), as proposed in previous literature. In
addition, based on my interviews with customers, I identified novel effects of continuous cloud service certification
including increased customers’ control over the cloud service, involvement in certification processes, and higher
perceptions about provider’s legal compliance (e.g., due to on-demand certification and up-to-date information)
as well as increased insight into cloud service operation due to higher transparency (e.g., due to multifarious cloud
service information in regard to availability, security, and privacy). Figure 6 highlights important constructs that
emerged and might be relevant for an explanatory theoretical model.
Figure 6. Contemporary theoretical model (grey filled rectangles are derived from literature)
[Figure: Continuous Certification Characteristics (Certification Scope, Quick Penalties, Automation Degree, Security and Privacy Risks, On-Demand Certification, Timeliness of Results) and effects (Perceived Assurance, Trust, Purchase Intention, Legal Compliance, Customer’s Control, Certification Process Involvement, Transparency)]
5 Discussion and Future Work
Initial findings highlight various CSC characteristics that might influence customers. In addition, I’ve identified
several new effects that might emerge in the context of continuous cloud service certification. With this study, I
provide a two-fold contribution. For research, I want to open up the black box perspective of previous research on
certification effectiveness, and therefore derive a mid-ranged theory [20] that explains in detail why and how a
CSC has an impact on cloud customers. Study findings will not only deepen the understanding of the effects of
continuous cloud service certifications but also will have implications for traditional certifications. For practice,
study findings will guide certification authorities in regard to which characteristics they should focus on when
promoting certifications and certifying cloud services. Moreover, I want to highlight the benefits and the impact
of CSC to motivate providers to participate in CSC processes, ultimately increasing CSC diffusion. I believe
introducing a CSC for cloud services is one possible way to address current gaps and issues in cloud computing.
It is a step forward to a more trustworthy and transparent cloud computing environment and corresponding
certifications.
From a theoretical perspective, I am currently searching for a theory from the social sciences that reinforces the
assumptions made in the theoretical model, especially in regard to the effects of continuous information provision.
Signaling Theory [60, 61] has compellingly demonstrated that certifications can be considered and deliberately
shaped as credible indicators of vendors’ attributes, thereby reducing information asymmetries and allowing
potential customers to make informed purchase decisions. Consequently, an ever-increasing amount of research
has analyzed how (online) vendors can effectively use certifications to reduce the uncertainty from a Signaling
Theory perspective (see for example [1, 12, 15]). Signaling Theory is fundamentally concerned with reducing
information asymmetries between two parties by performing actions to intentionally communicate positive,
imperceptible qualities of a signaler (i.e., the provider) [61]. The provider projects one or a combination of signals
to represent unobservable attributes and to deal with given information asymmetry. A signal is a cue (i.e., a
certification) that conveys information credibly about unobservable quality to a receiver (i.e., the customer) [62].
Signaling Theory provides a good foundation for the study, and study findings might enhance its theoretical basis,
for example, in regard to generic characteristics of signals that will have an influence on a signal receiver.
Nevertheless, Signaling Theory has some limitations. Current Signaling Theory research has primarily focused on
identifying and assessing the effectiveness of certifications at a given point in time, and thus they are essentially
regarded as static snapshots pointing to unobservable attributes [63-65]. Hence, in my future research I will
analyze whether Signaling Theory can be extended to consider the dynamic nature of cloud services and the
ongoing signaling effect of continuous cloud service certifications (see [59]), or whether a related theory exists that
is able to provide the needed theoretical grounding.
I am currently preparing to conduct one additional focus group interview with service providers and certification
authority representatives to reach theoretical saturation [66, 67] with regard to emerging characteristics. Moreover,
I’m conducting more interviews with cloud customers as well to discuss the importance of CSC characteristics
and effects that might impact customers’ perceptions about certifications. When deriving the theoretical model, it
is important to identify and consider potential mediation and moderation effects. Furthermore, I have to design
the online experiment to test the derived theoretical model. Besides focusing on customers, future work might start
to analyze what determinants drive the CSC adoption intention of cloud service providers and certification
authorities to foster its diffusion (see [9, 10]).
6 Acknowledgements
This research is funded by the German Federal Ministry for Education and Research (grant no. 16KIS0079).
