13th International Conference on Wirtschaftsinformatik,
February 12-15, 2017, St. Gallen, Switzerland
Advancing the Adoption of a New Generation of Certifications – A Theoretical Model to Explain the Adoption of Continuous Cloud Service Certification by Certification Authorities
Andrea Quinting¹, Sebastian Lins¹, Jakub Szefer², and Ali Sunyaev³
¹ University of Cologne, Department of Information Systems, Cologne, Germany
{quinting,lins}@wiso.uni-koeln.de
² Yale University, Department of Electrical Engineering, New Haven, CT, U.S.
jakub.szefer@yale.edu
³ University of Kassel, Research Center for IS Design (ITeG), Kassel, Germany
sunyaev@uni-kassel.de
Abstract. Cloud certifications are a good means to assure users of a high level of security and reliability of certified cloud services. However, cloud environments are highly dynamic due to the challenging cloud characteristics and fast technology life-cycles. We believe that current certifications fail to cope with an ever-changing cloud environment because assessments are based only on manual expert assessments and periodic spot checks. We argue that continuous service certification (CSC) is required to assure reliable and trustworthy cloud services. To understand and enhance CSC’s rate of adoption, we examine the adoption process of CSC from the perspective of certification authorities by building on the Diffusion of Innovations theory and the Technology-Organization-Environment framework. Our findings reveal that the innovation’s characteristics, organizational and environmental influences will affect the adoption of CSC by certification authorities. We advance the understanding of the CSC adoption process by providing a synthesis and discussion of important factors.
Keywords: Continuous Certification, Cloud Services, Diffusion of Innovations
Theory, Technology-Organization-Environment Framework
1 Introduction
Several cloud service certifications have recently evolved and attempt to assure users of a high level of security, availability and legal compliance of the certified cloud service. Certifications aim to reduce cloud customers’ concerns, increase trust and enhance transparency in the cloud service markets. These cloud service markets have become increasingly popular because they offer a vast selection of IT services (e.g., online storage, office software and collaboration tools) that are instantly available and that can withstand unexpected fluctuations in demand for the service, e.g., quickly spinning up new resources when demand increases. Certifications in general are well-recognized means for organizations to assess goods and services [1, 2], and their importance and number have steadily increased in recent years [3].
Yet, current research has primarily focused on identifying and assessing the effectiveness of certifications at a given point in time, and thus they are essentially regarded as static snapshots of attributes of providers and their services [4–6]. However, cloud service environments are highly dynamic, resulting from challenging cloud computing characteristics (e.g., on-demand provisioning and entangled supply chains), fast technology life cycles and ongoing architectural changes [6–8]. Likewise, cloud services are faced with dynamically emerging environmental challenges and with changes in the legal landscape which might threaten certification effectiveness and reliability in the medium to long term.
We believe that current certifications fail to cope with an ever-changing cloud environment because certification assessments are based only on static, manual expert assessments and periodic spot checks, and may not actually remain valid for longer periods of time after certification. Therefore, we argue that continuous service certification (CSC) is required to assure reliable and trustworthy certifications and cloud services.
CSC is beneficial for cloud certification authorities, service providers and customers altogether [7, 8]: certification authorities can actively detect and investigate critical certification deviations as they occur, thus increasing certification reliability over today’s approaches; cloud providers can constantly improve their cloud services by evaluating ongoing feedback from the certification authority about their performance; and finally CSC can counteract customers’ worries due to lack of control of cloud infrastructure by increasing the transparency of providers’ operation. With increasing reliance of organizations on cloud service providers, the necessity for continuous reliable, trustworthy and meaningful certification gains importance. Yet, CSC currently remains underexplored, not well test-marketed and evaluated only in trials, resulting in a low adoption rate by certification authorities [8].
To understand and enhance CSC’s rate of adoption, and therefore ultimately pave the way for continuously reliable and secure cloud services, we examine the adoption process of CSC from the perspective of certification authorities by conducting a thorough literature search, and building on the Diffusion of Innovations theory [9] and the Technology-Organization-Environment framework [10, 11]. Our work helps to answer the research question: What influences certification authorities to adopt CSC?
Investigating how the characteristics of an innovation as well as organizational and environmental factors will affect CSC’s rate of adoption can be of great value to understand and enhance actual adoption processes [9]. With this study, we advance the understanding of the CSC adoption process by providing a synthesis and discussion of relevant factors that influence the adoption rate of certification authorities. In addition, we provide a theoretical model to be tested in future research for validation.
The paper proceeds as follows. We provide a background on cloud service certifications and highlight the need for CSC, followed by a brief presentation of our research approach. Thereafter, we discuss how the characteristics of CSC, organizational, environmental, risk and cost factors influence the adoption process. We then discuss our findings and conclude with directions for future research.
2 Theoretical Background
2.1 Cloud Service Certifications
Cloud computing offers ubiquitous, on-demand access to a shared pool of configurable IT resources (e.g., servers, storage and applications) that can be rapidly provisioned and released with minimal management effort or service provider interaction [12]. On the one hand, cloud services offer an attractive alternative to traditional IT usage for organizations, and on the other hand they challenge contemporary security and privacy risk assessment approaches. Therefore, cloud services face a broad range of risks including lack of accessibility, reliability and virtualization vulnerabilities, privacy and control issues as well as issues related to data integrity and segregation [13].
