1. No category

Towards the cloud - Tilburg University

Version 4.1
Towards the cloud
- THE ROLE OF TRUST AND PERCEIVED PRIVACY RISK ON THE ADOPTION OF
CLOUD COMPUTING -
Master Thesis Information Management
i
Version 4.1
Towards the cloud
- THE ROLE OF TRUST AND PERCEIVED PRIVACY RISK ON THE ADOPTION OF
CLOUD COMPUTING -
Master Thesis Information Management
R.J.W. Welten (Rob)
114565
[email protected]
09/11/2009
Version 4.1
PricewaterhouseCoopers
Tilburg University
System and Process Assurance
Faculty of Economics and Business Administration
ing. R.J.M. van Wesel (Rob)
Information Management
drs. ing. C. Meulendijks (Chiel)
prof. dr. W.J.A.M. van den Heuvel (Willem-Jan)
ii
Version 4.1
Preface
People have always dreamt about going towards the clouds. In the myth of Daedalus and Icarus
(written by Publius Ovidius Naso – 43 BC/17 AC), Daedalus builds wings for himself and his son Icarus
to escape from Minos on the island Crete1. Leonardo Da Vinci is considered the start of the history of
aviation. In the 15th century he designed something that looks like an airplane. Da Vinci made a total
of 400 sketches of machines that were designed to get airborne.
Another way of going towards the clouds is by skyscraper. The Egyptians were the first to build high.
With a height of 146 meter, the pyramid of Cheops was found the tallest building for 4000 years.
Now, the clouds are touched by numerous buildings. In present time, the highest building is the Burj
Dubai in Dubai. This building reaches 818 meters.
Nowadays, people have found another way of going towards the clouds: cloud computing. Although
acrophobia (fear of heights) is no issue with this way of going towards the cloud, other fears might
play a part with this technology.
This master thesis focuses on some of these other ‘fears’. It provides insight on the effects of
perceived privacy risks and trusting beliefs on the adoption of cloud computing.
I could not have achieved this master thesis without the contributions and support of others. First, I
would like to thank Willem-Jan van den Heuvel for supervising, and supporting me during process of
the master thesis. His contributions have been essential for the establishment of this master thesis.
Also I would like to thank PricewaterhouseCoopers for facilitating the internship and providing a
pleasant working atmosphere. In particular I would like to thank Rob van Wesel and Chiel
Meulendijks for their supervision, discussions, and positiveness. Second I would like to thank Roy van
Helden, Roy Stroek, Erik van Overveld and Danny Graus for their critique, support, and fun during the
internship. Thirdly, I would like to thank all the colleagues of Assurance and Advisory for their
support in any possible way.
The case studies that are conducted are an essential part of this master thesis. I would like to thank
CEVA logistics represented by Marc Schmitz, PricewaterhouseCoopers Global Technology Solutions
represented by Ronald Hunse and Gerrit Zevenbergen, and I-bridge Nederland represented by Kees
van Wijk for sharing their knowledge.
Finally, I would like to thank my friends and family for their unconditional support.
Rob Welten, Eindhoven, October 2009
1
http://thanasis.com/icarus.htm
I
Version 4.1
Abstract
2009 is called the year of cloud computing by many industry vendors and analysts. “Analysts
estimate that within the next five years, the global market for cloud computing will grow to $95
billion and that 12 percent of the worldwide software market will move to the cloud in that period”
(Bruening and Treacy, 2009). Cloud computing offers a lot of opportunities. In spite of the
opportunities, there is much vagueness surrounding cloud computing. IT managers wonder whether
cloud computing is a hype. This is being supported by many doubts in the media on privacy and trust
related issues.
In academic research, publications can be found that emphasize the risk of privacy issues when using
cloud computing. Next to that, trust is also discussed in academic literature as having an impact on
the acceptance of cloud computing. To the best of our knowledge, little research has been conducted
on the impact of privacy issues and of trust on the adoption of cloud computing.
This research project studies the role of trust and perceived privacy risks on the adoption of cloud
computing. Cloud computing is defined by this research project as “a nascent business and
technology concept with different meanings for different people.” (Lin et al., 2009). Three groups of
people are distinguished by this definition: application and IT users, Internet application developers,
and infrastructure providers and administrators. The objective of this research project is to provide
insight on the effects of perceived privacy risks and trust on the adoption of cloud computing in
general, and to examine trust enhancing, and privacy risk reducing interventions to encourage the
adoption of cloud computing.
This objective is being achieved by conducting a literature review which results in several
hypotheses. The hypotheses cover the impact of trust and privacy risks on the perceived usefulness
of cloud computing, and covers several trust-building interventions and privacy risk reducing
interventions.
To test these hypotheses, three case studies are conducted. The cases were conversant with cloud
computing, and are in the process of considering whether to accept cloud computing for their
organization, or the cases have already passed this process.
The main conclusion is that both trust and perceived privacy risks have an impact on the adoption of
cloud computing. Not all interventions – both trust-building and privacy risk reducing – provided by
literature, have a positive effect on the adoption of cloud computing.
II
Version 4.1
List of figures
Figure
Title
Page number
Figure 1.1
Research project approach
4
Figure 2.1
The three-layer cloud architecture
8
Figure 3.1
The research model
14
Figure 3.2
The Technology Acceptance Model
15
Figure 3.3
PET-ladder
19
Figure 4.1
Basic types of designs for case studies
24
Figure 4.2
Case study method
25
Figure 4.3
Triangulation – three sources of evidence
26
Figure 5.1
Results on the research model
33
Figure B.1
The research model
47
Figure C.1
CEVA – IS&S Organization structure
55
Figure C.2
CEVA’s technology radar of July 2009
56
Figure D.1
PwC GTS Organization Chart
66
Table
Title
Page number
Table 1.1
Thesis structure
5
Table 5.1
Cross case conclusions – Hypotheses on trust
34
Table 5.2
Cross case conclusions – Hypotheses on privacy
35
Table 5.3
Cross case conclusions – Hypothesis on trust and privacy
35
Table A.1
Previous TAM research
44/45
Table F.1
Cross case conclusions – Hypotheses on trust
84
Table F.2
Cross case conclusions – Hypotheses on privacy
86
Table F.3
Cross case conclusions – Hypothesis on trust and privacy
88
List of tables
III
Version 4.1
List of abbreviations
CRM
Customer Relationship Management
EC2
Elastic Compute Cloud
HRM
Human Relationship Management
IaaS
Infrastructure as a Service
IP
Internet Protocol
IS
Information Systems
IT
Information Technology
ItaaS
IT as a Service
P3P
Platform for Privacy Preferences Project
Paas
Platform as a Service
PC
Personal Computer
PET
Privacy Enhancing Technologies
PwC
PricewaterhouseCoopers
PwC GTS
PricewaterhouseCoopers Global Technology Solutions
SaaS
Software as a Service
SLA
Service Level Agreement
SME
Small and Medium Enterprises
TAM
Technology Acceptance Model
TRA
Theory of Reasoned Action
UK
United Kingdom
USA
United States of America
IV
Version 4.1
Table of contents
Preface ......................................................................................................................................... I
Abstract ....................................................................................................................................... II
List of figures............................................................................................................................... III
List of tables................................................................................................................................ III
List of abbreviations .................................................................................................................... IV
Table of contents ......................................................................................................................... V
Chapter 1 Introduction............................................................................................................... 1
1.1 Research objective ........................................................................................................................ 2
1.2 Research question ......................................................................................................................... 2
1.3 Scope definition............................................................................................................................. 3
1.4 Research method .......................................................................................................................... 4
1.5 Thesis structure ............................................................................................................................. 5
Chapter 2 Theoretical baseline ................................................................................................... 6
2.1 Cloud computing ........................................................................................................................... 6
2.1.1 Definition of cloud computing................................................................................................ 7
2.1.2 Advantages of cloud computing............................................................................................. 8
2.1.3 Disadvantages of cloud computing ........................................................................................ 9
2.2 Trust............................................................................................................................................. 10
2.2.1 Initial trust ............................................................................................................................ 11
2.2.2 Trusting beliefs ..................................................................................................................... 11
2.3 Privacy ......................................................................................................................................... 11
2.3.1 Privacy defined ..................................................................................................................... 12
2.4 Summary...................................................................................................................................... 13
Chapter 3 TAM in the Cloud ..................................................................................................... 14
3.1 Technology Acceptance Model ................................................................................................... 14
3.2 Trust............................................................................................................................................. 15
3.3 Privacy ......................................................................................................................................... 17
3.4 Trust and Privacy ......................................................................................................................... 20
3.5 Summary...................................................................................................................................... 21
V
Version 4.1
Chapter 4 The case studies ....................................................................................................... 23
4.1 Case study introduction............................................................................................................... 23
4.2 Case study method...................................................................................................................... 24
4.2.1 Define and Design................................................................................................................. 25
4.2.2 Prepare, Collect, and Analyze............................................................................................... 26
4.2.3 Analyze and Conclude .......................................................................................................... 27
4.3 Case study 1: CEVA Logistics........................................................................................................ 28
4.3.1 Key findings .......................................................................................................................... 29
4.4 Case study 2: PricewaterhouseCoopers Global Technology Solutions ....................................... 30
4.4.1 Key findings .......................................................................................................................... 30
4.5 Case study 3: I-bridge .................................................................................................................. 31
4.5.1 Key findings .......................................................................................................................... 31
Chapter 5 Conclusions.............................................................................................................. 33
5.1 Results on the hypotheses .......................................................................................................... 33
5.2 Answer to the research question ................................................................................................ 35
5.3 Limitations and future research .................................................................................................. 36
Bibliography............................................................................................................................... 37
Appendix A Previous TAM research .......................................................................................... 44
Appendix B Data collection protocol......................................................................................... 46
Appendix C Individual case report: CEVA Logistics..................................................................... 54
Appendix D Individual case report: PricewaterhouseCoopers Global Technology Solutions ........ 65
Appendix E Individual case report: I-bridge............................................................................... 75
Appendix F Cross case report ................................................................................................... 83
VI
Version 4.1
Chapter 1
Introduction
October 20, 1969 – California. The first attempt to log in to a computer network of two computers is
being made between the Stanford Research Institute and the University of California. The team
attempted to send the simple message ‘log’ from one computer to another. But before the full
message could be sent, the computer crashed and had to be restarted. Result: the first message ever
to be sent through the Internet was a merry ‘lo’.
Forty years later, the Internet is no longer just a communication medium. Nowadays, users are able
to execute applications and access data on demand from the Internet (the ‘cloud’) anywhere in the
world. This is being referred to as ‘cloud computing’.
2009 is called the year of cloud computing by many industry vendors and analysts (Miller, 2008;
Vouk, 2008). “Analysts estimate that within the next five years, the global market for cloud
computing will grow to $95 billion and that 12 percent of the worldwide software market will move
to the cloud in that period” (Bruening and Treacy, 2009). Cloud computing offers a lot of
opportunities. It offers significant cost advantages: because services in the cloud use a ‘pay-as-yougo’ model, the investments in software and hardware as well as a life-cycle investment in
professional staff to maintain servers, and upgrade software are not needed any longer. Also,
companies can redirect resources to more long-term strategic business development when using
cloud infrastructure services (Miller, 2008; Vouk, 2008; Bruening and Treacy, 2009; Lin et al., 2009).
In spite of these – and other, mentioned in section 2.1.2 – opportunities, there is much vagueness
surrounding cloud computing. IT managers wonder whether cloud computing is a hype. This is being
supported by many doubts in the media on privacy and trust related issues (Hell, 2008; Koetsier,
2009; Deen, 2009; Engates, 2009; Perez, 2009; Urquhart, 2009; Wailgum, 2009).
In academic research, publications can be found that emphasize the risk of privacy issues when using
cloud computing (Arnold, 2008; Bertino et al., 2009; Pearson, 2009; Pearson and Charlesworth,
2009). Pearson provides a summary of the main privacy risks for cloud computing (Pearson, 2009):
-
For the cloud service user: being forced or persuaded to be tracked or give personal
information against their will, or in an uncomfortable way;
-
For the organization using the cloud service: loss of reputation and credibility and noncompliance to legislation and enterprise policies;
-
For implementers of cloud platforms: sensitive information that has been stored on the
platforms could be exposed, and reputation could be damaged;
-
For providers of applications on top of cloud platforms: non compliance to legislation,
damaged reputation, and ‘function creep’ using the sensitive information that is being stored
in the cloud (meaning that the information might be used later for different purposes than
the original intention of the cloud service);
1
Version 4.1
-
For data subjects: the exposure of privacy sensitive information.
Next to the publications on privacy issues, trust is also discussed in academic literature as having an
impact on the acceptance of cloud computing (Mitchell, 2009; Waxer, 2009). Mitchell states that
“[f]ew midsize or large businesses are willing to trust the cloud today, although some are
experimenting” (Mitchell, 2009). Also, large cloud computing providers with a good reputation are
more trustworthy.
To the best of our knowledge, little research has been conducted on the impact of privacy issues and
of trust on the adoption of cloud computing.
1.1 Research objective
The objective of this research project is to provide insight on the effects of perceived privacy risks
and trust on the adoption of cloud computing in general, and to examine trust enhancing, and
privacy risk reducing interventions to encourage the adoption of cloud computing.
The findings are potentially useful to auditors and advisors who can find themselves in an advising
role on the adoption of cloud computing. Also, the findings are useful to IT managers who may
consider accepting cloud computing for their organization.
In academic literature, a lot of research has been conducted on technical issues regarding cloud
computing (i.e. Mei et al., 2008; Vouk, 2008; Buyya et al., 2009), but almost no research has been
conducted regarding the adoption of cloud computing. This study helps to fill this gap in academic
literature by researching the impact of some aspects (trust and privacy risks) on the adoption of
cloud computing.
1.2 Research question
Derived from the research objective, the research question that will be answered in this research
project is formulated as:
What is the impact of perceived privacy risks and trusting beliefs on the adoption of cloud
computing, and what interventions are useful to encourage the adoption of cloud
computing?
To answer the research question, hypotheses are formulated during the literature review. These
hypotheses will be elaborated on in chapter 3.
2
Version 4.1
1.3 Scope definition
Various aspects have an impact on the acceptance of cloud computing. This research project focuses
on trust and privacy risks. Other risk considerations, like for example performance risks, financial
risks and social risks, are excluded for this research. Although other risk considerations are found
important (Cunningham, 1967), the chosen considerations are selected because they are regarded by
Featherman and Pavlou (Featherman and Pavlou, 2003) as extremely important because of the
overwhelming privacy concern phenomenon in the e-service context.
Various theories have been developed that describe the acceptance of technology in IS research. For
this research project, the Technology Acceptance Model of Davis et al. (Davis et al., 1989) and
Venkatesh et al. (Venkatesh et al., 2003) is being used. The Technology Acceptance Model is “a
preeminent theory of technology acceptance in IS research” (Gefen et al., 2003), and is found the
most influential source in IS research (Moody et al., 2009). Therefore, TAM is used for this research
project.
TAM has proven its worth in numerous studies (as can be seen in Appendix A). Hence, no hypotheses
are made on the constructs of the TAM.
With regard to trust, this research focuses on initial trust. Initial trust is “trust in an unfamiliar
trustee, a relationship in which the actors do not yet have credible, meaningful information about, or
affective bonds with, each other” (McKnight et al., 2002). Since this research project concerns a new
technology, the actors do not yet have credible or meaningful information about each other. Trust
for this research project is thus defined as initial trust.
Trust includes trusting beliefs. Three trusting beliefs are utilized most often and are found most
important in academic literature: competence, benevolence, and integrity. These trusting beliefs are
found most important to an initial trust model (McKnight et al., 2002). Therefore, only these three
trusting beliefs are used for this research project. Trust is being elaborated on in section 2.2.
