This article was downloaded by: [Northeastern University]
On: 25 November 2014, At: 12:22
Publisher: Routledge
Informa Ltd Registered in England and Wales Registered Number: 1072954
Registered office: Mortimer House, 37-41 Mortimer Street, London W1T 3JH, UK

Journal of Global Information Technology Management
Publication details, including instructions for authors and subscription information: http://www.tandfonline.com/loi/ugit20

IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing
Roberto Vinaja (a)
(a) Texas A&M University-San Antonio
Published online: 07 Jul 2014.

To cite this article: Roberto Vinaja (2013) IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing, Journal of Global Information Technology Management, 16:3, 82-84, DOI: 10.1080/1097198X.2013.10845644

To link to this article: http://dx.doi.org/10.1080/1097198X.2013.10845644

Taylor & Francis makes every effort to ensure the accuracy of all the information (the "Content") contained in the publications on our platform. However, Taylor & Francis, our agents, and our licensors make no representations or warranties whatsoever as to the accuracy, completeness, or suitability for any purpose of the Content. Any opinions and views expressed in this publication are the opinions and views of the authors, and are not the views of or endorsed by Taylor & Francis. The accuracy of the Content should not be relied upon and should be independently verified with primary sources of information. Taylor and Francis shall not be liable for any losses, actions, claims, proceedings, demands, costs, expenses, damages, and other liabilities whatsoever or howsoever caused arising directly or indirectly in connection with, in relation to or arising out of the use of the Content.

This article may be used for research, teaching, and private study purposes. Any substantial or systematic reproduction, redistribution, reselling, loan, sub-licensing, systematic supply, or distribution in any form to anyone is expressly forbidden. Terms & Conditions of access and use can be found at http://www.tandfonline.com/page/terms-and-conditions

IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing


Book Review

Reviewed by:

Roberto Vinaja, Texas A&M University-San Antonio, [email protected]

IT Security Risk Management: Perceived IT Security Risks in the Context of Cloud Computing.

By Tobias Ackermann

Springer Fachmedien Wiesbaden, Germany; 2013, 190 pages. ISBN-13: 978-3-658-01114-7

Cloud computing has experienced unprecedented growth that is projected to continue. However, recent security incidents in cloud computing systems have increased awareness of the importance of IT security. IT security risk is a major factor in decisions related to outsourcing and cloud computing adoption. This book concerns Dr. Ackermann's study of the effect of IT security risks on cloud computing adoption decisions.

In Chapter 2 Ackermann explains the fundamental concepts of cloud computing and its three service delivery models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS). In the next section, he introduces the basic concepts of risk and perceived risk. The study is based on the four phases of the IT risk management process: identification, quantification, treatment, and monitoring/evaluation. Dr. Ackermann also reviews existing studies on the risks of IT outsourcing, application service provision, and cloud computing.

The most important contribution of this book is the development of a multidimensional measurement scale for the Perceived IT Security Risk (PITSR) construct. The development process had five steps: 1) a structured literature review to identify relevant studies, followed by a content analysis to produce a novel, comprehensive and systematic list of security risks; 2) the Q-sort method (using judges to assess construct validity and reliability) to confirm the clustering of individual risks into risk dimensions; 3) interviews with IT security experts to refine the scale; 4) construct conceptualization and model specification using Covariance Structure Analysis in LISREL; 5) a survey among 6,000 German companies to empirically operationalize the instrument and validate its discriminant validity and construct reliability.

82 JGITM, Vol 16, No 3, July 2013


Ackermann uses a framework that identifies 31 risk items classified into six dimensions based on qualities of IT security found in the IT literature. Decision makers can use this checklist to identify IT outsourcing risks and evaluate providers and, during the risk-monitoring phase, to compare actual losses against estimated losses and probabilities. Providers can use the framework to develop strategies to mitigate risk. Ackermann identified five new security risks of cloud computing that are related to internal in-house systems. The following is a brief summary of the six risk dimensions and their associated risks.

Confidentiality is defined as information being accessible only by authorized users, and includes the following risks: the supplier looking at sensitive data, disclosure of internal system data, insufficient protection against eavesdropping, and eavesdropping on communications.

Integrity includes these risks: manipulation of transferred data, intentional or accidental data manipulation on the provider side, accidental modification of transferred data, and data modification in internal systems.

Availability, defined as services being delivered on request, has risks that include service discontinuity, unintentional downtime, attacks against availability, loss of data access, data loss on the provider's side, and unavailability of internal systems.

Performance, defined as usage speed that meets customer requirements, includes these risks: network performance problems, limited scalability, deliberate underperformance, and internal systems performance issues.

Accountability, meaning that all actions can be assigned to an identifiable user, is exposed to identity theft, insufficient user separation and action logging, unauthorized access, and missing internal systems logging.

Maintainability, meaning assurance of adaptability and support, includes these risks: limited customization and data import, incompatibility with new technologies or business processes, limiting proprietary technologies, insufficient maintenance, and unfavorably timed updates.

Ackermann proposes risk treatment options for each dimension, including encryption, intrusion detection systems, redundant systems, backups, load balancing, packet filtering, duplication of critical components, mirroring, distributed data replication, digital certificates, logs, digital signatures, and trusted timestamps.

IT experts participating in the survey considered all risk dimensions to be significant, but they rated confidentiality, availability, and accountability as the most influential. They gave the highest ratings to these risks: a supplier looking at sensitive data, unintentional downtime, disclosure of internal system data, attacks against availability, disclosure of data by the provider, and identity theft. Some of the top security risks are related to the provider and cannot be eliminated by technical measures; Ackermann therefore argues that it is important to build a trust relationship between partners by negotiating flexible contracts and service-level agreements, to define measurable metrics, and to obtain certification from an independent third-party assurance organization.

This study makes an important contribution to the IT security and IT risk literature by providing empirical evidence of the strong relationship between PITSR and the intention to increase adoption. Previous studies have shown that IT security risk has an effect on perceived negative utility (reservations against adoption). This study shows that PITSR has a double negative effect on adoption intentions: it also has a detrimental or inhibiting effect on perceived positive utility, that is, the promised opportunities and advantages. Ackermann postulates that IT executives' perception of opportunities has a stronger influence on their adoption intentions than their perception of negative-utility risks.

Next, Ackermann introduces a model that aggregates the individual risk estimates into an overall probability distribution. He developed a decision support system that provides a graphical interface to the mathematical risk quantification model and can guide investment decisions by comparing alternative IT security scenarios. Dr. Ackermann applied the risk quantification framework to an existing real-life e-commerce pricing system scenario to quantify the risks and to compare two alternative levels of security. His sensitivity analysis shows that changes in the magnitude of the potential losses have a greater effect on the risk distribution than changes in probabilities. Therefore, decision makers should focus on the risks with the highest costs.

The simulation is very detailed; however, the model and the survey study are based on subjective perceived risks rather than calculated values of actual risk probability. Of course, estimating the probability of risks is a very difficult task. The author provides limited guidance on how to estimate these probabilities and only suggests that probability and cost parameters can be estimated from historical data. Other limitations, acknowledged by Dr. Ackermann, are that the model assumes that all analyzed risks are uncorrelated with one another and that the costs related to the risks are static rather than following a distribution function.
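The aggregation model and the two limitations just described (uncorrelated risks, static costs) can be made concrete with a small worked example. The Python below is added here for illustration and is not code from the book, its decision support system, or this review; the three risk items with their probabilities and losses are constructed, and the function names are the editor's own. It builds the exact total-loss distribution of independent Bernoulli risk items by convolution, reads off the expected loss and a high percentile, and compares scaling one item's loss by 50% against scaling the same item's probability by 50%.

```python
"""Added example (not from the book or the review): exact aggregation of
independent risk items into a total-loss distribution, plus a sensitivity
check comparing a change in loss magnitude with a change in probability.
All names, numbers and the three risk items below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskItem:
    name: str
    dimension: str      # one of the six PITSR dimensions (label only)
    probability: float  # estimated annual probability of occurrence
    loss: float         # fixed loss if the risk materialises (the book's static-cost assumption)


def aggregate_loss_distribution(items):
    """Exact probability mass function of the total annual loss.

    Each item is a Bernoulli event with a fixed loss; items are assumed
    uncorrelated (the limitation the review points out), so the total-loss
    distribution is the convolution of the individual two-point distributions.
    Returns {total_loss: probability}.
    """
    dist = {0.0: 1.0}
    for item in items:
        nxt = {}
        for total, p in dist.items():
            nxt[total] = nxt.get(total, 0.0) + p * (1.0 - item.probability)
            hit = total + item.loss
            nxt[hit] = nxt.get(hit, 0.0) + p * item.probability
        dist = nxt
    return dist


def expected_loss(dist):
    """Mean of the total-loss distribution (annualised loss expectancy)."""
    return sum(total * p for total, p in dist.items())


def loss_at_percentile(dist, q):
    """Smallest total loss whose cumulative probability reaches q (e.g. 0.99)."""
    cumulative = 0.0
    for total in sorted(dist):
        cumulative += dist[total]
        if cumulative >= q:
            return total
    return max(dist)


def scaled(item, probability_factor=1.0, loss_factor=1.0):
    """Copy of item with probability and/or loss scaled (probability capped at 1)."""
    return RiskItem(item.name, item.dimension,
                    min(1.0, item.probability * probability_factor),
                    item.loss * loss_factor)


def sensitivity(items, name, factor, q):
    """Compare the q-percentile total loss when one item's loss is scaled by
    `factor` against the same item's probability being scaled by `factor`."""
    by_loss = [scaled(i, loss_factor=factor) if i.name == name else i for i in items]
    by_prob = [scaled(i, probability_factor=factor) if i.name == name else i for i in items]
    return {
        "baseline": loss_at_percentile(aggregate_loss_distribution(items), q),
        "loss_scaled": loss_at_percentile(aggregate_loss_distribution(by_loss), q),
        "probability_scaled": loss_at_percentile(aggregate_loss_distribution(by_prob), q),
    }


# Constructed sample register: three items drawn from three PITSR dimensions.
SAMPLE_RISKS = [
    RiskItem("supplier looks at sensitive data", "confidentiality", 0.10, 50_000.0),
    RiskItem("data loss on provider's side", "availability", 0.05, 200_000.0),
    RiskItem("network performance problems", "performance", 0.20, 10_000.0),
]

if __name__ == "__main__":
    dist = aggregate_loss_distribution(SAMPLE_RISKS)
    print(f"expected annual loss: {expected_loss(dist):,.0f}")
    print(f"99th-percentile loss: {loss_at_percentile(dist, 0.99):,.0f}")
    print(sensitivity(SAMPLE_RISKS, "data loss on provider's side", 1.5, 0.99))
```

In this constructed register both changes raise the expected annual loss to the same 22,000, yet only the loss change moves the 99th-percentile loss (from 210,000 to 310,000): a percentile-based risk measure is driven by how large the worst cases can get, which is the direction of the book's sensitivity finding, although the numbers here do not reproduce its scenario. Because the convolution treats every item as independent and every loss as a fixed number, correlated risks or loss distributions (the limitations the review notes) would require replacing the two-point per-item distribution with a joint or sampled one.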

This book presents an outstanding example of construct and instrument development that is relevant not only for IT security experts but for all IT professionals. Although the PITSR framework was designed to be used in the context of cloud computing, it can be applied as a baseline in the broader areas of IT security and IT outsourcing. While the book primarily addresses IT professionals who are interested in cloud computing and IT security, its frameworks will also appeal to readers interested in IT outsourcing and to members of the general IT community.

Roberto Vinaja is an Assistant Professor in the College of Business Administration, Texas A&M University-San Antonio. His research interests include Business Applications of IT and Decision Support Systems.
