Widjaja, Chen

Using Cloud Computing Service: A Perspective from its Users

USING CLOUD COMPUTING SERVICE: A PERSPECTIVE FROM USERS’ INFORMATION SECURITY, PRIVACY CONCERN, AND TRUST

Andree Emmanuel Widjaja
Institute of International Management, National Cheng Kung University, Taiwan
No.1 University Road, Tainan 701, Taiwan, R.O.C.
Email: [email protected], Phone: +886926541202

Jengchung Victor Chen
Institute of International Management, National Cheng Kung University, Taiwan
No.1 University Road, Tainan 701, Taiwan, R.O.C.
Email: [email protected], Phone: +886-6-2757575 #53561

ABSTRACT

There are numerous techniques to make Cloud Computing service more secure; however, little attention has been given to users’ perception of the information security and privacy issues in using such a service. Grounded in the Theory of Reasoned Action and Ethical Contract based theory, this paper addresses information security, privacy concern, and trust issues in using Cloud Computing service from the end users’ perspective. The result and conclusion are discussed.

Keywords: Cloud computing service, concern for information privacy, trust, information security and privacy policy, theory of reasoned action


INTRODUCTION

Cloud Computing has become increasingly popular. Cloud Computing Providers (CCP) target a variety of end users, from software developers to the general public, and offer services on every level. For instance, Youtube and Google docs are two of the many online services that offer cloud computing capabilities. They are considered Cloud Computing because the operations are executed on remote servers and the data is stored in remote databases. Users access the database and run particular computing operations through a high-speed network, in this case the Internet. Since Cloud Computing is a new breakthrough in the IT literature, abundant recent studies have discussed its architectures, applications, advantages, risks, security in technical terms, issues, threats, and more (Archer et al., 2010; Owens, 2010; Reese, 2009; Subashini & Kavitha, 2011; Sultan, 2010; Sultan, 2011; Vaquero, Rodero-Merino, & Moran, 2011; Zissis & Lekkas, 2010). Nevertheless, few studies explore Cloud Computing in relation to information security and privacy concerns from the end users’ perspective. Given that there are still great information security and privacy risks in using Cloud Computing, the main objective of this study is to take users’ information security and privacy concerns into consideration and to examine how these concerns affect their trust, and in turn their attitude and intention to use Cloud Computing. The study incorporates two theories: the Theory of Reasoned Action (TRA), as the fundamental theoretical framework of our research model, and Ethical Contract based theory, to explain one of our main constructs, information security and privacy policies awareness. The study answers the research question: how do information security and privacy concerns affect trust, attitude, and the intention to use Cloud Computing?
This paper is organized as follows. It first introduces the theoretical framework, followed by the research model, hypotheses development, and research methodology. The data analysis using PLS and the result of this study are then discussed.

THEORETICAL FRAMEWORK

Cloud Computing

There are many definitions of cloud computing available. One definition, by Svantesson and Clarke (2010), suggests cloud computing refers to “the technical arrangement which users stored their data in the remote servers and operated computers under control of other parties (cloud computing service provider), and rely on software applications executed and stored somewhere else, not in users’ own computers”. In other words, when using cloud computing, all computing operations are executed remotely on other servers, and the results of the operations are delivered to the users through very fast networking infrastructure.

Theory of Reasoned Action

The Theory of Reasoned Action (TRA) is used to explain the attitude and intention to use Cloud Computing service. TRA comes from the field of social psychology and is concerned with the determinants of consciously intended behaviors (Ajzen & Fishbein, 1980). It is one of the most fundamental and influential theories of human behavior and is used to predict a wide range of behaviors (Sheppard, Hartwick, & Warshaw, 1988). The key theory of TRA is prediction of behavioral intention. TRA can be applied to individual acceptance of technology (Davis, Bagozzi, & Warshaw, 1989).

Contract Based Ethical Theory

CCP have sets of policies regarding their users’ data security and privacy. The CCP policies serve as rules and are evaluated against standard moral principles. Having such policies produces more social good than having no policies at all. CCP have to comply with the policies or rules in order to fulfill their moral obligation to the users as well as they can. Therefore, in the event of a sensitive data breach or privacy violation, whether on purpose or not, CCP should be fully responsible. The ethical theory is derived from social contract theory, which emphasizes criteria involving explicit social contracts and individual rights. From the perspective of social contract theory, a moral system comes into being by virtue of certain contractual agreements between individuals (Tavani, 2003). In the case of CCP, the contract can be considered the written formal policy as well as the legal agreement that binds the CCP to the users. Complying with the “contracts” leads directly to good ethical conduct by the CCP, and in turn they do no harm to their users. In the current study, contract based theory is adapted to explain users’ awareness of, and privacy concerns about, CCP information security and privacy policies.

RESEARCH MODEL AND HYPOTHESES

Attitude and Behavioral Intention

Behavior intention is defined as the cognitive representation of a person’s readiness to perform a given behavior and is considered the immediate antecedent of behavior (Chen & Chen, 2009). Based on TRA, a person’s specified behavior is determined by their behavioral intention to perform the behavior, which is jointly determined by the person’s attitude and subjective norms (Shin, 2010). Behavioral intention measures a person’s relative strength of intention to perform a behavior.
Attitude consists of beliefs about the consequences of performing the behavior multiplied by his or her valuation of these consequences (Fishbein & Ajzen, 1975). Basically, a person’s behavioral intention depends on the person’s attitude about the behavior and subjective norms. If a person intends to perform a behavior, then it is likely the person will do it (Ajzen & Fishbein, 1980). The TRA model indicates that the attitudinal components will have an effect on behavioral intention. Therefore, a person’s attitude toward their behavioral intention is determined by their beliefs and evaluation. In this study, behavior intention is defined as the intention to use Cloud Computing service, while attitude is defined as the users’ attitude toward Cloud Computing service. Based on TRA, when users have a positive attitude toward Cloud Computing service, it is highly likely that they will have a higher intention to use Cloud Computing service. Thus we propose the following hypothesis:

H1: Attitude would be positively related to the behavioral intention to use Cloud Computing service.


Trust

Trust in this study is treated as the attitudinal component in TRA. Trust is a critical factor in information systems and has been extensively researched from various viewpoints and analyses (Chen & Pfleuger, 2008; Shin, 2010). Reflecting its complexity, Mayer et al. (1995) defined trust as “the willingness of a party to be vulnerable to the actions of another party based on the expectation that the other party will perform a particular action important to the trustor, irrespective of the ability to monitor or control that other party”. Trust in a cloud computing environment can be uncertain for many reasons. One of the major reasons is users’ concern about information security and privacy (Marshall, 2009). Trust would have a significant impact on users’ attitude toward cloud computing services. For instance, if users trust the CCP, they would have positive attitudes towards Cloud Computing services because they believe the service providers (another party) are able to deliver the trusted services. Hence, we expect that:

H2: Trust in CCP would positively affect users’ attitudes in using Cloud Computing services.

Concern for Information Privacy

As many users are concerned about the protection of their personal information, concern for information privacy (CFIP) has been applied in various studies to measure privacy concerns about how organizations protect and use personal information (Slyke, Shim, Johnson, & Jiang, 2006). Boyle (2005) argued that privacy is something individuals or groups can control, at least to some extent. CFIP and trust are closely related. Some studies indicate that CFIP influences trust and determines the level of trust of a customer toward an organization (Slyke et al., 2006). issues, users may still have some concerns for their information privacy. Stone et al. (1983) agreed that the higher the privacy concern, the less likely an individual is to share information. Indeed, developing trust in an online environment is hard.
According to Zimmer et al. (2010), developing and maintaining trust online is harder than offline because one cannot guarantee that online firms, in this case CCP, will behave accordingly. Based on the aforementioned reasoning, we propose:

H3: Concerns for Information Privacy would negatively affect users’ trust in using Cloud Computing services.

General Information Security and Privacy Awareness

It is important to know how well users understand information security and privacy issues in general, since this understanding greatly affects behavioral intention. General information security and privacy awareness (GISPA) is defined as users’ overall, general knowledge and understanding of potential issues related to information security and privacy and their ramifications (Bulgurcu, Cavusoglu, & Benbasat, 2010). In this study, we argue that GISPA can be viewed as knowing “something” about information security and privacy issues, either through personal experience or from external sources (Bulgurcu et al., 2010). In using cloud computing services, high information security and privacy awareness would cause users to have higher privacy concerns, since they may be afraid of experiencing security or privacy threats. Thus, we propose the following hypotheses:

H4: General Information Security and Privacy Awareness (GISPA) would positively affect Concern for Information Privacy in using Cloud computing services.

H5: General Information Security and Privacy Awareness (GISPA) would negatively affect users’ Attitude in using Cloud computing services.

Information Security and Privacy Policies Awareness

Information Security and Privacy Policies Awareness (ISPPA) is defined as a user’s knowledge and understanding of the policies, rules, or agreements prescribed by a particular CCP for using its services (Bulgurcu et al., 2010). This policy is relevant to the subjective norm in TRA, since it concerns the influence of one institution (the CCP) in the cloud computing environment. As mentioned, Cloud Computing services are susceptible to information security and privacy issues because the service providers have ultimate control of users’ information. CCP may provide sophisticated protection techniques or procedures, written in their policies, against information security and privacy threats. If a CCP fully complies with its own policy, as contract based ethical theory suggests for “good” ethical conduct, users with better ISPPA would have fewer concerns for information privacy. Meanwhile, as the policies can influence users’ beliefs in the CCP, they should consequently have a positive attitude towards Cloud Computing service. Based on this reasoning, we propose:

H6: Information Security and Privacy Policies Awareness (ISPPA) would negatively affect Concern for Information Privacy in using cloud computing services.

H7: Information Security and Privacy Policies Awareness (ISPPA) would positively affect Users’ Attitude in using Cloud computing services.

Subjective Norm

One component in TRA which affects behavioral intention is subjective norm (Ajzen & Fishbein, 1980; Fishbein & Ajzen, 1975).
According to TRA, subjective norm can be derived from beliefs about what others think, what experts think, and the motivation to comply with others (Ajzen & Fishbein, 1980). Subjective norm in this study is conceptualized as the influence of friends, experts, and general other users whom they may not know (anonymous). The subjective norm would influence the behavioral intention to use Cloud Computing in many ways. Subjective norm would also affect users’ trust in using Cloud computing service. By seeing other users, whether friends, experts, or general users, use the service, users would tend to trust (or distrust) Cloud Computing service more. These subjective beliefs about other users would become the basis of their trust. The more they believe other users use Cloud Computing service, the more they trust it. Thus, we expect that:

H8: Subjective norm would positively affect behavioral intention to use Cloud Computing service.

H9: Subjective norm would positively affect users’ trust in using Cloud Computing services.


[Figure: Theory of Reasoned Action (TRA) Full Model. Constructs shown: Subjective norm, GISPA, ISPPA, CFIP, Trust, Attitude toward cloud computing, Intention to use cloud computing. Path labels: +H1, +H2, -H3, +H4, -H5, -H6, +H7, +H8, +H9.]

Figure 1. Research Model

Research Methodology and Data Analysis

This study used an online survey methodology. Survey questionnaire items were adapted from previous studies and modified for our study context. The target respondents were all student users who have used or heard about Cloud Computing services. These can be Public, Private, or Shared Cloud computing services. For example, participants may have used Youtube or Google Docs, which are common examples of Cloud Computing services. The questionnaires were distributed online over 2 months, during January 2012 – February 2012, using E-mail and Facebook Event. To validate the research model, this study employed Partial Least Square (PLS) statistical data analysis. We used Smart PLS 2.0 for our data analysis and, based on that, we discuss the result and conclusion of this study.

There were 201 respondents in total. This exceeds the minimum of 50 samples required for adequate model testing in PLS analysis. All of the respondents were undergraduate and graduate students with diverse nationalities and a reasonable number of males and females (see table 1). The descriptive statistics for each research variable are shown in table 2. Generally the Average Variance Extracted (AVE) value is > 0.5, indicating that the variance captured by the construct is higher than the measurement error (Fornell & Larcker, 1981). We deleted the CFIP Error factor due to its very low factor loading. After the deletion, the PLS output showed moderate factor loadings, generally higher than the recommended level for dropping items, < 0.5 (Hulland, 1999). Although the CFIP and Subjective Norm constructs’ composite reliability α values are 0.66 and 0.68 respectively, most of the composite reliability α values are > 0.7 (Fornell & Larcker, 1981), indicating quite significant reliability for the constructs overall (see table 3 for Cross factor loading).
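The reliability figures discussed above can be recomputed from the Table 3 loadings. The following is an added example, not code from the paper: it assumes the standard AVE and composite reliability formulas for standardized loadings (the paper does not print them), covers three of the seven constructs, and checks the Fornell-Larcker criterion against the Table 2 correlations.

```python
from math import sqrt

# Outer loadings copied from Table 3 (three constructs only).
LOADINGS = {
    "Attitude": [0.9029, 0.9155, 0.8940, 0.8956],
    "CFIP": [0.8569, 0.7287, 0.6605],
    "Trust": [0.8528, 0.8602, 0.8970, 0.8091],
}
# (CR, AVE) as reported in Table 3.
REPORTED = {
    "Attitude": (0.9459, 0.8137),
    "CFIP": (0.7953, 0.5672),
    "Trust": (0.9159, 0.7316),
}
# Construct correlations copied from Table 2.
CORRELATIONS = {
    ("Attitude", "CFIP"): -0.1115,
    ("Attitude", "Trust"): 0.3753,
    ("CFIP", "Trust"): -0.2685,
}

def ave(loadings):
    """Average variance extracted: mean of squared loadings (assumed formula)."""
    return sum(l * l for l in loadings) / len(loadings)

def composite_reliability(loadings):
    """CR = (sum l)^2 / ((sum l)^2 + sum(1 - l^2)) (assumed formula)."""
    total = sum(loadings) ** 2
    error = sum(1 - l * l for l in loadings)
    return total / (total + error)

def reliability_report():
    """Recompute CR and AVE per construct and compare with the reported values."""
    report = {}
    for name, loadings in LOADINGS.items():
        cr, a = composite_reliability(loadings), ave(loadings)
        rep_cr, rep_ave = REPORTED[name]
        report[name] = {
            "CR": round(cr, 4),
            "AVE": round(a, 4),
            "sqrt_AVE": round(sqrt(a), 4),
            "matches_paper": abs(cr - rep_cr) < 1e-3 and abs(a - rep_ave) < 1e-3,
            "AVE_ok": a > 0.5,   # threshold cited in the text
            "CR_ok": cr > 0.7,   # threshold cited in the text
        }
    return report

def fornell_larcker_violations():
    """Pairs whose |correlation| is not below sqrt(AVE) of both constructs."""
    roots = {n: sqrt(ave(l)) for n, l in LOADINGS.items()}
    return [pair for pair, r in CORRELATIONS.items()
            if abs(r) >= min(roots[pair[0]], roots[pair[1]])]

if __name__ == "__main__":
    for name, row in reliability_report().items():
        print(name, row)
    print("Fornell-Larcker violations:", fornell_larcker_violations())
```

The recomputed square roots of AVE agree with the diagonal of Table 2, which is how the discriminant validity check is read off that table.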

Table 1 Demographic data

Demographic                  Category            Frequency   Percent (%)
Sex                          Male                88          43.8
                             Female              113         56.2
Nationality                  American            2           1.0
                             Australian          3           1.5
                             Bolivian            2           1.0
                             Cambodian           1           0.5
                             Canadian            5           2.5
                             Indonesian          108         53.7
                             Japanese            1           0.5
                             Kyrgyzstan          1           0.5
                             Lao                 1           0.5
                             Latvian             1           0.5
                             Malaysian           5           2.5
                             Mongolian           3           1.5
                             Myanmar             2           1.0
                             Panama              1           0.5
                             Philippines         7           3.5
                             Portugal            2           1.0
                             Russian             5           2.5
                             Taiwan              24          11.9
                             Thai                14          7.0
                             UK                  1           0.5
                             Vietnam             12          6.0
Age                          < 20 years old      7           3.5
                             20 – 25 years old   72          35.8
                             26 – 30 years old   67          33.3
                             31 – 35 years old   39          19.4
                             36 – 40 years old   9           4.5
                             > 40 years old      7           3.5
Hours spend on the Internet  < 1 hour            1           0.5
                             1 – 3 hour          44          21.9
                             4 – 6 hour          60          29.9
                             > 6 hour            96          47.8
Computer skills              Excellent           18          9.0
                             Very Good           52          25.9
                             Good                87          43.3
                             Mediocre            40          19.9
                             Poor                4           2.0

Table 2 Descriptive statistics for research variables

Variable       Mean     Std      M3       M4       1        2        3        4        5        6        7
1. Attitude    4.8172   1.2221   -0.475   0.299    0.9020
2. CFIP        5.9822   0.8060   -0.746   -0.109   -0.1115  0.7531
3. GISPA       4.9718   1.2399   -0.869   0.757    0.0721   0.0496   0.8492
4. Intention   5.0348   1.2681   -0.484   -0.066   0.3381   0.0873   0.1418   0.9589
5. ISPPA       4.3632   1.4948   -0.397   -0.585   0.2131   -0.1003  0.4738   0.1372   0.9091
6. SubjN       4.9270   1.0269   -0.228   0.060    0.4201   -0.1219  0.1502   0.3791   0.4164   0.7784
7. Trust       4.4391   1.0710   0.075    0.210    0.3753   -0.2685  0.2199   0.2100   0.3680   0.4158   0.8553

Note: M3: Skewness, M4: Kurtosis. The diagonal of the correlation matrix shows the square root of variance extracted (SQRT AVE).

Table 3 Cross factor loading

Labels         Attitude  CFIP     GISPA   Intention  ISPPA    SubjN    Trust

Attitude (CR = 0.9459, AVE = 0.8137, α = 0.9238)
ATT_1          0.9029    -0.0584  0.0737  0.2981     0.2679   0.3607   0.3018
ATT_2          0.9155    -0.1458  0.0276  0.2861     0.1932   0.4153   0.3761
ATT_3          0.8940    -0.0900  0.0863  0.3237     0.1063   0.3539   0.2908
ATT_4          0.8956    -0.1041  0.0755  0.3138     0.1958   0.3819   0.3765

CFIP (CR = 0.7953, AVE = 0.5672, α = 0.6696)
CFIP_COL       -0.2253   0.8569   0.0071  -0.0184    -0.0707  -0.1375  -0.3218
CFIP_IMPAC     -0.0021   0.7287   0.0495  0.1048     -0.1161  -0.1041  -0.1057
CFIP_SECUSE    0.1519    0.6605   0.1057  0.2415     -0.0455  0.0261   -0.0654

GISPA (CR = 0.8857, AVE = 0.7212, α = 0.8067)
GISPA_1        0.0520    0.0590   0.8284  0.1775     0.4474   0.1369   0.2113
GISPA_2        0.0968    -0.0246  0.8266  0.0885     0.4363   0.1692   0.1928
GISPA_3        0.0411    0.0812   0.8911  0.0926     0.3329   0.0848   0.1591

Intention (CR = 0.9717, AVE = 0.9196, α = 0.9563)
INT_1          0.3391    0.1086   0.1360  0.9494     0.1199   0.3760   0.2170
INT_2          0.3191    0.0767   0.1389  0.9680     0.1341   0.3556   0.1841
INT_3          0.3132    0.0642   0.1330  0.9594     0.1414   0.3580   0.2021

ISPPA (CR = 0.9346, AVE = 0.8266, α = 0.8971)
ISPPA_1        0.1546    -0.0498  0.3644  0.1228     0.8701   0.4216   0.2921
ISPPA_2        0.1957    -0.0843  0.4268  0.1198     0.9393   0.4096   0.3412
ISPPA_3        0.2188    -0.1244  0.4805  0.1313     0.9168   0.3280   0.3592

SubjN (CR = 0.8216, AVE = 0.6060, α = 0.6879)
SBJN_1         0.3281    0.0398   0.1082  0.3274     0.2989   0.7841   0.2391
SBJN_2         0.3165    -0.1931  0.0780  0.3360     0.3218   0.8166   0.4313
SBJN_3         0.3544    -0.0980  0.1976  0.1955     0.3700   0.7322   0.2563

Trust (CR = 0.9159, AVE = 0.7316, α = 0.8777)
TRUST_1        0.3541    -0.3045  0.1451  0.1662     0.3371   0.3527   0.8528
TRUST_2        0.3330    -0.2200  0.1615  0.1096     0.2979   0.3744   0.8602
TRUST_3        0.3323    -0.2153  0.2215  0.2324     0.3082   0.3648   0.8970
TRUST_4        0.2519    -0.1630  0.2381  0.2211     0.3168   0.3279   0.8091

Figure 2 Path analysis using Smart PLS 2.0

[Figure: path diagram. Constructs shown: Subjective norm, GISPA, CFIP, Trust, ISPPA. Path coefficients shown: +H9 (0.389)***; -H5 (-0.058); +H8 (0.288)***; +H4 (0.125); -H3 (-0.221)**; -H6 (-0.160)*; +H7 (0.113)+]

Note: +p