References
1. Sunyaev, A., Schneider, S.: Cloud Services Certification. Communications of the ACM 56, 33-36 (2013)
2. ISO: Conformity Assessment -- Vocabulary and General Principles. ISO/IEC 17000:2004 (2004)
3. Lins, S., Grochol, P., Schneider, S., Sunyaev, A.: Dynamic Certification of Cloud Services: Trust, but
Verify! IEEE Security and Privacy 14, 67-71 (2016)
4. Lins, S., Schneider, S., Sunyaev, A.: Trust is Good, Control is Better: Creating Secure Clouds by Continuous
Auditing. IEEE Transactions on Cloud Computing, forthcoming, 1-14 (2017)
5. Stephanow, P., Fallenbeck, N.: Towards Continuous Certification of Infrastructure-as-a-Service Using Low-
level Metrics. In: Proceedings of the 12th IEEE International Conference on Advanced and Trusted
Computing (2015)
6. Flittner, M., Balaban, S., Bless, R.: CloudInspector: A Transparency-as-a-Service Solution for Legal Issues
in Cloud Computing. In: Proceedings of the 2016 IEEE International Conference on Cloud Engineering
Workshop (2016)
7. Cloud Security Alliance: CSA Security, Trust & Assurance Registry (STAR) Continuous,
cloudsecurityalliance.org/star/continuous/
8. NGCert Consortium: NGCert - Next Generation Certification, http://www.ngcert.eu/
9. Lins, S., Teigeler, H., Sunyaev, A.: Towards a Bright Future: Enhancing Diffusion of Continuous Cloud
Service Auditing by Third Parties. In: Proceedings of 24th European Conference on Information Systems
(2016)
10. Quinting, A., Lins, S., Szefer, J., Sunyaev, A.: Advancing the Adoption of a New Generation of
Certifications - A Theoretical Model to Explain the Adoption of Continuous Cloud Service Certification by
Certification Authorities. In: Proceedings of Wirtschaftsinformatik (WI 2017), pp. 1-12 (2017)
11. Sturm, B., Lansing, J., Sunyaev, A.: Moving in the Right Direction? Mapping Literature on Cloud Service
Certifications’ Outcomes with Practitioners’ Perceptions. In: Proceedings of the 22nd European Conference
on Information Systems (2014)
12. Özpolat, K., Gao, G., Jank, W., Viswanathan, S.: The Value of Third-Party Assurance Seals in Online
Retailing: An Empirical Investigation. Information Systems Research 24, 1100-1111 (2013)
13. Hu, X., Wu, G., Wu, Y., Zhang, H.: The Effects of Web Assurance Seals on Consumers' Initial Trust in an
Online Vendor: A Functional Perspective. Decision Support Systems 48, 407-418 (2010)
14. Kim, D.J., Ferrin, D.L., Rao, H.R.: A Trust-Based Consumer Decision-Making Model in Electronic
Commerce: The Role of Trust, Perceived Risk, and Their Antecedents. Decision Support Systems 44,
544-564 (2008)
15. McKnight, D.H., Kacmar, C.J., Choudhury, V.: Shifting Factors and the Ineffectiveness of Third Party
Assurance Seals: A Two-Stage Model of Initial Trust in a Web Business. Electronic Markets 14, 252-266
(2004)
16. Kim, K., Kim, J.: Third-party Privacy Certification as an Online Advertising Strategy: An Investigation of
the Factors Affecting the Relationship between Third-party Certification and Initial Trust. Journal of
Interactive Marketing 25, 145-158 (2011)
17. Hui, K.L., Teo, H.-H., Lee, S.-Y.T.: The Value of Privacy Assurance: An Exploratory Field Experiment.
MIS Quarterly 31, 19-33 (2007)
18. Tashakkori, A., Teddlie, C.: Sage Handbook of Mixed Methods in Social & Behavioral Research. Sage
Publications, Los Angeles, Calif. (2010)
19. Creswell, J.W.: Research Design. Qualitative, Quantitative, and Mixed Methods Approaches. Sage
Publications, Thousand Oaks (2013)
20. Gregor, S.: The Nature of Theory in Information Systems. MIS Quarterly 30, 611-642 (2006)
21. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. Gaithersburg, Montgomery, USA (2011)
22. Schneider, S., Sunyaev, A.: Determinant factors of cloud-sourcing decisions. Reflecting on the IT
outsourcing literature in the era of cloud computing. Journal of Information Technology 31 (2016)
23. Kaliski, J.B.S., Pauley, W.: Toward Risk Assessment as a Service in Cloud Environments. In: Proceedings
of the 2nd USENIX Conference on Hot Topics in Cloud Computing (HotCloud'10), pp. 1-7 (2010)
24. Windhorst, I., Sunyaev, A.: Dynamic Certification of Cloud Services. In: Proceedings of the Eighth
International Conference on Availability, Reliability and Security (ARES) (2013)