The term privacy can be used in different situations: physical privacy (intangibility of the own body),
relational privacy (confidentiality of mail, telephone, and telegraph), environmental privacy (no
entrance of a residence against the will of the occupant), and informational privacy (right of respect
of the private life, protection of the private life with regard to recording and providing personal data,
and prescripts concerning the perusal of recorded personal data and the usage of recorded personal
data). In the context of cloud computing, informational privacy is most relevant. Therefore, privacy
for this research project is defined as informational privacy.
3
Version 4.1
1.4 Research method
The qualitative research approach is very suitable for exploratory studies (Blumberg et al., 2008).
Since a gap exists in the academic literature on the effects of privacy risks and trust on the adoption
of cloud computing, this research can be viewed as an exploratory research. Therefore, a qualitative
research approach is used for this research project.
The Association for Information Systems provides four types of qualitative research methods: action
research, case study research, ethnography and grounded theory (Association for Information
Systems, 2009). “Action research aims to contribute both to the practical concerns of people in an
immediate problematic situation and to the goals of social science by joint collaboration within a
mutually acceptable ethical framework” (Rapoport, 1970). Case study research is defined on
numerous ways. Yin says that “a case study is an empirical inquiry that investigates a contemporary
phenomenon within its real-life context” (Yin, 2003). Ethnography “focuses on the sociology of
meaning through close field observation of sociocultural phenomena” (Neil, 2006). Grounded theory
is defined by Martin and Turner as “an inductive, theory discovery methodology that allows the
researcher to develop a theoretical account of the general features of a topic while simultaneously
grounding the account in empirical observations or data” (Martin and Turner, 1986).
As said before, this research project is an exploratory research. Yin (Yin, 2003) states that case
studies are very well suited for exploratory research. Therefore, this research project can be defined
as a case study research. This research encompasses three case studies. More information on case
studies and on the case study method for this research project can be read in chapter 4.
Figure 1.1 visualizes the approach that is used for this research project.
Figure 1.1: Research project approach
4
Version 4.1
In part I of the research, the problem is recognized and the theory is being explored.
Then, in part II, a literature review is conducted. This review is used to formulate the hypotheses that
will be tested by conducting case studies in part III.
Part III tests the hypotheses using case studies. In the first half of part III, the case studies are
conducted. The second half of part III is the analysis of the case studies.
The last part of this research project is part IV, in which conclusions are drawn.
1.5 Thesis structure
As visualized in figure 1.1, this thesis is divided into four parts. Part I consists of the problem
recognition and the theoretical foundation for the research. These are elaborated on in respectively
chapter 1 and chapter 2. Part II consists of a literature review and the formulation of the hypotheses
that will be researched in the case studies. Both the literature review and the hypotheses
formulation are presented in chapter 3. Chapter 4 encompass Part III. This chapter elaborates on the
case studies that are conducted to test the hypotheses and on the results of the case studies. Finally,
part IV presents the conclusions in chapter 5, including the results on the hypotheses, the answer to
the research question, limitations of this research and possibilities for future research.
The structure of the thesis is shown in table 1.1.
Part I
Part II
Problem description
Chapter 1
Theory
Chapter 2
Literature review
Chapter 3
Hypotheses formulation
Part III
Case studies
Chapter 4
Analysis
Part IV
Conclusions
Chapter 5
Table 1.1: Thesis structure
5
Version 4.1
Chapter 2
Theoretical baseline
This chapter focuses on the theoretical foundation for the research project. The terms cloud
computing, trust and privacy are elaborated on, in order to provide a sufficient theoretical basis for
the literature review and for the formulation of the hypotheses.
2.1 Cloud computing
Cloud computing is in the present time the dominant news topic in the area of IT. What cloud
computing is, however, is only just becoming clear. This section elaborates on the definition, the
advantages, and the disadvantages of cloud computing. First, some examples of cloud computing are
highlighted to exemplify cloud computing.
Well known examples of cloud computing are Amazon EC2 and Google Apps. Amazon EC2 (virtual IT)
provides resizable computing capacity in the cloud. The web service interface of Amazon EC2 allows
the configuration of capacity with minimal friction and gives full control of your computing resources.
New server instances can be obtained and booted within minutes. Amazon EC2 charges only for the
capacity that is actually used.2
Google Apps (Software-as-a-Service) allows you to collaborate in the same document. Documents
and agenda’s can be shared with colleagues, and other members can be invited to share data.
Google Apps is also accessible with mobile equipment. Google Apps consists of the following
applications:
-
Google Sites
One central location for sharing information between the team members
-
Google Documents
Create and share documents, spreadsheets, presentations and forms
-
Google Agenda
Arrange meetings, develop plans and publish information on activities
-
Google Talk
Chat with colleagues and buzz from computer to computer3
2
http://aws.amazon.com/ec2/
3
http://www.google.com/intl/nl/apps/business/index.html
6
Version 4.1
2.1.1 Definition of cloud computing
A lot of vagueness surrounds cloud computing. Some authors try to define cloud computing in a
single sentence, others have formulated a more elaborate definition.
One of the more elementary definitions is that of Bertino et al.: “Rather than running software and
managing data on a desktop computer or server, users are able to execute applications and access
data on demand from the “cloud” (the Internet) anywhere in the world” (Bertino et al., 2009).
Antonopoulos extends this definition further: “[the] Cloud offers the possibility of computing
capacity on-demand, effectively a dial that you can tweak to increase or decrease capacity, while
paying only for what you use. Not only can this save money on infrastructure, but much more
importantly it provides flexibility for launching applications or business lines with minimal capital
investment” (Antonopoulos, 2008).
To fully define cloud computing however, more than two lines are needed. In order to demystify the
vagueness around cloud computing, the 2008 IEEE4 International Conference on Web Services was
titled “Cloud Computing: IT as a Service”. The IEEE Computer society published in the IT Professional
Magazine a report on the conference (Lin et al., 2009).
This research project will use the extensive definition of the conference because it is a general
definition that is widely supported by many experts in the field of IT.
The panel of the conference defined cloud computing as “a nascent business and technology concept
with different meanings for different people.” (Lin et al., 2009). They distinguish three groups of
people: application and IT users, Internet application developers, and infrastructure providers and
administrators.
-
For application and IT users, cloud computing is IT as a service (ITaaS). This implies “delivery
of computing, storage, and applications over the Internet from centralized data centers”.
-
For Internet application developers, cloud computing is an “Internet-scale software
development platform and runtime environment”.
-
For infrastructure providers and administrators, cloud computing is “the massive, distributed
data center infrastructure connected by IP networks”
(Lin et al., 2009).
To illustrate this definition, a three-layer cloud architecture is presented. The top layer delivers
applications on demand in the Software as a- Service (SaaS) model. The middle layer represents
middleware that provides application services and/or Platform as a Service (PaaS). The bottom layer
is the flexible infrastructure of data centers services that are distributed and connected via Internetstyle networking. This three-layer cloud architecture is visualized in figure 2.1.
4
IEEE is the world’s leading professional association for the advancement of technology and has over 375,000
members in more than 160 countries. (http://www.ieee.org)
7
Version 4.1
Figure 2.1: The three-layer cloud architecture
(Lin et al., 2009)
2.1.2 Advantages of cloud computing
Cloud computing offers a lot of advantages. In his book ‘Cloud Computing: Web-Based Applications
that Change the Way You Work and Collaborate Online’ (Miller, 2008), Michael Miller provides an
extended overview of advantages of cloud computing. The overview of advantages in this chapter is
based on Millers’ overview, elaborated with advantages presented by Bruening and Treacy (Bruening
and Treacy, 2009) and Lin et al. (Lin et al., 2009).
Lower IT costs
IT costs are decreased on several areas:
-
Applications are no longer run on the desktop Personal Computer (PC), but are run in
the cloud. This means that the PC does not need the processing power or hard disk
space as demanded by traditional desktop software.
-
Powerful servers and the like are no longer required. The computing power of the
cloud can be used to replace or supplement internal computing resources.
-
Organizations no longer have to purchase computing resources to handle the
capacity peaks. Peaks are easily handled by the cloud.
-
Payment for most cloud computing services is based on a pay-as-you-go model. This
means that customers only pay for what they use.
-
The IT staff does not have to install and maintain the software on every desktop in
the organization.
8
Version 4.1
Fewer maintenance issues
With less hardware on hand in the organization, the maintenance costs are accordingly
decreased. Also, software is run in the cloud, not on the PC. So there is no software for the IT
staff to maintain.
Also, organizations do not have to face the choice between obsolete software and high
upgrade costs. The service provider upgrades the software in the cloud, so whenever the
customer logs in to the cloud, the latest version is loaded, with no need to pay for or
download an upgrade.
Increased computing power
No longer is the computing power limited to the power of the desktop PC. The power of the
entire cloud is at the disposal of the user. This means that bigger tasks can be performed in
the cloud than on the desktop.
Unlimited storage capacity
The cloud offers virtually limitless storage capacity.
Improved compatibility between operating systems and documents
Documents can be shared with computers that run different operating systems such as
Windows, Apple’s MAC OS, Linux or UNIX.
Easier group collaboration
One of the most important advantages to many users of cloud computing is the easy
collaboration on documents and projects. Cloud computing no longer requires the
correspondence of documents from one user to another, for example by e-mail, and work on
them sequentially. Cloud computing allows simultaneous access to documents, and edits in
the document are updated real-time.
Universal access to documents
Documents are stored in the cloud. This means that documents can be accessed from
anywhere, as long as a computer and an Internet connection is available.
2.1.3 Disadvantages of cloud computing
A lot of papers report on the advantages of cloud computing. The overviews and summaries of
disadvantages of cloud computing are less numerous. Miller (Miller, 2008) provides, next to the
overview of advantages, also an overview of disadvantages.
9
Version 4.1
Requires a constant Internet connection
Cloud computing is impossible without the connection to the Internet. Internet is needed to
access both documents and applications. If no Internet connection is available, this means
that no work can be done.
Does not work well with low-speed connections
Web-based applications and large documents require both a lot of bandwidth to download.
With a low-speed connection, such as dial-up, it might take a while to even change pages in a
document.
Web-based applications have to send everything back and forth from the PC to the cloud,
from the interface of the application to the document that is being edited. Even on a fast
connection, cloud computing can be slower than accessing a similar application on a desktop
PC.
Features might be limited
For now, web-based applications are not as full-featured as their fellow desktop applications.
This might be a big disadvantage for advanced users.
Stored data might not be secure
All data is stored in the cloud, and thus outside the sphere of control. As shown in the
previous section, this provides a lot of advantages. However, safety cannot be guaranteed.
Cloud systems can be hacked and documents can be accessed by unauthorized users.
This has a big impact on privacy and trust – which is the focus of this research project. This
will be elaborated on in chapter 3.
No physical or local backup
The data is only stored in the cloud. In the off chance that data goes missing, this means that
the data can not be restored by (traditional) local backup systems.
2.2 Trust
“Trust is a crucial enabling factor in relations where there is uncertainty, interdependence, risk, and
fear of opportunisms” (Xu et al., 2005). This is being concluded in numerous academic papers (Mayer
et al., 1995; Hoffman et al., 1999; Gefen et al., 2003; Gefen and Pavlou, 2004). Therefore, trust could
be crucial in the adoption of cloud computing.
This section provides insight in what trust means.
10
Version 4.1
2.2.1 Initial trust
“Trust develops gradually over time” (McKnight et al., 1998). In his research, McKnight indicates that,
for trust to grow over time, trust starts small and then gradually increases. The starting level of trust
is referred to as initial trust (Bigley and Pearce, 1998; McKnight et al., 1998; McKnight et al., 2002).
McKnight defines initial trust as “trust in an unfamiliar trustee, a relationship in which the actors do
not yet have credible, meaningful information about, or affective bonds with, each other” (McKnight
et al., 2002). Credible information is amassed after the actors have interacted for some time.
Since this research project concerns a new technology, the actors do not yet have credible or
meaningful information about each other. Trust for this research project is thus defined as initial
trust.
2.2.2 Trusting beliefs
Trusting beliefs “means the confident truster perception that the trustee […] has attributes that are
beneficial to the truster” (McKnight et al., 2002). McKnight studied the many types of trusting beliefs
and categorized them. These trusting beliefs are then supported and used in other studies (i.e. Gefen
and Pavlou, 2004; Xu et al., 2005). McKnight found three trusting beliefs that are utilized most often
and are found most important:
First there is competence. Competence is the “ability of the trustee to do what the truster needs”.
Second is benevolence and is defined as the “trustee caring and motivation to act in the truster’s
interests”. Last is integrity, which is the honesty of the trustee and promise keeping. (McKnight et al.,
2002)
2.3 Privacy
“A significant barrier to the adoption of cloud services is […] fear of confidential data leakage and loss
of privacy in the cloud” (Pearson and Charlesworth, 2009).
This section elaborates on what privacy means.
11
Version 4.1
2.3.1 Privacy defined
Privacy encompasses the right to be left alone and is a fundamental human right. There are four
situations in which the term privacy can be used (College Bescherming Persoonsgegevens, 2005).
1. Physical privacy, which means that everyone has the right of intangibility of his own body,
with exception of lawful restrictions;
2. Relational privacy, meaning confidentiality of mail telephone, and telegraph, with exception
of lawful restrictions;
3. Environmental privacy, which means that the entrance of a residence against the will of the
occupant is not permitted, with exception of lawful cases;
4. Informational privacy, meaning (1) everyone has the right of respect of a private life, with
exception of lawful restrictions, (2) the protection of the private life with regard to the
recording and providing of personal data as stated by the law, and (3) prescripts concerning
the perusal of recorded personal data and the usage of recorded personal data, as well as
correction of these data as stated by the law.
In the context of cloud computing, informational privacy is most relevant. Therefore, privacy for this
research project is defined as informational privacy.
An important aspect in informational privacy is personal data. Personal data is “information that can
be traced to a particular individual” (Pearson and Charlesworth, 2009). However, this definition is not
very clear in that it is to general. In the paper ‘Taking Account of Privacy when Designing Cloud
Computing Services’, Pearson defines personal data in more detail. Personal data is called privacy
sensitive information and encompasses (1) “any information that could be used to identify or locate
an individual (e.g. name, address) or information that can be correlated with other information to
identify an individual (e.g. credit card number, postal code, Internet Protocol (IP) address” and also
information that is considered to be sensitive such as collection of surveillance camera images of
public places, (2) sensitive information: “information on religion or race, health, sexual orientation,
union membership or other information that is considered private”, (3) usage data: data on
behavioral information, for example recently visited websites and product usage history, and (4)
unique device identities: all other types of information that can be uniquely related to a user device,
for example IP addresses and unique hardware identities. (Pearson, 2009)
12
Version 4.1
2.4 Summary
Chapter 2 explores the theoretical foundations for this research project. It elaborates on cloud
computing in general, on trust in general and on privacy in general to provide a basis for the
literature review and for the formulation of the hypotheses.
The definition of cloud computing that is being used for this research project is from the 2008 IEEE
International Conference on Web Services. The panel of the conference defined cloud computing as
“a nascent business and technology concept with different meanings for different people.” (Lin et al.,
2009).
Cloud computing offers both advantages and disadvantages. Advantages of cloud computing are
lower IT costs, fewer maintenance issues, increased computing power, unlimited storage capacity,
improved compatibility between operating systems and documents, easier group collaboration, and
universal access to documents. Disadvantages of cloud computing are that it requires a constant
Internet connection, it does not work well with low-speed connections, features might be limited,
stored data might not be secure, and no physical or local backups are available.
