An Empirical Analysis of the Factors Driving Organizational Satisfaction with Security-as-a-Service
Full text | |||
Source | Journal of Information Systems Security Volume 19, Number 1 (2023)
Pages 19–55
ISSN 1551-0123 (Print)ISSN 1551-0808 (Online) |
||
Authors | Ali Vedadi — University of Tennessee, Knoxville, USA
Timothy Greer — Middle Tennessee State University, USA
Nita Brooks — Middle Tennessee State University, USA
|
||
Publisher | Information Institute Publishing, Washington DC, USA |
Abstract
Among the various options for cloud services, security-as-a-service (SecaaS) is gaining significant momentum. Regarding the fact that cybersecurity has become a core business requirement and with the ever-growing expansion of IT security threats and shortage of qualified cybersecurity experts, SecaaS is destined to play a pivotal role in managing security across organizations. However, despite the various technological capabilities of SecaaS, addressing the challenges associated with this model, such as integration issues and the need for proper governance and mindful adoption, is required for satisfaction beyond the initial adoption. By proposing an integrative theoretical framework, we developed a research model and tested the research hypotheses by employing key informant methodology and collected data from 215 organizations from over 11 industries in the U.S. that employed the SecaaS model. Results showed that SecaaS technological capabilities, integration capabilities, and mindfulness are influential factors in determining satisfaction with SecaaS and its continued use. The findings are presented along with a discussion of implications for both theory and practice.
Keywords
Security-as-a-Service (SecaaS), Cloud Computing, Information Security, Satisfaction, Integration, Mindfulness, Key Informants.
References
Aggarwal, R., Kryscynski, D., Midha, V., and Singh, H. (2015). Early to adopt and early to discontinue: The impact of self-perceived and actual IT knowledge on technology use behaviors of end users. Information Systems Research, 26(1), 127-144.
Ali, M., Khan, S. U., and Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information Sciences, 305, 357-383.
Alzadjali, K., and Elbanna, A. (2020). Smart institutional intervention in the adoption of digital infrastructure: The case of government cloud computing in Oman. Information Systems Frontiers, 22(2), 365-380.
Bachlechner, D., Thalmann, S., and Maier, R. (2014). Security and compliance challenges in complex IT outsourcing arrangements: A multi-stakeholder perspective. Computers & Security, 40, 38-59.
Bagozzi, R. P. and Yi, Y. (1988). On the evaluation of Structural Equation Models. Journal of the Academy of Marketing Science, 16(1), 74–94.
Bendiab, G., Shiaeles, S., Boucherkha, S., and Ghita, B. (2019). FCMDT: A novel fuzzy cognitive maps dynamic trust model for cloud federated identity management. Computers & Security, 86, 270-290.
Benlian, A. and Hess, T. (2011). Opportunities and risks of software-as-a-service: Findings from a survey of IT executives. Decision Support Systems, 52(1), 232-246.
Benlian, A., Koufaris, M., and Hess, T. (2011). Service quality in software-as-a-service: Developing the SaaS-Qual measure and examining its role in usage continuance. Journal of Management Information Systems, 28(3), 85-126.
Benlian, A., Kettinger, W. J., Sunyaev, A., Winkler, T. J., and guest editors. (2018). The transformative value of cloud computing: a decoupling, platformization, and recombination theoretical framework. Journal of Management Information Systems, 35(3), 719-739.
Bhattacherjee, A. (2001). Understanding information systems continuance: an expectation-confirmation model. MIS Quarterly, 25(3), 351-370.
Bhattacherjee, A. and Park, S. C. (2014). Why end-users move to the cloud: a migration-theoretic analysis. European Journal of Information Systems, 23(3), 357-372.
Bhattacherjee, A., and Lin, C. P. (2015). A unified model of IT continuance: three complementary perspectives and crossover effects. European Journal of Information Systems, 24(4), 364-373.
Bollen, K., and Lennox, R. (1991). Conventional wisdom on measurement: A structural equation perspective. Psychological Bulletin, 110(2), 305-314.