25. Subashini, S., Kavitha, V.: A Survey on Security Issues in Service Delivery Models of Cloud Computing.
Journal of Network and Computer Applications 34, 1-11 (2011)
26. ENISA: Cloud Computing. Benefits, Risks and Recommendations for Information Security,
https://resilience.enisa.europa.eu/cloud-security-and-resilience/publications/cloud-computing-benefits-risks-
and-recommendations-for-information-security
27. Cloud Security Alliance: ‘The Treacherous Twelve’ Cloud Computing Top Threats in 2016,
https://cloudsecurityalliance.org/download/the-treacherous-twelve-cloud-computing-top-threats-in-2016/
28. Khan, K.M., Malluhi, Q.: Trust in Cloud Services: Providing More Controls to Clients. Computer 46, 94-96
(2013)
29. Schneider, S., Lansing, J., Gao, F., Sunyaev, A.: A Taxonomic Perspective on Certification Schemes. In:
Proceedings of the 47th Hawaii International Conference on System Sciences (HICSS 2014), pp. 1-10
(2014)
30. Gao, F., Schneider, S.: Cloud Frameworks: An Information Systems Perspective. In: Proceedings of ConLife
Academic Conference 2012 (ConLife 2012) (2012)
31. Dess, G.G., Beard, D.W.: Dimensions of Organizational Task Environments. Administrative Science
Quarterly 29, 52-73 (1984)
32. Miles, R.E., Snow, C.C., Pfeffer, J.: Organization-Environment: Concepts and Issues. Industrial Relations: A
Journal of Economy and Society 13, 244-264 (1974)
33. Burns, T., Stalker, G.M.: The Management of Innovation. Oxford University Press, Oxford, New York
(1994)
34. Lawrence, P.R., Garrison, J.S., Lorsch, J.W.: Organization and Environment. Managing Differentiation and
Integration. Div. of Research, Graduate School of Business Administration, Harvard Univ, Boston (1967)
35. Thompson, J.D.: Organizations in Action. Social Science Bases of Administrative Theory. Transaction
Publishers, New Brunswick, NJ (2003)
36. Lee, O.-K., Sambamurthy, V., Lim, K.H., Wei, K.K.: How Does IT Ambidexterity Impact Organizational
Agility? Information Systems Research 26, 398-417 (2015)
37. Janney, J.J., Folta, T.B.: Moderating Effects of Investor Experience on the Signaling Value of Private Equity
Placements. Journal of Business Venturing 21, 27-44 (2006)
38. Lins, S., Thiebes, S., Schneider, S., Sunyaev, A.: What is Really Going on at Your Cloud Service Provider?
In: Proceedings of the 48th Hawaii International Conference on System Science (HICSS 2015), pp. 1-10
(2015)
39. CUMULUS Consortium: CUMULUS - Certification Infrastructure for Multi-layer Cloud Services,
http://cumulus-project.eu/
40. Lowry, P.B., Moody, G., Vance, A., Jensen, M., Jenkins, J., Wells, T.: Using an Elaboration Likelihood
Approach to Better Understand the Persuasiveness of Website Privacy Assurance Cues for Online
Consumers. Journal of the American Society for Information Science and Technology 63, 755-776 (2012)