The advantages of cloud computing provide a lot of opportunities that could make the concept of
cloud computing a success. However, some of the disadvantages might provide barriers for the
success of cloud computing (Miller, 2008). This emphasizes the relevance of this research project.
Trust could be crucial in the adoption of cloud computing. Trust in this research project is focused on
initial trust which is defined as “trust in an unfamiliar trustee, a relationship in which the actors do
not yet have credible, meaningful information about, or affective bonds with, each other” (McKnight
et al., 2002).
For this research project, trust encompasses three trusting beliefs: competence, benevolence, and
integrity. The trusting beliefs are recognized in the trust-building interventions in section 3.2.
Privacy in this research project focuses on informational privacy, meaning (1) everyone has the right
of respect of a private life, with exception of lawful restrictions, (2) the protection of the private life
with regard to the recording and providing of personal data as stated by the law, and (3) prescripts
concerning the perusal of recorded personal data and the usage of recorded personal data, as well as
correction of these data as stated by the law.
Now that the theoretical baseline is founded, chapter 3 embroiders on this by providing a literature
review and hypotheses that will be researched in the case studies.
13
Version 4.1
Chapter 3
TAM in the Cloud
This chapter embroiders on the theoretical baseline and the formulation of the hypotheses. The
research model visualizes the hypotheses and the relationship between the constructs that are being
used in this research project. The research model is shown in figure 3.1.
Figure 3.1: The research model
3.1 Technology Acceptance Model
The research model that is being used for this research project is based on the Technology
Acceptance Model (TAM) of Davis et al. and Venkatesh et al. (Davis et al., 1989; Venkatesh et al.,
2003). The Technology Acceptance Model can be used to predict attitudes towards technology and
the usage of that technology. Davis applied the theory of reasoned action (TRA) of Ajzen and Fishbein
(Ajzen and Fishbein, 1980) to show that attitudes are influenced by beliefs which will lead to
intentions, and therefore generate behaviors.
TAM has been both simplified and extended in multiple studies (Adams et al., 1992; Igbaria et al.,
1995; Straub et al., 1995; Gefen and Straub, 1997; Teo et al., 1999; Venkatesh et al., 2003). The
14
Version 4.1
theory Venkatesh et al. in 2003 is found the challenger of TAM (Moody et al., 2009). TAM is
presented in figure 3.2.
Figure 3.2: The Technology Acceptance Model
(Davis et al., 1989; Venkatesh et al., 2003)
The TAM was introduced by Davis in 1986 (Davis, 1986). The TAM suggests two beliefs: perceived
usefulness and perceived ease of use. Perceived usefulness is defined as “the prospective user’s
subjective probability that using a specific application system will increase his or her job performance
within an organizational context” (Davis et al., 1989). Perceived ease of use refers to “the degree to
which the prospective user expects the target system to be free of effort” (Davis et al., 1989). A large
amount of research has shown that the TAM is a “robust model of technology acceptance behaviors
in a wide variety of IT” (Gefen et al., 2003). Moody et al. researched the most influential sources in IS
research and found the TAM is still the most influential theory in IS research (Moody et al., 2009).
Hence, TAM is used in this research project.
TAM has proven itself in numerous studies. Lederer et al. (Lederer et al., 2000) have provided a
summary of studies in which the TAM has proven itself. This overview is presented in appendix A. For
the reason that the TAM is proven in a large number of previous studies, there is no reason to doubt
the TAM. Hence, no hypotheses are made on the constructs of the TAM.
3.2 Trust
Hoffman et al. found in their study that 95% of the consumers did not provide personal information
to websites. 63% of them indicated that they did not provide personal information “because they do
not trust those who are collecting the data” (Hoffman et al., 1999). So, trust seems to have an impact
on the acceptance of technologies (Hoffman et al., 1999; Friedman et al., 2000; McKnight et al.,
2002).
Gefen et al., states that trust increases the probability that the customer will gain the expected
benefits. Also, “doing business with an e-vendor who cannot be trusted could result in detrimental
consequences, i.e., reduced usefulness” (Gefen et al., 2003). Following this line, it is hypothesized
that trust can enhance the adoption of cloud computing:
15
Version 4.1
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
When trust is a condition for the successful acceptance of cloud computing, actions have to be taken
to build trust, certainly when taking into account that “[t]rust is generally difficult to build, but easily
lost” (Cook and Luo, 2003). McKnight and Chervany studied the meaning of trust in e-commerce
customer relationships. They provide some trust-building interventions – interventions are actions
that may be taken to provide assurance (McKnight and Chervany, 2001). These trust-building
interventions are supported by other researchers such as Koufaris and Hampton-Sosa (Koufaris and
Hampton-Sosa, 2002), Gefen and Pavlou (Gefen and Pavlou, 2004), Xu et al. (Xu et al., 2005), and
Pearson and Charlesworth (Pearson and Charlesworth, 2009). These interventions are:
Privacy policies
A privacy policy “defines what data is collected, for what purpose the data will be used,
whether the enterprise provides access to the data, who are the data recipients (beyond the
enterprise), how long the data will be retained, and who will be informed in what cases”
(Karjoth and Schunter, 2002). If it is indicated that a privacy policy exists on the site, the
consumers’ trust in this vendor should increase for the reason that the vendor indicates its
ethicality with regard to privacy sensitive information (trusting belief – integrity). This should
result in increased willingness to share privacy sensitive information with the vendor.
Third-party privacy seals
Online vendors can participate in a third-party privacy seal program. The operators of these
programs design and advocate a set of standards and principles concerning, in this case,
privacy. Participating vendors follow these standards and principles. After the vendor is
verified by the third-party seal operator, vendors are allowed to display the privacy seal on
their websites (Cook and Luo, 2003). This proves, just like a privacy policy, that the vendor is
ethical with regard to privacy sensitive information (trusting belief – integrity), and should
thus increase the willingness to share information with the vendor.
Interacting with customers
Vendors that interact online with its customers “should be able to convey to them that it is
benevolent, competent, honest, and/or predictable” (McKnight and Chervany, 2001)
(trusting beliefs – benevolence, competence, integrity). The interaction strengthens the
trusting beliefs by providing evidence that the vendor has positive attributes.
Reputation building
“A reputation embodies the history of other peoples’ experiences with that service provider.
Good reputations increase credibility, making us more confident that we’ll really get what
16
Version 4.1
we’re promised” (Fombrun, 1996). Improving the reputation will also improve the trusting
beliefs (trusting beliefs – competence, benevolence, integrity).
Links to other sites
Links to other reputable sites imply that “one has good company because one is good
company” (McKnight and Chervany, 2001). Thus, these links might provide assurance and
increase trusting beliefs (trusting beliefs – competence, benevolence, integrity).
This is not an exhaustive list of all trust-building interventions. However, the interventions represent
popular (Xu et al., 2005) interventions that are supported by various academic authors (McKnight
and Chervany, 2001; Gefen and Pavlou, 2004; Xu et al., 2005; Pearson and Charlesworth, 2009).
To examine whether these trust-building interventions actually build trust, and thus have an effect
on the perceived usefulness of cloud computing, hypotheses are formulated on the interventions.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness
of cloud computing.
H1b: The presence of a third party privacy seal will have a positive effect on the perceived
usefulness of cloud computing.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of
cloud computing.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud
computing.
H1e: The presence of links to other sites will have a positive effect on the perceived
usefulness of cloud computing.
3.3 Privacy
Cloud computing offers, as shown in section 2.1.2, a lot of advantages. However, as Pearson and
Charlesworth state: “The advantages of cloud computing […] can become disadvantages in
maintaining a level of privacy assurance sufficient to sustain confidence in potential customers”
(Pearson and Charlesworth, 2009). Greenberg puts it this way: “When users store their data with
programs hosted on someone else’s hardware, they lose a degree of control over their oftensensitive information” (Greenberg, 2008).
17
Version 4.1
Pearson provides a summary of the main privacy risks for cloud computing in her paper ‘Taking
Account of Privacy when Designing Cloud Computing Services’.
The main privacy risks for the cloud service user are “being forced or persuaded to be tracked or give
personal information against their will, or in a way which they feel uncomfortable”.
For the organization using the cloud service, the main privacy risks are loss of reputation and
credibility and non-compliance to legislation and enterprise policies.
Implementers of cloud platforms also face privacy risks. Sensitive information that has been stored
on the platforms could be exposed, and reputation could be damaged.
Privacy risks for providers of applications on top of cloud platforms are non compliance to legislation,
damaged reputation, and ‘function creep’ using the sensitive information that is being stored in the
cloud; meaning that the information might be used later for different purposes than the original
intention of the cloud service.
Last, the main privacy risk for the data subjects is appointed. This is, of course, the exposure of
privacy sensitive information. (Pearson, 2009)
James et al. have studied the intention to use biometrics devices. They show that privacy has a
positive impact on the perceived usefulness of the technology (James et al., 2006). This is being
supported by Gefen and Pavlou (Gefen and Pavlou, 2004) who researched the building of effective
online marketplaces. In accordance with these studies, the following hypothesis is formulated:
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
Privacy risks can be reduced on various ways. Academic literature provides the following privacy risk
reducing interventions that are designed to reduce those risks.
Technological interventions
The first privacy risk reducing interventions are technological interventions. Some authors
provide separate solutions. Bertino et al. (Bertino et al., 2009) provide an identity
management solution in his paper ‘Privacy-preserving Digital Identity Management for Cloud
Computing’, Greenberg (Greenberg, 2008), Edwards (Edwards, 2009), and Schultz (Schultz,
2009) recommend encryption, and others (e.g. Ackerman et al., 1999; Kim et al., 2002)
recommend P3P5 (Platform for Privacy Preferences Project). There are also overall
technological interventions such as Privacy Enhancing Technologies (PET), recommended for
example by Borking et al. (Borking et al., 2004), Koorn and ter Hart (Koorn and ter Hart,
2004), and Pearson (Pearson, 2009).
5
P3P is the abbreviation of Platform for Privacy Preferences Project from the World Wide Web Consortium.
The World Wide Web Consortium (W3C) develops interoperable technologies such as specifications, guidelines,
software, and tools to lead the Web to its full potential (http://www.w3.org/)
18
Version 4.1
The term PET is being used to indicate all technologies that can be used to protect privacy
sensitive information. PET is defined by the Information Commissioner’s Office as “any
technology that exists to protect or enhance an individual’s privacy, including facilitating
individuals’ access to their rights under the Data Protection Act 19986” (Information
Commissioner’s Office, 2007). Koorn and ter Hart (Koorn and ter Hart, 2004) have visualized
these technologies and placed them on the so called PET-ladder. This ladder is shown in
figure 3.3.
Figure 3.3: PET-ladder
(Koorn and ter Hart, 2004)
According to Borking et al., PET are suitable interventions to realize advanced
computerization within the proper borders of privacy (Borking et al., 2004). Because of the
wide range of technologies, PET is applicable to all types of information systems (IS).
Ameliorations to law and regulation
“One of cloud computing’s biggest risks arises from its very nature: it allows data to be sent
and stored just about anywhere – even divided among locations around the world. While
data dispersion helps give cloud computing a cost and performance edge, the downside is
that business information can land in storage systems in locales where privacy laws are loose
or even nonexistent” (Edwards, 2009). In the EU, privacy is a basic right. However, in the Asia
Pacific privacy is more focused on avoiding harm. Pearson (Pearson, 2009) considers
requirements that arise from applying privacy legislation to the cloud. However, sharing the
statements of Pearson and Charlesworth (Pearson and Charlesworth, 2009) and Edwards
6
The Data Protection Act 1998 is a United Kingdom (UK) Act of Parliament and defines the processing of data
on identifiable living people in UK law. (http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1)
19
Version 4.1
(Edwards, 2009) “legislation will need to evolve to allow compliance in dynamic, global
environments” (Pearson and Charlesworth, 2009).
Gefen and Pavlou (Gefen and Pavlou, 2004) and Jarvenpaa (Jarvenpaa et al., 2000) show that privacy
risks have a negative effect on the adoption of a new technology. With regard to the technological
interventions, this is being confirmed by James et al. (James et al., 2006). They confirm that the use
of technology to increase his or privacy has a positive impact on the perceived usefulness of
biometric devices. Accordingly, interventions that reduces privacy risks should therefore have a
positive effect on the perceived usefulness of a new technology.
H2a: Technological interventions, such as PET, have a positive effect on the perceived
usefulness of cloud computing.
H2b: Ameliorations to law and regulation have a positive effect on the intended use
of cloud computing.
Similar to the list of trust-building interventions, this list of privacy risk reducing interventions is not
an exhaustive list. The interventions that are included for this research project are supported by
various academic authors (Borking et al., 2004; Koorn and ter Hart, 2004; Edwards, 2009; Pearson,
2009; Pearson and Charlesworth, 2009).
3.4 Trust and Privacy
Technological interventions help to build trust (Borking et al., 2004; Information Commissioner’s
Office, 2007; Vouk, 2008). The use of technological interventions “helps to signal the integrity and
intention of organisations regarding the information that they hold, and encourages trust in those
organisations” (Information Commissioner’s Office, 2007).
This is being supported in a more broad way by Caudill and Murphy (Caudill and Murphy, 2000) and
Culnan and Bies (Culnan and Bies, 2003). Caudil and Murphy state that privacy risk reducing
interventions are essential to develop intimacy and trust (Caudill and Murphy, 2000).
In harmony with these studies, the last hypothesis for this research project is formulated:
H3: Privacy risk reducing interventions have a positive effect on trust
20
Version 4.1
3.5 Summary
This chapter embroiders on the theoretical baseline and the formulation of the hypotheses. A
research model is developed to visualize the hypotheses and the relationship between the entities
that are being used in this research project. The research model is shown in figure 3.1.
The research model that is being used for this research project is based on the Technology
Acceptance Model of Davis and Venkatesh (Davis et al., 1989; Venkatesh et al., 2003). The
Technology Acceptance Model can be used to predict attitudes towards technology and the usage of
that technology.
Literature provides evidence that trust increases the probability that the customer will gain the
expected benefits. In line with this, the following hypothesis is formulated with regard to trust.
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
The literature review provides some trust-building interventions: privacy policies, third-party privacy
seals, interacting with customers, reputation building, and links to other sites. With regard to these
trust-building interventions, five hypotheses are formulated.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness
of cloud computing.
H1b: The presence of a third party privacy seal will have a positive effect on the perceived
usefulness of cloud computing.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of
cloud computing.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud
computing.
H1e: The presence of links to other sites will have a positive effect on the perceived
usefulness of cloud computing.
Other studies have shown that privacy has a positive impact on the perceived usefulness of new
technologies. In accordance with this, the following hypothesis is formulated.
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
21
Version 4.1
Just like the literature provides trust-building interventions, it also provides privacy risk reducing
interventions: technological interventions, and ameliorations to law and regulation. With regard to
these privacy risk reducing interventions, the following hypotheses are formulated.
H2a: Technological interventions, such as PET, have a positive effect on the perceived
usefulness of cloud computing.
H2b: Ameliorations to law and regulation have a positive effect on the intended use
of cloud computing.
The last hypothesis for this research project focuses on the impact of privacy on trust. This results in
the following hypothesis.
H3: Privacy risk reducing interventions have a positive effect on trust.
22
Version 4.1
Chapter 4
The case studies
Case studies are used in many situations to add to the knowledge of individual, group, organizational,
social, and political phenomena. The case study has been a common research strategy in psychology,
sociology, political science, social work, business, community planning, and even in economics. “The
distinctive need for case studies arises out of the desire to understand complex social phenomena”
(Yin, 2003).
In order to test the hypotheses that have been formulated in chapter 3, three case studies are
conducted. This chapter provides general information on case studies (4.1), and information on the
case study method that is used for this research project (4.2).