Bui, QN., Leo, E., and Adelakun, O. (2019). Exploring complexity and contradiction in information technology outsourcing: A set-theoretical approach. The Journal of Strategic Information Systems, 28(3), 330-355.
Butler, B. S. and Gray, P. H. (2006). Reliability, mindfulness, and information systems. MIS Quarterly, 30(2), 211-224.
Byrne (2018), SecaaS is where it’s at: Why security-as-a-service is the next big thing. Available at: https://securityintelligence.com/navigate-the-shifting-threat-landscape-with-security-as-a-service/.
Chan, F. K., Thong, J. Y., Venkatesh, V., Brown, S. A., Hu, P. J., and Tam, K. Y. (2010). Modeling citizen satisfaction with mandatory adoption of an e-government technology. Journal of the Association for information systems, 11(10), 519-549.
Chang, Y., Wong, S. F., Eze, U., and Lee, H. (2019). The effect of IT ambidexterity and cloud computing absorptive capacity on competitive advantage. Industrial Management and Data Systems, 119(3), 613-638.
Chin, W. W. (1998). Commentary: Issues and opinion on Structural Equation Modeling. MIS Quarterly, 22(1), xii-xvi.
Chin, W. W. and Newsted, P. R. (1999). Structural equation modeling analysis with small samples using partial least squares. Statistical Strategies for Small Sample Research, 1(1), 307-341.
Choudhary, V. and Vithayathil, J. (2013). The impact of cloud computing: Should the IT department be organized as a cost center or a profit center? Journal of Management Information Systems, 30(2), 67-100.
Chou, S. W. and Chiang, C. H. (2013). Understanding the formation of software-as-a-service (SaaS) satisfaction from the perspective of service quality. Decision Support Systems, 56, 148-155.
Cleo (2020), The state of ecosystem & application integration report. Available at: https://resources.cleo.com/report-ecosystem-and-application-integration
Cloud Security Alliance (2016). Defined categories of security as a service. CSA Research Publications.
Cohen, J. (1988). Statistical power analysis for the behavioral sciences, Hillsdale, NJ: Lawrence Erlbaum.
Dhar, S. (2012). From outsourcing to Cloud computing: evolution of IT services. Management Research Review, 35(8), 664-675.
Dhillon, S. and Coss, D. L. (2019). Information privacy literature: issues and challenges. Journal of Information System Security, 15(3).
Diamantopoulos, A. and Siguaw, J. A. (2006). Formative versus reflective indicators in organizational measure development: A comparison and empirical illustration. British Journal of Management, 17(4), 263-282.
Duffany, J. L. and Velez, C. Y. (2018). A machine-learning based wireless intrusion detection system. Journal of Information System Security, 14(1).
Erigha, E. D., Ayo, F. E., Dada, O. O., and Folorunso, O. (2017). Intrusion detection system based on support vector machines and the two-phase bat algorithm. Journal of Information System Security, 13(3).
Fernandes, D.A.B.; Soares, L.F.B.; Gomes, J.V.; Freire, M.M.; and Inácio, P.R.M. (2014). Security issues in cloud environments: A survey. International Journal of Information Security, 13(2), 113–170.
Fornell, C. and Larcker, D. F. (1981). Structural equation models with unobservable variables and measurement error: algebra and statistics. Journal of Marketing Research, 18(3), 39-50.
Furfaro, A., Garro, A., and Tundis, A. (2014). Towards security as a service (SecaaS): On the modeling of security services for cloud computing. IEEE International Carnahan Conference on Security Technology, 1-6.
Furneaux, B. and Wade, M. (2011). An exploration of organizational level information systems discontinuance intentions. MIS Quarterly, 35(3), 573-598.
Gardner, J. W., Boyer, K. K., and Ward, P. T. (2017). Achieving time-sensitive organizational performance through mindful use of technologies and routines. Organization Science, 28(6), 1061-1079.
Gericke, A., Klesse, M., Winter, R., and Wortmann, F. (2010). Success factors of application integration: an exploratory analysis. Communications of the Association for Information Systems, 27(1), 37.
Getov, V. (2012). Security as a service in smart clouds--opportunities and concerns. IEEE 36th Annual Computer Software and Applications Conference. 373-379.