One widespread strategy to reduce customers’ uncertainties is to adopt certifications, which is particularly important for small and medium-sized cloud providers [1]. A certification is defined as a third party attestation of products, processes, systems or persons that verifies the conformity to specified requirements [14]. During a certification process, independent and accredited auditors perform comprehensive, manual checks to test adherence according to a defined set of certification criteria. If a provider adheres to the specified requirements, the certification authority awards a formal written certificate. A variety of certifications has already been developed and market tested to signal that providers have adopted their standards and comply with their certification audits; these exist particularly in cloud markets (e.g., EuroCloud ‘StarAudit’ and Cloud Security Alliance Security, Trust & Assurance Registry). Cloud service certifications typically consist of security, privacy and reliability requirements, and build on IT standards (e.g., ISO 27001, ISO 27017 and ITIL), and aim to ensure availability, integrity and confidentiality of cloud services for a validity period of one to three years [15].
2.2 The Need for Continuous Certification
Existing certifications represent only a retrospective look at the fulfillment of technical and organizational measures. Requirements of certifications may no longer be met throughout the validity period of the certification because cloud services are confronted with continuously emerging environmental dynamics. In particular, we refer to environmental dynamics that are difficult to predict, lead to instability and create uncertainty for customers or providers [16]. The premise behind these assumptions is that external environments impact organizational performance, and organizations must take into account environmental characteristics and emerging dynamics when formulating strategies and structures as well as during daily operations. As such, inherent cloud computing characteristics, ongoing architectural changes, the emergence of environmental threats or changes in the legal and regulatory landscape can be regarded as dynamics that might have an impact on actions taken by a provider. Certification reliability has to be re-evaluated over time if the assumptions under which a certification was awarded have changed. Consequently, we believe that CSC is required to assure continuously reliable and trustworthy certification and cloud services. CSC is a methodology that enables certification authorities to react and to adjust their certification reports simultaneously with the occurrence of events concerning the cloud service [6].
3 Research Approach
3.1 Literature Analysis
In this study, we focus on identifying factors that influence the adoption of CSC by certification authorities, and therefore conducted a thorough literature review. To find pertinent literature that deals with innovation adoption processes, we performed a search in the online database of EBSCOHost (Academic Search Complete and Business Source Complete). This search was executed on 15th March 2016 and was based on the following search string: (“Diffusion of Innovation*”) AND ((“Information System*”) OR (IS)), inspired by the Diffusion of Innovations theory [9]. The search was limited to title, abstract and keywords. Moreover, the results were reduced by applying the filter for “peer-reviewed publications” only. This initial search revealed 81 potentially relevant articles, published from 1982 to 2015, which deal in different ways with the adoption or the diffusion of innovations. Some of these publications deal with innovations in general whereas others specifically refer to concrete innovations. By examining these articles, we determined that 55 of them suggest factors influencing the adoption of an innovation. Identified papers were read and factors impacting the adoption of an innovation were marked for further analysis, regardless of individual findings relating to the factors (i.e., regarding their empirical support) [17], leading to 437 factors. As many different factors were used in different articles, sometimes under different names, we named them only once and noted their frequency of being mentioned, as this can be seen as an indicator of their importance. By this we reduced our list of factors to 258.
To further reduce this number of factors we carefully analyzed the used terms and their meaning. First, we identified synonyms, aggregated them into one factor and summed up the frequency of being mentioned for each of the synonymous terms. Second, we subsumed terms with similar meanings as for example “competitors”, “competition”, “competitive advantage”, and “other industry players” to “competitive pressure” and considered their total frequency of mention. Third, we excluded terms which, for example, refer to the adoption process itself rather than to factors influencing the adoption decision like “earliness of adoption”, and those terms which refer to a concrete innovation, for example, “website features”, and therefore cannot be transferred to the CSC context. Finally, we carefully analyzed whether remaining factors are empirically supported and read research findings to ensure relevancy of factors. Based upon the remaining factors and on the frequency of being mentioned, we formed five groups of factors which have a major influence on the adoption of an innovation: innovation’s characteristics (mentioned 124 times) including relative advantage, complexity, compatibility, observability and trialability; organizational factors (66) including organization, management and technology attributes; individual factors (49) including attitudes and skills; environmental factors (34) including the legal and regulatory landscape, market and competitive pressure; and finally risks and costs (16).
3.2 Theories of Factors Influencing the Adoption of Continuous Certification
The five groups of factors resulting from our literature analysis are in line with and can be assigned to two different theoretical models explaining the adoption of innovations: the Diffusion of Innovations theory (DOI) and the Technology-Organization-Environment (TOE) framework. The DOI theory was proposed by Everett M. Rogers [9] and focuses on why innovations, although having obvious advantages, are often very hesitantly adopted. A central concept of the DOI theory is the diffusion process, in which an innovation is communicated through certain channels, over time, among the members of a social system. Information about the innovation will be communicated during the diffusion process, which reduces uncertainty of potential adopters about the innovation itself, and finally leads to an adoption or rejection decision. An innovation is defined as an idea, practice or object that is perceived as new by an individual. The adoption rate is defined as the relative speed with which members of a social system adopt an innovation. While most research has concentrated on the adoption of innovations in regard to differences in their innovativeness, DOI theory examines the innovation itself, and how its characteristics affect its rate of adoption. DOI theory describes five main innovation characteristics: relative advantage, compatibility, complexity, trialability and observability. Literature shows that the DOI theory has a solid theoretical foundation and consistent empirical support (e.g., [18–20]). DOI theory focuses on the impact of innovation’s characteristics, but acknowledges that the specific context, for example, the organization and its environment, can influence the adoption rate as well [9, 21]. We integrate the TOE framework that serves as an important, additional theoretical perspective for studying such contextual factors [10, 11].
The TOE framework was developed by De Pietro, Wiarda and Fleischer [10], and is embedded into the research by Tornatzky and Fleischer [11] who describe the entire process of technological innovation, from the invention or development by engineers until the adoption and implementation by users within an organization. The TOE framework focuses on factors that influence the adoption and implementation of innovations in the context of an organization. It identifies three main contexts that influence the adoption of innovation: the technological, organizational and environmental context [10, 11]. The TOE framework has been used by researchers to examine the adoption of technological innovations, and has received ample empirical support (e.g., [20, 22, 23]).