In section 4.2.1 the criteria for the selection of the cases for this research project are presented:
-
The cases have to be conversant with cloud computing
-
The cases have to be in the process of considering to accept cloud computing for their
organization
OR
The cases have already passed this process.
With these criteria in mind, clients of PricewaterhouseCoopers were contacted. This resulted in
several reactions. Section 4.3, 4.4, and 4.5 introduce the clients that were selected to serve as cases
for this research project. Also, the key findings of the case studies are added. More details on the
findings of the individual cases are delivered in the individual case reports (appendix C, appendix D
and appendix E).
4.1 Case study introduction
As specified in section 1.4, this research project uses a qualitative research approach. Mittman states
that qualitative research methods are valuable in various studies, for example in providing rich
descriptions of complex phenomena, conducting initial explorations to develop theories, to generate
and test hypotheses, and moving toward explanations (Mittman, 2001).
Section 1.4 also substantiates the choice of the qualitative research method, which is case study
research. Yin (Yin, 2003) provides four case study designs: single-case (holistic) design, single-case
(embedded) design, multiple-case (holistic) design, and multiple-case (embedded) design.
Although all designs can lead to successful case studies, multiple-case designs are preferred over
single-case designs for several reasons. First, a multiple-case design offers the possibility of direct
replication, meaning that conclusions that independently arise from two cases are more powerful
23
Version 4.1
than those coming from a single case. Second, the context in multiple-cases is likely to vary to some
extent. If the cases provide common conclusions, the findings will expand the external
generalizability. These benefits of multiple-case designs over single-case designs even apply to a
‘two-case’ case study. Having more than two cases produces an even stronger effect. Hence, three
case studies are conducted for this research project.
Figure 4.1 Basic types of designs for case studies
(Yin, 2003)
Whether a holistic or an embedded design is being used depends on the type of phenomenon that is
being studied. If the case study examines only the global nature of a phenomenon, a holistic design is
used. If attention within a case is also given to a subunit or subunits of the phenomenon, an
embedded design is used. This research project focuses only on the global nature of cloud
computing. Therefore this research project uses a holistic design.
4.2 Case study method
Yin (Yin, 2003) provides a case study method for multiple-case designs. This method is being used for
this research project. Figure 4.2 illustrates the case study method which is tailored to this specific
research project.
24
Version 4.1
Figure 4.2: Case study method
(Yin, 2003)
In the three subsections that follow, the case study method is being elaborated on.
4.2.1 Define and Design
The ‘define and design’ phase encompasses three constructs: Theory, Select cases, and Design data
collection protocol.
Theory
The construct theory encloses the definition of the theory and the development of the
theoretical framework – which is the research model. This construct is brought about in
chapter 2 and chapter 3.
Select cases
This construct encompasses the selection of the cases. The cases that are selected for this
research project have to meet the following criteria:
-
The cases have to be conversant with cloud computing.
-
The cases have to be in the process of considering to accept cloud computing for
their organization
OR
The cases have already passed this process.
Design data collection protocol
A data collection protocol is also called the case study protocol. It encloses an introduction to
the case study, the data collection procedures, and the case study questions, and serves as a
25
Version 4.1
guideline for conducting the case studies. The data collection protocol is added in appendix
B.
Triangulation
An important principle of data collection is triangulation, which is the major strength of case
study data collection. Triangulation is the “rationale for using multiple sources of evidence”
(Yin, 2003). Triangulation increases the validity of the case studies.
There are six sources of evidence that are most commonly used in doing case studies:
documentation, archival records, interviews, direct observations, participant-observation,
and physical artefacts. Triangulation is applied to draw conclusions. The first source of
evidence in all case studies is interviews. The second source of evidence is documents
(minutes, notes, memos) and/or observations by the researcher.
Literature
Interviews
Documents and/or
observations
Figure 4.3: Triangulation – three sources of evidence
The appliance of the triangulation principle is visible in the tables in the cross case report
(appendix F). In these tables, every hypothesis received a ‘1’ and a ‘2’. The ‘1’ indicates
evidence source 1 (interviews), the ‘2’ indicates the second evidence source (documents
and/or observations). For each case it is indicated whether evidence source 1 and 2 either
supports or does not support the hypothesis, or whether no evidence was available. In the
analysis of the findings of the case studies, both evidence sources are considered of equal
importance.
4.2.2 Prepare, Collect, and Analyze
Prepare, Collect, and Analyze consists of six constructs, as can be seen in figure 4.2. Some of those
constructs are equal because they have to be executed for each of the case studies.
Conduct Nth case study
Conducting the case study is done according to the data collection protocol which is added in
appendix B.
26
Version 4.1
Write individual case report
When the case studies have been conducted, an individual case report has to be made for
each of the case studies.
There are six possible structures for a case study report: linear-analytic structures,
comparative structures, chronological structures, theory building structures, suspense
structures, and unsequenced structures. (1) The linear-analytic structure is the standard
approach for composing research reports and follows the sequence of problem statement,
methods used, findings from the data collected and analyzed, and the conclusions. (2) The
comparative structure repeats the same case study two or more times, each time comparing
alternative explanations of the same case. (3) Chronological structures present the evidence
in a chronological order (early, middle, and late phases of a case history). (4) The theory
building structure follows a theory-building logic, meaning that each chapter reveals a new
part of the theoretical framework. (5) Suspense structures invert the linear-analytic
structure. This structure starts with the answer or outcome and devotes the remaining
chapters to explain this answer or outcome. Last, (6) the chapters in the unsequenced
structure assume no particular order. This structure is often used for descriptive case studies.
The case reports of this research project are based on the theory-building structure, for the
reason that the constructs of the projects’ research model is designed to allow a theorybuilding logic. Each chapter encompasses construct(s) of the research model and elaborates
on previous constructs.
The individual case reports are added in appendix C, appendix D, and appendix E.
4.2.3 Analyze and Conclude
The last phase is ‘analyze and conclude’. This phase encloses two constructs: Draw cross case
conclusions, and Write cross case report.
Draw cross case conclusions
There are several analytical techniques possible to be used to analyse case studies. Yin
describes five analytical techniques: pattern matching, explanation building, time-series
analysis, logic models, and cross-case synthesis. (1) Pattern matching compares an
empirically based pattern – which are findings of the case – with a predicted pattern. (2)
Explanation building is a special type of pattern matching. The goal of explanation building is
to analyze the case study data by building an explanation about the case. (3) Time-series
analysis follows intricate patterns and is mainly relevant to single-case studies. (4) Logic
models match empirically events to theoretically predicted events, and are thus very similar
to pattern matching. The last analytical technique applies in particular to the analysis of
27
Version 4.1
multiple-case studies: (5) cross-case synthesis. Cross-case synthesis uses tables that display
the findings from the individual cases.
Since this research project is defined earlier as a multiple-case design, the cross-case
synthesis technique is applied to draw cross-case conclusions.
Cross-case synthesis can be performed when the individual case studies have been
conducted as independent studies. Within this approach, tables are created that display the
findings from the individual cases in an arranged way. “The examination of the tables for
cross-case patterns will rely strongly on argumentative interpretation, not on numeric tallies”
(Yin, 2003). The cross case conclusions have to meet a strong and plausible argumentation
that are supported by the data.
The tables that are used to display the findings from the individual cases are recorded
chapter 5 and in the cross case report (appendix F). These tables show the hypotheses, and
whether the hypotheses are (un)supported by the individual cases. The tables also visualize
whether the findings are (un)supported by one or two evidence sources (for the reason of
triangulation – see section 4.2.1).
Write cross case report
The cross case report uses the same structure as the individual case report: the theorybuilding structure. The cross case report is added in appendix F.
4.3 Case study 1: CEVA Logistics
“At CEVA Logistics we look at the world around us a little differently. We see everything through
logistical spectacles. This means that we examine every aspect of a supply chain and ask ourselves:
‘What is it made up of?’ ‘Where did it come from?’ ‘How did it get to where it is?’ ‘Who helped it on
its way?’ And most of all, ‘Can we improve it?’” (CEVA Logistics, 2009)
CEVA Logistics is owned by Apollo Management7. Previous of that it was owned by TNT. In 2006
Apollo Management took over TNT Logistics. In 2007 Apollo Management took over EGL Inc. Now,
TNT Logistics and EGL Inc. have been merged to CEVA Logistics.
CEVA Logistics uses the following definition of cloud computing: “Cloud computing is a style of
computing in which dynamically scalable and often visualized resources are provided as a service
over the internet. Users need not have knowledge of, experience in, or control over the technology
infrastructure in the “cloud” that supports them. The concept generally incorporates combinations of
7
http://www.apolloic.com/public/home.asp
28
Version 4.1
the following: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service
(SaaS).”
The definition of cloud computing – as presented in chapter 2 of the master thesis – distinguishes
three groups of people. For each group of people, cloud computing has a different meaning. CEVA
Logistics sides with the application and IT users, meaning that they look at cloud computing as ITaaS.
CEVA Logistics already applies the concept of cloud computing: SaaS. One of their applications – their
Customer Relationship Management (CRM) system – is being delivered by a provider over the
Internet. The data of this system is stored in a centralized data center owned by the provider.
Next to that, CEVA Logistics is also considering to transport their software development activities to
the cloud, and to decrease the number of own data centers by letting a cloud computing provider
deliver this service.
4.3.1 Key findings
CEVA Logistics considers trust to be of vital concern when adopting cloud computing. Since CEVA
Logistics already applies the concept of cloud computing, they accomplished a trusting relationship
with their provider when they were in the process of adopting the concept. Some of the trustbuilding interventions that are identified during the literature review were used during this process:
the provider provided a privacy policy and it is audited whether the provider complies with it, a lot of
interactions between CEVA Logistics and the provider preceded the contract, and the provider build
a good reputation. Links to other sites were not found important to CEVA Logistics in building a
trusting relationship. Third-party privacy seals were not used in the process of trust-building, for the
reason that CEVA Logistics was not aware of the existence of these seals.
Privacy risks also played a role to CEVA Logistics when they considered SaaS for their CRM system.
Disclosure of privacy sensitive information is their greatest privacy concern. The implementation of
some privacy enhancing technologies is a ‘must’ to CEVA Logistics. CEVA Logistics also agrees that
ameliorations to law and regulation are necessary to cope with the dynamic and global environment
of cloud computing.
In the case of CEVA Logistics, the technological interventions had a positive effect on the trusting
relationship between CEVA Logistics and the cloud computing provider.
29
Version 4.1
4.4 Case study 2: PricewaterhouseCoopers Global Technology Solutions
PricewaterhouseCoopers Global Technology Solutions (PwC GTS) is the department of PwC that is
responsible for all hardware and software and the support of these facilities. The three main units of
PwC GTS are:
-
Business Management Team
The business management team is the main communication channel of PwC GTS with the
rest of PwC.
-
Standards & Application Services
Standards and application services is responsible for the construction of new software and
the implementation of new software.
-
Operations
Operations focuses on solving incidents and problems of hardware and software.
In august 2007, PwC GTS started with the selection of a software package for a Human Relationship
Management (HRM) system. Their longlist contained twenty software vendors. This list was reduced
to seven vendors on the shortlist. One of these remaining vendors was Service-now. Service-now is a
platform that provides SaaS. PwC GTS applies the SaaS solution for their HRM system. Service-now is
the provider of this solution and delivers the solution over the Internet. The data is stored in a
centralized data center of Service-now in the Netherlands. In July 2008, PwC was able to use the SaaS
solution.
The definition of cloud computing distinguishes three groups of people. PwC GTS sides with the
application and IT users, meaning that they look at cloud computing as ITaaS.
4.4.1 Key findings
“When you let another party process and store your privacy sensitive information, you have to trust
the other party”. This statement shows that trust is essential to PwC GTS when they adopted cloud
computing. PwC GTS agrees that some of the trust-building interventions – that are identified during
the literature review – really increase trust, however, not all of them do. Privacy policies, interactions
with customers, and a good reputation are found trust-building by PwC GTS. Links to other sites are
not found important when trying to build a trusting relationship. PwC GTS was not aware of the
existence of third-party privacy seals. Accordingly, PwC GTS stated that third-party privacy seals do
not increase trust.
Privacy risks play an important role when considering to accept cloud computing, according to PwC
GTS. Technological interventions are found extremely important by PwC GTS because it is the main
30
Version 4.1
defense against privacy violations. Also, the issue of privacy in the ever growing global and dynamic
environment is being recognized. PwC GTS therefore agrees that ameliorations to law and regulation
are necessary.
According to PwC GTS, technological interventions enhance the trusting relationship.
4.5 Case study 3: I-bridge
I-bridge is the IT shared service centre of three parties: Randstad Nederland, Yacht, and TempoTeam. Basically, I-bridge supports the three organizations in the area of IT. I-bridge is owned by
Randstad Holding. The organization controls 10.000 desktops, and 1100 servers, dispersed over 720
locations.
The definition of cloud computing distinguishes three groups of people. I-bridge sides with the
application and IT users, meaning that they look at cloud computing as ITaaS.
I-bridge considers implementing virtual desktops for the clients. This means that all their applications
will be delivered over a private network. Data will be stored on centralized data centers. This can be
compared with cloud computing, however not the public cloud is being used but a private cloud is
being developed.
Although this implies not the delivery of computing by the cloud – as defined for this research project
–, it does imply that I-bridge has considered the Internet as an option for the delivery of their
computing facilities.
4.5.1 Key findings
Trust is a major issue when considering to accept cloud computing. However, I-bridge will never trust
any cloud computing provider. That is one of the reasons I-bridge choose not to adopt cloud
computing for their organization. When asked to rank the trust-building interventions in order of
importance with 1 as most important, the interviewee indicated a good reputation as most
important. Interaction with you as a customer is ranked second. A privacy policy is found third, but
the interviewee has doubts on whether a privacy policy alone will increase trust. The presence of
links to other sites is not found important because it does not increase trust in the opinion of Ibridge. Third-party privacy seals are not known to I-bridge and are therefore found least important.
31
Version 4.1
I-bridge agrees that privacy risks have an impact on the adoption of cloud computing for the reason
that you hand over the control over the privacy sensitive information to another party. Technological
interventions are essential to reduce privacy risks. According to I-bridge, all privacy risks can be
covered by technological interventions. I-bridge does not support the statement that amelioration to
law and regulation are needed, for the reason that it can never be realized to find an agreement
between all nations in the world and have them implement similar law and regulation.
I-bridge expects technological interventions increase trust in the cloud computing provider.
However, the cloud computing provider will have to prove, on a regular basis, it complies with its
own technological interventions.
32
Version 4.1
Chapter 5
Conclusions
The objective of this research project has been formulated in section 1.1, and reads: ‘to provide
insight on the effects of perceived privacy risks and trusting beliefs on the adoption of cloud
computing in general, and to examine trust enhancing, and privacy risk reducing interventions to
encourage the adoption of cloud computing.’ Derived from the research objective, the research
question was formulated as: ‘What is the impact of perceived privacy risks and trusting beliefs on the
adoption of cloud computing, and what interventions are useful to encourage the adoption of cloud
computing?’. To answer the research question, hypotheses were formulated during the literature
review. These hypotheses were tested using case studies.
In this chapter, the results on the hypotheses are presented, the main research question is answered,
limitations of the research project are indicated, and directions for further research are given.
5.1 Results on the hypotheses
Figure 5.1 presents the research model. The arrows that represent the hypotheses are coloured
according to the findings. A green arrow means the hypothesis is being supported, a red arrow
means that the hypothesis is being supported by literature but (one of) the case studie(s) does not
support the hypothesis.