Goel, S., Garnsey, M., Liu, Q., and Fisher, I. (2016). A perspective on the evolution of information system security audits: Challenges and implications. Journal of Information System Security, 12(1).
Goode, S., Lin, C., Tsai, J. C., and Jiang, J. J. (2015). Rethinking the role of security in client satisfaction with Software-as-a-Service (SaaS) providers. Decision Support Systems, 70, 73-85.
Grandinetti, L. (2013). Pervasive cloud computing technologies: future outlooks and interdisciplinary perspectives. Information Science Reference. IGI Global. Hershey, PA.
Hair, J. F., Ringle, C. M., and Sarstedt, M. (2011). PLS-SEM: Indeed a silver bullet. Journal of Marketing Theory and Practice, 19(2), 139-152.
Henseler, J., Ringle, C. M., and Sarstedt, M. (2015). A new criterion for assessing discriminant validity in variance-based structural equation modeling. Journal of the Academy of Marketing Science, 43(1), 115-135.
Ho, S. M., Ocasio-Velázquez, M., and Booth, C. (2017). Trust or consequences? Causal effects of perceived risk and subjective norms on cloud technology adoption. Computers & Security, 70, 581-595.
Homburg, C., Klarmann, M., Reimann, M., and Schilke, O. (2012). What drives key informant accuracy? Journal of Marketing Research, 49(4), 594-608.
Hsu, P. F. (2020). A Deeper look at cloud adoption trajectory and dilemma. Information Systems Frontiers, 1-18.
Huber, T. L., Fischer, T. A., Dibbern, J., and Hirschheim, R. (2013). A process model of complementarity and substitution of contractual and relational governance in IS outsourcing. Journal of Management Information Systems, 30(3), 81-114.
IBM (2020). Security response planning on the rise, but containing attacks remains an issue. Available at: https://newsroom.ibm.com/2020-06-30-IBM-Study-Security-Response-Planning-on-the-Rise-But-Containing-Attacks-Remains-an-Issue
Ibrahim, F. A. and Hemayed, E. E. (2019). Trusted cloud computing architectures for infrastructure as a service: Survey and systematic literature review. Computers & Security, 82, 196-226.
Info Security Magazine (2019), Cybersecurity skills shortage carries big national security risk. Available at: https://www.infosecuritymagazine.com/news/cybersecurity-skills-shortage
ISACA (2013), Security as a service: Business benefits with security, governance and assurance perspectives. ISACA Cloud Vision Series Whitepaper.
Joe-Wong, C. and Sen, S. (2018). Harnessing the power of the cloud: Revenue, fairness, and cloud neutrality. Journal of Management Information Systems, 35(3), 813-836.
Kathuria, A., Mann, A., Khuntia, J., Saldanha, T. J., and Kauffman, R. J. (2018). A strategic value appropriation path for cloud computing. Journal of Management Information Systems, 35(3), 740-775.
Khoumbati, K., Themistocleous, M., and Irani, Z. (2006). Evaluating the adoption of enterprise application integration in healthcare organizations. Journal of Management Information Systems, 22(4), 69-108.
Kim, D. J., Ferrin, D. L., and Rao, H. R. (2009). Trust and satisfaction, two stepping stones for successful e-commerce relationships: A longitudinal exploration. Information Systems Research, 20(2), 237-257.
Klein, R. and Rai, A. (2009). Interfirm strategic information flows in logistics supply chain relationships. MIS Quarterly, 33(4), 735-762.
Kock, N. (2015). Common method bias in PLS-SEM: A full collinearity assessment approach. International Journal of e-Collaboration, 11(4), 1-10.
Krancher, O., Luther, P., and Jost, M. (2018). Key affordances of platform-as-a-service: Self-organization and continuous feedback. Journal of Management Information Systems, 35(3), 776-812.
Kranz, J. J., Hanelt, A., and Kolbe, L. M. (2016). Understanding the influence of absorptive capacity and ambidexterity on the process of business model change–the case of on‐premise and cloud‐computing software. Information Systems Journal, 26(5), 477-517.