To construct our theoretical model, we combined the DOI theory and the TOE framework by using the innovation’s characteristics as representative factors for the technological context. In addition, we considered organizational factors, including both managerial and IT capabilities. We complemented them by environmental factors as well as the factor group ‘risks and costs’ because they exert a decisive influence with regard to the adoption of CSC (see Figure 1). We excluded the group of individual factors, although resulting from the literature research, because this study takes an organization level perspective. Finally, we excluded trialability as one of the innovation’s characteristics because CSC cannot be tested easily beforehand as it requires high effort and expenditure.
Figure 1. Factors influencing the adoption of CSC.
4 Theoretical Model of Factors and their Impact on the Adoption of Continuous Certification
In the following, we discuss identified factors in regard to the adoption of CSC by certification authorities, derive propositions about their impact and integrate them into a theoretical model.
Innovation’s characteristics exert a great influence on the adoption of an innovation. Before an organization passes through the innovation-decision process, it seeks information in order to decrease uncertainty about the relative advantage of an innovation [9]. Such a relative advantage, which for example generates cost savings or offers the solution to an existing problem, can lead to the adoption of an innovation because it is perceived as better, more economical or more expedient. Providing CSC services is beneficial for certification authorities because CSC increases their efficiency and reliability of issued certifications in particular.
In the context of traditional certification processes, adherence to certification requirements is observed by spot checks on a yearly basis only. Hence, certification deviations might be detected late or hardly ever. In contrast, CSC allows the certification authority to actively detect critical defects as they occur. Hence, CSC can be considered as proactive and enables corrective actions as soon as a problem is detected. So CSC can improve reliability and trustworthiness of issued certifications. In addition, certification reports are more relevant to customers’ decision makers. The change from yearly spot checks to CSC is often accompanied by the use of automated certification processes which enable certification authorities to test larger data samples and examine data in a faster and therefore more efficient way, compared to their manual predecessors. Finally, the certification authority might gain further benefits by offering innovative certification services for cloud customers and charging extra fees (e.g., enabling customers to validate requirement adherence on demand). While in traditional certification contexts a business relationship only exists between the cloud provider and the certification authority, CSC enables certification authorities to build up a direct relationship with cloud service customers, hence, creating new business models. Consequently, CSC provides significant relative advantages for certification authorities because it increases the efficiency and quality of certifications, enables new business models, and leads to continuously secure and reliable cloud services.
Proposition 1 (P1): Relative advantages foster the adoption of CSC by certification
authorities.
The more compatible an innovation is perceived with sociocultural values and beliefs, the needs of potential adopters or with previous experiences, the less uncertainty concerning the innovation is present, leading to a higher rate of adoption [9]. Certifications are well-recognized means for customers to assess goods and services [1]. The importance and number of independent third party product and service assessments have steadily increased in recent years [3]. Yet, providers are threatened by a highly dynamic and ever-changing environment, and thus quickly respond to emerging environmental dynamics. With increasing reliance of customers on cloud services their demand for continuous, highly reliable and secure services gains importance. Consequently, it is necessary for the certification authority to continuously verify the conformity with certification requirements.
Previously introduced ideas and practices are a familiar standard against which the innovation can be interpreted [9]. Current certification practices are mostly based upon manual auditing operations, for example, performing interviews and manual security tests. The transition to CSC requires an automation of certification processes. The use of computer-based audit tools and technologies (CAATTs), which already aim at automating processes and facilitating the certification authority’s work, could therefore promote this transition. Nonetheless, surveys reveal that CAATTs are not yet frequently and systematically used [24], although they are seen as useful and beneficial. We assume that CSC is compatible with the needs of relevant stakeholders and previously introduced ideas, leading to a positive effect on the adoption.
P2: A high compatibility fosters the adoption of CSC by certification authorities.
The complexity of an innovation is measured by the degree to which the innovation is perceived as relatively difficult to understand and use [9]. The higher the complexity is, the greater is the uncertainty of potential adopters. Adopting CSC exhibits a high degree of complexity. Certification authorities must establish CSC and management systems to support the certification planning, management, operation and scheduling activities, develop new certification processes and train their employees. In order to reduce the complexity of the CSC, authorities can build on existing monitoring systems and processes of the provider to gather certification-relevant data [25]. For example, certification authorities might access an interface that enables the secure and reliable transmission of relevant data. Furthermore, the authority not only has to manage its own CSC operations, but also has to consider and align with providers’ ongoing activities, which also increases the complexity of CSC. Consequently, the certification scope has to be adjusted individually for each cloud service, for example, in regard to available cloud systems, provider’s organizational size, the number of employees as well as the level of technical knowledge and skills.
P3: A high complexity hampers the adoption of CSC by certification authorities.
The observability is the degree to which the innovation provides tangible results [9]. The higher the perceived observability of an innovation is, the more positively it affects the adoption rate. Performing CSC aims to increase transparency about cloud service operation and certification adherence. Results of CSC will be visible for the public, for example, by ongoing certification reports. In order to further increase the observability, CSC offers the means for a new generation of web assurance seals: dynamic, up-to-date, and accurate seals informing customers about the actual certification requirement adherence status. Creating a high transparency for cloud service customers promotes the observability of CSC and has a positive effect on its adoption rate. However, a high observability also places high burdens on the protection and anonymization of provided data to ensure data confidentiality, integrity and authenticity.
P4: A high observability fosters the adoption of CSC by certification authorities.