Trust
Privacy policies
H1a
Third party privacy seals
H1b
Reputation building
H1c
Interaction with
customers
H1d
Links to other sites
H1e
H1
H3
Technology Acceptance Model
Perceived Usefulness
Technological
interventions
Intended use
Actual Use
H2a
Perceived Ease of Use
Ameliorations to
law and regulation
H2
H2b
Privacy
Figure 5.1: Results on the research model
33
Version 4.1
H1
H1a
H1b
H1c
H1d
H1e
1
2
1
2
1
2
1
2
1
2
1
2
CEVA Logistics
S
NA
S
S
U
NA
S
S
S
S
S
NA
PwC GTS
S
NA
S
S
U
NA
S
S
S
S
U
NA
I-bridge
S
NA
S
NA
U
NA
S
NA
S
NA
U
NA
Table 5.1: Cross case conclusions – Hypotheses on trust
Explanation of table 5.1, 5.2, and 5.3:
The appliance of the triangulation principle is visible in the tables. In these tables, every
hypothesis received a ‘1’ and a ‘2’. The ‘1’ indicates evidence source 1 (interviews), the ‘2’
indicates the second evidence source (documents and/or observations). For each case it is
indicated whether evidence source 1 and 2 either support or does not support the
hypothesis, or whether no evidence was available. In the analysis of the findings of the case
studies, both evidence sources are considered of equal importance.
In line with Gefen et al. (Gefen et al., 2003), it can be concluded that trust in the cloud computing
provider increases the probability that the client will gain the expected benefits of cloud computing,
and thus the perceived usefulness of cloud computing is being increased. Following the line of the
TAM, this means that trust in the cloud computing provider has a positive impact on the intended
use of cloud computing.
Literature provides some trust-building interventions. It is hypothesized that these interventions
increase trust, and therefore also have a positive effect on the perceived usefulness of cloud
computing. However, it can be concluded that not all interventions increase trust. None of the cases
was aware of the existence of third party privacy seals. Hence, third party privacy seals do not have a
positive effect on the perceived usefulness of cloud computing and accordingly do not have an
impact on the intended use of cloud computing. This also applies to the trust-building intervention
‘links to other sites’. Although provided by literature and supported by one of the cases, there is not
enough evidence to conclude that links to other sites have a positive effect on the perceived
usefulness of cloud computing. Privacy policies, reputation building, and interaction with customers
are the trust-building interventions that are being supported by both literature and the case studies.
Hence, it can be concluded that these three trust-building interventions have a positive effect on the
perceived usefulness of cloud computing and, following the line of the TAM, have a positive effect on
the intended use of this technology.
34
Version 4.1
H2
H2a
H2b
1
2
1
2
1
2
CEVA Logistics
S
S
S
S
S
NA
PwC GTS
S
S
S
S
S
NA
I-bridge
S
NA
S
NA
U
NA
Table 5.2: Cross case conclusions – Hypotheses on privacy
According to literature, privacy has a positive effect on the perceived usefulness of other
technologies. In line with this, it was hypothesized that privacy also has a positive effect on the
perceived usefulness of cloud computing. The case studies support a univocal positive result on this
hypothesis. It is therefore concluded that informational privacy has a positive effect on the perceived
usefulness of cloud computing, and thus on the intended use of cloud computing.
The privacy risk reducing interventions that are being provided by literature should reduce the
privacy risks and thus have a positive effect on the perceived usefulness of cloud computing. Both
privacy-risk reducing interventions identified in literature are supported by the cross case
conclusions. Therefore it is concluded that both technological interventions and ameliorations to law
and regulation have a positive effect on the perceived usefulness of cloud computing and thus on the
intended use of cloud computing.
H3
1
2
CEVA Logistics
S
NA
PwC GTS
S
NA
I-bridge
S
NA
Table 5.3: Cross case conclusions –
Hypothesis on trust and privacy
Literature states that privacy interventions are essential in building trust. All the interviewees of the
three cases agree that privacy risk reducing interventions have a positive effect on trust.
Unfortunately, none of the cases was able to provide a second source of evidence to support this the
hypothesis. However, for the reason that the interviewees are univocal, it is concluded that privacy
risk reducing interventions have a positive effect on trust.
5.2 Answer to the research question
Since the results on the hypotheses are known, the research question can now be answered. The
research question has been derived from the research objective, and is formulated as:
35
Version 4.1
What is the impact of perceived privacy risks and trusting beliefs on the adoption of cloud
computing, and what interventions are useful to encourage the adoption of cloud
computing?
The results on the hypotheses support that there is a connection between perceived privacy risks
and trusting beliefs, and the adoption of cloud computing. Perceived privacy risks have a negative
effect on the adoption of cloud computing, trusting beliefs have a positive effect on the adoption of
cloud computing.
Literature provides both trust-building interventions and privacy risk reducing interventions. Privacy
policy, reputation building, and interaction with customers are trust-building interventions that are
found useful in encouraging the adoption of cloud computing. Technological interventions and
ameliorations to law and regulation are privacy risk reducing and are also useful in encouraging the
adoption of cloud computing. Some discussion can be held on whether ameliorations to law and
regulation are realizable. One of the cases did not support hypothesis H2b (Ameliorations to law and
regulation have a positive effect on the intended use of cloud computing) for the reason that he
doubts that ameliorations to law and regulation can be made in the real world. Whether or not this
interventions are realizable, is out of scope for this research project.
5.3 Limitations and future research
This research project is not without limitations. This study focuses only on the constructs of trust and
perceived privacy risks. However, other risk considerations could possibly have an impact on the
adoption of cloud computing. Examples are performance risks, financial risks, and social risks. The
impact of these constructs is to be studied in future research.
With regard to trust, the focus of this study is on three trusting beliefs which are found most
important by McKnight et al. (McKnight et al., 2002). Although these trusting beliefs are most
important, other trusting beliefs – such as predictability, openness, carefulness, and attraction
(McKnight et al., 2002) – should be considered in future research.
More case studies increase the faithfulness of the findings (Yin, 2003). The findings of this research
project could be strengthened when more case studies are conducted. In future research, more cases
could be studied and a distinction cloud be made between small and medium enterprises (SME) and
large organizations.
36
Version 4.1
Bibliography
Ackerman, M.S., Cranor, L.F. and Reagle, J. Privacy in E-Commerce: Examining User Scenarios and
Privacy Preferences. ACM Conference on Electronic Commerce. P. 1 – 8. 1999
Adams, D.A., Nelson, R.R. and Todd, P.A. Perceived Usefulness, Ease of Use, and Usage of
Information Technology: A Replication. MIS Quarterly. Vol. 16, No. 2, P. 227 – 247. June 1992
Ajzen, I. and Fishbein, M. Understanding Attitudes and Predicting Social Behavior. Prentice-Hall. 1980
Amazon Elastic Compute Cloud (Amazon EC2). Consulted September 21, 2009
http://aws.amazon.com/ec2/
Antonopoulos, A. Privacy, security issues darken cloud computing. Network World. Vol. 25, No. 37, P.
25. September 22, 2008
Apollo Investment Corporation. Consulted October 9, 2009
http://www.apolloic.com/public/home.asp
Arnold, S. Cloud Computing and the issue of privacy. KM World. Vol. 17, No. 7, P. 14 – 22. July/August
2008
Association for Information Systems. Qualitative Research in Information Systems. Consulted August
20, 2009
http://www.qual.auckland.ac.nz/
Berg, J., Dickhaut, J. and McCabe, K. Trust, Reciprocity, and Social History. Games and economic
behavior. Vol. 10, No. 1, P. 122 – 142. 1995
Bertino, E., Paci, F., Ferrini, R. and Shang, N. Privacy-preserving Digital Identity Management for
Cloud Computing. IEEE Computer Society. 2009
Bigley, G.A. and Pearce, J.L. Straining for shared meaning in organization science: problems of trust
and distrust. Academy of Management Review. Vol. 23, P. 405 – 421. 1998
Blumberg, B., Cooper, D.R., and Schindler, P.S. Business Research Methods. McGraw-Hill Education.
2nd revised edition. April 2008
37
Version 4.1
Borking, J., Koorn, R., Gils, H. van, Hart, J. ter, Overbeek, P. and Tellegen, R. Privacy Enhancing
Technologies: Witboek voor beslissers. Ministerie van Binnenlandse Zaken en
Koninkrijksrelaties. December 2004
http://www.cbpweb.nl/downloads_technologie/Witboek_PET.pdf
Bruening, P.J. and Treacy, B.C. Privacy & Security Law Report: Privacy, Security Issues Raised by Cloud
Computing. The Bureau of National Affairs. 2009
Buyya, R., Yeo, C.S., Venugopal, S., Broberg, J. and Brandic I. Cloud computing and emerging IT
platforms: Vision, hype, and reality for delivering computing as the 5th utility. Future
Generation Computer Systems. Vol. 25, P. 599 – 616. 2009
Caudill, E.M. and Murphy, P.E. Consumer Online Privacy: Legal and Ethical Issues. Journal of Public
Policy & Marketing. Vol. 19, No. 1, P. 7 – 19. 2000
CEVA Logistics. CEVA Logistics is a Leading Global Logistics Company. Consulted October 8, 2009
http://www.nl.cevalogistics.com/
College Bescherming Persoonsgegevens. Contouren voor Compliance: Handreiking bij het Raamwerk
Privacy Audit. May 24, 2005
http://www.cbpweb.nl/indexen/ind_wetten_zelfr_compliance_hrpa.shtml
Cook, D.P. and Luo, W. The Role of Third-Party Seals in Building Trust Online. E-Service Journal. Vol. 2,
No. 3, P. 71 – 84. 2003
Council Directive 95/46/EC of the European Parliament and on the Council: on the protection of
individuals with regard to the processing of personal data and on the free movement of such
data. OJ, L281, P. 31 – 50. 1995
http://www.dataprotection.ie/viewdoc.asp?DocID=92
Culnan, M.J. and Bies, R.J. Consumer Privacy: Balancing Economic and Justice Considerations. The
Journal of Social Issues. Vol. 59, No. 4, P. 323 – 342. 2003
Cunningham, S. The Major Dimensions of Perceived Risk (Part of “Risk Taking and Information
Handling in Consumer Behavior” by Cox, D.F.). Harvard University Press. 1967
Daedalus & Icarus Page. Consulted October 2, 2009
http://thanasis.com/icarus.htm
38
Version 4.1
Data Protection Act 1998 (c. 29). Consulted September 6, 2009
http://www.opsi.gov.uk/acts/acts1998/ukpga_19980029_en_1
Davis, F.D. A Technology Acceptance Model for Empirically Testing New End-User Information
Systems: Theory and Results. Doctoral dissertation, MIT Sloan School of Management,
Cambridge. 1986
Davis, F.D., Bagozzi, R.P. and Warshaw, P.R. User Acceptance of Computer Technology: A Comparison
of Two Theoretical Models. Management Science. Vol. 35, P. 982 – 1003. August 1989
Deen, V. Hoe veilig is de cloud? Infoworld, de website voor ICT-management. August 28, 2009.
http://www.infoworld.nl/web/Artikel/Hoe-veilig-is-de-cloud2.htm
Edwards, J. Cutting Through the Fog Of Cloud Security. Computerworld. Vol. 43, No. 8, P. 26 – 29.
February 23, 2009
Engates, J. Een praktisch Cloud-verhaal. Infoworld, de website voor ICT-management. July 10, 2009
http://www.infoworld.nl/web/Artikel/Een-praktisch-Cloud-verhaal.htm?page=2
Featherman, M.S. and Pavlou, P.A. Predicting e-service adoption: a perceived risk facets perspective.
International Journal of Human-Computer Studies. Vol. 59, P. 451 – 474. March 31, 2003
Fombrun, C.J. Reputation: Realizing Value from the Corporate Image. Harvard Business School Press.
1996
Friedman, B., Kahn, P.H. and Howe, D.C. Trust Online. Communications of the Association for
Computing Machinery. Vol. 43, No. 12, P. 34 – 40. December 2000
Gefen, D. and Straub, D.W. Gender Differences in the Perception and Use of E-Mail: An Extension to
the Technology Acceptance Model. MIS Quarterly. Vol. 21, No. 4, P. 389 – 400. December
1997
Gefen, D. and Straub, D.W. The Relative Importance of Perceived Ease of Use in IS Adoption: A Study
of E-Commerce Adoption. Journal of the Association for Information Systems. Vol. 1. October
2000
Gefen, D., Karahanna, E. and Straub, D.W. Trust and TAM in Online Shopping: An Integrated Model.
MIS Quarterly. Vol. 27, No. 1, P. 51 – 89. March 2003
39
Version 4.1
Gefen, D. and Pavlou, P.A. Building Effective Online Marketplaces with Institution-Based Trust.
Information Systems Research. Vol. 15, No. 1, P. 37 – 59. March 2004
Greenberg, A. Cloud Computing’s Stormy Side. Forbes.com – Business news, Financial news, Stock
Market Analysis, Technology & Global Headline. February 19, 2008.
http://www.forbes.com/2008/02/17/web-application-cloud-tech-intelcx_ag_0219cloud.html
Hell, M. Amerikanen zijn bezorgd over cloud computing. Webwereld, altijd het laatste ICT-nieuws.
September 15, 2008.
http://webwereld.nl/nieuws/52739/-amerikanen-zijn-bezorgd-over-cloud-computing-.html
Hoffman, D.L., Novak, T.P. and Peralta, M. Building Con Trust Online. Communications of the
Association for Computing Machinery. Vol. 42, No. 4, P. 80 – 85. April 1999
IEEE – the world’s leading professional association for the advancement of technology. Consulted
September 5, 2009
http://www.ieee.org
Igbaria, M., Guimaraes, T. and Davis, G.B. Testing the Determinants of Microcomputer Usage via a
Structural Equation Model. Journal of Management Information Systems. Vol. 11, No. 4, P. 87
– 114. 1995
Information Commissioner’s Office. Data Protection Guidance Note: Privacy enhancing technologies
(PETs). March 29, 2007
James, T., Pirim, T., Boswell, K., Reithel, B. and Barkhi, R. Determining the Intention to Use Biometric
Devices: An Application and Extension of the Technology Acceptance Model. Journal of
Organizational and End User Computing. Vol. 18, No. 3. 2006
Jarvenpaa, S.L., Tractinsky, N. and Vitale, M. Consumer trust in an Internet store. Information
Technology and Management. Vol. 1, No. 1, P. 45 – 71. 2000
Karjoth, G. and Schunter, M. A Privacy Policy Model for Enterprises. IEEE Computer Society. 2002
Kim, A., Hoffman, L.J. and Martin, C.D. Building Privacy into the Semantic Web: An Ontology Needed
Now. Position Paper. 2002
40
Version 4.1
Koetsier, M. Helft bedrijven vindt cloud computing gebakken lucht. Webwereld, altijd het laatste ICTnieuws. March 12, 2009.
http://www2.webwereld.nl/nieuws/56336/helft-bedrijven-vindt-cloud-computing-gebakkenlucht.html
Koorn, R.F. and Hart, J. ter. Privacy: van organisatorisch beleid naar Privacy Enhancing Technologies.
Compact: computer en accountant. Vol. 31, No. 3, P. 15 – 22. 2004
Koufaris, M and Hampton-Sosa, W. Customer Trust Online: Examining the Role of the Experience
with the Web Site. Zicklin School of Business, Baruch College. May 2002
Kramer, R.M. The Sinister Attribution Error: Paranoid Cognition and Collective Distrust in
Organizations. Motivation and Emotion. Vol. 18, No. 2, P 199 – 230. 1994
Lederer, A.L., Maupin, D.J., Sena, M.P. and Zhuang, Y. The technology acceptance model and the
World Wide Web. Decision Support Systems. Vol. 29, Nr. 3, P. 269 – 282. October 2000
Lin, G., Fu, D., Jinzy, Z. and Dasmalchi, G. Cloud Computing: IT as a Service. IT Professional Magazine.