Kumar, P., Gupta, G. P., and Tripathi, R. (2021). An ensemble learning and fog-cloud architecture-driven cyber-attack detection framework for IoMT networks. Computer Communications, 166, 110-124.
Kung, L., Cegielski, C. G., and Kung, H. J. (2015). An integrated environmental perspective on software as a service adoption in manufacturing and retail firms. Journal of Information Technology, 30(4), 352-363.
Kushwah, G. S. and Ranga, V. (2021). Optimized extreme learning machine for detecting DDoS attacks in cloud computing. Computers & Security, 105, 102260.
Kwon, J. and Johnson, M. E. (2013). Healthcare security strategies for data protection and regulatory compliance. Journal of Management Information Systems, 30(2), 41-66.
Lacity, M. C., Khan, S. A., and Willcocks, L. P. (2009). A review of the IT outsourcing literature: Insights for practice. The Journal of Strategic Information Systems, 18(3), 130-146.
Lacity, M. C., Khan, S., Yan, A., and Willcocks, L. P. (2010). A review of the IT outsourcing empirical literature and future research directions. Journal of Information Technology, 25(4), 395-433.
Lansing, J., Benlian, A., and Sunyaev, A. (2018). Unblackboxing decision makers’ interpretations of is certifications in the context of cloud service certifications. Journal of the Association for Information Systems, 19(11), 1064-1096.
Lansing, J., Siegfried, N., Sunyaev, A., and Benlian, A. (2019). Strategic signaling through cloud service certifications: Comparing the relative importance of certifications’ assurances to companies and consumers. The Journal of Strategic Information Systems, 28(4), 101579.
LeBreton, J. M., and Tonidandel, S. (2008). Multivariate relative importance: extending relative weight analysis to multivariate criterion spaces, Journal of Applied Psychology, 93(1), 329-345.
Lee, S. J., Shim, H. Y., Lee, Y. R., Park, T. R., Park, S. H., and Lee, I. G. (2021). Study on systematic ransomware detection techniques. 23rd International Conference on Advanced Communication Technology (ICACT), IEEE, 297-301.
Liang, Y., Qi, G., Zhang, X., and Li, G. (2019). The effects of e-Government cloud assimilation on public value creation: An empirical study of China. Government Information Quarterly, 36(4), 101397.
Lim, M. K., Xiong, W., and Wang, C. (2021). Cloud manufacturing architecture: a critical analysis of its development, characteristics and future agenda to support its adoption. Industrial Management & Data Systems, 121(10), 2143-2180.
Limayem, M., Hirt, S. G., and Cheung, C. M. (2007). How habit limits the predictive power of intention: The case of information systems continuance. MIS Quarterly, 31(4), 705-737.
Lioliou, E., Zimmermann, A., Willcocks, L., and Gao, L. (2014). Formal and relational governance in IT outsourcing: Substitution, complementarity and the role of the psychological contract. Information Systems Journal, 24(6), 503-535.
Liu, V. and Khalifa, M. (2003). Determinants of satisfaction at different adoption stages of Internet-based services. Journal of the Association for Information Systems, 4(1), 206-232.
Liu, S., Yang, Y., Qu, W. G., and Liu, Y. (2016). The business value of cloud computing: the partnering agility perspective. Industrial Management & Data Systems,116(6), 1160-1177.
Liu, Y., Dong, S., Wei, J., and Tong, Y. (2020). Assessing cloud computing value in firms through socio-technical determinants. Information & Management, 57(8), 103369.
Loukis, E., Janssen, M., and Mintchev, I. (2019). Determinants of software-as-a-service benefits and impact on firm performance. Decision Support Systems, 117, 38-47.
Lowry, P. B., Dinev, T., and Willison, R. (2017). Why security and privacy research lies at the centre of the information systems (IS) artefact: Proposing a bold research agenda. European Journal of Information Systems, 26(6), 546-563.
Malladi, S. and Krishnan, M. S. (2012). Cloud computing adoption and its implications for CIO strategic focus - An empirical analysis. Proceedings of the International Conference on Information System.