Organizational factors comprise features and characteristics of the organization, essential aspects of management as well as the extent and the level of use of technology; factors that influence the adoption of an innovation [10, 11]. An organization is characterized by its age and size among others. Since size represents several important aspects of an organization, such as slack resources, organizational structure and decision-making flexibility, it is a critical factor to influence innovation adoption [9]. In the IS literature different opinions exist regarding the role that size plays [20]. On the one hand, large and established authorities may be less flexible than smaller and younger organizations, might show less innovation readiness and rather insist on previously applied methods [20, 23]. But on the other hand, these authorities have access to profound experience and knowledge about certification processes and emerging innovations, and can build on more financial means and multifarious human and material resources in order to meet challenges posed by the adoption of innovations [9, 20]. We assume that a certification authority’s size and age will foster the adoption of the CSC because larger and older authorities generally possess slack resources and expertise to meet adoption challenges, including high initial investments and the redesign of certification business processes.
P5: The certification authority’s size and age will foster the adoption of the CSC.
With respect to an organization’s management, its settings, policies and priorities in particular affect the adoption of innovations [10, 11]. Thus, for example, CSC adoption should be consistent with organizational objectives and strategy [21] and supported by the top management [26]. The top management should provide the vision, support and commitment around the innovation as well as commit resources and create the environment required for the adoption [27]. Thus, top management exerts a positive influence on the adoption of CSC.
P6: Management support fosters the adoption of CSC by certification authorities.
Furthermore, the certification authority’s technology competence has an influence on the innovation adoption [10, 11, 20]. Technology competence refers to the technological characteristics available in the organization such as the IT infrastructure and IT professionals [23]. The IT infrastructure covers the installed technologies, systems and applications within the certification authority allowing an integration of CSC services and corresponding IT systems. IT professionals are the human resources with technical knowledge required to efficiently perform CSC. For example, if the existing IT infrastructure is highly developed and versatile, and supports the integration of new CSC components, adoption uncertainty is reduced and adoption rate increases.
P7: Technology competence fosters the adoption of CSC by certification authorities.
Environmental factors comprise environmental values and norms, customer and competitive pressures [10, 11]. The environmental values and norms can affect the adoption of CSC, for example, by changing or setting up new guidelines. If, for example, the validity period of cloud certificates is generally shortened, this prepares the transition to the CSC and could ultimately have the effect that certification authorities are only accredited when awarding their certificates based on CSC. The government can also contribute to the adoption of CSC when well-reputed government institutions highlight the use of CSC as an effective way to increase the security and reliability of cloud services.
P8: The values and norms foster the adoption of CSC by certification authorities.
Cloud customer pressure can exert great influence on the adoption of CSC [9–11]. Certification authorities might start adopting CSC, for example, if an ever-increasing number of (potential) cloud customers demand reliable certifications in modern, turbulent environments. In the future, customers might decide whether to use a cloud service or not, based on providers’ willingness to be continuously certified. Consequently, customer pressure is assumed to be of great influence on the adoption of CSC.
P9: Customer pressure fosters adoption of CSC by certification authorities.
Certification authorities compete for certification requests. Competitive pressure also acts as a facilitator influencing the adoption of CSC. Either the incentive of first-mover competitive advantages or the urgency to keep up with competitors will provide the focus and purpose to successfully overcome obstacles and resistance to innovation adoption within an organization [21, 28]. Likewise, innovation imposition strategies by providers and partners might foster the adoption rate of CSC, for example, if cloud providers tend to engage only with certification authorities that apply CSC in order to fulfill the demands of their cloud customers. Subsequently, competitive pressure might force certification authorities to open up for CSC and to create necessary conditions for adoption.
P10: Competitive pressure fosters the adoption of CSC by certification authorities.
Risk and cost factors refer to possible disadvantages or dangers, and to expenses, which may affect the adoption of an innovation. In general, risks and costs represent multi-dimensional constructs that need to be viewed from different angles and analyzed in detail. For example, various security and privacy risks might emerge that impact certification authorities’ adoption intention differently. CSC implies the transmission and storage of data about the cloud service at the site of the certification authority. Subsequently, certification authorities are becoming a valuable target for attackers from the outside. Hence, this involves high risks of data theft, leads to significantly higher demands on data security and data protection, and may hamper the adoption.
P11: Risks hamper the adoption of CSC by certification authorities.
CSC of cloud services usually goes along with automation of processes, which on the one hand requires high expenditures for purchasing the technical equipment and a high amount of running costs for the operation and maintenance. On the other hand, an automation of processes might lead to (mid-term) cost savings.
P12: Costs influence the adoption of CSC by certification authorities.
Figure 2 depicts our theoretical model and summarizes identified factors and their
impact on the adoption intention of CSC by certification authorities. Adoption intention
refers to the probability that an organization will adopt CSC processes, set up required
IT infrastructures, and provide CSC services for cloud providers.
Figure 2. Theoretical model of CSC adoption by certification authorities.
5 Discussion and Conclusion
Based on a literature analysis, we developed a theoretical model by integrating the DOI theory and the TOE framework complemented by risk and cost factors to examine which factors influence the adoption of continuous cloud service certification. Thereby, we are able to analyze the adoption of an innovation from two different perspectives: the innovation itself with its characteristics and the surrounding organizational and environmental contexts. This study shows that many factors have an important impact on the adoption of CSC. We believe that the multifarious relative advantages of CSC and a high degree of observability will strongly motivate certification authorities to adopt CSC. On the other hand, a limited compatibility and a high complexity might hamper adoption. In regard to organizational factors, top management support and a high technical competence will positively influence the adoption of CSC. As environmental factors, customer and competitive pressures are of great importance when adopting CSC of cloud services. Finally, risks and costs are relevant inhibitors for the adoption of CSC.