Vol. 11, No. 2, P. 10 – 13. March/April 2009
Martin, P.Y.; Turner, B.A. Grounded Theory and Organizational Research. The journal of Applied
Behavioral Science. Vol. 22, Nr. 22, Pag. 141-157. 1986
Mayer, R.C., Davis, J.H. and Schoorman, F.D. An Integrative Model of Organizational Trust. Academy
of Management Review. Vol. 20, No. 3, P. 709 – 734. 1995
McKnight, D.H., Cummings, L.L. Chervany, N.L. Initial Trust Formation in New Organizational
Relationships. The Academy of Management Review. Vol. 23, No. 3, P. 473 – 490. July 1998
McKnight, D.H. and Chervany, N. L. What Trust Means in E-Commerce Customer Relationships: An
Interdisciplinary Conceptual Typology. International Journal of Electronic Commerce. Vol. 6,
No. 2, P. 35 – 59. 2002
McKnight, D.H., Choudhury, V. and Kacmar, C. Developing and Validating Trust Measures for eCommerce: An Integrative Typology. Information Systems Research. Vol. 13, No. 3, P. 334 –
361. September 2002
Mei, L., Chan, W.K. and Tse, T.H. A Tale of Clouds: Paradigm Comparisons and Some Thoughts on
Research Issues. IEEE Computer Society. 2008
41
Version 4.1
Miller, M. Cloud Computing: Web-Based Applications That Change the Way You Work and
Collaborate Online. Que Publishing. August 2008
Miller, R. What’s In A Name? Utility vs. Cloud vs Grid. Data Center Knowledge. March 25, 2008.
http://www.datacenterknowledge.com/archives/2008/03/25/whats-in-a-name-utility-vscloud-vs-grid/
Mitchell, R.L. Confidence in the Cloud. Computerworld. Vol. 43, No. 23, P. 28 – 31. July 2009
Mittman, B.S. Qualitative Methods and Rigorous Management Research: (How) Are They
Compatible? Management Research in VA Workshop. November 19-20, 2001
Moody D., Iacob, M.E. and Amrit C. In search of Paradigms: Identifying the Theoretical foundations of
the Information Systems Field. Thirtieth International Conference on Information Systems,
Phoenix, Arizona. 2009
Neill, J. Qualitative Research I – Lecture Notes. July 5, 2006
http://wilderdom.com/OEcourses/PROFLIT/Class6Qualitative1.htm#Obrien
Pearson, S. Taking Account of Privacy when Designing Cloud Computing Services. HP White Paper.
Approved for External Publication. March 6, 2009
Pearson, S. and Charlesworth, A. Accountability as a Way Forward for Privacy Protection in the Cloud.
HP White Paper. Approved for External Publication. August 6, 2009
Perez, S. In Cloud we Trust? ReadWriteWeb – Web apps, Web Technology Trends, Social Networking
and Social Media. January 26, 2009
http://www.readwriteweb.com/enterprise/2009/01/in-cloud-we-trust.php
Rapoport, R.N. Three Dilemmas in Action Research. Human Relations. Vol. 23, No. 6, P. 499 – 513.
1970
Schultz, B. How to buy cloud computing services. Network World. Vol. 26, No. 19, P. 27 – 28. May 18,
2009
Straub, D., Limayem, M. and Karahanna-Evaristo, E. Measuring System Usage: Implications for IS
Theory Testing. Management Science. Vol. 41, No. 8, P. 1328 – 1342. August 1995
Teo, T.S.H., Lim, V.K.G. and Lai R.Y.C. Intrinsic and extrinsic motivation in Internet usage. Omega,
International Journal of Management Science. No. 27, P. 25 – 37. 1999
42
Version 4.1
Urquhart, J. The biggest cloud-computing issue of 2009 is trust. CNET News – Technology news.
January 7, 2009.
http://news.cnet.com/8301-19413_3-10133487-240.html
Venkatesh, V., Morris, M.G., Davis, G.B. and Davis, F.D. User Acceptance of Information Technology:
Toward a Unified View. MIS Quarterly. Vol. 27, No. 3, P. 425 – 478. September 2003
Vouk, M.A. Cloud Computing – Issues, Research and Implementations. Journal of Computing and
Information Technology. No.4, P. 235 – 246. 2008
Welkom bij Google Apps. Consulted September 21, 2009
http://www.google.com/intl/nl/apps/business/index.html
Wailgum, T. Cloud Hype Peaks, But IT Concerns Increase. Computerworld, News, Education &
Headlines. August 26, 2009.
http://www.computerworld.com/s/article/9137166/Cloud_Hype_Peaks_But_IT_Concerns_In
crease
Waxer, C. Can you trust the Cloud? Computerworld. Vol. 43, No. 20, P. 23 – 26. May 2009
World Wide Web Consortium – Web Standards. Consulted September 5, 2009.
http://www.w3.org/
Xu, H., Teo, H.H. and Tan, B.C.Y. Predicting the Adoption of Location-Based Services: The Role of Trust
and Perceived Privacy Risk. Twenty-Sixth International Conference on Information Systems.
2005
Yin, R.K. Case Study Research: Design and Methods (Applied Social Research Methods Series, Volume
5). Sage Publications. 3rd edition. 2003
43
Version 4.1
Appendix A
Previous TAM research
44
Version 4.1
Table A.1: Previous TAM research
(Lederer et al., 2000)
45
Version 4.1
Appendix B
Data collection protocol
This data collection protocol is based on the ‘Table of Content of a Protocol for Conducting Case
Studies’ which is illustrated in the book ‘Case Study Research: Design and Methods’ (Yin, 2003).
1 Introduction
Cloud computing – in this research project – is defined as ‘IT as a Service’. That is, delivery of
computing, storage, and applications over the Internet from centralized data centers.
Well known examples of cloud computing are Amazon EC2 and Google Apps.
The objective of the research project is to provide insight on the effects of perceived privacy risks and
trust on the adoption of cloud computing in general, and to examine trust enhancing, and privacy risk
reducing interventions to encourage the adoption of cloud computing.
1.1 Hypotheses
With regard to trust, the following hypothesis is formulated.
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
With regard to these trust-building interventions, five hypotheses are formulated.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness
of cloud computing.
H1b: The presence of a third party privacy seal will have a positive effect on the perceived
usefulness of cloud computing.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of
cloud computing.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud
computing.
H1e: The presence of links to other sites will have a positive effect on the perceived
usefulness of cloud computing.
With regard to privacy, the following hypothesis is formulated.
46
Version 4.1
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
With regard to these privacy risk reducing interventions, the following hypotheses are formulated.
H2a: Technological interventions, such as PET, have a positive effect on the perceived
usefulness of cloud computing.
H2b: Ameliorations to law and regulation have a positive effect on the intended use
of cloud computing.
The final hypothesis for this research project focuses on the impact of privacy on trust. This results in
the following hypothesis.
H3: Privacy risk reducing interventions have a positive effect on trust.
1.2 Research model
The research model visualizes the hypotheses and the relationship between the entities that are
being used in this research project. The research model is shown in figure B.1.
Figure B.1: The research model
47
Version 4.1
2 Data collection procedures
Data collection procedures include information on the organizations that have participated in the
case studies and on the calendar of the case studies.
2.1 Organizations
Case 1
Organization
CEVA Logistics
Contact
Marc Schmitz
Title
Vice President IS&S Strategy and Governance
Organization
PricewaterhouseCoopers Global Technology Solutions
Contact
Ronald Hunse
Title
IT Manager
Organization
I-bridge
Contact
Kees van Wijk
Title
Manager Operations
Case 2
Case 3
2.2 Calendar
Case 1
Date
09/10/2009
Location
CEVA Logistics
Siriusdreef 20
2132 WT Hoofddorp
The Netherlands
Case 2
Date
14/10/2009
Location
PricewaterhouseCoopers Global Technology Solutions
Newtonlaan 205
3584 BH Utrecht
The Netherlands
48
Version 4.1
Case 3
Date
16/10/2009
Location
I-bridge
Diemermere 25
1112 TC Diemen
The Netherlands
49
Version 4.1
3 Case study questions
Demographics
D1 What is your name?
D2 What is your title?
D3 What is the name of your organization?
D31
Please elaborate on your organization.
Cloud Computing
C1 What is your definition of cloud computing?
Cloud computing can be defined as a nascent business and technology
concept with different meanings for different people. Cloud Computing has a
different meaning for different people. Three groups of people are
distinguished:
-
For application and IT users, cloud computing is IT as a service
(ITaaS). This implies “delivery of computing, storage, and
applications over the Internet from centralized data centers”.
-
For Internet application developers, cloud computing is an “Internetscale software development platform and runtime environment”.
-
For infrastructure providers and administrators, cloud computing is
“the massive, distributed data center infrastructure connected by IP
networks”
C11
What does cloud computing mean for your organization?
C2 When and how did you come into touch with cloud computing?
C3 Why are you considering cloud computing for your organization?
Privacy
P1 Will privacy sensitive information be processed by the cloud computing provider?
P2 What are your privacy concerns with regard to cloud computing?
50
Version 4.1
P21
What is the impact of these privacy concerns when considering cloud computing for
your organization?
P3 Academic literature provides some privacy risk reducing interventions (interventions are
actions that may be taken to provide assurance). Will you check whether the cloud
computing provider has implemented privacy protection measures?
P4 Privacy Enhancing Technologies are all the technologies that exist to protect or enhance
privacy. These technologies are visualized in the PET-ladder:
Is it the implementation of some PET by the cloud computing provider a condition to you
when considering cloud computing for your organization?
P41
How will you check whether the cloud computing provider has implemented
technological interventions?
P42
Do you trust the cloud computing providers they will comply with their own
technological interventions (considering they can make back doors to overrule these
interventions)?
P5 One of cloud computing’s biggest risks arises from its very nature: it allows data to be sent
and stored just about anywhere – even divided among locations around the world. While
data dispersion helps give cloud computing a cost and performance edge, the downside is
that business information can land in storage systems in locales where privacy laws are loose
or even nonexistent.
What are your ideas on this statement?
P51
Do you think that privacy law and regulation will need to change in order to cope
with the dynamic and global environment of cloud computing?
P511
(yes)
What changes are required?
P512
(no)
Why not?
51
Version 4.1
Trust
T1 What role does trust in the cloud computing provider play when considering cloud
computing for your organization?
T11
Do you consider trust in the cloud computing provider important?
T111
(yes)
Why?
T112
(no)
Why?
T2 How can you trust a cloud computing provider when you have no experience with it?
To build trust, cloud computing providers can implement some trust-building
interventions (interventions are actions that may be taken to provide assurance).
Privacy policies
A privacy policy defines what data is collected, for what purpose the data will be
used, whether the enterprise provides access to the data, who are the data
recipients (beyond the enterprise), how long the data will be retained, and who will
be informed in what cases
Third-party privacy seals
Online vendors can participate in a third-party privacy seal program. The operators
of these programs design and advocate a set of standards and principles concerning
privacy. Participating vendors follow these standards and principles. After the vendor
is verified by the third-party seal operator, vendors are allowed to display the privacy
seal
Interacting with customers
Vendors that interact online with its customers should be able to convey to them
that it is benevolent, competent, honest, and/or predictable
Reputation building
A reputation embodies the history of other peoples’ experiences with that service
provider. Good reputations increase credibility, making us more confident that we’ll
really get what we’re promised
Links to other sites
Links to other reputable sites imply that one has good company because one is good
company
52
Version 4.1
T3 Does each of these trust-building interventions increase trust?
T31
Please rank these trust-building interventions in order of importance with 1 as most
important.
1
2
3
4
5
Privacy Policy
o
o
o
o
o
Third-Party Privacy seal
o
o
o
o
o
Interaction with you as a customer
o
o
o
o
o
Good reputation
o
o
o
o
o
Presence of links to other sites
o
o
o
o
o
T4 Will you check whether the cloud computing provider has trust-building interventions in use?
T41
Will you always check the validity of the interventions?
53
Version 4.1
Appendix C
Individual case report: CEVA Logistics
This individual case report is based on the theory building structure. Each chapter encompasses
construct(s) of the research model and elaborates on previous constructs.
First the demographics are elaborated on. Then, a chapter is devoted to cloud computing in general.
Chapter 3, 4, and 5 encompasses the constructs of the research model.
Chapter 1
Demographics
“At CEVA Logistics we look at the world around us a little differently. We see everything through
logistical spectacles. This means that we examine every aspect of a supply chain and ask ourselves:
‘What is it made up of?’ ‘Where did it come from?’ ‘How did it get to where it is?’ ‘Who helped it on
its way?’ And most of all, ‘Can we improve it?’” (CEVA Logistics, 2009)
CEVA Logistics is owned by Apollo Management. Previous of that it was owned by TNT. In 2006
Apollo Management took over TNT Logistics. In 2007 Apollo Management took over EGL Inc. Now,
TNT Logistics and EGL Inc. have been merged to CEVA Logistics.
On the next page, the IS&S Organization structure of CEVA is presented. In this structure, the
interviewee can be localized on the bottom. Marc Schmitz is Vice President IS&S Strategy and
Governance and is responsible for the strategy and governance of IT on the global level.
54
Figure C.1: CEVA – IS&S Organization structure
Global IS&S Strategy & Governance – VP IS&S M Schmitz
Warehouse Management Solutions
Transport Management Solutions
Freight Management Solutions
Back Office Solutions
Governance
Service Management
Americas - Regional VP IS&S - S Slater
Warehouse Management Solutions
Transport Management Solutions
Freight Management Solutions
Back Office Solutions
Governance
Service Management
Asia Pacific - Regional VP IS&S - C Ringuet
Warehouse Management Solutions
Transport Management Solutions
Freight Management Solutions
Back Office Solutions
Governance
Service Management
Southern Europe Middle East Africa – Regional VP IS&S – V Aronica
Warehouse Management Solutions
Transport Management Solutions
Freight Management Solutions
Back Office Solutions
Governance
Service Management
Northern Europe - Regional VP IS&S – J Court
Regional Business Head Responsibility
Project Management
Office
Demand and Supply
Management
Primary interface to
regions
Service Desk
VP IS&S Chapman (a.i.)
Service
Management
Application Architecture
Applications
Development Support
VP IS&S F Hoedeman
Applications
Delivers all infrastructure and telecommunications services
worldwide both in source
and outsourced
VP IS&S J Downs
Infrastructure
CIO Direct Responsibility (P Dew)
Version 4.1
55
Version 4.1
Chapter 2
Cloud Computing
CEVA Logistics keeps track of new technologies using the internal technology radar. The technology
radar of July 2009 is presented in figure C.2.
Figure C.2: CEVA’s technology radar of July 2009
The technology radar visualizes all new technologies that might be of interest to CEVA. The
technologies are ordered in the different wedges of the radar that they apply to. If a technology can
not be ordered in one of the wedges, or the technology covers all wedges, it is placed in the last
wedge: ‘Various Technologies & Concepts’ (on the right side of the radar). The technologies get a
symbol indicating the business value of the technology for CEVA Logistics. The closer the technology
gets to the core of the radar, the closer it gets to being adopted by the organization. Cloud
computing is recorded in the technology radar since July 2008.
CEVA Logistics uses the following definition of cloud computing: “Cloud computing is a style of
computing in which dynamically scalable and often visualized resources are provided as a service
over the internet. Users need not have knowledge of, experience in, or control over the technology
56
Version 4.1
infrastructure in the “cloud” that supports them. The concept generally incorporates combinations of
the following: infrastructure as a service (IaaS), platform as a service (PaaS), software as a service
(SaaS).”