41. Kaplan, S.E., Nieschwietz, R.J.: A Web Assurance Services Model of Trust for B2C E-Commerce.
International Journal of Accounting Information Systems 4, 95-114 (2003)
42. Yang, S.-C., Hung, W.-C., Sung, K., Farn, C.-K.: Investigating Initial Trust Toward E-Tailers From the
Elaboration Likelihood Model Perspective. Psychology & Marketing 23, 429-445 (2006)
43. Nöteberg, A., Christiaanse, E., Wallage, P.: Consumer Trust in Electronic Channels: The Impact of
Electronic Commerce Assurance on Consumers' Purchasing Likelihood and Risk Perceptions. e-Service
Journal 2, 46-67 (2003)
44. Rifon, N., La Rose, R., Choi, S.M.: Your Privacy Is Sealed: Effects of Web Privacy Seals on Trust and
Personal Disclosures. Journal of Consumer Affairs 39, 339-362 (2005)
45. Lansing, J., Schneider, S., Sunyaev, A.: Cloud Service Certifications: Measuring Consumers’ Preferences
for Assurances. In: Proceedings of the 21st European Conference on Information Systems (ECIS 2013)
(2013)
46. Lee, A.S.: Integrating Positivist and Interpretive Approaches to Organizational Research. Organization
Science 2, 342-365 (1991)
47. Sarker, S., Sarker, S., Sahaym, A., Bjørn-Andersen, N.: Exploring Value Cocreation in Relationships
Between an ERP Vendor and Its Partners: A Revelatory Case Study. MIS Quarterly 36, 317-338 (2012)
48. Bryant, A., Charmaz, K.: The SAGE Handbook of Grounded Theory. SAGE, Los Angeles, London (2007)
49. Sarker, S., Sarker, S.: Exploring Agility in Distributed Information Systems Development Teams: An
Interpretive Study in an Offshoring Context. Information Systems Research 20, 440-461 (2009)
50. Myers, M.D.: Qualitative Research in Business & Management. SAGE, London (2013)
51. Patton, M.Q.: Qualitative Research & Evaluation Methods. Integrating Theory and Practice. SAGE
Publications, Inc, Thousand Oaks, California (2015)
52. Yin, R.K.: Case Study Research. Design and Methods. SAGE, Los Angeles, London (2014)
53. Gorden, R.L.: Interviewing. Strategy, Techniques, and Tactics. Dorsey Press; Irwin-Dorsey Ltd, Homewood,
Ill., Georgetown, Ont. (1980)
54. Charmaz, K.: Grounded Theory: Objectivist and Constructivist Methods. In: Denzin, N.K., Lincoln, Y.S.
(eds.) Handbook of Qualitative Research, pp. 509-535. Sage Publications, Thousand Oaks, CA, US (2000)
55. Rossi, P.H.: Vignette Analysis: Uncovering the Normative Structure of Complex Judgments. In: Merton,
R.K., Coleman, J.S., Rossi, P.H. (eds.) Qualitative and Quantitative Social Research, pp. 176-186. The Free
Press, New York, USA (1979)
56. Jasso, G.: Factorial Survey Methods for Studying Beliefs and Judgments. Sociological Methods & Research
34, 334-423 (2006)
57. Vance, A., Benjamin Lowry, P., Eggett, D.: Increasing Accountability Through User-Interface Design
Artifacts. MIS Quarterly 39 (2015)
58. Vance, A., Lowry, P.B., Eggett, D.: Using Accountability to Reduce Access Policy Violations in
Information Systems. Journal of Management Information Systems 29, 263-290 (2013)
59. Lins, S., Benlian, A., Sunyaev, A.: The Shifts of Fortune Test the Reliability of Friends - The Brittle Nature
of Signal Reliability in Electronic Markets. Working Paper (2017)
60. Spence, M.: Signaling in Retrospect and the Informational Structure of Markets. The American Economic
Review 92, 434-459 (2002)
61. Spence, M.: Job Market Signaling. The Quarterly Journal of Economics 87, 355 (1973)
62. Rao, A.R., Qu, L., Ruekert, R.W.: Signaling Unobservable Product Quality through a Brand Ally. Journal of
Marketing Research 36, 258-268 (1999)
63. Bacharach, M., Gambetta, D.: Trust in Signs. In: Cook, K.S. (ed.) Trust in Society, pp. 148-184. Russell
Sage Foundation, New York, NY, USA (2001)
64. Connelly, B.L., Certo, S.T., Ireland, R.D., Reutzel, C.R.: Signaling Theory: A Review and Assessment.
Journal of Management 37, 39-67 (2011)
65. Etzion, D., Pe'er, A.: Mixed Signals. A Dynamic Analysis of Warranty Provision in the Automotive
Industry, 1960-2008. Strat. Mgmt. J. 35, 1605-1625 (2014)
66. Glaser, B.G., Strauss, A.L.: The Discovery of Grounded Theory. Strategies for Qualitative Research. Aldine
Pub. Co, Chicago (1967)
67. Corbin, J.M., Strauss, A.L.: Basics of Qualitative Research. Techniques and Procedures for Developing
Grounded Theory. SAGE, Los Angeles (2015)