Marotta, A. and Madnick, S. (2020). Perspectives on the Relationship between Compliance and Cybersecurity. Journal of Information System Security, 16(3), 151-177.
Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., and Ghalsasi, A. (2011). Cloud computing – The business perspective. Decision Support Systems, 51(1), 176-189.
Mell, P. and Grance, T. (2011). The NIST definition of cloud computing. Available at: https://csrc.nist.gov/publications/detail/sp/800-145/final
Mordor Intelligence (2020), Security-as-a-service (secaas) market - growth, trends, covid-19 impact, and forecasts. Available at: https://www.mordorintelligence.com/industry-reports/security-as-a-service-market.
Mohajeri, K., Mesgari, M., and Lee, A. S. (2020). When statistical significance is not enough: Investigating relevance, practical significance, and statistical significance. MIS Quarterly, 44(2), 525-559.
Nair, K. K., Helberg, A., and van der Merwe, J. (2017). Towards a robust fingerprint authentication system protocol. Journal of Information System Security, 13(1).
Netemeyer, R. G., Bearden, W. O., and Sharma, S. (2003). Scaling procedures: Issues and applications. Sage Publications.
Neto, N. N., Madnick, S., de Paula, A. M. G., and Malara Borges, N. (2021). A case study of the capital one data breach: why didn't compliance requirements help prevent it? Journal of Information System Security, 17(1).
Okta (2016). Businesses @ Work. https://www.okta.com/businesses-at-work/2016-03
Olavsrud, Thor (2017). Security-as-a-service model gains traction. https://www.cio.com/article/3192649/security-as-a-service-model-gains-traction.html
Oliveira, T., Thomas, M., and Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51(5), 497-510.
Oredo, J. O. and Njihia, J. M. (2015). Mindfulness and quality of innovation in cloud computing adoption. International Journal of Business and Management, 10(1), 144.
Oshri, I., Kotlarsky, J., and Gerbasi, A. (2015). Strategic innovation through outsourcing: The role of relational and contractual governance. The Journal of Strategic Information Systems, 24(3), 203-216.
Patil, R., Dudeja, H., and Modi, C. (2019). Designing an efficient security framework for detecting intrusions in virtual network of cloud computing. Computers & Security, 85, 402-422
Petter, S., Straub, D., and Rai, A. (2007). Specifying formative constructs in information systems research. MIS Quarterly, 31(4), 623-656.
Podsakoff, P. M., MacKenzie, S. B., Lee, J. Y., and Podsakoff, N. P. (2003). Common method biases in behavioral research: a critical review of the literature and recommended remedies. Journal of Applied Psychology, 88(5), 879.
Rai, A., Arikan, I., Pye, J., and Tiwana, A. (2015). Fit and misfit of plural sourcing strategies and IT-enabled process integration capabilities: consequences of firm performance in the US electric utility industry. MIS Quarterly, 39(4), 865-886.
Research and Markets Report (2020). Cloud computing market by service model. https://www.researchandmarkets.com/reports/5136796/cloud-computing-market-by-service-model.
Retana, G. F., Forman, C., Narasimhan, S., Niculescu, M. F., and Wu, D. J. (2018). Technology support and post-adoption IT service use: Evidence from the cloud. MIS Quarterly, 42(3), 961-978.
Roberts, N. and Thatcher, J. (2009). Conceptualizing and testing formative constructs: Tutorial and annotated example. ACM SIGMIS Database: the DATABASE for Advances in Information Systems, 40(3), 9-39.
Schneider, S. and Sunyaev, A. (2016). Determinant factors of cloud-sourcing decisions: reflecting on the IT outsourcing literature in the era of cloud computing. Journal of Information Technology, 31(1), 1-31.
Schueller, Q., Basu, K., Younas, M., Patel, M., and Ball, F. (2018). A hierarchical intrusion detection system using support vector machine for SDN network in cloud data center. The 28th International Telecommunication Networks and Applications Conference, IEEE, 1-6.
Senk, C. (2013). Adoption of security as a service. Journal of Internet Services and Applications, 4(1), 1-16.
Sharma, D. H., Dhote, C. A., and Potey, M. M. (2013). Security-as-a-service from clouds: A comprehensive analysis. International Journal of Computer Applications, 67(3), 15-18.
Sharma, P., Sarstedt, M., Shmueli, G., Kim, K. H., and Thiele, K. O. (2019). PLS-based model selection: the role of alternative explanations in information systems research. Journal of the Association for Information Systems, 20(4), 346-397.
Smith, G. (2018). The intelligent solution: automation, the skills shortage and cyber-security. Computer Fraud & Security, (8), 6-9.
Son, I., Lee, D., Lee, J. N., and Chang, Y. B. (2014). Market perception on cloud computing initiatives in organizations: An extended resource-based view. Information & Management, 51(6), 653-669.
Spears, J. L. and Barki, H. (2010). User participation in information systems security risk management. MIS Quarterly, 34(3), 503-522.
Sykes, T. A. and Venkatesh, V. (2017). Explaining post-implementation employee system use and job performance: impacts of the content and source of social network ties. MIS Quarterly, 41(3), 917-936.
Tang, C. and Liu, J. (2015). Selecting a trusted cloud service provider for your SaaS program. Computers & Security, 50, 60-73.
Tourani, R., Bos, A., Misra, S., and Esposito, F. (2019). Towards security-as-a-service in multi-access edge. In Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, 358-363.
Trenz, M., Huntgeburth, J. C., and Veit, D. (2013). The role of uncertainty in cloud computing continuance: Antecedents. mitigators, and consequences, Proceedings of European Conference on Information Systems, 147-147.
Tukur, Y. M., Thakker, D., and Awan, I. U. (2021). Edge‐based blockchain enabled anomaly detection for insider attack prevention in Internet of Things. Transactions on Emerging Telecommunications Technologies, 32(6), e4158.
Vedadi, A. and Warkentin, M. (2016). Continuance intention on using mobile banking applications: A replication study of information systems continuance model. AIS Transactions on Replication Research, 2(1), 1-11.
Venters, W. and Whitley, E. A. (2012). A critical review of cloud computing: researching desires and realities. Journal of Information Technology, 27(3), 179-197.
Vo, T. H., Fuhrmann, W., Fischer-Hellmann, K. P., and Furnell, S. (2019). Identity-as-a-service: An adaptive security infrastructure and privacy-preserving user identity for the cloud environment. Future Internet, 11(5), 116
Vithayathil, J. (2018). Will cloud computing make the Information Technology (IT) department obsolete? Information Systems Journal, 28(4), 634-649.
Wang, W., and Yongchareon, S. (2020). Security-as-a-service: a literature review. International Journal of Web Information Systems, 16(5), 493-517.
Wei, H. L., Wang, E. T., and Ju, P. H. (2005). Understanding misalignment and cascading change of ERP implementation: a stage view of process analysis. European Journal of Information Systems, 14(4), 324-334.
Weick, K. E., K. M. Sutcliffe, and D. Obstfeld (1999). Organizing for high reliability: Process of collective mindfulness. Research in Organizational Behavior, 21, 81–123
Winkler, T. J. and Brown, C. V. (2013). Horizontal allocation of decision rights for on-premise applications and software-as-a-service. Journal of Management Information Systems, 30(3), 13-48.
Wong, C. W. Y., Lai, K.-H., and Teo, T. S. H. (2009). Institutional pressures and mindful IT management: The case of a container terminal in china, Information & Management, 46(8), 434-441.
Xiao, X. Sarker, S., Wright, R., Sarker, S. and Mariadoss, B.J. (2020). Commitment and replacement of existing SaaS-delivered applications: A mixed-methods investigation. MIS Quarterly, 44(4), 1811-1857.
Zamani, E. D. and Pouloudi, N. (2020). Generative mechanisms of workarounds, discontinuance and reframing: a study of negative disconfirmation with consumerised IT. Information Systems Journal, 31(3), 384–428
Zhang, X. and Yue, W.T. (2020). Integration of on-premises and cloud-based software: The product bundling perspective, Journal of the Association for Information Systems, 21(6), 1507-1551.