This definition has a lot of similarities with the definition that is being used for the research project.
The definition of cloud computing – as presented in chapter 2 of the master thesis – distinguishes
three groups of people. For each group of people, cloud computing has a different meaning. The
three groups of people are:
-
Application and IT users. For them, cloud computing is IT as a service (ITaaS). This implies
“delivery of computing, storage, and applications over the Internet from centralized data
centers”.
-
Internet application developers. For this group, cloud computing is an “Internet-scale
software development platform and runtime environment”.
-
Infrastructure providers and administrators. For them, cloud computing is “the massive,
distributed data center infrastructure connected by IP networks”
CEVA Logistics sides with the application and IT users, meaning that they look at cloud computing as
ITaaS.
CEVA Logistics already applies the concept of cloud computing: SaaS. One of their applications – their
Customer Relationship Management (CRM) system – is being delivered over the Internet. The data of
this system is stored in a centralized data center owned by the provider.
Next to that, CEVA Logistics is also considering to transport their software development activities to
the cloud, and to decrease the number of own data centers by letting a cloud computing provider
deliver this service.
57
Version 4.1
Chapter 3
Construct: Privacy
This chapter elaborates on the constructs that have a correlation with privacy and discusses the
hypotheses H2, H2a, and H2b:
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
H2a: Technological interventions, such as PET, have a positive effect on the perceived
usefulness of cloud computing.
H2b: Ameliorations to law and regulation have a positive effect on the intended use
of cloud computing.
3.1 Privacy
P1 Will privacy sensitive information be processed by the cloud computing provider?
Since CEVA Logistics already applies the concept of cloud computing, this question is easily
answered. Their CRM system (delivered over the Internet: SaaS) contains privacy sensitive
information of all clients and potential clients.
P2 What are your privacy concerns with regard to cloud computing?
The greatest privacy concern is loss of the privacy sensitive data, and with it the damage to
the reputation of CEVA Logistics. However, the privacy concerns were not found equal to the
advantages, and thus the choice to adopt cloud computing was made for their CRM system.
58
Version 4.1
P3 Academic literature provides some privacy risk reducing interventions (interventions are actions
that may be taken to provide assurance). Will you check whether the cloud computing provider has
implemented privacy protection measures?
According to the interviewee, every organization who is considering cloud computing, is
aware of the privacy risks of cloud computing. Cloud computing providers therefore use
privacy risk reducing interventions as a sales pitch.
P4 Privacy Enhancing Technologies are all the technologies that exist to protect or enhance privacy.
These technologies are visualized in the PET-ladder. Is it the implementation of some PET by the
cloud computing provider a condition to you when considering cloud computing for your
organization?
The cloud computing provider must have implemented PET when knowing that privacy
sensitive information will be processed by the provider. The cloud computing provider has to
prove this. It is possible to get assurance by asking for a SAS70 certificate. This certificate is
provided to the provider when it is audited by a third party. However, CEVA Logistics did not
ask for such a certificate.
P5 One of cloud computing’s biggest risks arises from its very nature: it allows data to be sent and
stored just about anywhere – even divided among locations around the world. While data dispersion
helps give cloud computing a cost and performance edge, the downside is that business information
can land in storage systems in locales where privacy laws are loose or even nonexistent. What are
your ideas on this statement?
It is a risk when your privacy sensitive information is stored in a country where no privacy law
is in place, or where the laws are deviant from ours. Also, law and regulation of different
countries are too vague. To CEVA Logistics it is important that ameliorations to law and
regulation are made to cope with the dynamic and global environment of cloud computing.
In the meanwhile, CEVA Logistics started their own project to try to solve the issue of
processing privacy sensitive information in the global environment. They created a list of so
called ‘safe harbours’. Safe harbours are nations that can be trusted with regard to the
processing of privacy sensitive information.
3.2 Findings
Privacy risks also played a role to CEVA Logistics when they considered SaaS for their CRM system:
the data stored in a CRM system is privacy sensitive information. For the other cloud computing
concepts they are considering, privacy risks are also a big issue. Disclosure of privacy sensitive data is
their greatest privacy concern.
59
Version 4.1
To ensure the cloud computing provider processes the privacy sensitive information in a ‘good’
manner, CEVA Logistics produced their own privacy policy to their cloud computing provider. Audits
make sure the provider complies with the privacy policy of CEVA Logistics.
According to the interviewee, every organization which is considering cloud computing, is aware of
the privacy risks of cloud computing. Cloud computing providers therefore use privacy risk reducing
interventions as a sales pitch.
Technological interventions
The implementation of some privacy enhancing technologies is a ‘must’ to CEVA Logistics. If
the cloud computing provider can not guarantee a certain level of privacy by using
technological interventions, the provider will certainly not be chosen. The level of privacy
that is being required depends on the sensitivity of the data that is being processed.
Ameliorations to law and regulation
CEVA Logistics has appointed a compliance officer for the understanding of the laws and
regulation of the different nations that CEVA Logistics is active in. This compliance officer also
contemplates the different privacy laws. However, the interviewee recognizes this does not
solve or reduces the complexness of the issue. Hence, he agrees that ameliorations to law
and regulation are necessary to cope with the globalization.
CEVA Logistics started their own project to try to solve the issue of processing privacy
sensitive information in the global environment. They created a list of so called ‘safe
harbours’. Safe harbours are nations that can be trusted with regard to the processing of
privacy sensitive information.
60
Version 4.1
Chapter 4
Construct: Trust
This chapter elaborates on the constructs that have a correlation with trust and discusses the
hypotheses H1, H1a, H1b, H1c, H1d, and H1e:
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness
of cloud computing.
H1b: The presence of a third party privacy seal will have a positive effect on the perceived
usefulness of cloud computing.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of
cloud computing.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud
computing.
H1e: The presence of links to other sites will have a positive effect on the perceived
usefulness of cloud computing.
4.1 Trust
T1 What role does trust in the cloud computing provider play when considering cloud computing for
your organization?
CEVA Logistics considers trust to be of vital concern when adopting cloud computing. Their
CRM system contains a lot of privacy sensitive information. Hence, CEVA Logistics required a
trusting relationship with the concerning cloud computing provider before the provider could
process any information of CEVA Logistics.
61
Version 4.1
T2 How can you trust a cloud computing provider when you have no experience with it?
The cloud computing provider has to convince you as a customer that you can trust him. In
the case of CEVA Logistics, the provider used some of the interventions that have been
identified during the literature review.
T3 Does each of these trust-building interventions increase trust?
When asked to rank the trust-building interventions in order of importance with 1 as most
important, a good reputation of the provider was found most important, followed by the
privacy policy. Interactions with you as a customer mainly provided basis for the good
reputation and is therefore selected as third most important. The presence of links to other
sites takes precedence over third-party privacy seals because this last trust-building
intervention was unknown to CEVA Logistics.
1
2
3
4
5
Privacy Policy
o
•
o
o
o
Third-Party Privacy seal
o
o
o
o
•
Interaction with you as a customer
o
o
•
o
o
Good reputation
•
o
o
o
o
Presence of links to other sites
o
o
o
•
o
4.2 Findings
CEVA Logistics considers trust to be of vital concern when adopting cloud computing. Their CRM
system contains a lot of privacy sensitive information. Hence, CEVA Logistics required a trusting
relationship with the concerning cloud computing provider before the provider could process any
information of CEVA Logistics.
In order to accomplish this trusting relationship, CEVA Logistics made use of some of the trustbuilding interventions. Presented below are the trust-building interventions found in literature. For
each of the interventions, it is indicated whether CEVA Logistics and/or their provider made use of it.
Privacy policies
The privacy policy of the cloud computing provider has been compared with the privacy
policy of CEVA Logistics. Since it is audited whether the provider complies with the privacy
policy, this greatly increases trust.
Third-party privacy seals
CEVA Logistics was not aware of the existence of third-party privacy seals. Hence, this trustbuilding intervention did not have any effect in accomplishing a trusting relationship.
62
Version 4.1
Interacting with customers
A lot of contact between CEVA Logistics and the cloud computing provider preceded the
contract between the parties. This interaction provided the main basis for the trusting
relationship.
Reputation building
The interactions mentioned above, had an effect on the way CEVA Logistics viewed the cloud
computing provider; it increased the reputation of the cloud computing provider.
Links to other sites
Links to other sites are not important to CEVA Logistics in relation to the other trust-building
interventions.
63
Version 4.1
Chapter 5
Constructs: Trust and privacy
The final hypothesis for this research project focuses on the impact of privacy on trust. This results in
the following hypothesis.
H3: Privacy risk reducing interventions have a positive effect on trust.
In the case of CEVA Logistics, the technological interventions had a positive effect on the trusting
relationship between CEVA Logistics and the cloud computing provider.
64
Version 4.1
Appendix D
Individual case report: PricewaterhouseCoopers Global Technology Solutions
This individual case report is based on the theory building structure. Each chapter encompasses some
construct(s) of the research model and elaborates on previous constructs.
First the demographics are elaborated on. Then, a chapter is devoted to cloud computing in general.
Chapter 3, 4, and 5 encompasses the constructs of the research model.
Chapter 1
Demographics
PricewaterhouseCoopers Global Technology Solutions (PwC GTS) is the department of PwC that is
responsible for all hardware and software and the support of these facilities. The three main
activities of PwC GTS are:
-
Business Management Team
The business management team is the main communication channel of PwC GTS with the
rest of PwC.
-
Standards & Application Services
Standards and application services is responsible for the construction of new software and
the implementation of new software.
-
Operations
Operations focuses on solving incidents and problems of hardware and software.
The organization chart of PricewaterhouseCoopers Global Technology Solutions (PwC GTS) is
presented in figure D.1
65
Version 4.1
Figure D.1: PwC GTS Organization Chart
The interviewee operates in the ‘Standards & Application Services’ department. He was part of the
team that selected Service-now as the cloud computing provider.
66
Version 4.1
Chapter 2
Cloud Computing
In august 2007, PwC GTS started with the selection of a software package for a Human Relationship
Management (HRM) system. Their longlist contained twenty software vendors. This list was reduced
to seven vendors on the shortlist. One of these remaining vendors was Service-now. Service-now is a
platform that provides SaaS. PwC GTS applies the SaaS solution for their HRM system. Service-now is
the provider of this solution and delivers the solution over the Internet. The data is stored in a
centralized data center of Service-now in the Netherlands.
In July 2008, PwC was able to use the SaaS solution.
The definition of cloud computing – as presented in chapter 2 of the master thesis – distinguishes
three groups of people. For each group of people, cloud computing has a different meaning. The
three groups of people are:
-
Application and IT users. For them, cloud computing is IT as a service (ITaaS). This implies
“delivery of computing, storage, and applications over the Internet from centralized data
centers”.
-
Internet application developers. For this group, cloud computing is an “Internet-scale
software development platform and runtime environment”.
-
Infrastructure providers and administrators. For them, cloud computing is “the massive,
distributed data center infrastructure connected by IP networks”
PwC GTS sides with the application and IT users, meaning that they look at cloud computing as ITaaS.
The reason for PwC GTS to apply the concept of cloud computing – and in particular SaaS – are the
benefits of easy and global access and the cost-saving benefits.
67
Version 4.1
Chapter 3
Construct: Privacy
This chapter elaborates on the constructs that have a correlation with privacy and discusses the
hypotheses H2, H2a, and H2b:
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
H2a: Technological interventions, such as PET, have a positive effect on the perceived
usefulness of cloud computing.
H2b: Ameliorations to law and regulation have a positive effect on the intended use
of cloud computing.
3.1 Privacy
P1 Will privacy sensitive information be processed by the cloud computing provider?
PwC GTS already makes use of cloud computing for their HRM system. This system processes
privacy sensitive information and therefore privacy risks are considered of paramount
importance.
This is also one of the main reasons why PwC GTS agreed with Service-now to store their data
in a data center in the Netherlands
P2 What are your privacy concerns with regard to cloud computing?
Loss of data is the greatest privacy concern to PwC GTS.
68
Version 4.1
P3 Academic literature provides some privacy risk reducing interventions (interventions are actions
that may be taken to provide assurance). Will you check whether the cloud computing provider has
implemented privacy protection measures?
Whether the cloud computing provider has implemented privacy protection measures was
checked when they choose to accept to use cloud computing. Ameliorations to some of the
measures were made.
P4 Privacy Enhancing Technologies are all the technologies that exist to protect or enhance privacy.
These technologies are visualized in the PET-ladder. Is it the implementation of some PET by the
cloud computing provider a condition to you when considering cloud computing for your
organization?
As said before, to presence of these PET were checked and ameliorations were made to
these interventions. The presence of these PET is surely a condition when considering cloud
computing, for the reason that you give a third party access to your privacy sensitive
information.
You have to trust your provider, but there are measures that can help. For example, PwC GTS
agreed on a Service Level Agreement (SLA) with their provider.
P5 One of cloud computing’s biggest risks arises from its very nature: it allows data to be sent and
stored just about anywhere – even divided among locations around the world. While data dispersion
helps give cloud computing a cost and performance edge, the downside is that business information
can land in storage systems in locales where privacy laws are loose or even nonexistent. What are
your ideas on this statement?
PwC GTS agrees that there is an issue of privacy in the ever growing global and dynamic
environment. It would be good to tune the different national privacy laws with each other.
PwC recognized the issue when they were considering SaaS for their HRM system: Servicenow is a provider that has most of it clients in the United States of America (USA). The
privacy law of the USA is very different when compared with European privacy laws. That is
why PwC GTS decided to store their data in a data center in the Netherlands.
3.2 Findings
Privacy risks played an important part to PwC GTS when they considered Service-now as their
provider for their HRM system. The HRM system processes privacy sensitive information and
therefore privacy risks are considered of paramount importance.
To ensure Service-now processes the privacy sensitive information in a ‘good’ manner, PwC GTS and
Service-now agreed on a SLA. In this SLA, agreements are recorded on the way the privacy sensitive
information has to be processed and secured.
69
Version 4.1
PwC GTS was aware of the privacy risks when they considered the cloud computing solution for their
HRM system. The interventions of the provider were therefore checked and tailored to the specific
requirements of PwC.
Technological interventions
The technological interventions of the provider were checked and tailored to the specific
needs of PwC. The interventions provided by Service-now were found extremely important
because it is the main defense against privacy violations.
Ameliorations to law and regulation
PwC GTS recognized the issue of privacy in the ever growing global and dynamic
environment. The interviewee agrees that ameliorations to law and regulation are necessary.
The different national privacy laws need to be better tuned with each other.
PwC recognized the issue when they were considering SaaS for their HRM system: Servicenow is a provider that has most of it clients in the United States of America (USA). The
privacy law of the USA is very different when compared with European privacy laws. That is
why PwC GTS decided to store their data in a data center in the Netherlands.
70
Version 4.1
Chapter 4
Construct: Trust
This chapter elaborates on the constructs that have a correlation with trust and discusses the
hypotheses H1, H1a, H1b, H1c, H1d, and H1e:
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness
of cloud computing.
H1b: The presence of a third party privacy seal will have a positive effect on the perceived
usefulness of cloud computing.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of
cloud computing.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud
computing.
H1e: The presence of links to other sites will have a positive effect on the perceived
usefulness of cloud computing.
4.1 Trust
T1 What role does trust in the cloud computing provider play when considering cloud computing for
your organization?
Trust played an important role when PwC GTS considered cloud computing, for the reason
that you hand over privacy sensitive information to a third party. However, trust was not
found enough. Therefore, PwC GTS agreed on a SLA with their provider.
T2 How can you trust a cloud computing provider when you have no experience with it?