The identified and discussed factors have been considered separately, but some are
closely related to each other, which might result in moderating effects on the adoption
intention. First, relative advantages of CSC due to a high observability of CSC results
are visible for both cloud customers and competitors, and thus they can lead to an
increase of customer and competitive pressure as environmental factors. Second, a high
technological competence, for example, due to the existence of a well-equipped IT
department with well-trained specialists, reduces the complexity of CSC as well as
increases the innovation’s compatibility. Finally, a close interrelationship between
environmental pressures as well as perceived relative advantages, and top management support
is apparent because they influence the strategy of an organization and actions that are
preferred by the management.
With this study, we provide a two-fold contribution for research and practice. First,
we advance the understanding of the CSC adoption process by providing a synthesis
and discussion of relevant factors that influence the adoption rate from a DOI and TOE
perspective. Investigating how the attributes of an innovation affect its rate of adoption
can be of great value to change agents seeking to predict the reactions to an innovation,
and perhaps to modify certain of these reactions by the way they name and position an
innovation [9]. Finally, we provide a theoretical model to be tested in future research
to validate our assumptions, and to enhance the adoption process.
Nevertheless, this study has some limitations. Our discussion of the factors is based
on literature analysis and theoretical reasoning only, since at the current state of
diffusion only a minority of certification authorities have started to deal with CSC
adoption. However, we are currently working on a quantitative study to analyze to what
extent the discussed factors influence CSC adoption. Within this study we focused on
the adoption of CSC of cloud services by certification authorities; hence, our theoretical
model might be limited in regard to the context of cloud services as well as to
certification authorities as stakeholders. Finally, we neglected factors of individual
adopters (i.e., managers) which might be of great importance in the actual adoption
decision process.
“Last, […] an innovation's rate of adoption is affected by the extent of change
agents' promotion efforts” [9]. On this account, we want to encourage researchers and
practitioners with this study to participate in adopting and diffusing CSC.
6 Acknowledgements
This research is funded by the German Federal Ministry for Education and Research
(grant no. 16KIS0079).
References
1. Sunyaev, A., Schneider, S.: Cloud services certification. CACM 56, 33–36 (2013)
2. Schneider, S., Sunyaev, A.: Determinant factors of cloud-sourcing decisions: reflecting on the IT outsourcing literature in the era of cloud computing. Journal of Information Technology 31, 1–31 (2016)
3. International Organization for Standardization: The ISO Survey of Management System Standard Certifications 2014. Executive summary
4. Connelly, B.L., Certo, S.T., Ireland, R.D., Reutzel, C.R.: Signaling Theory. Journal of Management 37, 39–67 (2011)
5. Etzion, D., Pe'er, A.: Mixed signals. A dynamic analysis of warranty provision in the automotive industry, 1960-2008. Strategic Manage J 35, 1605–1625 (2014)
6. Lins, S., Schneider, S., Sunyaev, A.: Trust is Good, Control is Better. Creating Secure Clouds by Continuous Auditing. IEEE Transactions on Cloud Computing (2016)
7. Lins, S., Grochol, P., Schneider, S., Sunyaev, A.: Dynamic Certification of Cloud Services. Trust, but Verify! IEEE Security & Privacy 14, 66–71 (2016)
8. Lins, S., Teigeler, H., Sunyaev, A.: Towards a bright future: Enhancing diffusion of continuous cloud service auditing by third parties. In: Proceedings of the 24th European Conference on Information (2016)
9. Rogers, E.M.: Diffusion of innovations. Free Press, New York (1962)
10. DePietro, R., Wiarda, E., Fleischer, M.: The context for change. In: Tornatzky, L.G., Fleischer, M., Chakrabarti, A.K. (eds.) The processes of technological innovation. Lexington Books (1990)
11. Tornatzky, L.G., Fleischer, M., Chakrabarti, A.K. (eds.): The processes of technological innovation. Lexington Books (1990)
12. Mell, P.M., Grance, T.: The NIST definition of cloud computing. National Institute of Standards and Technology, Gaithersburg, MD (2011)
13. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. J Netw Comput Appl 34, 1–11 (2011)
14. International Organization for Standardization: Conformity assessment - Vocabulary and general principles 03.120.20; 01.040.03
15. Schneider, S., Lansing, J., Fangjian Gao, Sunyaev, A.: A Taxonomic Perspective on Certification Schemes. In: Proceedings of the 47th Hawaii International Conference on System Sciences, pp. 4998–5007
16. Miles, R.E., Snow, C.C., Pfeffer, J.: Organization-Environment: Concepts and Issues. Industrial Relations: A Journal of Economy and Society 13, 244–264 (1974)
17. Lacity, M.C., Khan, S., Yan, A., Willcocks, L.P.: A review of the IT outsourcing empirical literature and future research directions. Journal of Information Technology 25, 395–433 (2010)
18. Premkumar, G., Ramamurthy, K., Nilakanta, S.: Implementation of Electronic Data Interchange 11, 157–186 (1994)
19. Beatty, R.C., Shim, J.P., Jones, M.C.: Factors influencing corporate web site adoption. Information & Management 38, 337–354 (2001)
20. Zhu, K., Dong, S., Xu, S.X., Kraemer, K.L.: Innovation diffusion in global contexts. Eur J Inf Syst 15, 601–616 (2006)
21. Bradford, M., Florin, J.: Examining the role of innovation diffusion factors on the implementation success of enterprise resource planning systems. International Journal of Accounting Information Systems 4, 205–225 (2003)
22. Grover, V.: An Empirically Derived Model for the Adoption of Customer-based Interorganizational Systems. Decision Sciences 24, 603–640 (1993)
23. Zhu, K., Kraemer, K.L.: Post-Adoption Variations in Usage and Value of E-Business by Organizations. Inform Syst Res 16, 61–84 (2005)
24. Mahzan, N., Lymer, A.: Examining the adoption of computer-assisted audit tools and techniques. Managerial Auditing Journal 29, 327–349 (2014)
25. Stephanow, P., Fallenbeck, N.: Towards continuous certification of Infrastructure-as-a-service using low-level metrics. In: International Conference on Advanced and Trusted Computing, pp. 1–8 (2015)
26. Liang, H., Saraf, N., Hu, Q., Xue, Y.: Assimilation of Enterprise Systems. MIS Quarterly 31, 59–87 (2007)
27. Lee, S., Kim, K.-j.: Factors affecting the implementation success of Internet-based information systems. Computers in Human Behavior 23, 1853–1880 (2007)
28. Zaltman, G., Duncan, R., Holbek, J.: Innovations and organizations. Wiley, NY (1973)
... Customers therefore need to ensure that the specific services they are using are in the scope of the certification being presented. Researchers have also noted that because cloud services evolve so rapidly, certifications achieved at a fixed point in time may not represent the current state of the service [171]. This has led to calls for a shift to continuous auditing [171], [172]. ...
... Researchers have also noted that because cloud services evolve so rapidly, certifications achieved at a fixed point in time may not represent the current state of the service [171]. This has led to calls for a shift to continuous auditing [171], [172]. Furthermore, it has been argued that the certifications themselves are often not updated quickly enough to cover new threats raised by novel cloud services [173], [174]. ...
Preprint
This article proposes that organisations moving to public cloud often surrender visibility and control over their computing operations and instead rely upon trust in the cloud provider. We show that organisations are increasingly willing to give this trust, but that methods to reduce the amount of trust needed whilst maintaining the benefits of public cloud are possible. We therefore identify specific losses of control that cloud customers face and the solutions, both present and future, which can help to return that control back.
... AR technology offers customers to try the product according to their needs to increase observability. According to Quinting et al. (2017), observability has a significant positive effect on technology adoption intention. Therefore, we develop the H6: ...
Article
Purpose: This study evaluated the determinants of augmented reality (AR) adoption in Malaysia's travel and tour operator sectors through an integrated technology-organization-environmental (TOE) and diffusion of innovation (DOI) model. Design/methodology/approach: The TOE and DOI were considered the primary theoretical models but are combined and extended by including few additional variables. Data were collected from 220 respondents of travel and tour operating businesses in Malaysia and analyzed by applying PLS structural equation model technique. Findings: The empirical results established that perceived cost, relative advantages, complexity and compatibility, observability, competitor pressure, value alignment, customer pressure, and trialability are positively connected with the behavioral intention except for external support. The results reveal that value alignment partially mediates the association between relative advantages and behavioral intention, complexity and behavioral intention, compatibility and behavioral intention, perceived cost and behavioral intention except in between trialability and observability. Originality/value: This research is unique as the value alignment construct is included in the model, and thus it fulfills the literature gap by adding the mediation construct. This study contributes to enhancing AR's understanding of the Malaysian travel and tour operator industry through the lenses of owners or managers. It offers an integrated model that combines the TOE and DOI models, rare in this sector, and can be replicated or extended with validated scales.
... Quinting et al. [10] constructed a theoretical model for the adoption of a sustainable cloud digital signature service based on the TOE model and the theory of diffusion of innovation. Based on the TAM, Kim et al. [9] conducted an empirical study on factors affecting the intention to accept cloud digital signature services. ...
Article
The electronic signature service has been causing various problems due to the rapid growth of e-commerce services. Therefore, in order to create an authentication service suitable for the era of the 4th Industrial Revolution, new security authentication technologies such as the cloud must be utilized. However, there is a lack of prior management studies on the intention to accept digital signatures. Therefore, this study conducted an empirical study to identify factors affecting the intention to adopt cloud-based digital signature services. This research proposed a model based on the technology−organization−environment framework and empirically analyzed the degree of mutual causality and influence between variables using the partial least squares structural equation model. The results show that technical characteristics, organizational characteristics, and environmental characteristics significantly affected the intention to adopt. However, there are still many concerns about the security of cloud-based services. It has been confirmed that solving this problem is the key to the activation of the electronic signature service.
... Likewise, cloud service auditors could also offer mock-ups of user interfaces or experience reports from participating cloud service providers in order to enable at least a simple form of trialability and thus considerably improve future adoption. Because trialability is lacking (Lins et al. 2016b; Quinting et al. 2017; Teigeler et al. 2018), it was not examined further in this study. ...
Book
This book provides a framework for certifying services in the cloud. At its core is a comprehensive catalogue of criteria for the assessment of cloud services, which was developed in the research project "Value4Cloud", funded by the Federal Ministry of Economics and Technology. Cloud service users are supported in evaluating, comparing, and selecting services. The book is also suitable for cloud service providers for self-assessment and for improving their own services. New in the 2nd edition: To increase the credibility of issued certificates, the 2nd edition of this book introduces the innovative procedure of continuous certification. Continuous certifications make it possible to check critical requirements for cloud services on an ongoing and (partially) automated basis. In particular, it presents fundamentals, metrics, measurement methods, and design guidelines for the continuous and (partially) automated certification of cloud services, which were developed in the research project "Next Generation Certification", funded by the Federal Ministry of Education and Research. Contents: - Fundamentals of the (continuous) certification of cloud services - Design recommendations for cloud service certifications - Catalogue of criteria for the certification of cloud services - Measurement procedures for carrying out continuous certifications - Market potential of continuous certification
... Because CSC represents a promising strategy to address the challenges in conventional certification in dynamic cloud service contexts, an increasing amount of research has focused on analyzing how to certify cloud services on an ongoing and automated basis, which emphasizes the need for interminably secure and reliable cloud services. In particular, research on CSC analyzes the need and reasons for CSC (Lins et al., 2016a; Stephanow & Gall, 2015), examines the theoretical rationale underlying CSC to understand it, and discusses factors that influence stakeholders to participate in CSC (Lins et al., 2016b; Quinting, Lins, Szefer, & Sunyaev, 2017; Teigeler et al., 2018). More importantly, related research discusses how to perform CSC, which we discuss in Section 2.3 in detail. ...
Article
Continuous service certification (CSC) involves the consistently gathering and assessing certification-relevant information about cloud service operations to validate whether they continue to adhere to certification criteria. Previous research has proposed test-based CSC methodologies that directly assess the components of cloud service infrastructures. However, test-based certification requires that certification authorities can access the cloud infrastructure, which various issues may limit. To address these challenges, cloud service providers need to conduct monitoring-based CSC; that is, monitor their cloud service infrastructure to gather certification-relevant data by themselves and then provide these data to certification authorities. Nevertheless, we need to better understand how to design monitoring systems to enable cloud service providers to perform such monitoring. By taking a design science perspective, we derive universal meta-requirements and design guidelines for CSC monitoring systems based on findings from five expert focus group interviews with 33 cloud experts and 10 one-to-one interviews with cloud customers. With this study, we expand the current knowledge base regarding CSC and monitoring-based CSC. Our derived design guidelines contribute to the development of CSC monitoring systems and enable monitoring-based CSC that overcomes issues of prior test-based approaches.
... CSC utilizes innovative monitoring and auditing approaches to continuously validate cloud service provider's adherence to security and privacy requirements. Performing CSC is beneficial for cloud providers, certification authorities, and cloud customers (i.e., organizations that use cloud services) alike: providers can improve their cloud systems by evaluating continuous performance data; certification authorities actively detect and investigate critical certification deviations as they occur, thus increasing certification reliability; and finally CSC counteracts customers' lack of control by increasing the transparency of providers' operations (Teigeler et al. 2018; Quinting et al. 2017; Lins et al. 2016b). Most important, CSC constitutes a disruptive change of current certification processes by providing customers with ongoing, up-to-date feedback about cloud service's security and data protection levels. ...
Conference Paper
Recent research efforts resulted in innovative prototypes that enable certification authorities to continuously certify cloud services. Continuous service certification (CSC) involves constant collection and assessment of data relevant for validating a cloud service's compliance with security and privacy regulations through a certification authority. While practice shows that CSC is highly beneficial for cloud providers and certification authorities alike, it remains unclear which factors actually cause these actors to participate in CSC. As a first step towards closing this knowledge gap, this study builds on the technology-push and market-pull theories to identify factors that impact certification authorities' intention to perform CSC. We developed theoretical technology-push and market-pull models and tested them by conducting an online survey with 66 employees of certification authorities. Our findings reveal that technology-push factors, including relative advantage, organizational complexity, experimentation with innovation, influence certification authorities, on the one hand, and market-pull factors, including competitive pressure and regulatory intervention, on the other hand. By providing a synthesis and discussion of factors that influence certification authorities' intention to perform CSC, we advance the understanding of CSC diffusion, thus paving the way for continuously reliable and secure services.
... Through timely detection and continuous assurance of certification adherence as required in highly dynamic Because CSC is a promising strategy to address the challenges of conventional certification in dynamic cloud service contexts, an increasing amount of research has focused on analyzing how to certify cloud services on an ongoing and automated basis, thus emphasizing the need for interminably secure and reliable cloud services. In particular, research on CSC analyzes the need and reasons for CSC (Lins, Grochol et al., 2016; Stephanow & Gall, 2015), tries to understand the theoretical rationales underlying CSC, and discusses factors that influence stakeholders to participate in CSC (Lins, Teigeler et al., 2016; Quinting, Lins, Szefer, & Sunyaev, 2017; Teigeler et al., 2018). More importantly, related research discusses how to perform CSC, which will be discussed in the following section in detail. ...
Article
Continuous service certification (CSC) involves the consistent gathering and assessing of certification-relevant information about cloud service operation to validate ongoing certification criteria adherence. Previous research has proposed test-based CSC methodologies that directly assess components of the cloud service infrastructure. However, test-based certification requires access to the cloud infrastructure by certification authorities, which may be limited due to various issues. To address these challenges, cloud service providers have to monitor their cloud service infrastructure to gather certification-relevant data by themselves, and then provide these data to certification authorities, which is referred to monitoring-based CSC. Nevertheless, we require a better understanding of how to design monitoring systems to enable monitoring-based CSC of cloud services. By taking a design science perspective, we derive universal meta-requirements and design guidelines for CSC monitoring systems based on findings from five expert focus group interviews with 33 cloud experts and 10 one-to-one interviews with cloud customers. With this study, we have expanded the current knowledge base regarding CSC and monitoring-based CSC. Our derived design guidelines contribute to the development of CSC monitoring systems and enable monitoring-based CSC that overcomes issues of prior test-based approaches.
Chapter
This chapter explores how organizations can seek to secure a public cloud environment for use in big data operations. It begins by describing the challenges that cloud customers face when moving to the cloud, and proposes that these challenges can be summarized as a loss of control and visibility into the systems and controls around data. The chapter identifies thirteen areas where visibility and control can be lost, before progressing to highlight ten solutions to help regain these losses. It is proposed that planning is the most significant step a customer can take in ensuring a secure cloud for big data. Good planning will enable customers to know their data and pursue a risk-based approach to cloud security. The chapter provides insight into future research directions, highlighting research areas which hold the potential to further empower cloud customers in the medium to long term.
Chapter
This chapter concludes by considering the market potential of continuous certification. It examines the acceptance of continuous certification by cloud service providers and certification bodies and gives design recommendations for realizing benefits and potentials for cloud service customers.
Article
Component-based software development is an attractive proposition to globally distributed software development organizations because of its potential to integrate reusable components in new products. Several organizations have adopted component-based software development practices to support their global development processes, a phenomenon referred to as globally distributed component-based software development. Many factors influence an organization’s decision to adopt globally distributed component-based software development practices. The objective of this paper is to systematically assess the determinants that influence the adoption of component-based software development practices in global software development organizations. We develop a conceptual research model based on the diffusion of innovation (DOI) theory and the technology-organization-environment (TOE) framework. Data collected from 115 participants is used to test the conceptual model. The findings from our study indicate that relative advantage, complexity, technology competence and top management support are the key determinants for organizations to adopt globally distributed component-based software development practices. The assessment of both the direct and total effects of the determinants offers insight into the organization’s decision to adopt globally distributed component-based software development practices.
Conference Paper
Using cloud services empowers organizations to achieve various financial and technical benefits. Nonetheless, customers are faced with a lack of control since they cede control over their IT resources to the cloud providers. Independent third party assessments have been recommended as good means to counteract this lack of control. However, current third party assessments fail to cope with an ever-changing cloud computing environment. We argue that continuous auditing by third parties (CATP) is required to assure continuously reliable and secure cloud services. Yet, continuous auditing has been applied mostly for internal purposes, and adoption of CATP remains lagging behind. Therefore, we examine the adoption process of CATP by building on the lenses of diffusion of innovations theory as well as conducting a scientific database search and various interviews with cloud service experts. Our findings reveal that relative advantages, a high degree of compatibility and observability of CATP would strongly enhance adoption, while a high complexity and a limited trialability might hamper diffusion. We contribute to practice and research by advancing the understanding of the CATP adoption process by providing a synthesis of relevant attributes that influence adoption rate. More importantly, we provide recommendations on how to enhance the adoption process.
Article
Cloud computing (CC) is an emerging form of IT outsourcing (ITO) that requires organizations to adjust their sourcing processes. Although ITO researchers have established an extensive knowledge base on the determinant factors that drive sourcing decisions from various theoretical perspectives, the majority of research on cloud-sourcing decisions focuses on technological aspects. We reviewed the CC and ITO literature and systematically coded the determinant factors that influence sourcing decisions. We show that most determinant factors of sourcing decisions in the ITO context remain valid for the CC context. However, the findings for some factors (i.e., asset specificity, client firm IT capabilities, client firm size, institutional influences, and uncertainty) are inconclusive for the CC and ITO contexts. We discuss how the peculiarities of CC can explain these inconclusive findings. Our results indicate that CC researchers should draw from research on ITO decision making but re-examine ITO concepts in the light of the peculiarities of CC, such as the differences between software and infrastructure services, the self-service procurement of cloud services, or the evolving role of IT departments. By summarizing determinant factors of cloud-sourcing decisions for consideration in future research, we contribute to the development of endogenous theories in the IS domain.
Conference Paper
Numerous cloud service certifications (CSCs) are emerging in practice. However, in their striving to establish the market standard, CSC initiatives proceed independently, resulting in a disparate collection of CSCs that are predominantly proprietary, based on various standards, and differ in terms of scope, audit process, and underlying certification schemes. Although literature suggests that a certification's design influences its effectiveness, research on CSC design is lacking and there are no commonly agreed structural characteristics of CSCs. Informed by data from 13 expert interviews and 7 cloud computing standards, this paper delineates and structures CSC knowledge by developing a taxonomy for criteria to be assessed in a CSC. The taxonomy consists of 6 dimensions with 28 subordinate characteristics and classifies 328 criteria, thereby building foundations for future research to systematically develop and investigate the efficacy of CSC designs as well as providing a knowledge base for certifiers, cloud providers, and users.
Article
Although intended to ensure cloud service providers' security, reliability, and legal compliance, current cloud service certifications are quickly outdated. Dynamic certification, on the other hand, provides automated monitoring and auditing to verify cloud service providers' ongoing adherence to certification requirements.
Article
Cloud service certifications (CSC) attempt to assure a high level of security and compliance. However, considering that cloud services are part of an ever-changing environment, multi-year validity periods may put in doubt reliability of such certifications. We argue that continuous auditing (CA) of selected certification criteria is required to assure continuously reliable and secure cloud services, and thereby increase trustworthiness of certifications. CA of cloud services is still in its infancy, thus, we conducted a thorough literature review, interviews, and workshops with practitioners to conceptualize an architecture for continuous cloud service auditing. Our study shows that various criteria should be continuously audited. Yet, we reveal that most of existing methodologies are not applicable for third party auditing purposes. Therefore, we propose a conceptual CA architecture, and highlight important components and processes that have to be implemented. Finally, we discuss benefits and challenges that have to be tackled to diffuse the concept of continuous cloud service auditing. We contribute to knowledge and practice by providing applicable internal and third party auditing methodologies for auditors and providers, linked together in a conceptual architecture. Further on, we provide groundings for future research to implement CA in cloud service contexts.
Article
Often, signaling research in the strategy and economics literature postulates the existence of an ostensible signal and then empirically tests its veracity, utilizing cross-sectional data. We argue that this static approach does not allow researchers to fully incorporate the concept of equilibrium in their analysis, thereby potentially violating a key axiom of signaling theory. We propose that a dynamic analysis of signals can address this omission, and then conduct such an analysis. We use empirical data on warranty coverage offered by automobile manufacturers in the U.S. market extending from the first warranty offered by the industry in 1960 through to 2008. Our findings support the notion that signaling behavior differs in periods of equilibrium and disequilibrium, in turn influencing signal accuracy. Copyright © 2013 John Wiley & Sons, Ltd.