The founder of Service-now is an acquaintance of an employee of PwC GTS. PwC GTS knew
who they were dealing with.
71
Version 4.1
T3 Does each of these trust-building interventions increase trust?
When asked to rank the trust-building interventions in order of importance with 1 as most
important, interactions were appointed as most important. A good reputation was
considered second, and the privacy policy was selected as third most important. The
presence of links to other sites was found not important, but did not end last for the reason
that third-party privacy seals were unknown.
1
2
3
4
5
Privacy Policy
o
o
•
o
o
Third Party Privacy seal
o
o
o
o
•
Interaction with you as a customer
•
o
o
o
o
Good reputation
o
•
o
o
o
Presence of links to other sites
o
o
o
•
o
4.2 Findings
“When you let another party process and store your privacy sensitive information, you have to trust
the other party”. This was said by the interviewee of PwC GTS during the interview. It shows that
trust is essential when adopting cloud computing.
Trust in the provider, as mentioned in section 4.1, has been accomplished by some of the trustbuilding interventions that are recognized during the literature review. Presented below are the
trust-building interventions found in literature. For each of the interventions, it is indicated whether
PwC GTS and/or Service-now made use of it.
Privacy policies
The privacy policy of the cloud computing provider has been compared with the privacy
policy of PwC. The interviewee agrees that this intervention increases trust.
Third-party privacy seals
Service-now has no third-party privacy seal. Also, the interviewee was not aware of the
existence of third-party privacy seals. Hence, this trust-building intervention did not have any
effect in accomplishing a trusting relationship.
Interacting with customers
During the selection-process of the software package for their HRM system, a lot of
conversations and presentations were held. Interactions between client and provider are
found most important by PwC GTS when trying to build a trusting relationship.
72
Version 4.1
Reputation building
The founder of Service-now is an acquaintance of an employee of PwC GTS. This increased
the reputation of Service-now in the eyes of PwC GTS. Next to that, Service-now is active
since 2000 and has build an impressive reputation in these few years of activity. This
reputation spreads easily because clients are being used as references for potential clients.
PwC GTS contacted, during the selection of Service-now, other parties that were already
using Service-now. Also, PwC GTS is regularly contacted by potential clients of Service-now to
serve as reference.
Links to other sites
The presence of links to other sites is found not important when trying to build a trustingrelationship.
73
Version 4.1
Chapter 5
Constructs: Trust and privacy
The final hypothesis for this research project focuses on the impact of privacy on trust. This results in
the following hypothesis.
H3: Privacy risk reducing interventions have a positive effect on trust.
According to the interviewee, the technological interventions enhance the trusting relationship
between PwC GTS and Service-now.
74
Version 4.1
Appendix E
Individual case report: I-bridge
This individual case report is based on the theory building structure. Each chapter encompasses some
construct(s) of the research model and elaborates on previous constructs.
First the demographics are elaborated on. Then, a chapter is devoted to cloud computing in general.
Chapter 3, 4, and 5 encompasses the constructs of the research model.
Chapter 1
Demographics
I-bridge is the IT shared service centre of three parties: Randstad Nederland, Yacht, and TempoTeam. Basically, I-bridge supports the three organizations in the area of IT. I-bridge is owned by
Randstad Holding. The organization controls 10.000 desktops, and 1100 servers, dispersed over 720
locations.
The interviewee is Manager Operations at I-bridge, which means he is responsible for the operational
service at I-bridge.
75
Version 4.1
Chapter 2
Cloud Computing
The definition of cloud computing – as presented in chapter 2 of the master thesis – distinguishes
three groups of people. For each group of people, cloud computing has a different meaning. The
three groups of people are:
-
Application and IT users. For them, cloud computing is IT as a service (ITaaS). This implies
“delivery of computing, storage, and applications over the Internet from centralized data
centers”.
-
Internet application developers. For this group, cloud computing is an “Internet-scale
software development platform and runtime environment”.
-
Infrastructure providers and administrators. For them, cloud computing is “the massive,
distributed data center infrastructure connected by IP networks”
I-bridge sides with the application and IT users, meaning that they look at cloud computing as ITaaS.
I-bridge is considering to implement virtual desktops for the clients. This means that all the
applications will be delivered over a private network. Data will be stored on centralized data centers.
This can be compared with cloud computing, however not the public cloud is being used but a
private cloud is being developed.
Although this implies not the delivery of computing by the cloud – as defined for this research project
– it does imply that I-bridge has considered the Internet as an option for the delivery of their
computing facilities.
76
Version 4.1
Chapter 3
Construct: Privacy
This chapter elaborates on the constructs that have a correlation with privacy and discusses the
hypotheses H2, H2a, and H2b:
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
H2a: Technological interventions, such as PET, have a positive effect on the perceived
usefulness of cloud computing.
H2b: Ameliorations to law and regulation have a positive effect on the intended use
of cloud computing.
3.1 Privacy
P1 Will privacy sensitive information be processed by the cloud computing provider?
No. I-bridge will never trust a cloud computing provider to process the privacy sensitive
information of I-bridge.
P2 What are your privacy concerns with regard to cloud computing?
I-bridge states that all privacy risks can be covered by technological interventions. Therefore
the interviewee does not have any privacy concerns. But since I-bridge will never trust a
cloud computing provider to process their privacy sensitive information, this is only
speculation.
P3 Academic literature provides some privacy risk reducing interventions (interventions are actions
that may be taken to provide assurance). Will you check whether the cloud computing provider has
implemented privacy protection measures?
This question is not applicable to I-bridge.
77
Version 4.1
P4 Privacy Enhancing Technologies are all the technologies that exist to protect or enhance privacy.
These technologies are visualized in the PET-ladder. Is it the implementation of some PET by the
cloud computing provider a condition to you when considering cloud computing for your
organization?
As stated before, all privacy risks can be covered by the technological interventions. The
provider has to offer every possible technological intervention that enhances the privacy of
the data that is being processed.
However, since I-bridge will never trust a cloud computing provider, they do not consider
cloud computing anymore.
P5 One of cloud computing’s biggest risks arises from its very nature: it allows data to be sent and
stored just about anywhere – even divided among locations around the world. While data dispersion
helps give cloud computing a cost and performance edge, the downside is that business information
can land in storage systems in locales where privacy laws are loose or even nonexistent. What are
your ideas on this statement?
According to the interviewee, ameliorations to law and regulation is a theoretical
intervention that can never be realized in practice. It is not possible to find an agreement
between all nations in the world and have them implement similar law and regulation.
I-bridge thinks that cloud computing providers should provide the possibility for the client to
choose in which nations the data is stored. Also, a list should be generated with nations that
have similar privacy law and regulation.
3.2 Findings
According to the interviewee, privacy risks surely do have an impact on the adoption of cloud
computing, for the reason that you hand over the control of the privacy sensitive information to
another party.
The interviewee states that all privacy risks can be covered by technological interventions. Privacy
risk reducing interventions are essential for the acceptance of cloud computing.
Technological interventions
All privacy risks can be covered by the technological interventions as presented in the PETladder. The provider has to offer every possible technological intervention that enhances the
privacy of the data that is being processed.
78
Version 4.1
Ameliorations to law and regulation
Ameliorations to law and regulation is a theoretical intervention that can never be realized in
practice. It is not possible to find an agreement between all nations in the world and have
them implement similar law and regulation.
I-bridge thinks that cloud computing providers should provide the possibility for the client to
choose in which nations the data is stored. Also, a list should be generated with nations that
have similar privacy law and regulation.
79
Version 4.1
Chapter 4
Construct: Trust
This chapter elaborates on the constructs that have a correlation with trust and discusses the
hypotheses H1, H1a, H1b, H1c, H1d, and H1e:
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness
of cloud computing.
H1b: The presence of a third party privacy seal will have a positive effect on the perceived
usefulness of cloud computing.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of
cloud computing.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud
computing.
H1e: The presence of links to other sites will have a positive effect on the perceived
usefulness of cloud computing.
4.1 Trust
T1 What role does trust in the cloud computing provider play when considering cloud computing for
your organization?
Trust is a major issue when considering to accept cloud computing. However, as said before,
I-bridge would never trust any cloud computing provider. That is one of the reasons I-bridge
decided not to accept cloud computing as defined by this research project.
T2 How can you trust a cloud computing provider when you have no experience with it?
In line with previous answers: not.
80
Version 4.1
T3 Does each of these trust-building interventions increase trust?
When asked to rank the trust building interventions in order of importance with 1 as most
important, the interviewee indicated a good reputation as most important. Interaction with
you as a customer is ranked second. A privacy policy is found third, but the interviewee has
doubts on whether a privacy policy alone will increase trust. The presence of links to other
sites is not found important because it does not increase trust in the opinion of I-bridge.
Third-party privacy seals are not known to I-bridge and are therefore found least important.
1
2
3
4
5
Privacy Policy
o
o
•
o
o
Third-Party Privacy seal
o
o
o
o
•
Interaction with you as a customer
o
•
o
o
o
Good reputation
•
o
o
o
o
Presence of links to other sites
o
o
o
•
o
4.2 Findings
Trust is a major issue when considering to accept cloud computing. However, I-bridge would never
trust any cloud computing provider. That is one of the reasons I-bridge decided not to accept cloud
computing as defined by this research project.
The interventions found in the literature review surely build trust. Even though, I-bridge does not
believe a cloud computing provider could ever build a satisfying level of trust. This means that the
trust-building interventions can never reach a satisfying level of trust. Hence, the trust-building
interventions are not elaborated on as in the other individual case studies.
81
Version 4.1
Chapter 5
Constructs: Trust and privacy
The final hypothesis for this research project focuses on the impact of privacy on trust. This results in
the following hypothesis.
H3: Privacy risk reducing interventions have a positive effect on trust.
The interviewee expects technological interventions to increase trust in the cloud computing
provider. However, the cloud computing provider will have to prove, on a regular basis, it complies
with its own technological interventions.
82
Version 4.1
Appendix F
Cross case report
This cross case report is based on the theory building structure. Each chapter encompasses
construct(s) of the research model and elaborates on previous constructs. Cross-case synthesis is the
analytical technique used to analyze the case studies. The cross-case synthesis technique presents
tables to draw cross case conclusions.
Chapter 1 focuses on the constructs regarding trust and thus on hypotheses H1, H1a, H1b, H1c, H1d,
and H1e. Chapter 2 focuses on the constructs regarding privacy and thus on hypotheses H2, H2a, and
H2b. Chapter 3 encompasses the hypothesis H3 and focuses on the impact of privacy on trust.
The appliance of the triangulation principle is visible in the tables. In these tables, every hypothesis
received a ‘1’ and a ‘2’. The ‘1’ indicates evidence source 1 (interviews), the ‘2’ indicates the second
evidence source (documents and/or observations). For each case it is indicated whether evidence
source 1 and 2 either support or does not support the hypothesis, or whether no evidence was
available. In the analysis of the findings of the case studies, both evidence sources are considered of
equal importance.
Chapter 1
Construct: Trust
The individual conclusions that are drawn in the individual case reports are presented in table F.18.
8
Legend:
1, evidence source 1 – Interviews;
2, evidence source 2 – Documents / observations;
NA, Not Available;
S, Supported;
U, Unsupported;
83
Version 4.1
H1
H1a
H1b
H1c
H1d
H1e
1
2
1
2
1
2
1
2
1
2
1
2
CEVA Logistics
S
NA
S
S
U
NA
S
S
S
S
S
NA
PwC GTS
S
NA
S
S
U
NA
S
S
S
S
U
NA
I-bridge
S
NA
S
NA
U
NA
S
NA
S
NA
U
NA
Table F.1: Cross case conclusions – Hypotheses on trust
H1: Trust will have a positive effect on the perceived usefulness of cloud computing.
The interviewees all agree that trust has a positive effect on the perceived usefulness of
cloud computing. None of the cases could deliver a second evidence source. However, for the
reason that the interviewees are univocal, this hypothesis is supported.
H1a: The presence of a privacy policy will have a positive effect on the perceived usefulness of cloud
computing.
All of the cases provide two evidence sources that support hypothesis H1a, except for case 3
who could not provide a second evidence source. The cross case conclusion supports
hypothesis H1a.
H1b: The presence of a third-party privacy seal will have a positive effect on the perceived usefulness
of cloud computing.
Third-party privacy seals are an unknown phenomena to all cases. Therefore, none of the
interviewees could support the hypothesis that third-party privacy seals have a positive
effect on the perceived usefulness of cloud computing. Because this trust-building
intervention was unknown, none of the cases could provide a second evidence source.
Hence, hypothesis H1b is not supported by the case studies.
H1c: Interaction with customers will have a positive effect on the perceived usefulness of cloud
computing.
All three cases support hypothesis H1c. All cases could provide two evidence sources, except
for case 3. The cross case conclusion therefore supports hypothesis H1c.
H1d: Reputation building will have a positive effect on the perceived usefulness of cloud computing.
The hypothesis on reputation building is supported by all cases with two evidence sources,
except for case 3. Because of the amount of evidence, the conclusion can be drawn that
hypothesis H1d is supported by the cases.
84
Version 4.1
H1e: The presence of links to other sites will have a positive effect on the perceived usefulness of
cloud computing.
The individual conclusions on hypothesis H1e are not univocal. Two out of three cases do not
support this hypothesis. Since none of the cases can provide a second evidence source, the
cross case conclusion does not support hypothesis H1e.
85
Version 4.1
Chapter 2
Construct: Privacy
The individual conclusions that are drawn in the individual case reports are presented in table F.29.
H2
H2a
H2b
1
2
1
2
1
2
CEVA Logistics
S
S
S
S
S
NA
PwC GTS
S
S
S
S
S
NA
I-bridge
S
NA
S
NA
U
NA
Table F.2: Cross case conclusions – Hypotheses on privacy
H2: Privacy will have a positive effect on the perceived usefulness of cloud computing.
All interviewees support the hypothesis that privacy has a positive effect on the perceived
usefulness of cloud computing. Only case 3 could not provide a second source of evidence for
the reason that they choose not to adopt cloud computing. The cross case conclusion
therefore supports hypothesis H2.
H2a: Technological interventions, such as PET, have a positive effect on the perceived usefulness of
cloud computing.
The cases provide a univocal conclusion on hypothesis H2a. Hence, the cross case conclusion
supports hypothesis H2a.
9
Legend:
1, evidence source 1 – Interviews;
2, evidence source 2 – Documents / observations;
NA, Not Available;
S, Supported;
U, Unsupported;
86
Version 4.1
H2b: Ameliorations to law and regulation have a positive effect on the intended use of cloud
computing.
Two out of three interviewees support the hypothesis that ameliorations to law and
regulation have a positive effect on the intended use of cloud computing. However, one of
the interviewees does not support this hypothesis because he doubts the intervention is
realizable. However, since two out of three cases support the hypothesis, the cross case
conclusion supports hypothesis H2b. Whether or not this hypothesis is realizable, is out of
scope for this research project.
87
Version 4.1
Chapter 3
Constructs: Trust and privacy
The individual conclusions that are drawn in the individual case reports are presented in table F.310.
H3
1
2
CEVA Logistics
S
NA
PwC GTS
S
NA
I-bridge
S
NA
Table F.3: Cross case conclusions –
Hypothesis on trust and privacy
H3: Privacy risk reducing interventions have a positive effect on trust.
All the interviewees of the three cases agree that privacy risk reducing interventions have a
positive effect on trust. Unfortunately, none of the cases was able to provide a second source
of evidence to support this hypothesis. However, for the reason that the interviewees are
univocal, this hypothesis is supported.
10
Legend:
1, evidence source 1 – Interviews;
2, evidence source 2 – Documents / observations;
NA, Not Available;
S, Supported;
U, Unsupported;
88

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz