Restructure/Rewrite Dissertation paper

SECURITY & PRIVACY RISK ASSOCIATED CLOUD COMPUTING

SECURITY AND PRIVACY RISKS ASSOCIATED OF CLOUD COMPUTING:

A CORRELATIONAL STUDY

by

Edgardo Vargas Moya

SHAWON S. M. RAHMAN, PhD, Faculty Mentor, and Chair

WENBIN LUO, PhD, Committee Member

WILLIAM J. McKIBBIN, PhD, Committee Member

Todd C. Wilson, PhD, Dean, School of Business and Technology

A Dissertation Presented in Partial Fulfillment

Of the Requirements for the Degree

Doctor of Philosophy

Capella University

April 2021

© Edgardo Vargas Moya, 2021

Abstract

The study investigates the relationship between security and privacy risks and their connection

with the adoption of cloud computing in the business sector. The scholarly literature has an

existing gap regarding threat severity, threat susceptibility, response efficacy, and self-efficacy in

adopting cloud computing. The investigation variables are from the protection motivation theory

(PMT) and the theory of planned behavior (TPB). Accordingly, the study has

two research questions. The first question is, to what extent do perceptions of threat severity,

threat susceptibility, response efficacy, and self-efficacy on security risks contribute to the

variance in the intention to adopt cloud computing in the business sector? The second question

is, to what extent do perceptions of threat severity, threat susceptibility, response efficacy, and

self-efficacy on privacy risks contribute to the variance in the intention to adopt cloud computing

in the business sector? The subquestions, null, and alternative hypotheses measure each

independent variable factor, individually. The methodology for the study is quantitative with a

correlational approach. Individuals with a minimum of five years of experience, in information

technology (IT), in the United States are the target population. The demographic information in

the survey questionnaire included sex, years of employment, application service area, and

geographical area. Participants answered questions from a survey; the collected data used a

Likert-type 1-to-7-point scale, ranking the responses. The multiple correlation (R) and the

squared multiple correlation (R²) coefficients of the multiple linear regression answered the two

research questions and determined the effect of the variables. The F distribution and probability

(p) are the values to confirm the results obtained. The findings, based on the research literature

and the statistical data, showed each examined factor affects the intention to adopt cloud

computing to different degrees. For a security risk situation, the most significant effect was

self-efficacy, R(216) = .55, R² = .30, p < .00001. For a privacy risk situation, the most significant

effect was also self-efficacy, R(216) = .61, R² = .37, p < .00001. A

practical implication of the investigation is that training is essential for both IS personnel and

company officers. Corporate officials’ hesitation in adopting new technology, such as cloud

computing, can be reduced. The impact of facilitating training for the Information Systems (IS)

personnel allows the personnel a better understanding of cloud computing technology. The

training needs to include techniques on deploying the new technology and methods in

safeguarding against threats. Another implication is that this training leads to better results

regardless of the other three factors. Company officials and IS personnel need to collaborate in

the implementation of cloud computing. The investigation concludes that both training and

collaboration will have an immediate positive impact by improving the adoption and

implementation of cloud computing technology.

Dedication

I wish to thank God for His compassion in my successful completion of the entire

doctoral program, especially during the challenging moments. Without you, I would not have

achieved this goal. This dissertation is dedicated to all my family, especially to my parents, Mr.

José Vargas and Mrs. Doris Moya, who showed me the way of studying and fighting for my

goals. My sister, Linette Vargas, has always supported me during my challenges and in my

achievements. The dedication is extended to Jarel and Jareliz, my nephews, bringing joy to my

life, during this process. To my friend Abraham Aponte and his family, for their encouragement

throughout the academic and dissertation process. To my coworkers at the Interamerican

University of Puerto Rico, Aguadilla Campus, especially Dr. José Otaola, for his support. Again,

thank you all for your patience and help during my academic quest.

Acknowledgments

I wish to express my genuine thanks to my entire committee for their steadfast support

throughout my dissertation journey, principally Dr. Shawon S. M. Rahman, mentor and chair of

my dissertation committee. Thanks for your direction, time, patience, and feedback that made it

possible for me to complete this process. I also thank committee members Dr. Wenbin Luo and

Dr. William J. McKibbin for all their support.

A special thanks to all Capella faculty, staff, and the university community for their help

and guidance throughout the five years of intense education and research. It has been a

magnificent opportunity to study and interact with such quality professionals. Additionally, I

thank my peers at Capella University for their excellent course room interactions and feedback.

Table of Contents

Acknowledgments

List of Tables

List of Figures

CHAPTER 1. INTRODUCTION

Background of the Problem

Statement of the Problem

Purpose of the Study

Significance of the Study

Research Questions

Definition of Terms

Research Design

Assumptions, Limitations, and Delimitations

Assumptions

Limitations

Organization of the Remainder of the Study

CHAPTER 2. LITERATURE REVIEW

Methods of Searching

Theoretical Orientation for the Study

Review of the Literature

Findings

Critique of Previous Research Methods

Summary

CHAPTER 3. METHODOLOGY

Purpose of the Study

Research Questions and Hypotheses

Research Design

Target Population and Sample

Population

Sample

Power Analysis

Procedures

Participant Selection

Protection of Participants

Data Collection

Data Analysis

Instruments

Ethical Considerations

Summary

CHAPTER 4. RESULTS

Background

Description of the Sample

Evidence of Instruments

Hypothesis Testing

Summary of the Hypothesis Testing

Summary

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

Summary of the Results

Discussion of the Results

Conclusions Based on the Results

Limitations

Implications for Practice

Recommendations for Further Research

Conclusion

REFERENCES

APPENDIX. DEMOGRAPHICS

List of Tables

Table 1. Variables Descriptions

Table 2. Statistical Analysis for each Research Question

Table 3. Survey Participants

Table 4. Participants’ Sex

Table 5. Years of Employment

Table 6. Application Service Area

Table 7. Geographical Area

Table 8. Results for Questions Measure TSESR

Table 9. Results for Questions Measure TSUSR

Table 10. Results for Questions Measure RESR

Table 11. Results for Questions Measure SESR

Table 12. Results for Questions Measure TSEPR

Table 13. Results for Questions Measure TSUPR

Table 14. Results for Questions Measure REPR

Table 15. Results for Questions Measure SEPR

Table 16. Results for Questions Measure IACC

Table 17. Correlation Coefficients

Table 18. Listing of Hypothesis Testing

Table 19. Descriptive Stats

Table 20. Summary of Analysis Results for Security Risks Variables

Table 21. Comparison of Security Risks Variables

Table 22. Summary of Analysis Results for Privacy Risks Variables

Table 23. Comparison of Privacy Risks Variables

Table 24. Summary of Analysis Results

List of Figures

Figure 1. Research PMT and TPB Integrated Model

Figure 2. PMT and TPB Integrated Constructs Model

Figure 3. Logical Diagram and Overview of Cloud Computing

Figure 4. Cloud-computing Technology Functionalities

Figure 5. Data Integrity Scheme

Figure 6. Data Privacy Scheme

Figure 7. Factors of the Theory of Planned Behavior

Figure 8. Factors of the Protection Motivation Theory

Figure 9. Data Analysis Process

Figure 10. Data Storage Process

Figure 11. Data Destruction Process

Figure 12. Ethical Considerations Process

Figure 13. Security Variable Scatterplots

Figure 14. Privacy Variable Scatterplots

Figure 15. Security Variable Normal Probability Plot

Figure 16. Privacy Variable Normal Probability Plot

Figure 17. Security Variable Residual Plots

Figure 18. Privacy Variable Residual Plots

CHAPTER 1. INTRODUCTION

The study investigates the correlation between security and privacy risks and their

relationship with the adoption of cloud computing. The cloud computing technology is a growing

industry permitting more business clients (Singh, 2019). However, security and privacy risks in

cloud computing are a concern in this new technology (Holzmann, Schwarz, & Audretsch,

2020). Therefore, the research focuses specifically on security and privacy risks concerning

cloud computing technology for the business sector and fills that existing gap in the literature.

The variables from the protection motivation theory (PMT) and theory of planned behavior

(TPB) will form the base of the theoretical framework for the investigative model. Survey data

from information technology (IT) professionals with a minimum of five years' experience shall

be the base of this investigation to test the model. The data collected from the participants will

establish the foundation of the study. Chapter 1 will describe the details of the research.

Chapter 1 begins with the background of the problem, where recent literature on the topic

shows the risks of adopting cloud computing. The statement of the problem identifies what is

known and not known about security and privacy risks. The theoretical and practical aspects

follow the statement of the problem, showing the significance of the research. The terms,

security risks, privacy risks, adoption, and related variables are defined. The research design

shows the procedure used to obtain the sample and the rationale for the statistics used in the

study. The conclusion of Chapter 1 contains the assumptions and limitations of the study.

One example of an assumption is that those with five years or more of IT experience will participate in a

questionnaire survey. Management officials do not take part in the investigation, a limitation of

the study.

Background of the Problem

The use of cloud computing technology has substantially improved the business sector.

The National Institute of Standards and Technology (NIST) describes cloud computing as

computing properties that are rapidly configurable and distributed with little effort and

collaboration with cloud providers (Kumar & Shantala, 2020). Businesses have additional

resources to improve their services to customers. Some companies specialize in helping business

organizations to guide, install, and configure their needs to the cloud computing technology

(Singh, 2019). The technology has advantages and disadvantages; however, it is not

risk-free, as discussed in the following sections, and these risks are the focus of this investigation.

Advantages of Cloud Computing

Singh (2019) indicates that cloud computing provides businesses with the optimization of

their resources by reducing the need to acquire hardware. The use of mobile phones, laptops,

tablets, and other technological devices increased access to information. Such technology

permits a business to reduce its dependence on the physical infrastructure. Outside companies

provide their clients with the service they require using their dedicated support system. By

limiting their hardware and software resources, the business saves on the cost and gains in profits

(Holzmann et al., 2020). The attributes are on-demand self-service, broad network access,

resource pooling, rapid elasticity, and measured services (Roozbahani & Azad, 2015; Singh,

2019). Cloud computing saves businesses money, making this an attractive resource. Achieving

these characteristics depends, in many cases, on the service and deployment model.

Cloud computing services provided by other companies meet most business needs. Cloud

providers can offer private cloud, community cloud, public clouds, and hybrid cloud deployment

models. The choice of the category of the service model or the deployment model rests on the

different needs of the customer (Kumar & Shantala, 2020). Examples of cloud providers are

Amazon Virtual Private Cloud, Cisco Private Cloud, Microsoft Private Cloud, Salesforce,

Windows Azure, and Google Cloud Platform. Based on these individual business needs, the

service model or the deployment model is configured (Holzmann et al., 2020). However, as

mentioned above, no technology, especially emerging, is free of risks.

Disadvantages of Cloud Computing

Drawbacks are typical for a business contracting a cloud computing company for the first

time. The study's topic investigates security and privacy risks in the business sector in the United

States, intending to adopt cloud computing technology. Ekufu (2012) studied security and

privacy concerns in the business sector. The research suggests, "security and privacy of data and

information transmitted through the cloud is one of the biggest issues and concerns users in

organizations in their reservations to accept or reject a particular technology" (p. 36). The

concern has existed since the first models of cloud computing emerged.

In most cloud computing structures, the primary server holding the client data is not part

of the commercial installation's hardware. Contracted personnel become the third party

controlling the personal data and handling security and privacy issues, raising concerns about the

risks of adopting cloud computing in the business sector (Kumar & Shantala, 2020). The

company is then dependent on outsiders to maintain and secure the stored data (Holzmann et al.,

2020). The healthcare industry is an example of this type of situation. The cloud computing

industry depends on contracted businesses to secure and manage large amounts of clients' private

data (Chen, Yang, Hao, Mao, & Hwang, 2017). Personal data includes the names of individuals,

social security numbers, and addresses. The possible loss of personal data has increased concerns

about privacy and security issues.

The cloud computing technology is not guaranteed to safeguard security and privacy

issues for companies. In 2013, an estimated 58 million records of personal data from the

Healthcare industry were lost (Jones, 2014). The Healthcare industry, government agencies,

educational institutions, and those in the information technology field have also lost sensitive

data. Laqtib, Yassini, and Hasnaoui (2020) express the same concern about privacy and security

risks with personal data loss. However, businesses are still attracted to cloud computing

technology. The main attraction to cloud computing, even with the potential loss of personal

data, is the monetary savings a company has, due to the variety of cloud computing suppliers and

services.

Joseph, Kathrine, and Vijayan (2014) understood that cloud computing vendors saw a

90% increase in sales. From 2014 to 2018, it continued to grow by 26% in the United States, but

at a lower rate than in Finland and other places in the world (Singh, 2019). These sales coincided with the

increase in the individual needs of each business. Companies need to understand their particular

vulnerabilities regarding security and privacy risks to take advantage of cloud computing

technology to become more profitable. In some instances, corporations are not clear about their

specific IT weaknesses (Joseph et al., 2014). Before buying into cloud computing technology,

the information about their susceptibilities is essential. When a business is not clear about its

specific vulnerabilities, the potential for security and privacy risks increases. To better assess the

weaknesses, a combination of theories is needed to investigate the intent to adopt cloud

computing.

Background of Theories

The research uses two theories, the protection motivation theory (PMT) and the theory of

planned behavior (TPB). Yang and Lee (2016) understand that PMT predicts the individual's

protection performances. One factor that can affect a person's performance is fear (Gao, Li, &

Luo, 2015). Fear is a factor leading to errors or negligence on the part of the individual.

Inadequate use of cloud computing technology is negligence and part of the threat to privacy and

security risks (Chen, Ramamurthy, & Wen, 2015). The constructs of the PMT theory measure

these risks. To measure the behavior before these risks, we will use the constructs of the PMT

theory. The study constructs are the threat severity, threat susceptibility, response efficacy, and

self-efficacy from the PMT (Floyd, Prentice-Dunn, & Rogers, 2000; Herath & Rao, 2009;

Mumtaz & Nalin Asanka, 2019; Rogers, 1975). These constructs are used for the independent

variables in the hypotheses evaluating their possible effect on cloud computing adoption. The

constructs to measure compliance with company policies use the PMT theory (Herath & Rao,

2009). The intention to adopt must be measured using a second theory.

The second theory is the TPB. Ajzen (2006) developed the TPB model to study the action

of the intention. The TPB emphasizes the theory of reasoned action to predict human behavior

(Sommestad, Karlzén, & Hallberg, 2015). The theory pays attention to each individual's

intention in a given situation that may include security or privacy risks. The theory also

emphasizes the aspects influencing the conduct of the individual (Foth, 2016). Foth (2016)

stated these three aspects as the attitude toward the behavior, subjective norm, and perceived

control. The TPB is a basis for measuring and comparing the dependent variable, intention to

adopt cloud computing, with the independent variables (Aboelmaged, 2010; Ekufu, 2012;

Rastogi, Verma, & Sushil, 2018). Ekufu (2012) had used the TPB theory to measure the

intention to adopt cloud computing without the same variables of the present investigation. In his

research, Ekufu (2012) used the technology acceptance model (TAM) constructs for the

independent variables. The PMT and TAM theories can attain the purpose of the study within

the field of information security and assurance.

Focus of the Investigation

Businesses demonstrate a significant concern about security and privacy risks when using

cloud computing (Ekufu, 2012). The interest derives from their IT infrastructure's uncertainty

regarding security and privacy risks (Joseph et al., 2014). As a consequence, businesses are

insecure about adopting cloud computing due to possible security and privacy risks. Such

insecurity leads to the research goal of this investigation.

The outcome of the investigation contributes to the field of information assurance and

security by extending the current body of knowledge. The target population is individuals with a

minimum of five years of experience in the IT field. The study will help anticipate the incidents

caused by risks before cloud computing technology is adopted (Herath & Rao, 2009).

Understanding particular incidents relating to security and privacy risks establishes a better

understanding of cloud computing adoption. The review consequently expands the body of

knowledge in the IT area. The business sector is provided with a better understanding of the risks

of adopting cloud computing technology (Shaikh & Sasikumar, 2012). Based on the study, there

is a recommendation for companies and business organizations to adopt cloud computing

technology (Ekufu, 2012). The study's contribution is assisting businesses in understanding

better their vulnerabilities in their intent to adopt cloud computing technology.

Statement of the Problem

The research literature indicates that businesses have the technical knowledge to install

and manage cloud computing (Brandis, Dzombeta, Colomo-Palacios, & Stantchev, 2019; Paquet,

2013). The research literature on security and privacy risks in the business sector in the United

States that intends to adopt cloud computing technology indicates that the technical knowledge on

how to install and manage cloud computing exists (Brandis et al., 2019; Paquet, 2013).

Privacy and security risks are essential considerations for the business sector (Rastogi et al.,

2018). The research literature indicates that privacy and security risks are important

considerations (Rastogi et al., 2018). The increase in the loss of data has created more federal

laws to protect this information. The research literature indicates an increase in federal

regulations to tighten the support against the potential loss of privacy and security information

(Castellani, Sinard, Wilkerson, Whitsitt, & Henricks, 2015). However, the research literature

also shows a lack of knowledge of how the security and privacy risks affect cloud computing

technology adoption in the business sector (Brandis et al., 2019; Paquet, 2013). Therefore, it is

necessary to investigate the area to address this lack of knowledge.

Purpose of the Study

The relationship between security and privacy risks and the adoption of cloud computing

technology is the study's primary purpose. The PMT and the TPB study this relationship. The

study's methodology is quantitative with a correlational approach design that fulfills the use of

the study. Rogers's (1975) PMT is a pioneering theory related to perceived behavior in adopting new

technology. Threat severity, threat susceptibility, response efficacy, and self-efficacy are the four

factors in his model construct. Among the factors using the PMT is the perceived probability of

an occurrence. Professionals use perception as a form to protect themselves (De Donno, Giaretta,

Dragoni, Bucchiarone, & Mazzara, 2019; Floyd et al., 2000; Rogers, 1975). Herath and Rao

(2009) used the PMT theory to investigate the relationship between these factors and security

policies. The PMT theory constructs use security and privacy risks as variables. These variables

indicate its influence or contribution to cloud computing adoption for the business sector. The

impact is significant to investigate, showing an improvement in the security of a business's IT

system (Bahl & Wali, 2014). The other theory of the study, TPB, is used for other purposes and

complements the PMT.

The TPB presents new characteristics in understanding a person's behavior, essential for

the present study. An underlying assumption of the TPB theory is that the individual's behavior is on a

continuum scale (Sommestad et al., 2015). The range goes from the healthiest reaction to the

most difficult. These behavioral responses are another way to better understand how and why a

person meets safety. Such a characteristic permits establishing a scale to measure the intention of

the person (Herath & Rao, 2009). The importance of the TPB theory allows an empirical

measurement in the intention to adopt cloud computing in this case. The intended audience is the

IT companies intending to adopt cloud computing. The statistical results provide a better

understanding of which risks, security, or privacy, most potentially influence cloud computing

clients in the US.

Significance of the Study

The importance or relevance of the research includes two types of implications,

theoretical and practical. The theoretical implications relate to the field of information technology,

using Rogers's (1975) PMT and Ajzen's (2006) TPB as the theoretical model within the area

of information assurance and security. Considering the consequences of both theories, the PMT

and TPB, in the intent to adopt cloud computing, privacy and security issues are critical. Many

security breaches occur in part from the negligence of employees of the business (Chen et al.,

2015). The business sector must guard against privacy and security risks in cloud computing

technology. Privacy and security protection is a fundamental human right protected by federal

law (Blume, 2015). The PMT and TPB are viable tools in understanding the intent to adopt

cloud computing technology. These theoretical implications also have practical implications.

Two practical implications of the research can be applied to business practices and thus

help its efficiency. The first implication is identifying the types of security and privacy risks

affecting the intention of adopting cloud computing. The business organizations' preparation for

these situations is essential (Chen, Ramamurthy, & Wen, 2012). Businesses need to be aware

that better planning leads to fuller compliance with federal laws. Among these federal laws are

the Computer Fraud and Abuse Act (1990), Electronic Communication Privacy Act (1986), and

the Health Insurance Portability Act (HIPAA) (1996) (Jones, 2014). Business preparation and

fuller compliance with federal laws diminish security and privacy risks. The healthcare industry

in the United States is an example of those organizations that would benefit. The second

implication is to help businesses adapt to cloud computing as a new form of technology, without

much hesitation and more quickly. Companies, clear on their weaknesses and needs, are more

efficient with the latest technology (Joseph et al., 2014). Cloud computing provides a new

technology for these businesses.

Research Questions

Two primary topics in the investigation are security and privacy risks for businesses

intending to adopt cloud computing technology. Security and privacy risks form the basis for the

two main research questions. These two primary research questions have four subquestions based on

security risks and four subquestions on privacy risks, for a total of eight questions. The eight questions are the

basis for the correlational study, using one dependent variable and four independent variables.

The dependent variable is the intention to adopt cloud computing. The four independent

variables are threat severity, threat susceptibility, response efficacy, and self-efficacy. These four

independent variables are the constructs from the PMT, and the dependent variable is from the

TPB. The specific research questions are displayed on the following lines.

ResQ1: To what extent do perceptions of threat severity, threat susceptibility, response

efficacy, and self-efficacy on security risks contribute to the variance in the intention to adopt

cloud computing in the business sector?

ResQ1a: To what extent do perceptions of threat severity on security risks contribute to

the variance in the intention to adopt cloud computing?

ResQ1b: To what extent do perceptions of threat susceptibility on security risks

contribute to the variance in the intention to adopt cloud computing?

ResQ1c: To what extent do perceptions of response efficacy on a security risk contribute

to the variance in the intention to adopt cloud computing?

ResQ1d: To what extent do perceptions of self-efficacy on a security risk contribute to

the variance in the intention to adopt cloud computing?

ResQ2: To what extent do perceptions of threat severity, threat susceptibility, response

efficacy, and self-efficacy on privacy risks contribute to the variance in the intention to adopt

cloud computing in the business sector?

ResQ2a: To what extent do perceptions of threat severity on privacy risks contribute to

the variance in the intention to adopt cloud computing?

ResQ2b: To what extent do perceptions of threat susceptibility on privacy risks contribute

to the variance in the intention to adopt cloud computing?

ResQ2c: To what extent do perceptions of response efficacy on a privacy risk contribute

to the variance in the intention to adopt cloud computing?

ResQ2d: To what extent do perceptions of self-efficacy on a privacy risk contribute to the

variance in the intention to adopt cloud computing?

Definition of Terms

The definition of the terms is by category and in alphabetical order for easier access. The

purpose is to allow for a better understanding of the terms used in the research.

Constructs

Response efficacy. The response efficacy "is the perceived effectiveness of the suggested

adaptive behavior" (Menard, Gatlin, & Warkentin, 2014, p. 84).

Self-efficacy. The self-efficacy "is the degree to which a person believes he/she can

effectively perform a recommended adaptive behavior" (Menard et al., 2014, p. 84).

Threat severity. The threat severity "relates to how serious someone perceives a threat to

be" (Menard et al., 2014, p. 84).

Threat susceptibility. The threat susceptibility "refers to the degree to which someone

feels vulnerable to a particular threat" (Menard et al., 2014, p. 84).

Security Risks Variables

Herath and Rao (2009) is the reference for the constructs. Threat severity, threat

susceptibility, response efficacy, and self-efficacy are the constructs. The definitions of these

constructs as variables are above.

Response efficacy on a security risk (RESR). The definition of security risks is any

situation or situations that may affect the controls that ensure the integrity of services and data

(Marston, Li, Bandyopadhyay, Zhang, & Ghalsasi, 2011). The variable RESR is connected to

the response efficacy construct. In this case, it is the perceived effectiveness of the suggested

adaptive controls that ensure integrity in a cloud computing environment.

Self-efficacy on a security risk (SESR). The definition of security risks is any situation or

situations that may affect the controls that ensure the integrity of services and data (Marston et

al., 2011). The self-efficacy construct and the variable SESR are connected. In this case, it is the

degree to which a person believes he/she can effectively perform recommended adaptive controls that

ensure integrity in a cloud computing environment.

Threat severity on a security risk (TSESR). The definition of security risks is any

situation or situations affecting the control or controls that ensure the integrity of services and

data (Marston et al., 2011). The variable TSESR measures the threat severity construct. In this

case, it is how serious someone perceives the situation or situations that may affect the controls

that ensure integrity in a cloud computing environment.

Threat susceptibility to security risk (TSUSR). The definition of security risks is any

situation or situations that may affect the controls that ensure the integrity of services and data

(Marston et al., 2011). The variable TSUSR measures the threat susceptibility construct. In this

case, it is the degree to which someone feels vulnerable to a situation or situations that may affect the

controls that ensure integrity in a cloud computing environment.

Privacy Risks Variables

Herath and Rao (2009) reference the constructs of threat severity, threat susceptibility,

response efficacy, and self-efficacy. Each of the constructs is defined above.

Response efficacy on a privacy risk (REPR). The definition of privacy risks is any

situation or situations that may affect the controls that guarantee authorized access to services

and data (Marston et al., 2011). The variable REPR is connected to the response efficacy

construct. In this case, it is the perceived effectiveness of the suggested adaptive controls that guarantee

authorized access in a cloud computing environment.

Self-efficacy on a privacy risk (SEPR). The definition of privacy risks is any situation or

situations that may affect the controls that guarantee authorized access to services and data

(Marston et al., 2011). The variable SEPR measures the self-efficacy construct. In this case, it is the

degree to which a person believes he/she can effectively perform recommended adaptive controls that

guarantee authorized access in a cloud computing environment.

Threat severity on a privacy risk (TSEPR). The definition of privacy risks is any situation

or situations that may affect the controls that guarantee authorized access to services and data

(Marston et al., 2011). The variable TSEPR measures the threat severity construct. In this case, it is

how serious someone perceives the situation or situations that may affect the controls that guarantee

authorized access in a cloud computing environment.

Threat susceptibility to a privacy risk (TSUPR). The definition of privacy risks is any

situation or situations that may affect the controls that guarantee authorized access to services

and data (Marston et al., 2011). The variable TSUPR measures the threat susceptibility

construct. In this case, it is the degree to which someone feels vulnerable to a situation or situations

that may affect the controls that guarantee authorized access in a cloud computing environment.

Intention to Adopt

Intention to Adopt cloud computing (IACC). Any action or actions that lead to the

decision to use some service or technology related to cloud computing (Granneman, 2010).

Operational Definitions

Response efficacy. The response efficacy "is the perceived effectiveness of the suggested

adaptive behavior" (Menard et al., 2014, p. 84). The variable will be measured using a Likert-

type 1-to-7-point scale based on the instrument developed by Herath and Rao (2009). The items

related to question ResQ1c are those used to measure this variable.

Self-efficacy. The self-efficacy "is the degree to which a person believes he/she can

perform a recommended adaptive behavior effectively" (Menard et al., 2014, p. 84). The variable

will be measured using a Likert-type 1-to-7-point scale based on the instrument developed by

Herath and Rao (2009). The items related to question ResQ1d are used to measure this variable.

Threat severity. The threat severity "relates to how serious someone perceives a threat to

be" (Menard et al., 2014, p. 84). The variable will be measured using a Likert-type 1-to-7-point

scale based on the instrument developed by Herath and Rao (2009). The items related to question

ResQ1a measure this variable.

Threat susceptibility. The threat susceptibility "refers to the degree to which someone

feels vulnerable to a particular threat" (Menard et al., 2014, p. 84). The variable will be measured

using a Likert-type 1-to-7-point scale based on the instrument developed by Herath and Rao

(2009). The items related to question ResQ1b measure the variable.

Research Design

The methodology for the study is a quantitative method with a nonexperimental design

and a correlational approach. The purpose of the study is to examine whether there is a

correlation between security and privacy risks when the business sector intends to adopt cloud

computing. A correlational study is one of the quantitative methodologies. The correlation is a

measure of the relationship between two variables (Field, 2013). Finding a correlation between

the independent variables (IVs) and the dependent variable (DV) is the purpose of the study

(Mertler & Vannatta, 2013). A correlational study is investigative, discovering relationships,

understandings, and characteristics among subjects (Ekufu, 2012). Incorporating questions from

previously validated instruments in the survey safeguards the results and determines whether there

is a relationship between the different variables. The non-experimental design with a

correlational focus derives after analyzing the variables to their corresponding hypothesis and the

research questions.

A survey that collects data to respond to the research questions is the primary tool

(Sekaran & Bougie, 2014). Included in the survey questionnaire are the items designed to

measure the relationship between the variables under investigation (Venkatesh, Thong, & Xu,

2012). A Likert-type 1-to-7-point scale will measure the participant's responses (Venkatesh et al.,

2012). The values obtained from the answers will be used for the quantitative methods to

measure the relationship between the variables (Vogt, 2007). The survey responses were

measured using the scale, resulting in ordinal data.

The investigation's statistics are not possible with ordinal data; thus, conversion to interval

data is necessary. To perform the conversion, the total sum of scores obtained from the survey

is divided by the number of elements. The average obtained from the division is the interval

data for the statistics. This type of test's typical effect size is 0.15, considered medium size

(Statistics Solutions, 2010). However, the actual investigation's effect size is 0.12, which is

smaller than the one typically used. The value of 0.12 is used to obtain a more extensive and

more representative sample of the population. Representativeness is essential to generalize the

results in the diverse population studied at the end of the investigation (Field, 2013). Once the

data is obtained, then the statistics will proceed.

The correlational coefficient (R) of the multiple regression will answer the research

questions by indicating a significant relationship. These coefficient values in a multiple

regression range from 0 to 1, with the signs of the regression coefficients (b) verifying the negative or

positive relationship (Field, 2013). The correlation square (R²), also known as the coefficient of

determination of each variable related to DV, will be used to determine which has a more

significant effect (Field, 2013). The results obtained from the F distribution and the probability (p) are

the values to confirm the results obtained previously. Knowing the effects of each IV on the DV

allows determining the order of the factors. The results of these data also will provide the

percentage, median (Mdn), means (M), standard error (SE), and standard deviation (SD). The

investigation model uses two theories, the PMT and the TPB.
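The scoring and regression steps described above, shown as an added example that is not part of the dissertation: each construct's Likert items are averaged into a composite score, and the intention to adopt (IACC) is regressed on the four security-risk composites to obtain b, R, R² and F. The responses, the three-items-per-construct layout and all function names are constructed assumptions, not study data or the study's instrument.

```python
"""Likert composite scoring and multiple regression (added illustration)."""

# Constructed responses, NOT study data. One tuple per respondent; each list
# holds three 1-to-7 Likert items (item count is an assumption) for, in order:
# TSESR, TSUSR, RESR, SESR (independent variables) and IACC (dependent).
SAMPLE = [
    ([7, 6, 5], [5, 5, 5], [3, 2, 4], [4, 4, 4], [3, 4, 2]),
    ([2, 2, 2], [3, 4, 2], [6, 6, 6], [7, 6, 5], [6, 6, 6]),
    ([5, 5, 5], [6, 7, 5], [4, 4, 4], [3, 3, 3], [4, 3, 2]),
    ([3, 3, 3], [2, 1, 3], [5, 5, 5], [5, 6, 4], [5, 5, 5]),
    ([7, 7, 7], [6, 6, 6], [2, 2, 2], [3, 2, 4], [2, 2, 2]),
    ([4, 4, 4], [4, 5, 3], [5, 5, 5], [6, 6, 6], [5, 6, 4]),
    ([6, 6, 6], [3, 3, 3], [3, 3, 3], [2, 2, 2], [2, 3, 4]),
    ([1, 1, 1], [2, 2, 2], [7, 7, 7], [6, 6, 6], [7, 6, 7]),
    ([5, 4, 6], [5, 5, 5], [4, 4, 4], [5, 5, 5], [4, 4, 4]),
    ([3, 3, 3], [4, 4, 4], [6, 6, 6], [4, 4, 4], [5, 5, 4]),
]
PREDICTORS = ("TSESR", "TSUSR", "RESR", "SESR")


def composite_score(items):
    """Ordinal-to-interval step: total of the item scores / number of items."""
    if not items or any(not 1 <= v <= 7 for v in items):
        raise ValueError("each item must be a 1-to-7 Likert response")
    return sum(items) / len(items)


def solve(a, b):
    """Solve a.x = b by Gaussian elimination with partial pivoting."""
    n = len(b)
    m = [list(row) + [rhs] for row, rhs in zip(a, b)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        if abs(m[pivot][col]) < 1e-12:
            raise ValueError("predictors are collinear; regression undefined")
        m[col], m[pivot] = m[pivot], m[col]
        for r in range(col + 1, n):
            factor = m[r][col] / m[col][col]
            for c in range(col, n + 1):
                m[r][c] -= factor * m[col][c]
    x = [0.0] * n
    for i in range(n - 1, -1, -1):
        tail = sum(m[i][j] * x[j] for j in range(i + 1, n))
        x[i] = (m[i][n] - tail) / m[i][i]
    return x


def multiple_regression(X, y):
    """Ordinary least squares of y on the columns of X plus an intercept."""
    n, k = len(y), len(X[0])
    if n <= k + 1:
        raise ValueError("need more respondents than estimated coefficients")
    design = [[1.0] + list(row) for row in X]
    p = k + 1
    # Normal equations (X'X) b = X'y
    xtx = [[sum(r[i] * r[j] for r in design) for j in range(p)] for i in range(p)]
    xty = [sum(r[i] * yi for r, yi in zip(design, y)) for i in range(p)]
    b = solve(xtx, xty)
    fitted = [sum(bi * xi for bi, xi in zip(b, r)) for r in design]
    y_bar = sum(y) / n
    ss_tot = sum((yi - y_bar) ** 2 for yi in y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    if ss_tot == 0:
        raise ValueError("dependent variable has no variance")
    r2 = 1.0 - ss_res / ss_tot
    df = (k, n - k - 1)
    # F statistic; p is then read from the F distribution with these df
    # (left to a statistics package).
    f = float("inf") if ss_res == 0 else ((ss_tot - ss_res) / df[0]) / (ss_res / df[1])
    return {"b": b, "R": max(r2, 0.0) ** 0.5, "R2": r2, "F": f, "df": df}


def analyse(sample):
    """Score every respondent, then regress IACC on the four composites."""
    X = [[composite_score(items) for items in row[:4]] for row in sample]
    y = [composite_score(row[4]) for row in sample]
    return multiple_regression(X, y)


if __name__ == "__main__":
    fit = analyse(SAMPLE)
    print(f"R = {fit['R']:.3f}, R2 = {fit['R2']:.3f}, "
          f"F{fit['df']} = {fit['F']:.2f}")
    print(f"intercept: b = {fit['b'][0]:+.3f}")
    for name, coef in zip(PREDICTORS, fit["b"][1:]):
        # The sign of b gives the direction of the relationship with IACC.
        print(f"{name}: b = {coef:+.3f}")
```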

The criterion of a potential threat is an individual IT professional's perception. The PMT theory used

by Yang and Lee (2016) measured an "individual's protection behaviors" (p. 255). Sommestad et

al. (2015) used the TPB to focus on the theory of reasoned action paying attention to the

intention of each person's behavior. According to Foth (2016), the TPB theory studied those

factors influencing an individual's behavior. Both the PMT and TPB are appropriate theories to

investigate a perceived threat in a cloud computing situation (Ekufu, 2012; Herath & Rao, 2009).

This study aims to understand the influence between security and privacy risks and the intention

to adopt cloud computing technology by using the PMT and TPB theories. The model developed

from these two theories is illustrated in Figure 1.

Figure 1

Research PMT and TPB Integrated Model

Note. The model demonstrates the two primary research areas: security and privacy risks and their

corresponding construct. Each construct is linked by its matching hypothesis that leads to an

understanding of the intent to adopt cloud computing in the United States. From "Protection

motivation and deterrence: A framework for security policy compliance in organizations" by

Herath and Rao, 2009, p. 110, European Journal of Information Systems. Copyright 2009 by

Herath and Rao. Adapted with permission.

Assumptions, Limitations, and Delimitations

Assumptions

The following sections will show the assumptions and limitations of the investigation.

The assumptions are those factors that we will take for granted in order to carry out the

investigation. Limitations, on the other hand, are those issues that the research will not study.

Both the assumptions and limitations are divided into several categories that will be discussed

below.

General methodological assumptions. The investigation assumes a non-experimental

design using a quantitative approach as its methodology permits a better correlational approach

and better results. The selected methodology, design, and strategy will help the study obtain

adequate data, and then the statistics to answer the research questions.

Survey participants are assumed to be current IT professionals with a minimum of five

years of experience. A minimum of five years of experience gives the IT professional

experience in dealing with privacy and security risks associated with cloud computing

technology. The experience, it is assumed, is accompanied by relevant training in security and

privacy risks in cloud computing technology. An underlying assumption in the survey

questionnaire is the participant's honesty in their responses.

The respondents will give an accurate response to the demographic questions. These

questions include the participant's geographic region, sex, and the professional area where the IT

has their experience related to business, health, engineering, and others. The investigator

assumes the same honesty of the individual participants when responding to the investigation

questions. These questions assume the validity and reliability of the following survey

instruments.

Theoretical assumptions. The investigation assumes that the theoretical framework from

the PMT and TPB theories is adequate for the study. The theoretical framework permits

studying security and privacy risks and better understanding their effects on the intention to adopt

cloud computing. Previous studies have used PMT and TPB successfully.

Topic-specific assumptions. It is assumed that the instruments used by Herath

and Rao (2009), and Ekufu (2012) have met the validity and reliability requirements. Herath and

Rao (2009) integrated the PMT and the TPB in their investigation on security policies with cloud

computing adoption. Ekufu (2012) used his instrument in the TPB to measure the intention to

adopt cloud computing technology. His investigation was validated and reliable. Therefore, the

investigator assumes that these research instruments do not need a field test for reliability and

validity. This study's research instrument integrates the PMT and the TPB theories, as shown in

Figure 1. The investigator assumes that these theories and instruments are suitable frameworks

for this study.

Assumptions about measures. It is assumed that the administration and security

protocols will be followed as established. These protocols will avoid jeopardizing the validity of

the research in order to obtain accurate results.

Limitations

Improvements for further research are shown in this investigation's limitations to guide

future researchers on areas of the study that can be improved and thus create a better approach.

Design limitations. The first limitation of the investigation is the lack of knowledge of

the influence of security and privacy risks on the decision to adopt cloud computing technology.

Herath and Rao (2009) studied security policies regarding the intent to adopt cloud computing.

Their study uses various theoretical models related to security policies and the adoption of new

technology. Ekufu (2012) utilized a combination of the Technology Acceptance Model (TAM) and the

TPB. The literature review shows that the use of TAM and TPB is frequent, thus showing a

limitation in the areas of privacy and security risks in the intent to adopt cloud computing.

A survey sample will include 218 individuals in the United States. These individuals have

a minimum of five years of working experience in the IT field. Top management personnel with

organizational capability are not part of the sample survey. Using only the sample survey as part

of the investigative instrument is a limitation. Other techniques such as personal interviews,

observations, and so on help better understand other factors in the intent to adopt new

technology. There are several different delimitations for this investigation that should be taken into

account for future research.

The theory of PMT (Rogers, 1975) and the TPB by Ajzen (2006) do not include other

factors, namely cost-efficiency, real-time effectiveness, and manageability of the technology.

The PMT is focused more on the adoption of new technology. The TPB studies an

individual's intention to accomplish a task based on reward or punishment.

Delimitations. This research is not a longitudinal study, which is another form of

investigation. A longitudinal study permits a comparative approach by completing the research

using various time parameters. From these results, the investigator then has a better

understanding of the intent to adopt cloud computing regarding security and privacy risks. Not

including a longitudinal study delimits this investigation.

Organization of the Remainder of the Study

Chapter 1 introduced the topic of security and privacy risks about the intention to adopt

cloud computing technology. As part of the introduction, the identified purpose and the problem

are detailed. Eight research questions follow the problem and purpose statement. These research

questions are based on the PMT theory. Definitions of the key terms and other

introductory information conclude the chapter.

Chapter 2 reviews the literature on cloud adoption; the theoretical frameworks are based on the context

of the adoption of technology. Such a background provides a better insight into

the possible adoption of new technology.

Chapter 3 presents the research methodology and design, having various parts, including

the target population, as an integral part of the research design. The target population will give

answers to the research questions and hypotheses. Research procedures and the appropriate

research instruments are part of the research design. Ethical considerations cover the target

population and guide research procedures.

Chapter 4 provides the survey analysis results, affirming the alternate hypothesis or the

research question's null hypothesis. The response offers a better insight into the intention to

adopt cloud computing technology.

Chapter 5 presents the results. The analysis provides a better understanding of the

intention to adopt cloud computing. The intention leads to the discussion of the research

limitations. Based on the flaws of the study, the researcher then discusses the implications of the

study. These implications can provide the bases for future research.

CHAPTER 2. LITERATURE REVIEW

For years, the business sector has focused on providing better service to their customers

without increasing their operational costs and IT infrastructure. Cloud computing, one of the

fastest developing technologies in the world today, is an alternative service with advantages and

risks. The investigation focuses on the security and privacy risks a business finds when deciding

whether to adopt the technology.

Chapter 2 begins with an explanation of the search methods used in the investigation. The

first step is to locate the different databases used to find the study's relevant literature as a

reference for future searches. Another technique used keywords and their combinations to

determine pertinent literature to the research. The limitations of the study follow to obtain the

most current information. The theoretical orientation explaining the theories for the investigation

is in the next section.

Rogers (1975) created the PMT to study individual behavior towards complying with

potential threats. Herath and Rao (2009) used the PMT theory in their investigation, studying an

individual’s compliance with security policies in the context of cloud computing technology.

Potential threats to security and privacy risks measured the individuals' behavior. The intention is

a critical element in the intent to adopt cloud computing technology, the fundamental basis for

the current investigation.

The focus of the TPB is the intention to adopt cloud computing technology (Ajzen, 2006;

Ekufu, 2012). The TPB forms the second fundamental part of the investigation. The TPB was

used to predict an individual's potential behavior about the intention of complying with security

policies (Herath & Rao, 2009). In another study, the TPB was used by Ekufu (2012) to analyze

the relationship between behavior and the intent to adopt cloud computing. The current

investigation uses the PMT and the TPB to evaluate the individual's behavior, intending to adopt

cloud computing. Before beginning the analysis, certain cloud computing concepts need first to

be understood.

A literature review of the basic concepts of cloud computing identifies the technology used

for cloud computing. Kumar and Shantala (2020) found that the National Institute of Standards

and Technology (NIST) defines cloud computing as computing resources with the capacity to be

rapidly configurable with the least amount of work. The literature review continues with the

concepts of cloud computing, PMT, and TPB. These theories are investigated and analyzed

individually and collectively, from a business perspective. A review of the most recent cloud

computing literature follows.

The literature review's relevant findings include analyzing data and discussion, a critique

of previous studies, and its methods explaining their effectiveness. Finally, a summary of the

critical points is established in Chapter 2 and more fully developed in Chapter 3.

Methods of Searching

The three different databases selected for the research were Google Scholar, ProQuest,

Science Direct, and EBSCOhost. The keywords were the following: cloud

computing, adoption, intend, business sector, privacy risk, security risk, protection motivation

theory, and theory of planned behavior. The combinations were cloud

computing and adoption, cloud computing and privacy risk, cloud computing and security risk,

cloud computing and protection motivation theory, cloud computing and theory of planned

behavior, cloud computing and business sector, and cloud computing and intent. A discussion of

these related combinations to the topic of research for a better understanding is necessary.

The combinations used the words and, or, and not as Boolean operators, and wildcards

such as the asterisk (*). These searches were for keywords such as cloud computing and privacy

risks, cloud computing and security threats, cloud computing, and *. These were applied where

the database, such as Google Scholar, ProQuest, Science Direct, and EBSCOhost, permitted

them. Despite efforts to cover as much material as possible, it is always necessary to establish

some limitations to focus on the topic.

The limitations were to help find more accurate and updated information on the research

topic. The start date, 2012, was to read the most recent research on the subject of business use of

cloud computing technology. Security and privacy risks in cloud computing technology present a

different challenge for businesses. Personal data and security information become compromised

with security and privacy risks, giving a reason to investigate the topic's latest information. The

theories of PMT and TPB were established in the years 1975 and 2002, respectively. Studies

similar to the current one used the PMT and TPB instruments earlier than the starting date of

2012. The reliability and validity of these investigations give credibility to the present research.

Theoretical Orientation for the Study

The protection motivation theory (PMT) and the theory of planned behavior (TPB) are

the investigation's theoretical foundation. Evaluation of the IT personnel’s perceived probability

of security and privacy risks in adopting cloud computing derives from Rogers's (1975) PMT

theory. Brand, Kruger-Van Renen, and Rudman (2015) suggest that an investigation to mitigate

security and privacy risks facilitates the adoption of new technology. Hence the importance of

using the PMT theory focusing on the security and privacy risks.

The PMT arises from two processes: threat appraisal and coping response appraisal.

These two processes have four measurable factors (Floyd et al., 2000; Herath & Rao, 2009;

Mumtaz & Nalin Asanka, 2019; Rogers, 1975). The four factors are the perceived severity of a

threatening event, the perceived susceptibility of the occurrence, the efficacy of the

recommended preventive behavior, and the perceived self-efficacy. The PMT proposes that all

those personnel involved protect themselves based on these four factors (Rogers, 1975). The

PMT studies continue to investigate perceived vulnerabilities (He & Zeadally, 2015). Laqtib et

al. (2020) suggest a slow increase in cloud computing systems in the past few years. Singh

(2019) suggests that cloud computing use continues to increase quickly. The business sector

still views its use of cloud computing systems with suspicion.

Understanding the four factors on threat appraisal and the coping response appraisal is essential

in adopting cloud computing technology. Below is a description of the first two constructs for the

threat appraisal process.

The two constructs of the threat appraisal for the study are threat severity and threat

susceptibility. The threat severity “relates to how serious someone perceives a threat to be”

(Menard et al., 2014, p. 84). The threat susceptibility “refers to the degree to which someone

feels vulnerable to a particular threat” (Menard et al., 2014, p. 84). These two constructs are

focused on the perception of security or privacy risk. Next is a description of the other two

constructs for the coping response appraisal.

The response efficacy and self-efficacy are the other two constructs for the study. The

response efficacy “is the perceived effectiveness of the suggested adaptive behavior” (Menard et

al., 2014, p. 84). The self-efficacy “is the degree to which a person believes can effectively

perform a recommended adaptive behavior” (Menard et al., 2014, p. 84). These two constructs

are focused on the perception of the reaction to an occurrence of a security or privacy risk.

However, the four constructs mentioned so far also measure the possible existence of a safety

or privacy risk. Another theory is needed to measure the intention of adopting new technology.

The TPB, developed by Ajzen (2006), is used. The TPB studies the behavior of the intent

to adopt new technology. The TPB will measure the dependent variable, the intention to adopt

cloud computing, and compare with the independent variables (Aboelmaged, 2010; Ekufu, 2012;

Rastogi et al., 2018). There are two other essential theories related to adopting cloud computing

technology, the technology acceptance model (TAM) and the unified theory of acceptance and

use of technology (UTAUT). These two theories use different perspectives in their investigations

to adopt new technology (Davis, 1989; Rastogi et al., 2018; Venkatesh et al., 2012). The PMT

and TPB are well-connected theories included in the research developed by Herath and Rao

(2009).

Both PMT and TPB provide an excellent background for investigating the perceived

probability of the occurrence of a security or privacy risk (Herath & Rao, 2009). The PMT and

TPB theories were selected to study the influence or contribution between risks and the intention

of adopting cloud computing. The relationship between the two theories and the adoption is

shown in Figure 2.

Figure 2

PMT and TPB Integrated Constructs Model

Note. The model shows the relationship between the constructs of the PMT and TPB theories

with the adoption of cloud computing technology.

Review of the Literature

The literature review begins by explaining cloud computing's main characteristics as a

tool for the business sector. The intent to adopt cloud computing is the focus of the research. The

TPB and the PMT form the theoretical framework of the investigation. The next section explains

their complementariness and their differences. The literature review focuses on security and

privacy risks in the business sector, intending to adopt cloud computing.

Cloud Computing

The enormous growth of the Web has produced thousands of e-commerce transactions

and millions of queries each day (Jones, Irani, Sivarajah, & Love, 2019). The business sector

needs to respond to its clients' needs effectively. Different technologies react to clients' needs,

including cloud computing.

A wide range of applications, such as industry, marketing, telecommunications, health

care, insurance, transportation, banking, shopping, public and private hospitals, libraries, and

personal services, use cloud computing technology. Cloud computing is considered an essential

service, ranking fifth after water, electricity, gas, and telephone services (Korucu & Karakoca,

2020). Cloud computing is part of our daily lives. Web services, such as Gmail, Hotmail, and

Yahoo mail, carry messages between individuals. Those interested in movie series and videos

have Netflix and YouTube. Spotify, Twitter, Facebook, and Instagram allow music streaming,

text messages, photos, and video social networking. Cloud computing technologies share and

collect a wide range of content between blogs and wikis (Korucu & Karakoca, 2020). Aside

from these commercial applications, cloud computing technology offers technical advantages for

the business sector.

Cloud computing can provide advanced performance, instant updates, automatic

maintenance and repair, compatibility between different platforms such as different

operating systems and file formats, and collaborative group work and collaboration

with remote access (Jones et al., 2019). Aside from these services, cloud computing technology

has other essential services for the business sector. High-level data security protects against

viruses. The possibility of unlimited data storage capacity, backup systems, with an emphasis on

privacy, helps a business secure its data. Cloud computing includes multidimensional features,

such as mobility, efficiency, accessibility, flexibility, scalability, and continuity. These features

are available due to cloud computing's dynamic infrastructure (Jones et al., 2019). The cloud

computing structure that provides these services and applications needs development.

Clients can leverage the cloud computing paradigm and technology resources to deploy

their enterprise IT structure (see Figure 3). Korucu and Karakoca (2020) have identified

cloud computing as a "virtualized, dynamically scalable, managed computing power, a large-

scale distributed computing paradigm driven by the economies of scale, communicated over the

internet to the demands of external customers" (p. 71). The National Institute of Standards and

Technology (NIST) describes cloud computing as computing properties that are rapidly

configurable and distributed with little effort and collaboration with cloud providers (Kumar &

Shantala, 2020). According to Jones et al. (2019), cloud computing is an internet-based

distributed computing paradigm covering many services within cloud computing technologies,

permitting users access to these services only through the internet network. The classification of

the cloud computing model does not apply to all computer models. A computing model needs to

have five characteristics to meet the definition of cloud computing (Singh, 2019). The attributes

are on-demand self-service, broad network access, resource pooling, rapid elasticity, and

measured services. Achieving these characteristics, in many cases, depends on the service and

deployment model.

Figure 3

Logical Diagram and Overview of Cloud Computing

Note. From "Predicting cloud computing technology adoption by organizations: An empirical

integration of technology acceptance model and theory of planned behavior" by Ekufu, 2012, p.

6, ProQuest. Copyright 2012 by Ekufu. Reprinted with permission.

The NIST defines Platform as a Service (PaaS), Software as a Service (SaaS), and

Infrastructure as a Service (IaaS) as three standard service models (Singh, 2019). NIST describes

PaaS as the client's capacity to organize applications created or acquired by the consumer in

the cloud infrastructure (Holzmann et al., 2020). The applications' development uses

programming languages, libraries, services, and tools compatible with the provider. In other

words, the PaaS is a service delivery model allowing the consumer to deploy consumer-created

or acquired applications (e.g., operating systems, databases, and Web servers) onto the cloud

infrastructure (Jones et al., 2019). On the other hand, SaaS is a different case from the PaaS.

The NIST explains SaaS as the client's capacity to use the provider's applications using a

cloud infrastructure (Holzmann et al., 2020). A thin client interface, a web browser, or a program

interface allows the personnel to attain accessibility. SaaS, according to Jones et al. (2019), is a

software distribution model. The model provides the consumer with the capability of using a

provider's applications running on a cloud infrastructure. Accessibility is via a web browser

using the internet. Cloud service offers complete application functionality. The services range

from productivity applications (e.g., word processing and spreadsheets) to programs for customer

relationship manager (CRM) or enterprise resource management (ERM). IaaS has differentiating

characteristics from SaaS.

The NIST defines IaaS as the capacity a client has to implement and execute arbitrary

software (Singh, 2019). More directly, IaaS is a provision model offering the consumer

outsourced processing, storage, networks, and other fundamental computing resources by cloud

service providers such as IBM, Microsoft, and Amazon's EC2 (Jones et al., 2019). All these

modalities, PaaS, SaaS, and IaaS, have had constant use growth since 2017, and it is projected that

the growth will continue until 2021, especially the SaaS (Singh, 2019). As is shown in Figure 4,

software can include operating systems and applications in different layers.

Figure 4

Cloud-computing Technology Functionalities

Note. The figure shows the SaaS, PaaS, and IaaS as three standard service models and their

interaction with cloud clients.

Some companies are dedicated to guiding, installing, and configuring cloud computing

technology based on the individual needs of a business (Ahmed, Capretz, Sandhu, & Raza, 2014;

Singh, 2019). Cloud providers offer private cloud, community cloud, public clouds, and hybrid

cloud deployment models. The selection of the type of service model or the deployment model

rests on the different needs of the customer (Kumar & Shantala, 2020). For each client's needs,

a wide variety of cloud providers exists. Amazon Virtual Private Cloud, Cisco Private Cloud,

Microsoft Private Cloud, Salesforce, Windows Azure, and Google Cloud Platform are examples

of current cloud providers. In terms of services, the growth registered an increase in 2018, with

Amazon, Windows Azure, and Google, respectively, dominating the top positions (Singh, 2019).

Amazon's dominance is due to its spot instances, offered through an auction-like mechanism for cloud

customers (Kumar, Baranwal, Raza, & Vidyarthi, 2018). Nevertheless, despite its exceptional

qualities, cloud computing has its risks.

Security and Privacy Risks

Security and privacy risks are two principal concerns with the use of cloud computing

technology. The interest arises because cloud computing is an emerging computing service paradigm

(Jones et al., 2019). Its full scale, complexity, and innovation still raise worries,

risks, and fears surrounding the technology's maturity. That is why security and privacy are a

concern with the paradigm of cloud computing. A better understanding of the issue stems

from the definitions of security and privacy risks. The meaning of security risks is any situation

that may affect the controls guaranteeing the integrity of the services and data. A partial loss or

complete loss of data is an example of a security failure (Ekufu, 2012). Data integrity is a

significant security concern because the cloud ecosystem has a distributed storage system (Kumar &

Shantala, 2020). The concept of data integrity allows the original user to access and offer full

control of the management of their intellectual possessions and exclude other illegal users.

Figure 5 shows the actions taken to safeguard the integrity of the data. As expected in cloud

computing environments, privacy risks accompany security risks.

Figure 5

Data Integrity Structure

Note. The structure shows the actions taken to safeguard the integrity of the data. The figure also

shows the different protection mechanisms developed to solve data integrity during the cloud

storage system.

The definition of the privacy risks is any situation that may affect the controls which

guarantee authorized access to services and data (Applegate, Austin, & Soule, 2009; Marston et

al., 2011). Failure in the service structure prohibiting a client from using the applications is an

example of a privacy risk (Ekufu, 2012). Regardless of cloud computing's potential, there is

always a privacy factor risk associated with the data. Increased reliance on third-party providers

may not meet some business expectations on privacy security, leading to gaps in sensitive data

(Kumar & Shantala, 2020). Figure 6 shows some of the measures to safeguard the confidentiality

of the data. The examples presented are part of the concern of these risks when talking about

cloud computing technology.

Figure 6

Data Privacy Scheme

Note. The scheme shows some of the measures to safeguard the confidentiality of the data. The

figure also shows the different protection mechanisms developed to solve data privacy problems

during the access system to the cloud.

Cloud computing remains one of the highest technology investments. Still, the

technologies' distribution is made carefully due to its unknown long-term implications (Jones et

al., 2019). Due to the unexplored consequences, the businesses are concerned with not providing

the client with a more secure and private transaction in a cloud computing environment. There is

a need for research on the acceptance and use of technologies like cloud computing in this

context (Holzmann et al., 2020). The TPB and PMT theories will be the ones used to study the

concerns and thus be able to overcome them.

Theory of Planned Behavior

The theory of planned behavior (TPB) focuses on the theory of reasoned action to predict

human behavior (Sommestad et al., 2015). The concept pays attention to each person's intention

to behave in a given situation that may include security or privacy risks. According to the TPB,

behavioral intention leads to a specific behavior, such as technology usage. The role of intention

as a predictor of behavior is well established in the literature (Holzmann et al., 2020). However,

this is not the only approach to the TPB theory.

Figure 7

Factors of the Theory of Planned Behavior

Note. The figure shows the different constructs that make up the TPB theory and how they relate

to each other. From "Predicting cloud computing technology adoption by organizations: An

empirical integration of technology acceptance model and theory of planned behavior" by Ekufu,

2012, p. 21, ProQuest. Copyright 2012 by Ekufu. Adapted with permission.

The theory also focuses on the factors influencing the behavior of the individual (Foth,

2016). Three categories affect behavioral intention (see Figure 7). Foth (2016) mentioned these

three categories as "attitude toward the behavior, subjective norm, and perceived control" (p. 92).

A definition of attitude is a stable way of thinking or moving someone; usually, one that affects

the behavior of a person (Foth, 2016; Wright & Guang-Xin, 2019). The subjective norm is the

perceived social pressure to engage or not engage in an adequate response (Foth, 2016). For

example, respect for another's viewpoint is an influence on individual behavior. A highly

respected individual expects to be considerate. Finally, perceived behavioral control refers to

people's views of their capacity to perform a given response (Foth, 2016; Wright & Guang-Xin,

2019). Other IS personnel influence their colleagues' behavior by demonstrating the ease or

difficulty in achieving a task. The TPB presents another characteristic in understanding a

person's behavior, essential for the current investigation.

An underlying assumption of the TPB theory is that the individual's behavior is on a continuum

scale (Sommestad et al., 2015). The range goes from the healthiest reaction to the most difficult.

These behavioral responses are another way to understand better how and why a person meets

safety. Such a characteristic permits establishing a scale to measure the intention of the person

(Herath & Rao, 2009). Other researchers have focused their research on the constructs used in

the TPB.

Sommestad et al. (2015) extended the TPB by including a threat appraisal construct

derived from the PMT. Anticipated regret is the independent variable. The likely disappointment

represents the threat appraisal in the TPB model from these investigators (Sommestad et al.,

2015). PMT has other constructs, and the description of each one follows.

Protection Motivation Theory

Yang and Lee (2016) understand that the protection motivation theory (PMT; see Figure

8) is a way of predicting the "individual's protection behaviors" (p. 255). An individual's

behavior in the face of fear is essential and influences when evaluating potential threats and

threat severity. An individual evaluates and determines the next steps taken when faced with a

potential threat. Gao et al. (2015) have conducted research using the PMT and delineated this

theory's following point.

Fear is an equally dangerous situation and a factor that motivates an individual (Gao et

al., 2015). Fear is a factor leading to errors or negligence on the part of the individual. Improper

use of cloud computing technology is negligence and part of the threat to privacy and security

risks (Chen et al., 2015). Training and education are necessary for an IT specialist to prepare

against threat susceptibility. An evaluation of their training and learning follows. Based on the

review results, the threat is either discarded or reevaluated due to the potential severity. It is

necessary to know how the PMT analyzes the assessment in more detail.

As mentioned in previous sections, the PMT consists of two parts, the coping appraisal

and the threat appraisal. The coping appraisal "consists of self-efficacy and response-efficacy"

(Yang & Lee, 2016, p. 255). These two constructs are essential in dealing with the threat; a sense

of confidence allows the individual (see Figure 8) to respond positively (Yang & Lee, 2016, p.

255). Self-confidence and coping are essential in the practice of self-efficacy and response

efficiency. The threat appraisal constructs focus on another critical area of PMT theory.

Figure 8

Factors of the Protection Motivation Theory

Note. The figure shows the different constructs that make the PMT theory and how they relate.

The threat appraisal "consists of threat severity and threat susceptibility" (Yang & Lee,

2016, p. 256). Some researchers, like Barlette and Gundolf, have named threat susceptibility as

threat vulnerability. They are the ones directly related to fear. An individual's assessment of the

severity and weakness (see Figure 8) influences the protection response. Other researchers

regarding specific situations have used these constructs.

White, Ekin, and Visinescu (2017) suggest that many authors have used the PMT to study

human behavior on technology. The PMT theory was used in their latest research to measure

people's reaction and adaptation when they acquired new home computers (White et al., 2017).

The authors used the constructs of response efficacy and self-efficacy in their investigation.

Analysis of behavior in the face of possible risks incorporates the PMT theory.

Barlette, Gundolf, and Jaouen (2017) understand the PMT as "one of the most

explanatory theories about a person's intention to use protective behavior" (p. 10). The PMT

theory was developed to study social behavior and was eventually adapted to study behavior

specialists in the Information Security System (ISS). The research explored the behavior of

employees, teachers, and students using new technologies in their educational facilities (Barlette

et al., 2017). During their investigation, the authors used the constructs of the coping response

and threat appraisal. There is a combination of the PMT theories to produce a more robust study

in the current research.

Integration of PMT and TPB

The earlier studies have usually analyzed the adoption and use of diverse technologies.

However, the number of studies emphasizing new technology adoption is slight (Holzmann et

al., 2020). For that reason, a combination of the TPB and PMT theories provides another

perspective regarding security and privacy risks with the adoption of cloud computing

technology.

The PMT theory, developed by Rogers (1975), is the primary theory for this research.

The theory measures the possible security and privacy risks with the adoption of cloud

computing. The TPB theory, developed by Ajzen (2006), expands the PMT theory, measuring

the intention to adopt. While focusing on different areas, both are necessary and important for

the current investigation. The investigation of the perceived probability by IT personnel of

security and privacy risks in adopting cloud computing technology is possible using these two

theories. The combination of theories such as the one explained, PMT and TPB, is typical in

research.

Sommestad et al. (2015) used the TPB in their investigation as the leading theory and the

PMT as the secondary one. The purpose of their study was on information security policy. The

PMT replaced a TPB construct regarding the threat appraisal construct. Sommestad et al. (2015)

found better empirical data for the information security policy using various theories. The

compiled data found there were better methods to establish a more specific security policy for

companies. The result of the investigation allows for better "compliance with employees'

information security policy" (Sommestad et al., 2015, p. 212). Their conclusion confirmed the

combination of theories produced better empirical data, clarifying the relationships they were

studying. Other researchers have combined these same theories.

Foth (2016) mentions the combination of various theories used to expand the TPB. The

TPB is also used by "including additional factors as independent variables" (Foth, 2016, p. 93).

Among other theories mentioned by the investigator is the PMT to expand the TPB successfully.

Foth (2016) suggests the use of the PMT in studying "employee compliance behavior with

security policy" (p. 93). A behavior change is not necessarily due to a threat of some form of

punishment for not following security policy (Foth, 2016; Ninh-Thuan & Viet-Ha, 2013). Using

the TPB in an integrated model, Foth (2016) understands, explains other behavioral factors. In

conclusion, combining these theories has allowed for more specific empirical data on security

policy and user behavior.

The study focuses on security and privacy risks in businesses in the United States,

intending to adopt cloud computing technology. Brand et al. (2015), in their investigation,

suggest the need to study how to minimize the risks in the adoption of new technology. The

research proposes the following to achieve a minimum of security and privacy risks.

For this investigation, the PMT integrates both the threat appraisal and coping response

appraisal as part of a new integrated model. These two processes can be measured using four

factors or constructs (Rogers, 1975). The four factors are the perceived severity of a threatening

event, the perceived susceptibility of the occurrence, the efficacy of the recommended preventive

behavior, and the perceived self-efficacy. The PMT proposes that all IT personnel protect

themselves based on these four factors (Rogers, 1975). Their response is essential to

understanding the intention to adopt cloud computing technology (Bahl & Wali, 2014). The TPB

theory is used in this research model to measure the intention to adopt cloud computing.

The TPB theory presents a more robust model. Two constructs of the TPB are essential.

A description of attitude is how a person feels "about performing the behavior for data protection

compliance" (Foth, 2016, p. 93). The second construct is perceived behavioral control. The

perceived behavioral control is "the perceived ease or difficulty in performing the behavior"

(Foth, 2016, p. 93). The empirical data taken from these constructs better clarifies the intent to

adopt cloud computing technology. The TPB is an appropriate theory for the study of the

intention to adopt cloud computing technology (Sommestad et al., 2015). The TPB is the basis

for measuring the dependent variable, the intention to adopt cloud computing. There is a

comparison between the dependent and independent variables. Both the PMT and TPB theories

allow for a better understanding regarding security and privacy risks and the intention to adopt

cloud computing.

Both the PMT and TPB have the theoretical framework for investigating the perceived

probability of the occurrence of an incident (Perepletchikov, Ryan, & Tari, 2013; Yang & Lee,

2016). The investigation's objective is to know and understand the influence or contribution

between the risks and the intention to adopt cloud computing technology. For that reason, the

PMT and TPB are the selected theories for the investigation, including the new integrated model.

The theories allow for expanding the dependent variables, permitting a more precise set of data

to better the business sector's recommendations. However, there are also conflicts or different

approaches between these two theories.

Differences Between PMT and TPB

The current study focuses on four of the PMT constructs. These four are threat severity,

threat susceptibility, response efficacy, and self-efficacy. Each PMT construct covers one area of

an individual's behavior. The underlying assumption is that an individual's conduct demonstrates

a willingness to be proactive (Rogers, 1975). Action is vital to understanding "information

security success" (Lebek, Uffen, Neumann, Hohler, & Breitner, 2014, p. 1053). Different sources

of behavior form the theory of TPB. Ajzen's theory (2006) was initially derived from studies in

psychology, criminology, sociology, and in today's cyber environment of information systems.

Lebek et al. (2014) used the TPB and PMT theory constructs to study behavior and motivation

patterns. Many of the constructs within these two models coincide. Included are other factors due

to the coincidence. Researchers favor using the TPB and PMT due to the level of coincidence

between the two models (Lebek et al., 2014). The focus of each theory of the integrated model is

different.

The differences between these two theories are in their respective approaches. The PMT

studies the individual's understanding of an external threat and the process to effectively deal

with the external threat (Yang & Lee, 2016). The individual undergoes two critical processes, the

threat appraisal followed by the coping appraisal. The individual's motivation for evaluating the

potential intensity of the external threat is part of the assessment. Payment by the company,

defending the infrastructure from a possible external threat, is reasonable. The coping appraisal

processes are similar but not identical.

An appropriate evaluation of a potential threat is critical during the coping appraisal

situation (Gao et al., 2015). A financial cost to the business is another negative consequence of a

negligent coping appraisal (Chen et al., 2015). These potential consequences are important

considerations during the coping appraisal process. These are two possible repercussions or costs

by not responding appropriately and effectively to an external threat. There are other independent

factors to which we must pay attention.

The factors of fear and fear appeal influence an individual's behavior (Gao et al., 2015).

Fear is an individual response to a potential external threat. The possible fear changes when the

external threat becomes a reality. The response time and effectiveness determine the danger

(Chen et al., 2015). Then the individual responses to the situation are critical to the present

investigation. The other independent factors are threat severity and threat susceptibility.

The individual needs to evaluate the potential threat of susceptibility and threat severity

(Yang & Lee, 2016). Understanding the nature of the external threat will guide the response. The

individual employee needs to have a clear understanding of the business susceptibility level to

better evaluate a threat susceptibility before becoming a threat severity (Gao et al., 2015). Such

knowledge leads to other measures.

Self-efficacy and response efficacy are necessary (Yang & Lee, 2016). The individual

employee needs to have a high level of self-efficacy to deal with the external threat susceptibility

and threat severity. Self-efficacy permits the individual to have a higher level of confidence and

assurance with a response efficacy beneficial for the business (Chen et al., 2015). These

independent principles are part of the dependent principle.

The independent principle is the concept and focus of the PMT. Wherever an external

threat exists, the motivation is to assure an adequate response. As the PMT theory understands,

the individual reaction towards an external threat is demonstrated by an appropriate response

from the information technologist (IT) person or personnel, the critical component (Menard et

al., 2014). A useful evaluation of different constructs leads to a proper response to the threat.

Such a response then diminishes the potential of another danger. The approach of the TPB theory

is different.

The TPB theory focuses on the individual employee's environment (Sommestad et al.,

2015). The TPB understands that a working atmosphere influences the employee's behavior. A

controlled environment where the different employees work responsibly toward assuring the

security of the data is essential. A negative or positive sentiment of the person fulfilling their

professional responsibilities defines attitude (Sommestad et al., 2015). Two other considerations

are personal anxiety and confidence in the new technology (Holzmann et al., 2020). Other

employees, it must be taken into account, influence their approach.

The subjective norm is the perception of the individual employee towards others (Foth,

2016). A positive work environment influences the employee, as does a negative work

environment. The TPB and PMT use both negative and positive work environments as two

independent principles, and each model has different constructs and approaches. Controlling an

employee's behavior is defined as the individual's perception of complying with the established

rules (Sommestad et al., 2015). An explanation and synthesis of the PMT theory are in the

following paragraph.

The PMT approach studies an employee's perception and reaction to a potential threat in

the work environment (Menard et al., 2014). For the investigation, security and privacy risks can

be either internal or external. The internal risk can originate from a poorly trained employee or

an employee with little knowledge. An external threat may arise from a computer hacker

intending to steal information from a location outside the business location. The second theory is

TPB. The TPB synthesizes the results in the PMT theory.

The TPB focuses on the environment influencing the individual employee's behavior;

these include fellow employees and supervisors. Their actions and expectations change a single

employee's behavior (Sommestad et al., 2015). The purpose of the TPB is to understand the best

way to make a positive work environment. A positive environment can influence a person's

attitude and, in this case, encourage the adoption of new technology. Both the PMT and TPB

theories lead to the following.

The PMT and TPB have similar constructs, permitting an investigator to use both in an

effective integrated manner. The research literature shows that there are various constructs.

Those constructs that coincide help the researcher better understand the potential of an individual

employee's behavior towards security and privacy risks. Those constructs which do not coincide

are a reminder of the differences in approach each theory has. The various constructs'

complementariness has permitted previous researchers to incorporate them in their

investigations, allowing their use in this study.

Cloud Computing in the Business Sector

The relationship between security and privacy risks and the adoption of cloud computing

technology is the research topic, and the business sector in the United States is the focus. Two

studies indicate business concerns with security and privacy risks. The business concern about

security and privacy risks, suggest Weng and Hung (2014), is that “companies still have been

concerned that putting financial and operational information in the cloud increases the possibility

of exposing sensitive data to hackers and outside entities” (p. 309). Another study, Zamosky

(2014), suggests a concern about cloud computing in the business sector deals with security and

privacy risks. The Federal Trade Commission (FTC), in 2014, asked for stricter legislation

regarding consumer data (Wright & Guang-Xin, 2019). Financial and operational information

passes through cloud computing technology, exposing a company to a third party gaining access

to sensitive data and information based on privacy and security risks. It is possible to gain illegal

access to this sensitive data in cloud computing.

There are various scholarly investigations on the healthcare business. Jones (2014)

reported a loss of 58 million records in 2013. Despite these privacy and security risks, cloud

computing presents an attractive concept for the business sector. Even with these risks, cloud

computing technology is still a smart concept for the business sector. The cost-effectiveness of

storing and sharing of electronic records is an advantage for businesses.

The investigation of the incidents of security and privacy risks for the business sector is

an essential factor. Understanding security and privacy risks is crucial to anticipate the events

causing security and privacy risks (Zamosky, 2014). In anticipation of these incidents, the

investigation needs to analyze the relationship between security and privacy risks to adopt cloud

computing technology for the business sector. This knowledge yields better results in

understanding how privacy and security risks influence the intent to adopt cloud computing

technology in the business sector (Weng & Hung, 2014). The anticipated outcome of the

investigation is as follows. The contribution to the field of information assurance and security is

an extension of the current body of knowledge in the area of adopting cloud computing

technology.

Each of the recommendations in adopting cloud computing derives from the empirical

data collected during the investigation. These recommendations help better understand the

intention of adopting cloud computing technology in the business sector (Neilson, 2013;

Zamosky, 2014). The suggestions are another contribution to the study. The target population is

IT professionals with a minimum of five years of IT experience. More precise details about the

literature on risks and opportunities follow.

Cloud computing provides a more extensive network of computers and storage

equipment, permitting more businesses to connect to the system (Knight & Saxby, 2014).

Accessibility gives businesses the advantage of cost-effectiveness in storing and sharing

electronic records, an advantage for all businesses. The cost of infrastructure is

less (Zamosky, 2014). Privacy and security risks to data integrity and access to services are a

reality (Weinstock, 2014). Many companies have experienced such a loss.

Manufacturing, telecommunications, government facilities, computer businesses, and

healthcare industries are concerned about keeping their records and services private and safe

(Kwon & Johnson, 2014; McDowall & Mills, 2019). Threats are both internal as well as external

(Kwon & Johnson, 2014). These threats have resulted in a cleanup cost to the businesses

involved of an estimated 4 to 7 million dollars (Claunch & McMillan, 2013). Researchers have

contributed by making various recommendations.

Claunch and McMillan (2013) suggest that businesses conduct internal, full, and

objective risk analysis. The risk analysis data helps the IT personnel assess what constitutes a

direct threat to their business's security or privacy risks. The risk analysis is a criterion for the IT

personnel to determine cloud computing technology adoption to meet the business's specific

needs (Sadiq, Zur Muehlen, & Indulska, 2012; Weng & Hung, 2014). The company determines

the amount of risk and recommendation against threats to security and privacy risks. A proposal

for the analysis of security and privacy risk follows.

Kwon and Johnson (2014) suggest a proactive approach in the selection process. Being

proactive helps to anticipate the potential risks and their mitigation. Brokers for cloud computing

companies seek better methods for business clients to share their electronic data (Zota & Petre,

2014). These methods help to mitigate the risks in privacy and security. Zamosky (2014)

holds that priorities should classify the level of security and confidentiality of the data.

These priorities stem from a business concern: which data the company deems the most

sensitive to protect. To achieve the classification, company officials must have a proactive

attitude. Some businesses have already taken a proactive approach. Google has an automatic data

encryption system for its data (Joseph et al., 2014; Strauss, 2014). Current federal laws establish

regulations to handle data.

Among the laws that regulate the data are the Computer Fraud and Abuse Act, the

Electronic Communication Privacy Act, and the Health Insurance Portability Act. The Computer

Fraud and Abuse Act (1990) establishes computer usage and data dissemination guidelines

(Jones, 2014). Sharing of data between individuals can potentially cause a violation of privacy.

The potential breach of privacy is part of the reason for the Electronic Communication Privacy

Act (1986) (Jones, 2014). Its purpose is to protect the privacy of individuals. The Health

Insurance Portability Act (HIPAA; 1986) is another law for sharing and storing electronic health

records (Jones, 2014). Service providers are responsible for saving these electronic records,

as are cloud computing companies, which is the rationale for these laws (Bahl & Wali,

2014). External as well as internal threats need to be assessed. The purpose of these laws is to

secure business data against both internal and external threats (Hayden, 2013). Some in the

business sector have their reservations about complying with the established laws and the

consequences for their specific businesses (Kwon & Johnson, 2014). Being able to anticipate the

risks helps minimize their concerns. The task of reducing both security and privacy risks

continues. The above recommendations are only generalized, not business-specific.

Storage and sharing of electronic data have proven not wholly secure (Jones, 2014).

Healthcare industries have received more scrutiny from investigators than other business

sectors. Castellani et al. (2015) have studied healthcare industries, understanding that the research

literature's emphasis is on this business sector. Healthcare industries used cloud computing systems

for their processes (Chen et al., 2017; Ramanathan, Schmit, Menon, & Fox, 2015). The gap is that

the research literature does not include other business areas.

Security risks for businesses are an essential consideration in their intent to adopt cloud

computing. Kwon and Johnson (2014) suggest that the personnel charged with security decision-

making rely on qualitative evaluations concerning their security needs. Adopting cloud

computing technology increases the concern of securing personal data. As suggested by Weng

and Hung (2014), “there is a long list of companies that have problems in implementing cloud

computing systems, such as the well-known and successful Dell computers, Apple computers, or

Whirlpool” (p. 310). The cloud computing companies have suggested a security risk platform

(Rimböck & Loipersberger, 2013; Zamosky, 2014). Ahmed et al. (2014) suggest a need to know

how to deal with such risks. The loss of personal data is a violation of federal law. Federal law

classifies personal information as a human right and a protected factor. The potential risk of

losing such sensitive data violates federal law. The FTC has stated, “Data dissemination,

intentional or not, has become a public concern” (Wright & Guang-Xin, 2019). The legal penalty

for data loss is severe, motivating the IT personnel to ensure its security. By doing so, a client’s

records are more secure and reliable. Businesses, Bambauer (2014) suggests, need to become

knowledgeable on security issues. The research literature on security and privacy of data for

businesses is not abundant. Such a knowledge gap is the next step to be remedied.

The perception of adopting cloud computing technology is a critical element in better

understanding the gap between adopting cloud computing or not (Weng & Hung, 2014). Security

and privacy risks are an essential element in that perception. Risks occur during an exchange of

electronic data (Rogowski, 2013; Zamosky, 2014). Proper protocol and training are imperative

(Kerr, 2015). Threat severity is another concern.

Menard et al. (2014) define threat severity, stating it "relates to how serious someone

perceives a threat to be" (p. 84). Such perception plays a role in the intent of the adoption of

cloud computing technology. The investigation proposes to study the factors which may prompt

the adoption of such technology. Such concern about threat severity is linked to threat

susceptibility.

A definition of threat susceptibility is "the degree to which someone feels vulnerable to a

particular threat" (Menard et al., 2014, p. 84). It is necessary to identify both threat susceptibility

and threat severity. Once identified, they play a role in the perception and understanding of the

intention to adopt cloud computing technology. Considering an adequate response to these

potential threats is next.

The business sector is also interested in knowing about response efficacy. The

concern is as much with the severity of the threat as with the susceptibility to the danger. Menard et

al. (2014) state that response efficacy "is the perceived effectiveness of the suggested adaptive

behavior" (p. 84). This concern is vital for any business. Self-efficacy is another concern aside

from response-efficacy.

Menard et al. (2014) state that self-efficacy is "the degree to which a person believes

he/she can effectively perform a recommended adaptive behavior" (p. 84). The individual IT

response to a perceived threat is critical; it deals with risks and perceived threats personally.

These are the four constructs of the proposed investigation. The PMT is the theoretical model to

be used in this investigation.

Based on the PMT theory, the research provides information about the perception of each

construct (Lebek et al., 2014). The study might give only one underlying construct overall, or the

results may show a combination of the constructs determining the perception of adopting cloud

computing technology (Lebek et al., 2014). These factors may or may not favor the adoption of

cloud computing technology. These are the concerns the current research is interested in

clarifying. The statistical information gathered from the studies using the PMT theory helps

identify and close the gap on the intent to adopt cloud computing technology in the business

sector. The significance of identifying which constructs are essential to the adoption of cloud

computing technology is as follows.

The designation of each construct allows for responses, which are measured

quantitatively. Each measured response provides a clearer understanding of each IT

professional's perception (Menard et al., 2014). An appropriately measured response permits a

thoughtful consideration towards which constructs have a more significant effect on the intention

of adopting cloud computing. One of the most critical perceptions is the perceived level of a

threat (Yang & Lee, 2016). Such insight permits a better understanding of the potential damage a

business might have. There is a slight difference between the second construct and the first.

Measurement of threat susceptibility provides another angle of perception. The analysis

encompasses a business's ability to deal with threats and uncover their potential liability (Menard

et al., 2014). Empirical measurement is an essential consideration for the professional IT person

responsible for evaluating and adopting new technologies. The degree of perception for a

business liability may play a role in influencing the acceptance or rejection of the adoption of

cloud computing technology (Yang & Lee, 2016). The above-described leads to the third

construct of the present investigation.

Bahl and Wali (2014) suggest a business response to a potential or perceived threat is an

essential understanding of how a business organization is protecting the data. The measures

intended by a business organization or the procedures already in place must be understood by

employees and evaluated by company officials and IT personnel (Weng & Hung, 2014). A

company needs to have a specific procedure in place for every type of emergency. The realistic

possibility of a particular failure in a procedure or an unseen situation causing failure influences

the adoption of new technology. An effective and efficient response needs to be in place to

alleviate any potential need to address a lawsuit (Yang & Lee, 2016). Having an effective and

efficient response is necessary to attend to the fourth and final construct.

The individual IT professional's response to a threat or suspicion of a threat is essential

(Menard et al., 2014). Aside from professional training, the level of confidence is just as

important. Attending to a potential threat and having the necessary communication channels is an

integral part of the business. Employee confidence is essential for better execution in a cloud

computing environment.

Findings

Based on the literature review, one of the first findings is the relationship between

security and privacy risks and cloud computing adoption (Kwon & Johnson, 2014). The strength

of having efficacy and self-efficacy during a potential security or privacy risk helps to diminish

the risk. Kwon and Johnson (2014) state that some threats are both external as well as internal.

According to Chen et al. (2015), overall security starts with a security culture of dealing with

internal and external influences shaping the IT personnel's behavior. Internal threats are from

various sources.

Bambauer (2014) advises that humans can commit security errors, whether intentionally

or not, which is a form of internal threat. The security errors occur because "Modern software and

hardware are simply too complex for flaws to be eliminated" (Bambauer, 2014, p. 1020).

Another internal threat may come from digital natives, a group only interested in personal gain

(Andy et al., 2020). The term digital natives refers specifically

to individuals who have constant access to the internet and constant social interaction. The

group is variously known as Millennials, Generation Y, Generation Me, or Nexsters (Kugler,

2015). Identification of the internal situation, such as fear to respond with efficacy, self-efficacy,

external factors, threat severity, and threat susceptibility (Kwon & Johnson, 2014). IT personnel

sometimes confront severe external threats.

Bambauer (2014) identified Ghost Net as a “sophisticated software program capable of

capturing sensitive information from a person or a company” (p. 1014). The user is not aware of

the spying. Devices dedicated to home area networks, and smart transportation systems, as

examples, depend on cloud services. These devices are not exempt from potential intrusion from

a third party, capturing personal information. De Donno et al. (2019) suggest a clear and detailed

analysis and evaluation will assure the devices' security.

Given the mentioned characteristics, the forms of threats are serious concerns when

intending to adopt cloud computing technology. The characteristics are due to different

circumstances that can be caused by human factors. The literature also indicates that the manner

in which the IT professional responds to a potential security threat is another crucial factor.

The response is another form of attitude, which has many definitions. To use one

definition, Staddon (2020) says attitude is “an individual’s disposition towards a subject, and

whether it is positive or negative” (p. 3). Communication is good practice. IT personnel should

have the ability to communicate with colleagues when a potential threat is perceived (Pandya-

Wood, Barron, & Elliott, 2017). Weng and Hung (2014) suggest a response efficacy on security

risk is best when the individual IT professional feels better prepared to deal with this type of

event. Therefore, this preparation must include knowing the possible risks and thus being able to

combat them more effectively.

The next generation of cloud enterprise resource planning has seen a "high level of

interest in organizations" (Weng & Hung, 2014, p. 309). Cloud computing technology

provides flexibility for the business sector (Korucu & Karakoca, 2020). The maturity of the

technology still concerns many businesses (Jones et al., 2019). Individual data security is

paramount. Until now, data security “are quite scattered” (Kumar & Shantala, 2020, p. 2019).

Interest in the next generation of technology is a motivator to have a more efficient system

against threats. Senior management officials need to have a cost-effectiveness analysis for the

company (Jones et al., 2019). The response efficacy leads to a higher intent to adopt cloud

computing due to the ability to have "complete control over the system" (Weng & Hung, 2014,

p. 311). The result is that the IT professional will gain better knowledge and control of the

system. Self-efficacy and response efficacy are other factors that professionals are aware of

when it comes to security risks.

Kwon and Johnson (2014) suggest a relationship exists between self-efficacy on security

risk and the intent to adopt cloud computing. Self-efficacy derives from a reactive or proactive

approach. Those who advocate for a responsive approach understand, "reactive approaches can

be as competitive the best proactive approaches" (Kwon & Johnson, 2014, p. 454). On the other

hand, those favoring a proactive approach explain, "recovering from repeated failures does not

lead to consumer satisfaction" (Kwon & Johnson, 2014, p. 454). No matter which of the two

groups is favored, there is a concern with self-efficacy at times of a security risk. Kwon and

Johnson (2014), in their conclusion, suggest "proactive security investment is significantly

associated with fewer security failures" (p. 466). A study on cloud computing suggested that the

purpose of deduplication was to “retain the highest possible security information” (Kumar &

Shantala, 2020, p. 2012). Proactivity is the best method to deal with risky situations effectively.

This proactive approach allows the individual to be more effective as an IT professional,

especially when it comes to protecting data.

Blume (2015) suggests the "protection of personal data was perceived as necessary to

ensure the digital economy" (p. 3). Compliance with internal and external regulations needs to be

followed by all IT personnel and management (Brandis et al., 2019). Federal law does provide

guidance and suggestions for acceptable practices. Bambauer (2014) suggests that strong federal

regulations are not in place due to the “structural dynamic of cybersecurity” (p. 1040).

Businesses need to take the initiative in assuring better protection for their vulnerable data by

creating a more robust set of security keys verifying large sets of data (Kumar & Shantala, 2020).

Another factor towards a business’s vulnerability stems from not being fully aware of their

software vulnerabilities (Bambauer, 2014). The cloud computing elements have been with the

general population for years, using Google and emails as an example (Jones et al., 2019). The

digital economy derives from new technologies using cloud computing. Threat severity on

security or privacy risk and the intent to adopt cloud computing affect the digital economy.

The digital economy's effect is partly due to the increase in the volume of personal data

shared through cloud computing technology (Blume, 2015). The growth of personal data shared

by using cloud computing technology has led to security and privacy risks, one factor for the

loss of the data. Chen et al. (2015) have indicated that these risks show the need for heightened

awareness in assuring personal data security and minimizing the risks. Minimizing threats

reduces risks. Jones (2014) mentions that the Health Insurance Portability Act (HIPAA; 1986)

governs how personal data is to be shared and stored. The purpose is to decrease the threat

severity to such information. The literature review suggests that taking these information assurance

and security measures might increase the intention to adopt cloud computing. Like threat

severity, threat susceptibility is another factor to consider.

Hayden (2013) identifies personal health information as "protected health information"

(p. 45). For the company, "safeguards include contingency planning, back up procedures and

encryption of mobile devices" (Hayden, 2013, p. 46). Cloud computing technology requires

safeguards against threat susceptibility to security or privacy risk. The company "must continue

to build defensible compliance programs supported by the business organization" (p. 59). Legal

regulations, according to Bambauer (2014), strengthen cybersecurity weaknesses for businesses.

The business sector should have adequate internal policies protecting sensitive data.

Weinstock (2014) suggests that personal data theft derives from taking a person's Social

Security number, date of birth, or even a patient's name. A doctor needs to inform the patient to

safeguard all personal information and not share the information with any unauthorized

individual. A second important step is to "train your employees to understand the danger of medical

identity theft" (Weinstock, 2014, p. 169). Patients have access to their medical information. Each

patient needs to safeguard their data to ensure privacy (Pandya-Wood et al., 2017). Continuous

training of professional personnel is essential to maintain a better sense of self-efficacy towards

internal and external threats. Health patients need education about their medical information and

the methods to protect the data on their devices. The purpose of these suggestions is to face

threats or risks to adopt cloud computing technology effectively. Based on the literature review,

there is a relationship between response efficacy on privacy risks and the intent to adopt cloud

computing technology.

Aside from having the patient guard their data, another response efficacy on privacy risks

and the intent to adopt cloud computing lies with the professional staff; "train your employees to

understand the danger of medical identity theft" (Weinstock, 2014, p. 169). The purpose of these

suggestions is to face threats or risks to adopt cloud computing technology effectively. Based on

the literature review, there is a relationship between response efficacy on privacy risks and the

intent to adopt cloud computing technology.

Bambauer's (2014) study suggests a relationship between self-efficacy on privacy risks

and the intent to adopt cloud computing technology. Federal regulations on cybersecurity exist,

and companies must observe and comply with them. Companies are responsible for "satisfying

to their auditors; they have implemented these controls" (Bambauer, 2014, p. 1038). Regarding the

federal government, "the structural dynamic of cybersecurity is tilted against regulation"

(Bambauer, 2014, p. 1040). The business organization has the responsibility to assure the IT

professional is trained to have self-efficacy on privacy risks with the intent to adopt cloud

computing. Training increases the level of confidence of the IT professionals. The anticipation

is that there is a relationship between self-efficacy on privacy risks and the intent to adopt cloud

computing technology.

Critique of Previous Research Methods

The literature review related to cloud computing discloses various details. Many

investigations use quantitative methods over qualitative; both approaches present advantages and

disadvantages. Using the quantitative method requires statistical analysis. Using a statistical

analysis lessens the subjectivity of the investigator. Statistics allow determining the dimensions

of people's attitudes towards technology (Staddon, 2020). A qualitative method might give the

investigator a subjective viewpoint since there is more interaction with the participants. Staddon

(2020) suggests that "qualitative interviews would have the potential to allow the development of

a more detailed understanding of the factors" (p. 17). In other words, a qualitative investigation

does allow the investigator an opportunity to understand a participant's reasoning better. The

downside is that the participant’s better understanding could influence the researcher (Pandya-

Wood et al., 2017). The use of a quantitative method is focused on deductive reasoning, not

considering the participant's logic.

A representative sample size in a quantitative investigation is essential. The quantitative

study of Rastogi et al. (2018) is an example of representativeness, where the "sample included

variety of respondents such as businessmen, housewives, faculty members, students of

management and engineering institutions, professionals working in IT industry and other private

organizations" (p. 341). An accurate representative sample size permits the investigator to have

better reliability and validity results. Qualitative research relies on the expertise and experience

of the investigator. Pandya-Wood et al. (2017) suggest, "Some researchers are unclear about the

distinction between qualitative research methods and public involvement activities" (p. 7). The

reliability and validity of the results depend on the participant's information and the investigator's

analysis of their responses.

Other investigations have used either the technology acceptance model (TAM) or the

unified theory of acceptance and use of technology (UTAUT). A criticism of TAM is that the

data does not explain an individual's actual behavior, especially with technology. Staddon (2020)

suggests that "both the TAM and TAM2 are old instruments designed in a world where

technology was not as prevalent" (p. 5). Consequently, TAM is not a uniform theory and does

not explain the actual practice of an individual.

The performance and the effort expectancy are the basis of the UTAUT constructs.

Performance and effort expectancy, according to critics, do not accurately predict intention. The

UTAUT facilitating construct is not a reliable predictor of a person's intention. The "UTAUT

and most other technology acceptance models primarily focus on the advantages of using

technology and leave out the negative factors that discourage usage" (Andy et al., 2020, p. 205).

For these reasons, critics do not believe UTAUT to be an appropriate model to study the intent to

adopt cloud computing technology.

The PMT measures the behavior of an individual but does not predict future behavior.

Fear and threat appraisal are an integral part of the constructs of this model. Without fear,

protection motivation is limited. Investigators using the PMT model need to be aware of the

threat appraisal process's fear factor.

The TPB critics have focused their criticism on health industry studies. There are many

reasons an IT professional reacts to a threat. Understanding how to control or influence particular

behavior helps in lessening potential errors in judgment.

Both the TPB and PMT, as theoretical models, have their weaknesses as said above,

though, in combination for a correlational study, these theoretical models permit a better balance

of results. "To understand the behavioral intention of adopting technology, researchers in the past

have applied these models in a variety of ways- using a model individually, combining two or

more models" (Rastogi et al., 2018, p. 336). The weakness of one model is the strength of the

other. A correlational study is an alternative method for assessing the intention of adopting cloud

computing technology.

Previous studies have used PMT, TPB, TAM, and UTAUT as single models. However,

"most of these models explain only thirty to thirty-six percent of behavioral intentions" (Rastogi

et al., 2018, p. 336). The results of these investigations have highlighted both the strengths and

weaknesses of each model. PMT has two processes, a threat appraisal and coping appraisal. Each

measures the reaction of an individual to a potential threat. In contrast, the TPB measures three

factors: perceived behavioral control, attitude, and subjective norm. A combination of the

PMT and TPB strengthens the current study with correlational analysis of the data. Based on the

data, a better understanding of the intention to adopt cloud computing technology is obtained.

Summary

Based on the literature review, the business sector is interested in cloud computing

technology with security and privacy risks as two fundamental considerations (Brandis et al.,

2019). Business incentives include reducing infrastructure and application costs while

improving efficiency by using cloud computing. A concern businesses share is having outside

contractors handle the security and privacy of their data. An individual’s behavior regarding

potential security and privacy threats when cloud computing service becomes operational is a

concern for the company. The usefulness of cloud computing is an attraction (Rastogi et al.,

2018). Businesses are at a crossroads regarding security and privacy risks and the opportunity to

use cloud computing technology.

These considerations influence the business sector in its possible intention to adopt cloud

computing technology. Security and privacy risks in cloud computing make businesses

apprehensive about adopting new technology. According to a literature review, the business

sector is cautiously moving towards adopting cloud computing technology (Singh, 2019). A

company’s hesitation in utilizing and adopting cloud computing technology harms the business

economically because it does not offer more secure services to its customers. A suggestion is to

investigate these factors and arrive at an analysis that provides ideas for speeding up the business

decision on whether or not to adopt cloud computing technology.

The literature supports the use of PMT and TPB theories as an integral part of a model to

analyze the relationship between risks and the adoption of new technology (Foth, 2016). The

combination of these theories is the theoretical framework for this research, and therefore, they

work with the research instrument. These theories have been used previously for other

investigations similar to this one. The PMT is used to analyze the different types of

security and privacy risks, and the TPB is used to study the adoption of new technology. Therefore,

both the PMT and the TPB theories help understand businesses' intent to adopt cloud computing

technology.

Chapter 3 contains the research questions and corresponding hypotheses. The recruitment

of the sample population and the process to participate are part of Chapter 3, which also determines

the population sample and the collection of data while protecting the privacy of the participants.

Chapter 3 concludes by indicating how to analyze the data to answer the research questions and

determine which security and privacy risks are most likely to influence the decision to adopt cloud

computing.

CHAPTER 3. METHODOLOGY

The literature review emphasized the growing interest in cloud computing

technology in the industry today. Companies reiterate a growing concern about leaving data and

services in other individuals' hands when analyzing this technology's adoption. Security and

privacy risks are at the core of their apprehension in adopting cloud computing technology in the

industry. The next paragraphs outline how the methodology is organized to answer the research questions.

The first part of Chapter 3 establishes the study's purpose, indicating that the relationship

between security and privacy risks and the adoption of cloud computing is a priority. Such a

preference is founded on the theories of the investigation and the targeted population. The second

section presents the two research questions and their corresponding hypotheses. Each

hypothesis has a corresponding null and alternative form to answer the questions of the study.

Chapter 3 explains the independent and dependent variables and their relevant relationships

and characteristics. The investigation builds on the first two parts.

The research methodology is the third part of Chapter 3. The study's methodology is a

quantitative method with a non-experimental design and a correlational approach using a Likert-type

1-to-7-point scale to evaluate the survey's answers. The research methodology specifies

three essential aspects of the investigation: first, the selection process of the participants; second,

the management of the data; and third, the philosophical assumption of the study. Chapter 3

continues with the target population and sample. The population to be studied is discussed in detail.

First, there is an explanation of the process of obtaining the sample to be used in the

investigation. Chapter 3 discusses the appropriate method to determine the sample size of

the investigation. The third part of the chapter explains the details of each participant's privacy

rights and the process to protect each of these rights. Second is the technique used to analyze the

collected data with the instruments used in previous investigations to validate and prove this

investigation's reliability. The section on ethical considerations describes the attention given to

confidentiality, anonymity, and privacy during the investigation to assure participant

confidence in the study. The conclusion of Chapter 3 summarizes all the steps taken to ensure the

best possible research methodology.

Purpose of the Study

The study’s goal is to examine whether there is a relationship between security and

privacy risks and the adoption of cloud computing. The PMT and the TPB are the

theories used to study the relationship. The methodology for the study is a quantitative method with a

non-experimental design and a correlational approach. Rogers's (1975) PMT is a pioneer theory

related to perceived behavior in adopting new technology. Threat severity, threat susceptibility,

response efficacy, and self-efficacy are the four factors of the model's constructs. These four

factors are used to measure the perceived probability of an occurrence. The perception of such an event

leads individuals to protect themselves (Floyd et al., 2000; Rogers, 1975). Herath and Rao

(2009) used the PMT to investigate the relationship between these factors and security

policies. Security and privacy risks are the variables to be studied using the PMT. These

variables indicate their influence on or contribution to cloud computing adoption for the business

sector, which is significant enough to investigate. The other theory, the TPB, complements the PMT.

The TPB offers new features in understanding a person's behavior, essential for the

present study. A fundamental supposition of the TPB is that the individual's behavior lies on a

continuum scale (Sommestad et al., 2015). These behavioral responses are another way to

comprehend well how and why a person encounters safety. Such a characteristic permits

establishing a scale to measure the intention of the person (Herath & Rao, 2009). The

significance of the TPB is that it allows an empirical measurement of the intention to adopt cloud

computing. The intended audience is the IT companies intending to adopt cloud computing. The

findings will improve a business's security concerning the IT system (Bahl & Wali, 2014). The

results also provide a better understanding of which risks, security or privacy, would influence

potential cloud clients in the US.

Research Questions and Hypotheses

The study has two main research questions focused on security and privacy risks,

subdivided into eight specific questions for each type of security and privacy risks. Each of the

eight questions is individually analyzed. Two hypotheses were developed based on the two

research questions. One is the null hypothesis, and the other is the alternative; the analysis

determines which hypothesis is appropriate.

Research Question 1, With Research Subquestions and Hypotheses

ResQ1: To what extent do perceptions of threat severity, threat susceptibility, response

efficacy, and self-efficacy on security risks contribute to the variance in the intention to adopt

cloud computing in the business sector?

ResQ1a: To what extent do perceptions of threat severity on security risks contribute to

the variance in the intention to adopt cloud computing?

H01a: There are no statistically significant perceptions of threat severity on security risks

that vary the intention to adopt cloud computing.

Ha1a: There are statistically significant perceptions of threat severity on security risks

that vary the intention to adopt cloud computing.

ResQ1b: To what extent do perceptions of threat susceptibility on security risks

contribute to the variance in the intention to adopt cloud computing?

H01b: There are no statistically significant perceptions of threat susceptibility on security

risks that vary the intention to adopt cloud computing.

Ha1b: There are statistically significant perceptions of threat susceptibility on security

risks that vary the intention to adopt cloud computing.

ResQ1c: To what extent do perceptions of response efficacy on a security risk contribute

to the variance in the intention to adopt cloud computing?

H01c: There are no statistically significant perceptions of response efficacy on the

security risk situation that varies the intention to adopt cloud computing.

Ha1c: There are statistically significant perceptions of response efficacy on the security

risk situation that varies the intention to adopt cloud computing.

ResQ1d: To what extent do perceptions of self-efficacy on a security risk contribute to

the variance in the intention to adopt cloud computing?

H01d: There are no statistically significant perceptions of self-efficacy on a security risk

situation that varies the intention to adopt cloud computing.

Ha1d: There are statistically significant perceptions of self-efficacy on a security risk

situation that varies the intention to adopt cloud computing.

Research Question 2, With Research Subquestions and Hypotheses

ResQ2: To what extent do perceptions of threat severity, threat susceptibility, response

efficacy, and self-efficacy on privacy risks contribute to the variance in the intention to adopt

cloud computing in the business sector?

ResQ2a: To what extent do perceptions of threat severity on privacy risks contribute to

the variance in the intention to adopt cloud computing?

H02a: There are no statistically significant perceptions of threat severity on privacy risks

that vary the intention to adopt cloud computing.

Ha2a: There are statistically significant perceptions of threat severity on privacy risks that

vary the intention to adopt cloud computing.

ResQ2b: To what extent do perceptions of threat susceptibility on privacy risks contribute

to the variance in the intention to adopt cloud computing?

H02b: There are no statistically significant perceptions of threat susceptibility on privacy

risks that vary the intention to adopt cloud computing.

Ha2b: There are statistically significant perceptions of threat susceptibility on privacy

risks that vary the intention to adopt cloud computing.

ResQ2c: To what extent do perceptions of response efficacy on a privacy risk contribute

to the variance in the intention to adopt cloud computing?

H02c: There are no statistically significant perceptions of response efficacy on privacy

risk that varies the intention to adopt cloud computing.

Ha2c: There are statistically significant perceptions of response efficacy on privacy risk

that varies the intention to adopt cloud computing.

ResQ2d: To what extent do perceptions of self-efficacy on a privacy risk contribute to the

variance in the intention to adopt cloud computing?

H02d: There are no statistically significant perceptions of self-efficacy on a privacy risk

situation that varies the intention to adopt cloud computing.

Ha2d: There are statistically significant perceptions of self-efficacy on a privacy risk

situation that varies the intention to adopt cloud computing.

Table 1 describes each question's variables, stating whether it is an Independent Variable

(IV) or a Dependent Variable (DV). Each of these variables and their corresponding data, as

categorized in the data type, are included.

Table 1

Variables Descriptions

RQ    Variables    IV/DV    Data Type
1a    TSESR        IV       Ordinal
      IACC         DV       Ordinal
1b    TSUSR        IV       Ordinal
      IACC         DV       Ordinal
1c    RESR         IV       Ordinal
      IACC         DV       Ordinal
1d    SESR         IV       Ordinal
      IACC         DV       Ordinal
2a    TSEPR        IV       Ordinal
      IACC         DV       Ordinal
2b    TSUPR        IV       Ordinal
      IACC         DV       Ordinal
2c    REPR         IV       Ordinal
      IACC         DV       Ordinal
2d    SEPR         IV       Ordinal
      IACC         DV       Ordinal

Note. Description of the variables used in the research. RQ = Research Questions Number; IV = Independent Variable; DV = Dependent Variable. TSESR = Threat severity on a security risk; TSUSR = Threat susceptibility to security risk; RESR = Response efficacy on a security risk; SESR = Self-efficacy on a security risk; TSEPR = Threat severity on a privacy risk; TSUPR = Threat susceptibility to a privacy risk; REPR = Response efficacy on a privacy risk; SEPR = Self-efficacy on a privacy risk; IACC = Intention to adopt cloud computing.

Research Design

The methodology for the study is a quantitative method with a non-experimental design

and a correlational approach. The purpose of the study is to examine whether there is a

correlation between security and privacy risks when the business sector intends to adopt cloud

computing. The correlation is a degree of the relationship among two variables (Field, 2013).

Discovering a correlation among the independent variables (IVs) and the dependent variable (DV)

is the purpose of the study (Mertler & Vannatta, 2013). A correlational study is investigative,

discovering relationships, understandings, and characteristics among subjects (Ekufu, 2012).

The survey incorporates questions from previously validated instruments to safeguard the

results and determine whether there is a relationship between the different variables. The

non-experimental design with a correlational focus derives from analyzing the variables against their

corresponding hypotheses and the research questions.

A survey questionnaire based on the Likert-type 1-to-7-point scale to measure the

participant’s responses is a part of the data collection (Vogt, 2007). The design scale will be from

1 = Strongly Disagree to 7 = Strongly Agree (Lambrinoudakis, 2013). Survey responses are

measured using the scale, resulting in typical ordinal data (Statistics Solutions, 2019). The

investigation's statistics are not possible with ordinal data; thus, conversion to interval data is

necessary. To perform the conversion, the total sum of scores obtained from the survey is divided

by the number of elements (Statistics Solutions, 2019). The average obtained from the

division is the interval data for the statistics.

The measure for the study is a cross-sectional form, and it is a one-time collection of

data. SurveyMonkey identifies the participants based on the criteria previously mentioned for

the target population. Once identified, SurveyMonkey will do a simple random sampling

(SurveyMonkey, 2014a). The random sampling will target the participants based on the sample

size. The participants will receive the questionnaire (Sekaran & Bougie, 2014). The survey

questionnaire has questions designed to measure the relationship between the variables

(Venkatesh et al., 2012). The primary investigator will receive only the collected raw data to

protect each participant’s identity (Jones, 2014; North, Richardson, & North, 2017). The

post-positivist approach is the primary guide for the investigation, with more details mentioned

below.

The post-positivist approach applies to the two investigation questions on security and

privacy risks identifying and assessing the causes influencing the outcomes of the survey

(Creswell, 2014). The study’s focus is on the perception of adopting cloud computing in the

business sector. The ontological assumption's base is the business intention of adopting new

technologies that can be observed and measured. The epistemological assumption is acquiring

knowledge about the intention to adopt new technologies such as computing in the cloud, which

is measurable as valuable knowledge (Venkatesh et al., 2012). The axiological assumption

measures the intention to adopt new technologies, objectively expanding the PMT theory to better

understand the purpose. The Herath and Rao (2009) survey instrument is the methodological

assumption, incorporating four constructs of the PMT in the model to measure the

intention to adopt cloud computing while understanding the privacy and security risks.

Target Population and Sample

The following section covers the participant population and indicates the criterion for

selecting the sample for the study. The sample population is composed of individuals currently in

the field of IT. The participants must have a minimum of 5 years of IT work experience and

reside in the United States (US). One criterion for selection is the familiarity the sample

population has with cloud computing technology. Calculations, using G*Power, determined the

sample population, based on the established conditions for the study.

Population

The selection of the correct demographic for the analysis is an essential component of the

investigation. Sekaran and Bougie (2014) suggest that a study's targeted population is the entire

group of people, events, or things of interest the researcher wants to investigate. Using their

suggestion, the study population will be individuals with a minimum of five years of experience

in the IT field. These individuals must also reside in the United States or a territory. The

projected 12.1 million tech employees in the US for 2019 is a growth of approximately 2.3

million workers or 23% through the decade in the United States (U.S. Bureau of Labor Statistics,

2020). Occupation in computer and information technology jobs is expected to grow 11% from

2019 to 2029 (U.S. Bureau of Labor Statistics, 2020). Subdividing the population by its demographic

characteristics allows more specific groups to be researched.

The demographic information (see Appendix) of the population includes sex, years of

employment, application service area, and geographical area to interpret the possible results and

statistics obtained from the previously indicated information. The research does not consider race,

ethnicity, or age, as these factors will not be used for statistics or conclusions.

In terms of sex, the population can be male or female. The years of employment are five

years of experience or more without a maximum number of years established. The application

service area covers jobs such as computer business, government facility health care,

manufacturing, telecommunications, transportation, university or college, and so on. Finally, the

population's geographical area will cover Puerto Rico (PR), United States (US), and others, as

previously stated.

Sample

The sample size of the study is an essential factor in obtaining satisfactory results on the

analyzed population. Thus, the sample must meet the minimum five-year experience

requirements in the IT field and reside in the United States or a territory. This minimum

experience time will allow the sample to have a degree of experience in the field, especially

concerning cloud computing. The residency requirement in the United States (US) and its

territories (e.g., Puerto Rico) ensures that similar laws govern the sample taken. The territories

are subject to the federal laws of the US. These two requirements, experience and residence,

allow us to have a sample representative of the population. However, these two characteristics

are not the only ones taken into consideration for research.

The characteristics of years of experience and residence are the main ones for the

investigation. Nevertheless, the demographic information of sex, application service area, and

geographic area is considered for the research. The reason for this is to find out if there is a

relationship between the demographic information and the results finally found for the research

questions. Sex, application service area, and geographic area are also used to better understand the

sample's composition. For the information obtained to be adequate for the investigation,

inclusion and exclusion criteria have been established.

Experience and residence form part of the inclusion criteria as well. As mentioned above,

one objective of the research is to ensure similar laws regarding information systems govern the

sample of the participating population. Information systems are not governed by the same laws

in all countries, limiting the study to the US and its territories. The minimum of five

years is considered to guarantee experience in information systems, especially cloud computing.

The rationale for inclusion criteria emphasizes uniformity and compliance with national laws.

The exclusion criteria follow.

The exclusion criteria are that these individuals may not have any relationship with

the researcher's employer or a business relationship with the researcher. The exclusion criteria maintain purity

during the investigation and avoid any undue interference that would affect the investigation

results.

Power Analysis

The sample size calculator G*Power 3 gives a total sample size of 198 participants.

Towards this end, SurveyMonkey (2014a) has already generated a table similar to that of G*Power 3.

Sekaran and Bougie (2014) have a similar table, Table 13.3, indicating the

minimum number of participants to be 196, as the sample size, under the same conditions. The

larger the sample size, the more representative the results will be (Hernández-Sampiere,

Fernández-Collado, & Baptista-Lucio, 2006). Therefore, to increase the study's

representativeness, the sample size has 198 participants, increasing the survey's significance.

There is one further recommendation regarding the appropriate sample size.

Increasing the sample size by 10% is the other recommendation. It has been demonstrated

statistically that at least 10% ignore or do not complete the survey, which is the reason to

increase the sample size by the same percentage (Sekaran & Bougie, 2014). The sample size of

218 participants is the final sample size to generate broader generalizations. Sekaran and Bougie

(2014) suggest, under the above conditions, a population of 420 is needed to achieve the

recommended sample size. The recommended sample size ensures the total of respondents

completing the survey reaches 218. The whole is necessary to satisfy the final sample size

statistically.

The confidence level of 95%, with a 5% error margin is appropriate for this type of

investigation (Creswell, 2014). The values, confidence level, and margin of error are commonly

recommended for input parameters in studies to obtain parameters of outputs suitable for

research. This type of test's typical effect size is 0.15, considered medium size (Statistics

Solutions, 2020). However, the actual investigation's effect size is 0.12, which is smaller than the

one typically used. The value of 0.12 increases the representative sample of the population.

Representativeness is vital to generalize the results in the diverse population studied at the end of

the investigation (Field, 2013). The effect size measures the effect of the phenomenon, showing

the possible change in the results. The F tests family is used for the linear multiple regression

test, with the level of confidence, the margin of error, and the size of the effect

determining the sample size. The study uses eight independent variables as predictors.

These data were entered into the G*Power application to obtain the sample size. In this

case, the sample size was 198, the minimum number of participants needed for the selected

population.

Procedures

The procedures section describes how the participants are selected and how their

answers to the research questions are analyzed. A simple random sample produced the selection sample.

Validated instruments are the basis for the questions in the questionnaire, distributed with the

help of SurveyMonkey. The data from the survey provide the statistics to answer the research

questions. Chapter 3 has a section discussing the statistical procedure and stating the process of

protecting the participant’s identification and eliminating the collected data in the seventh year

of storage.

Participant Selection

The study uses a probability technique as the sampling strategy for participant

selection. A first step is a consent form included with the SurveyMonkey survey, allowing the potential

participants to either accept or decline to take the survey (Jones, 2014; North et al., 2017).

The SurveyMonkey database collects the data from the participants.

The survey questionnaire must guarantee fairness and objectivity for all the selected

participants. All participants have the same opportunity to participate in the survey, guaranteeing

each participant impartiality and objectivity for the target population (Hoffer, George, &

Valacich, 2014). The simple random sample is the method to be used for the participant’s

selection. The SurveyMonkey (2014a) tool allows the investigator a method to conduct this

simple random sample, including the exclusion criteria. The random sample is not the only

technique used during the investigation about the participants.

An identification number (ID) is another technique to verify a participant’s eligibility

(Sekaran & Bougie, 2014). An ID number assures the authenticity of a participant’s employment

(Antonelli, de Almeida, Espejo, & Longhi, 2013). No personal critical data, such as the ID

number, shall be known or sent to the investigator. Only the raw data from the survey

questionnaire is sent to the principal investigator. Inclusion and exclusion criteria promote the

validity of the collected data.

Individuals with a minimum of five years of professional experience in the IT field

compose part of the inclusion criteria. The exclusion criteria remove from the survey any IT employee with a

professional relationship with the investigator’s employer or a business relationship with the

investigator.

Protection of Participants

All participants receive, through SurveyMonkey, a detailed description prepared beforehand

by the investigator. The description contains contact information to respond to all the

participants' doubts or questions (Jones, 2014; North et al., 2017). If the participant is interested,

SurveyMonkey assures the investigator receives a completed and signed consent form.

Data storage will be handled safely to protect the participant (Blume, 2015; North et al.,

2017). The SurveyMonkey tool has features such as secure sockets layer (SSL), Norton,

TRUSTe, and central account management (Enterprise) for protection and validation of the data

(SurveyMonkey, 2014b). An additional form of protection for data security comes from the FTC

regulating the safety of the data (Cohen, 2014). After the collection of data, SurveyMonkey

stores the data from the completed questionnaires. Only the primary researcher has access to the

data (Jones, 2014; North et al., 2017). For further assurance, the collected data is placed in a

different physical location from the identifiers by the primary researcher (Kissel, 2013). The

destruction of the data will take place in the seventh year after the conclusion of the investigation

(Kissel, Regenscheid, Scholl, & Stine, 2014). These are the procedures to ensure the security and

protection of the data.

Data Collection

The entire process, from filling out the documentation for the research

permits to the contact forms and the participants' identification, is described below. SurveyMonkey

gives each participant a description and a consent form document. The participant is informed of

the data the research receives.

A detailed description of the data collection sampling procedures follows. The first step is

to fill out the necessary documentation form from the Institutional Review Board (IRB) of

Capella University to obtain the appropriate permits and start with the research. The investigator

contacts SurveyMonkey about the size and type of targeted population for the study, and a time

frame to complete the survey. SurveyMonkey will proceed to identify the possible target

population and proceed with a simple random sampling. This random sampling permits the

candidates to have the same opportunity for selection to determine participants for the

investigation (Sekaran & Bougie, 2014). SurveyMonkey contacts the identified candidates. The

candidates are provided a consent form with the description and conditions of the study.

Additionally, the form covers the procedure for reaching the minimum number of participants required, the

procedures for storing the collected data, and the safety procedures ensuring the appropriate

disposal of the saved data after seven years of storage. The researcher is responsible for

answering all questions and doubts from the candidate (Blume, 2015; North et al., 2017). If a

candidate is interested, they must accept the research conditions in order to participate. The

candidate becomes an official participant in the survey by accepting the research conditions. At

the moment a candidate does not agree to the conditions of the research, their participation ends.

SurveyMonkey then communicates and expresses to the candidate thanks for their interest.

An identification number or ID is assigned to each volunteer to ensure their eligibility in

participating in the survey (Sekaran & Bougie, 2014). SurveyMonkey will handle their

eligibility. No personal, critical data, like the ID, shall be known to the investigator. The

principal investigator receives only the raw data.

The following steps detail the description of the data collection procedures.

SurveyMonkey contacts the participants selected to schedule the administration of the online

survey. The researcher provides SurveyMonkey with the consent forms. SurveyMonkey

collects the consent forms and participant acceptance, sending them to the researcher. A time

frame to complete the online survey is provided by SurveyMonkey, using the

qualified participant's e-mail (SurveyMonkey, 2014a). SurveyMonkey repeats all the

procedures necessary until meeting the required minimum sample size of 218 participants

(SurveyMonkey, 2014a). When the minimum amount needed for the survey is reached or

exceeded, SurveyMonkey will automatically remove the request to participate from their

website (SurveyMonkey, 2014a). SurveyMonkey collects and stores the data in their

database. After collecting the data, the investigator proceeds to encrypt the data, using various

tools, to protect the data (SurveyMonkey, 2014b). SurveyMonkey provides the collected raw

data to the primary researcher (Jones, 2014; North et al., 2017). The collected raw data is stored

in a secure place, in a different physical location to those of the identifiers (Kissel, 2013). IBM

SPSS receives the raw data for pertinent statistical information. Destruction of the data occurs

after the required period of seven years (Kissel et al., 2014). These are all of the necessary steps

to ensure the security and privacy of the collected data.

Data Analysis

This section has a description of the process to analyze the data and statistics. The

analysis of the statistical data obtains the results and reports for the investigation. The

methodology is a nonexperimental correlational study using the IBM SPSS application as a data

analysis tool, validated for statistical investigation (Field, 2013). In other words, with this

application, the researcher obtains reliable results to help answer the research questions.

Microsoft Excel and Social Science Statistics are other useful applications to generate the same

statistics (Mertler & Vannatta, 2013). An explanation of the IBM SPSS application for the data

analysis follows.

Data transformation. The first step is to transform the ordinal data into interval data. The summary of the transformation of the total scores follows. The overall scores are divided by the number of items, obtaining the interval data. The data transformation is necessary since the type of statistics acquired applies only to interval data. The data screening process begins with the interval data, which helps analyze the incomplete data and identify possible outliers (Mertler & Vannatta, 2013). Incomplete data and possible outliers can affect the resulting statistics and should, therefore, be eliminated.

Data screen. The data screening process begins by examining the missing data for each variable. According to the analysis, the identified missing data can be eliminated or replaced by average data. Depending on the researcher's parameters, if the amount of missing data is considerable, it is removed. Otherwise, if the amount is small, the missing values are replaced by the average. The second step of the data screening process is to examine variables for multivariate outliers. For this step, it is necessary to run a preliminary regression to calculate the Mahalanobis Distance. In the IBM SPSS application, select Analyze, Regression, and then Linear. The researcher should identify a variable serving as a case number and move it to the Dependent variable box. Next, identify all relevant quantitative variables, move them to the Independent variable box, click Save, and then check the Mahalanobis option under Distances. Select the Continue option, click OK, and determine the chi-square (χ²) critical value at p < .001. Conduct Explore to test outliers for Mahalanobis chi-square (χ²). Select Analyze, Descriptive Statistics, and then Explore. Move mah_1 to the Dependent variable box and leave the Factor box empty. Under Statistics, check Outliers, select Continue, and click OK. Finally, the researcher should delete outliers for participants when χ² exceeds the critical χ² at p < .001. The next step is to verify the Linearity, Normality, Homoscedasticity, and Multicollinearity of the data.
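The multivariate outlier screen described above (flag a case when its Mahalanobis chi-square exceeds the critical value at p < .001) can be reproduced outside SPSS. The Python code below is an added example, not part of the dissertation; the sample data, the two predictor columns, and the function names are constructed for illustration, and it assumes the saved distance is the squared Mahalanobis distance tested against a chi-square distribution with degrees of freedom equal to the number of predictors.

```python
import math


def constructed_sample():
    """Constructed data: 24 consistent respondents plus one inconsistent case.

    Each row is (severity_mean, susceptibility_mean), two hypothetical
    construct scores on the 1-7 scale after the data transformation step.
    """
    rows = []
    for x in range(2, 7):
        rows += [(x, x - 1), (x, x), (x, x), (x, x + 1)]
    rows += [(3, 3), (5, 5), (4, 4), (4, 4)]
    rows.append((7, 1))  # index 24: the two answers contradict each other
    return [tuple(float(v) for v in row) for row in rows]


def invert(matrix):
    """Invert a square matrix by Gauss-Jordan elimination with pivoting."""
    n = len(matrix)
    aug = [list(row) + [1.0 if i == j else 0.0 for j in range(n)]
           for i, row in enumerate(matrix)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(aug[r][col]))
        if abs(aug[pivot][col]) < 1e-12:
            raise ValueError("covariance matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        scale = aug[col][col]
        aug[col] = [v / scale for v in aug[col]]
        for r in range(n):
            if r != col:
                factor = aug[r][col]
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def mahalanobis_sq(rows):
    """Squared Mahalanobis distance of every case from the sample centroid."""
    n, p = len(rows), len(rows[0])
    means = [sum(r[j] for r in rows) / n for j in range(p)]
    centered = [[r[j] - means[j] for j in range(p)] for r in rows]
    # Sample covariance matrix (divisor n - 1).
    cov = [[sum(c[a] * c[b] for c in centered) / (n - 1) for b in range(p)]
           for a in range(p)]
    inv = invert(cov)
    return [sum(c[a] * inv[a][b] * c[b] for a in range(p) for b in range(p))
            for c in centered]


def chi2_sf(x, df):
    """Upper-tail probability P(X > x) of a chi-square with integer df."""
    if x <= 0:
        return 1.0
    h = x / 2.0
    if df % 2 == 0:
        series = sum(h ** j / math.gamma(j + 1) for j in range(df // 2))
        return math.exp(-h) * series
    series = sum(h ** (j + 0.5) / math.gamma(j + 1.5) for j in range(df // 2))
    return math.erfc(math.sqrt(h)) + math.exp(-h) * series


def screen_outliers(rows, alpha=0.001):
    """Return (index, D^2, p) for every case whose p-value is below alpha."""
    df = len(rows[0])  # assumption: df = number of predictors
    flagged = []
    for index, d2 in enumerate(mahalanobis_sq(rows)):
        p_value = chi2_sf(d2, df)
        if p_value < alpha:
            flagged.append((index, round(d2, 3), p_value))
    return flagged


if __name__ == "__main__":
    for index, d2, p_value in screen_outliers(constructed_sample()):
        print(f"case {index}: D^2 = {d2}, p = {p_value:.5f}")
```

The flagged case has values that are each inside the 1-to-7 range, which is why a univariate check alone would not catch it.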

Assumptions. The multiple linear regression analysis makes several vital assumptions (Mertler & Vannatta, 2013). The first assumption is that there must be a linear relationship between the outcome variable and the independent variables. The second assumption, multivariate normality, is that the residuals are normally distributed. The third assumption, homoscedasticity, states that the variance of the error terms is similar across the values of the independent variables. The last assumption, no multicollinearity, is that the independent variables are not positively correlated with each other. For the regression test, the data collected must comply with these four conditions.

For the Linearity condition, the researcher must create a Scatterplot Matrix of all IVs and the DV. If the scatterplot shapes are not close to ellipse shapes, then reevaluate univariate normality and consider transformations. For the Normality condition, examine normality for the quantitative variables by running Normality Plots with Tests in Explore. Then the researcher should review boxplots and histograms and transform the data if necessary. Next, the Homoscedasticity condition needs to be examined. The researcher should run a preliminary Regression to create a residual plot. Select the options of Analyze, Regression, and then Linear. Move the DV to the Dependent variable box and move the IVs to the Independent variable box. Under Plots, select ZRESID for the y-axis and ZPRED for the x-axis. Select Continue and then click OK. If the residuals are clustered at the top, bottom, left, or right of the plot, then reevaluate univariate normality and consider transformations. Finally, the Variance Inflation Factor values test the No Multicollinearity condition. With a Correlation matrix, the correlation coefficients' magnitude should be less than 0.80 to fulfill the final assumption. In the next part, if the data comply with

Linearity, Normality, Homoscedasticity, and No Multicollinearity, the researcher should perform

the Multiple Regression to obtain the desired statistics (Mertler & Vannatta, 2013).

Multiple regression. Data analysis begins with descriptive statistics. The standard error,

the standard deviation, the median, and the mean will be obtained for the descriptive statistics.

For the Multiple Regression, run a regression using Linear Regression. The researcher should

move the DV to the dependent variable box, move the IVs to the Independent(s) box, and then

select the stepping method. In the section on statistics, check Estimates, Model fit, R2 (to be used

only with the stepping-methods R). Select the options of Descriptive, Part and partial

correlations, and Collinearity diagnostics and then Continue. Among the options, select the

appropriate criteria, Continue, then click OK. The researcher should then interpret tolerance; if the tolerance for each IV is greater than 1, interpret the model summary, ANOVA summary table, and coefficients table, using the IBM SPSS application. The following are the steps taken for the interpretation of the results.

Hypothesis testing. The final step in data analysis is to summarize the findings and place

them in the results section (Mertler & Vannatta, 2013). The researchers should describe any data

elimination or transformation. Present descriptive statistics in the table (standard error, standard

deviation, median, and mean), narrate the significance of the overall regression (R, R2, F, and p

values with degrees of freedom). The researchers summarize the steps in a table (R2, R2, and

level of significance for the difference) for each IV in the model with the stepping method. With

the statistics obtained, the post hoc results, if required, are narrated, and the conclusions will be

established.

The data is analyzed to test the research hypothesis and respond to the research questions.

The calculation for the values R and R2 and F and p in the actual step is essential. The calculation

of the values allows the evaluation of each hypothesis's accuracy and allows the investigator to

choose between null or alternate, verifying each hypothesis's accuracy to each research question.

Next, an image (see Figure 9) of the simplified data analysis follows.

Figure 9

Data Analysis Process

The table (see Table 3) summarizes the type of statistical analysis for each research

question. Table 3 shows each related question and the type of statistical analysis with its relevant

statistical description. Each research question is tested and displayed in the table. The Post-hoc

Analysis column indicates that the test is not required in a multiple regression analysis.

[Figure 9 flowchart text: Transform the ordinal data to interval data; Screen Data; Verify Linearity, Normality, Homoscedasticity, and Multicollinearity; Conduct Multiple Regression; Summarize Results]

Table 2

Statistical Analysis for Each Research Question

| Research Question | Type of Analysis | Descriptive Stats | Hypothesis Testing | Post-hoc Analysis |
| --- | --- | --- | --- | --- |
| ResQ1a | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ1b | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ1c | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ1d | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ2a | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ2b | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ2c | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |
| ResQ2d | Multiple linear regression | SE, SD, Mdn, and M. | R, R², F, and p. | Not required |

Note. The first column shows the research question to which each hypothesis to be tested belongs. The second, third, and fourth columns show the type of analysis, statistics, and hypothesis tested. SE = Standard Error, SD = Standard Deviation, Mdn = Median, M = Mean, R = Multiple correlation, R² = Multiple correlation square, F = F distribution, and p = probability.

Kissel et al. (2014) suggest these specific steps for the security and eventual destruction of the data. The first is to secure the data for a minimum of seven years. After the data analysis has yielded the necessary statistics, the next step is the storage of the study records. All the study records are stored on an external memory device protected with a password. An encryption program designed for such protection adds further protection to the data stored on the external device. A locked security box will house the external memory in a locked cabinet located in the investigator’s office at the University. The closed cabinet and office door have two separate keys, kept only by the researcher. The collected data is stored and secured for seven years.

Figure 10

Data Storage Process

The data storage process (see Figure 10) is essential. If a need arises, the researcher can

reuse the data only for the current research. A new memory device or other digital storage is

available to transfer the data program for the investigation's designed purpose. The discarded

memory will pass immediately through the process of sanitization (Kissel et al., 2014). Only the

researcher, the researcher’s supervisor, and the dissertation committee will have access to the

study data. Additionally, Capella University’s IRB, the Research Compliance Committee (RCC)

or its designees may review the research records.

[Figure 10 flowchart text]

Data will be stored in external memory with a password and encrypted.

External memory will be stored in a locked security box.

Security box will be stored in a locked cabinet.

Data will be stored for seven years.

If the external memory needs replacement, then a transferred data program is to be used. The discarded memory will pass through the sanitation process.

Figure 11

Data Destruction Process

The specific steps to destroy the data (see Figure 11), after a minimum of seven years, are the following. The external memory will enter the sanitization phase, erasing the memory using a program designed for this purpose, all according to the recommendations of the National Institute of Standards and Technology for non-sensitive data (Kissel et al., 2014). The process to verify the erasure of the external memory, which ensures the data no longer exists, begins with the complete deletion of the external memory and repeating the process. If the external memory still retains the data or a portion of the data, the National Institute of Standards and Technology recommends the incineration of the memory device (Kissel et al., 2014). These are the steps indicated after seven years for the security and deletion of the data.

[Figure 11 flowchart text]

After seven years, the external memory will enter the sanitization phase.

External memory will be cleared using an erase program.

Verify that external memory no longer has the data. If it still possesses the data or part of it, the deletion program will be used again.

Verify that external memory no longer has the data. If the data or part of it remains, then, if it is necessary, the memory will be physically destroyed.
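The clear, verify, repeat, and destroy sequence described above, written out in Python as an added example that is not part of the dissertation. The file-backed image standing in for the external memory, the function names, the two-pass limit, and the simulated faulty erase tool are assumptions made for illustration.

```python
import os
import tempfile

CHUNK = 1 << 20  # read and write in 1 MiB blocks

# Constructed sample content: 2100 bytes of fake survey rows.
CONSTRUCTED_RECORDS = b"participant-id,Q6,Q7\n" * 100


def target_size(fh):
    """Size of the opened target, found by seeking to its end."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def clear(path, fill=0x00):
    """Overwrite every addressable byte of the target and flush to the medium."""
    with open(path, "r+b") as fh:
        remaining = target_size(fh)
        while remaining:
            n = min(remaining, CHUNK)
            fh.write(bytes([fill]) * n)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())


def first_residual(path, fill=0x00):
    """Read the whole target back.

    Returns the offset of the first byte that is not the fill value,
    or None when no data survives.
    """
    offset = 0
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return None
            rest = chunk.lstrip(bytes([fill]))
            if rest:
                return offset + len(chunk) - len(rest)
            offset += len(chunk)


def sanitize(path, max_passes=2, clear_fn=clear):
    """Clear, verify, clear again if data remains, then escalate.

    "destroy" means the read-back still found data after the last pass,
    the case in which the page calls for physical destruction.
    """
    residual = None
    for attempt in range(1, max_passes + 1):
        clear_fn(path)
        residual = first_residual(path)
        if residual is None:
            return {"outcome": "sanitized", "passes": attempt,
                    "residual_offset": None}
    return {"outcome": "destroy", "passes": max_passes,
            "residual_offset": residual}


def make_image(data):
    """Constructed stand-in for the external memory: a temporary file."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def partial_clear(path, skip=16):
    """Constructed fault: an erase tool that never reaches the last bytes."""
    with open(path, "r+b") as fh:
        size = target_size(fh)
        fh.write(b"\x00" * max(size - skip, 0))


if __name__ == "__main__":
    for tool in (clear, partial_clear):
        image = make_image(CONSTRUCTED_RECORDS)
        print(tool.__name__, sanitize(image, clear_fn=tool))
        os.remove(image)
```

A clean read-back covers only the addressable area; blocks that a flash controller has remapped are not visible through this interface.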

Instruments

For the present investigation, the instruments used are from previous studies developed

by Herath and Rao (2009), and by Ekufu (2012). Herath and Rao (2009) developed the

integrated protection motivation and deterrence model, which is the first instrument used in this

investigation. A survey questionnaire for the investigation derives from the protection and

motivation deterrence model to measure the relationship between the variables (Venkatesh et al.,

2012). The questionnaire instrument was adopted since the study items were previously

validated, giving confidence to the instrument's reliability and validity (Herath & Rao, 2009).

Integrated Protection Motivation and Deterrence Model

Validity. The integrated protection motivation and deterrence model items, from the

instrument developed by Herath and Rao (2009), are validated to measure the effects of

protection motivation. The validity coefficient for all constructs is higher than .70, with p greater

than 0.0001 (Herath & Rao, 2009). The validity coefficient is considered acceptable for the

study.

Reliability. The reliability coefficient for all constructs is higher than .70, with p greater

than 0.0001 (Herath & Rao, 2009). The reliability coefficient is considered acceptable for the

study.

The instrument questions derive from "Protection motivation and deterrence: A

framework for security policy compliance in organizations" by Herath and Rao, 2009. Adapted

with permission from Dr. H. Raghav Rao and Dr. Tejaswini Herath.

The second instrument, the e-Procurement and Grid Technology instrument, became the

basis for the analysis for the intention to adopt cloud computing. Ekufu (2012) combined the

technology acceptance model and theory of planned behavior within his survey instrument. As

with the present investigation, it studies the effects of external factors in the intention to adopt

cloud computing. These were previously validated and used to measure the intention of adopting

cloud computing. This instrument also uses a Likert-type 1-to-7-point scale. The questions then

were chosen to meet the circumstances of the present investigation.

e-Procurement and Grid Technology Instrument

Validity. The validity coefficient is 0.65 (Ekufu, 2012). The validity coefficient is

considered acceptable for the study.

Reliability. The reliability coefficient is 0.90, higher than .70 recommended for the

experiment (Ekufu, 2012).

The instrument questions derive from "Predicting cloud computing technology adoption

by organizations: An empirical integration of technology acceptance model and theory of

planned behavior" by Ekufu, 2012. Adapted with permission from Dr. ThankGod Ekufu.

The investigation variables are TSESR, TSUSR, RESR, SESR, TSEPR, TSUPR, REPR,

SEPR, and IACC. The variables were obtained and compared thanks to the integration of the two

instruments. All variables are the ordinal type. A Likert-type 1-to-7-point scale will be used to

measure the participant’s answers. The design scale will be 1 = Strongly disagree, 2 = Disagree,

3 = Slightly disagree, 4 = Neither agree nor disagree, 5 = Slightly agree, 6 = Agree, and 7 =

Strongly agree (Herath & Rao, 2009; Lambrinoudakis, 2013). The simple random sample is the

technique done by SurveyMonkey (2014a), which guarantees the protection for each participant's

identity (Jones, 2014; North et al., 2017). Such a practice is in keeping with best practices in conducting and maintaining an ethical environment during the research.

Four demographic questions, covering sex, years of employment, service area and

geographical region, are asked in the survey, for the purpose of categorizing the participants. See

the Appendix section to see these four demographic questions.

Ethical Considerations

The three critical areas about which the National Institutes of Health expresses most concern relate to the protection of human participants in the study. The protection derives from confidentiality, anonymity, and privacy (Adashi, Walters, & Menikoff, 2018). Each participant receives pertinent

information about the investigation's nature and protocols to protect their identities (Jones, 2014;

North et al., 2017). Part of the ethical consideration is to ensure each participant clearly

understands the investigation's protocols and nature (Brandis et al., 2019; Pandya-Wood et al.,

2017). The researcher's contact information is provided to all participants to clarify any doubts or

questions. Confidentiality and anonymity are managed using a simple random sample, permitting

all potential participants to be selected. SurveyMonkey does random sampling based on their

database. From the random sampling, a minimum number for the study, of 218 participants, is

taken. Participation is voluntary and anonymous.

The participants’ personal and seemingly intrusive information (see Figure 12) is not solicited, to assure privacy (Pandya-Wood et al., 2017; Sekaran & Bougie, 2014). The survey questions will only concentrate on answering the research questions, hypotheses, and demographic questions. The four demographic questions ask for the sex, years of employment, service area, and geographical region of each participant. The study's design avoids psychological or emotional damage to any vulnerable population (Sekaran & Bougie, 2014). Research participants may not have any relationship with the investigator’s employer or a business relationship with the researcher. All participants have the option to decline from the

study at any time (Jones, 2014; North et al., 2017). Each survey also has an Informed Consent

Form.

The Informed Consent Form is provided containing all of the details previously mentioned. Participant consent is obtained by incorporating a link to the form in the survey design template (Sekaran & Bougie, 2014). These steps assure the participants' rights in the research and safeguard their confidentiality, anonymity, and privacy for ethical consideration.

Figure 12

Ethical Considerations Process

[Figure 12 flowchart text]

The participant will receive the pertinent information about the investigation, and the protocols.

Participation is voluntary and anonymous. All have the option to decline from the study at any time.

Survey Monkey will do random sampling to select the participants.

The investigator will not solicit any information based on the participant's private or personal information. The survey questions focus on the research questions and demography.

Participants may not have any relationship with the employer or business relationship with the researcher.

The research study was submitted for review of the study topic and received approval from the Capella University Institutional Review Board (IRB). No other IRBs or other agencies need to review this research study.

Summary

Chapter 3 studies the methodology and execution for the investigation. The methodology

of the study aims to provide the statistical framework demonstrating the relationship between

security and privacy risks, and the adoption of cloud computing for businesses. Rogers's (1975)

PMT study pointed to this relationship. Two research questions and their corresponding

hypotheses are in the second part of the chapter. The two questions focus on security and

privacy risks, which are then subdivided into eight specific questions for each type of risk to be

analyzed. As shown, each hypothesis has an equivalent negated and alternative part to the

response for the study questions. The independent or dependent variable and their relationship

and characteristics are specified. These questions indicate that businesses target both security and

privacy risks as a concern in adopting cloud computing technology.

A detailed discussion of the definition of the research methodology was in the research

design part. The methodology that is a non-experimental correlational study will use a Likert-

type 1-to-7-point scale to evaluate the answers acquired in the survey. The design scale is from 1

= Strongly Disagree to 7 = Strongly Agree (Lambrinoudakis, 2013). It stated how a random

sampling process selected the sample size. Additionally, the chapter specified data management

and the philosophical assumptions of the study.

A discussion of the target population and sample in all aspects is in the fourth part of

Chapter 3. The study's target population is individuals with at least five years of professional

experience in the IT field. The survey incorporates the taken sample, the participants' selection,

and the calculations to reach the appropriate sample size for this investigation. Protection of the

participant's rights and the technique used to analyze the data is part of this chapter.

SurveyMonkey describes the study to the participants. The investigator is responsible for

responding to all of the questions and doubts of the participants. By filling out and signing the

consent form, the participant demonstrates interest in the study. The SurveyMonkey tool has

features such as secure sockets layer (SSL), Norton, TRUSTe, and central account management

(Enterprise) to protect and validate the data. Destruction of the data takes place after seven years

(Kissel et al., 2014). The chapter discusses the instruments mentioned in the chapter.

Chapter 3 mentions the validated and reliable survey instruments of Herath and Rao

(2009) and Ekufu (2012) used in this study to measure the relationship and intention of adopting

cloud computing. Finally, the ethical considerations section continues with the topic of

confidentiality, anonymity, and each participant's privacy during the investigation. Conserving

confidentiality and anonymity will be managed using a simple random sample without asking for

any personal or seemingly invasive information.

Chapter 4 begins with a background giving a brief introduction to the statistics, tables,

and figures generated from the survey. The demographic information provided by the

participants allows for a description of the sample size. From the participant’s responses to the

survey questions, the collected data become the statistics. The statistics verify the correct

hypothesis. Response to the research questions makes it possible to determine the relationship

between security and privacy risks and the intention to adopt cloud computing technology.

Chapter 4 concludes with a summary of the findings based on the statistics.

CHAPTER 4. RESULTS

The chapter starts with a brief analysis and a presentation of the data collected, leading to

the related research questions and hypotheses. The data analysis presents the number of

participants, years of work experience, and a graph indicating if the participants live in the

United States or one of its territories. A hypothesis and the factors measured for security and

privacy risks are part of the graph's explanation.

A detailed description of the selected sample follows. The calculated sample under which

the participants agreed to reflect in the detailed description is shown in Table 3. A

comprehensive demographic chart includes sex, years of employment, service area, and

geographical location, which are part of the survey sample. The participant's responses to the

survey questions are analyzed, noting the tendency towards responding to Strongly Disagree and

Strongly Agree.

The data is analyzed to test the research hypothesis and respond to the research questions. The calculation of the multiple correlation (R) values and multiple correlation squared (R²) coefficients of the multiple linear regression is the next step. The F distribution and probability (p) are the values to confirm the results obtained. The calculation of the values permitted the evaluation of each hypothesis and verification of their accuracy. The chapter has a summary of the evaluated data.

Background

Chapter 4 analyzes the correlation between security and privacy risks and when a

business intends to adopt cloud computing. The methodology for the study is a quantitative

method with a nonexperimental design and a correlational approach. A description of the sample

is the first information provided in the chapter. There are two principal criteria each participant

needed to comply with. The first is a minimum of five years of work-related experience in IT or

a related field. The second is to live in the United States or a territory of the United States. The

two criteria or conditions were presented to the potential participants or candidates in the

research description before they agreed or not to participate. The survey was only available in

those places and to those individuals meeting both requirements.

The total number of potential participants identified and contacted was 277. Of the 277

potential participants contacted, a total of 237 agreed to participate, having fulfilled both

established criteria. One hundred and nineteen persons reported having had a minimum of 16

years of work experience in IT or a related field. The majority of these participants said their

work experience was in the computer business. One hundred and twenty participants were

women.

The 237 participants all indicated that they reside in the United States, in other words, in

one of the fifty states of the union. Only two participants reside in one of the sixteen territories

belonging to the United States. In the survey, those who lived in Puerto Rico and those who lived

in other territories (e.g., Guam, Northern Mariana Islands, United States Virgin Islands, and

American Samoa) were divided in two groups. Of the participants, one resides in the territory of

Puerto Rico and the other participant in an unknown territory of the United States. After

collecting the data, the next steps were to corroborate the eight null hypotheses in the hypothesis

testing.

There are four null hypotheses on security risks and four on privacy risks. The four null

hypotheses on security risks measured each variable, as well as the four null hypotheses on

privacy risks measuring these factors: threat severity, threat susceptibility, response efficacy, and self-efficacy on security and privacy risks. These factors are measured using R, the Pearson correlation coefficient; R², the coefficient of determination; and the p-value. The significance value is measured using 0.05%. The last part of the chapter is the summary of the findings.

Description of the Sample

The survey has two essential requirements. The first is that each participant must have a

minimum of five years of work experience related to IT or a related field. The investigator

assumes the IT professional has had a minimum of five years of experience with cloud

computing experience, including working with any possible threats. The second requirement is to

reside in the United States or any of its territories. The United States has more of a uniform set of

regulations and laws regarding cloud computing. Those fulfilling both requirements would be the

target population for the investigation. The total target population determined the minimum

sample size. The random sampling is a technique to assure every potential participant has an

equal opportunity to participate in the survey (SurveyMonkey, 2014a). Random sampling targets the participants based on the sample size.

The sample size calculator G*Power 3 calculated 198 participants for the total sample

size for the investigation. SurveyMonkey (2014a) generated a table similar to the G*Power 3.

Creswell (2014) recommended an additional 10% of the sample size. Statistically, at least 10%

of the participants ignore or do not complete the survey. Therefore, the final sample size should

be 218 participants to have the results of this study generate broader generalizations in studying

privacy and security risks with the intent to adopt cloud computing technology. Sekaran and

Bougie (2014) suggest under the above conditions, a population of 420 is needed to achieve the

recommended sample size.

Number of Participants

The number of participants in the survey, 237, exceeded the minimum expectation of

218. Two hundred seventy-seven persons were contacted (see Table 3) for the study. A total of

237 individuals agreed to participate (see Table 3), a representative sample of 85.56% of all

participants. The participants needed to answer the question to participate in the survey

investigation. By agreeing to participate, they also confirmed that they met the minimum

experience and residency criteria.

Table 3

Survey Participants

| Answer Choices | Responses | Participants |
| --- | --- | --- |
| I Agree | 85.56% | 237 |
| I Disagree | 14.44% | 40 |
| Total | 100% | 277 |

Note. Participants were not required to answer the question.

Demographic Information

The demographic information (see Table 4) shows that most participants were female.

Table 4 shows 120 female participants or 51.95%, which shows approximately a 4% increase

over their male counterparts.

Table 4

Participants’ Sex

| Answer Choices | Responses | Participants |
| --- | --- | --- |
| Female | 51.95% | 120 |
| Male | 48.05% | 111 |
| Total | 100% | 231 |

Note. Participants were not required to answer the question.

The minimum number of years to participate in the survey is five years of experience in

information technology and related fields. All participants have a minimum of five years of work

experience in IT or a related field. As shown in Table 5, most participants have more than 16

years of working experience. Table 5 shows a total of 119 persons for a percentage of 51.52%.

Table 5

Years of Employment

| Answer Choices | Responses | Participants |
| --- | --- | --- |
| 5 years | 9.52% | 22 |
| 6 to 10 years | 22.94% | 53 |
| 11 to 15 years | 16.02% | 37 |
| More than 16 years | 51.52% | 119 |
| Total | 100% | 231 |

Note. Participants were not required to answer the question.

The Appendix section contains demographic information, application service, and geographic areas. Table 6 shows the variety of service areas of the IT professionals who participated in the survey. According to Table 6, the most prevalent is computer business, with 98 participants for 42.42%. The field of telecommunications had 27 participants for a percentage of 11.69%.

Table 6

Application Service Area

| Answer Choices | Responses | Participants |
| --- | --- | --- |
| Computer business | 42.42% | 98 |
| Government facility | 1.73% | 4 |
| Health care | 3.90% | 9 |
| Manufacturing | 5.19% | 12 |
| Telecommunications | 11.69% | 27 |
| Transportations | 1.30% | 3 |
| University/College | 3.03% | 7 |
| Others | 30.74% | 71 |
| Total | 100% | 231 |

Note. Participants were not required to answer the question.

The final table shows the geographical area of residence. The study requires that every

participant lives in the United States or one of its territories. As shown in Table 7, the

participants meet the requirement. According to Table 7, 230 participants, or 99.14%, live in the

United States. Of the remaining two, one lives in Puerto Rico, an American territory, and the last

participant lives in an unidentified American territory being one of the survey parameters.

Table 7

Geographical Area

| Answer Choices | Responses | Participants |
| --- | --- | --- |
| Puerto Rico (PR) | 0.43% | 1 |
| United States (US) | 99.14% | 230 |
| Others | 0.43% | 1 |
| Total | 100% | 232 |

Note. Participants were not required to answer the question.

As previously stated, 237 individuals represent broad participation for the survey, exceeding the minimum expectation of 218 by 19 individuals. All participants, comprising 100%, reside in the United States or one of its territories. All participants have a minimum of five years of professional experience in IT or a field related to information technology. The sample in the survey met the parameters for the investigation.

Evidence of Instruments

The instruments were measured and scored using a Likert-type 1-to-7-point scale. The

scale is used to measure the trend in the participants' responses to the research questions. The

Likert-type 1-to-7-point scale measured all the instruments excluding the demographic questions

(Lambrinoudakis, 2013). The following sections will show the trends in the responses obtained

according to the question and the variable analyzed in the survey.

Survey Questions

Responses for each of the survey questions, obtained from the survey participants, are

measured using the Likert-type 1-to-7-point scale (Lambrinoudakis, 2013). All survey questions

show the number of participants responding or not answering each of the questions.

The three questions measure the Threat Severity of Security Risks (TSESR) variable in an industry situation. The values found based on the scale are shown in Table 8.

Q6. I believe that information stored in an organization system is vulnerable to a security risk in a cloud computing situation.

Q7. I believe the productivity of an organization and its employees is threatened by security risk in a cloud computing situation.

Q8. I believe the profitability of the organization is threatened by security risk in a cloud computing situation.

Table 8

Results for Questions Measure TSESR

| Details | Q6 | % | Q7 | % | Q8 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 8 | 3.62 | 7 | 3.21 | 5 | 2.26 |
| Disagree | 2 | 0.90 | 5 | 2.29 | 10 | 4.52 |
| Slightly Disagree | 7 | 3.17 | 13 | 5.96 | 8 | 3.62 |
| Neither Agree or Disagree | 20 | 9.05 | 24 | 11.01 | 33 | 14.93 |
| Slightly Agree | 39 | 17.62 | 48 | 22.02 | 38 | 17.19 |
| Agree | 77 | 34.84 | 69 | 31.65 | 75 | 33.94 |
| Strongly Agree | 68 | 30.77 | 52 | 23.85 | 52 | 23.53 |
| Total | 221 | | 218 | | 221 | |
| Skipped | 56 | | 59 | | 56 | |
| Weighted Average | 5.64 | | 5.37 | | 5.36 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q6, Q7, and Q8, as stated above, led to the following observations regarding the TSESR variable. The response showing the greatest tendency for all three questions was Agree, with a total average of 33.48%. Strongly Agree had an overall average of 26.05%. The total percent of these two affirmative responses was 59.53%. Those who selected Disagree had a total percentage of 2.57%. The Strongly Disagree overall average was 5.06%. The total percent of these two negative responses was 7.63%. Comparing both total percentages, the responses of the participants reflect a positive tendency. For the next questions, the trend was as follows.

The three questions measure the Threat Susceptibility Security Risks (TSUSR) variable in the industry situation. The values found are shown in Table 9.

Q9. How likely is it that a security risk will cause a significant outage that will result in a loss of productivity in a cloud computing situation?

Q10. How likely is it that a security risk will cause a significant outage to the Internet that results in financial losses to the organization in a cloud computing situation?

Q11. How likely is it that an organization will lose sensitive data due to a security risk in a cloud computing situation?

Table 9

Results for Questions Measure TSUSR

| Details | Q9 | % | Q10 | % | Q11 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 2 | 0.91 | 4 | 1.83 | 5 | 2.27 |
| Disagree | 7 | 3.20 | 8 | 3.65 | 7 | 3.18 |
| Slightly Disagree | 14 | 6.39 | 9 | 4.11 | 14 | 6.36 |
| Neither Agree or Disagree | 37 | 16.89 | 34 | 15.53 | 25 | 11.36 |
| Slightly Agree | 40 | 18.26 | 49 | 22.37 | 41 | 18.64 |
| Agree | 69 | 31.51 | 63 | 28.77 | 70 | 31.82 |
| Strongly Agree | 50 | 22.83 | 52 | 23.74 | 58 | 26.36 |
| Total | 219 | | 219 | | 220 | |
| Skipped | 58 | | 58 | | 57 | |
| Weighted Average | 5.34 | | 5.34 | | 5.42 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q9, Q10, and Q11, as stated above, yielded the basis for the following observations regarding the TSUSR variable. The response with the greatest tendency for all three questions was Agree, with a total average of 30.70%. Strongly Agree had an overall average of 24.31%. The total percent of these two positive responses was 55.01%. Those who selected Disagree had a total percentage of 3.34%. The Strongly Disagree overall average was 1.67%. The total percent of these two negative responses was 5.01%. A comparison of both total percentages shows a positive response from the participants. For the next set of questions, the trend was as follows.

The three questions measure the variable Response efficacy in a security risk (RESR) in a situation in the industry. The values found based on the scale are shown in Table 10.

Q12. Every employee can make a difference when it comes to helping to protect the security of the organization's IS in a cloud computing situation.

Q13. There is not much that any one individual can do to help to protect the security of the organization IS in a cloud computing situation.

Q14. If I follow the organization IS security policies, I can make a difference in helping to protect my organization's IS in a cloud computing situation.

Table 10

Results for Questions Measure RESR

| Details | Q12 | % | Q13 | % | Q14 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 4 | 1.83 | 31 | 14.03 | 2 | 0.90 |
| Disagree | 3 | 1.37 | 36 | 16.29 | 4 | 1.81 |
| Slightly Disagree | 8 | 3.65 | 21 | 9.50 | 4 | 1.81 |
| Neither Agree or Disagree | 21 | 9.59 | 16 | 7.24 | 22 | 9.95 |
| Slightly Agree | 29 | 13.24 | 29 | 13.12 | 28 | 12.67 |
| Agree | 71 | 32.42 | 59 | 26.70 | 82 | 37.10 |
| Strongly Agree | 83 | 37.90 | 29 | 13.12 | 79 | 35.75 |
| Total | 219 | | 221 | | 221 | |
| Skipped | 58 | | 56 | | 56 | |
| Weighted Average | 5.80 | | 4.22 | | 5.86 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q12, Q13, and Q14, as stated above, led to the following observations regarding the RESR variable. The response with the greatest tendency for all three questions was Agree, with a total average of 32.07%. Strongly Agree had an overall average of 28.92%. The total percent of these two affirmative responses was 60.99%. Those who selected Disagree averaged 6.49%. The Strongly Disagree overall average was 5.59%. The total percent of these two negative responses was 12.08%. The responses of the participants, when comparing both total percentages, reflect a positive tendency. For the next three questions, the trend was as follows.

The questions measure the variable of self-efficacy in a security risk situation (SESR) in

a potentially dangerous circumstance. The values in Table 11 show the responses of the

participants.

Q15. I would feel comfortable following most of the IS security policies on my own in a

cloud computing situation.

Q16. If I wanted to, I could easily follow IS security policies on my own in a cloud

computing situation.

Q17. I would be able to follow most of the IS security policies, even if there was no one

around to help me in a cloud computing situation.

Table 11

Results for Questions Measure SESR

| Details | Q15 | % | Q16 | % | Q17 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 3 | 1.37 | 4 | 1.83 | 2 | 0.91 |
| Disagree | 7 | 3.20 | 3 | 1.38 | 6 | 2.73 |
| Slightly Disagree | 8 | 3.65 | 8 | 3.67 | 8 | 3.64 |
| Neither Agree or Disagree | 22 | 10.05 | 24 | 11.01 | 20 | 9.09 |
| Slightly Agree | 41 | 18.72 | 29 | 13.30 | 39 | 17.73 |
| Agree | 77 | 35.16 | 88 | 40.37 | 72 | 32.73 |
| Strongly Agree | 61 | 27.85 | 62 | 28.44 | 73 | 33.18 |
| Total | 219 | | 218 | | 220 | |
| Skipped | 58 | | 59 | | 57 | |
| Weighted Average | 5.58 | | 5.67 | | 5.71 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q15, Q16, and Q17, as stated above, yielded the basis for the following

observations regarding the SESR variable. The response showing a greater tendency for all three

questions was Agree with a total average of 36.09%. Strongly Agree was an overall average of

29.82%. The total percent of these two affirmative responses was 65.91%. Those who selected

Disagree had a total percentage of 2.44%. The Strongly Disagree overall average was 1.37%.

The total percent of these two negative responses was 3.81%. A comparison of the total

percentages indicates a positive tendency from the participants. For the next questions, the trend

was as follows.

The values obtained based on the scale are shown in Table 12. The next three questions

measure the Threat Severity of Privacy Risks (TSEPR) variable in an industry situation.

Q18. I believe that information stored in an organization system is vulnerable to a privacy

risk in a cloud computing situation.

Q19. I believe the productivity of an organization and its employees is threatened by

privacy risk in a cloud computing situation.

Q20. I believe the profitability of the organization is threatened by privacy risks in a

cloud computing situation.

Table 12

Results for Questions Measure TSEPR

| Details | Q18 | % | Q19 | % | Q20 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 3 | 1.38 | 2 | 0.91 | 2 | 0.91 |
| Disagree | 8 | 3.69 | 6 | 2.74 | 13 | 5.91 |
| Slightly Disagree | 8 | 3.69 | 11 | 5.02 | 8 | 3.64 |
| Neither Agree or Disagree | 27 | 12.44 | 33 | 15.07 | 30 | 13.64 |
| Slightly Agree | 37 | 17.05 | 40 | 18.26 | 44 | 20.00 |
| Agree | 75 | 34.56 | 78 | 35.62 | 76 | 34.55 |
| Strongly Agree | 59 | 27.19 | 49 | 22.37 | 47 | 21.36 |
| Total | 217 | | 219 | | 220 | |
| Skipped | 60 | | 58 | | 57 | |
| Weighted Average | 5.53 | | 5.43 | | 5.35 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q18, Q19, and Q20, as stated above, yielded the basis for the following

observations regarding the TSEPR variable. The response showing a greater tendency for all

three questions was Agree with a total average of 34.91%. Strongly Agree was an overall average

of 23.64%. The total percent of these two affirmative responses was 58.55%. Those who selected

Disagree had a total percentage of 3.36%. Strongly Disagree had an overall average of 1.07%. The total percentage for participants selecting Disagree and Strongly Disagree was 4.43%, and for those selecting Agree and Strongly Agree it was 29.28%.

The trend for the next questions is in Table 13.

The values obtained based on the scale are shown in Table 13. Questions 21, 22, and 23 measure the variable Threat Susceptibility Privacy Risks (TSUPR) in a situation in the industry.

Q21. How likely is it that a privacy risk will cause a significant outage that will result in a loss of productivity in a cloud computing situation?

Q22. How likely is it that a privacy risk will cause a significant outage to the Internet that results in financial losses to the organization in a cloud computing situation?

Q23. How likely is it that an organization will lose sensitive data due to a privacy risk in a cloud computing situation?

Table 13

Results for Questions Measure TSUPR

| Details | Q21 | % | Q22 | % | Q23 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 5 | 2.29 | 3 | 1.38 | 3 | 1.38 |
| Disagree | 8 | 3.67 | 7 | 3.23 | 7 | 3.21 |
| Slightly Disagree | 13 | 5.96 | 14 | 6.45 | 8 | 3.67 |
| Neither Agree or Disagree | 29 | 13.30 | 37 | 17.05 | 33 | 15.14 |
| Slightly Agree | 46 | 21.10 | 46 | 21.20 | 46 | 21.10 |
| Agree | 69 | 31.65 | 70 | 32.16 | 66 | 30.28 |
| Strongly Agree | 48 | 22.02 | 40 | 18.43 | 55 | 25.23 |
| Total | 218 | | 217 | | 218 | |
| Skipped | 59 | | 60 | | 59 | |
| Weighted Average | 5.30 | | 5.24 | | 5.43 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q21, Q22, and Q23, as stated above, led to the following observations regarding the TSUPR variable. The response with the greatest tendency for all three questions was Agree, with a total average of 31.40%. Strongly Agree had an overall average of 21.89%. The total percent of these two positive responses was 53.29%. Those who selected Disagree averaged a total of 3.37%. Strongly Disagree had an overall average of 1.68%. The total percent of these two negative responses was 5.05%. Both total percentages show a positive response tendency from the participants. For the next questions, the trend was as follows.

The values obtained based on the scale are shown in Table 14. The three questions measure the response to a Privacy Risk (REPR) variable in an industry situation.

Q24. Every employee can make a difference when it comes to helping to protect the privacy of the organization's IS in a cloud computing situation.

Q25. There is not much that any one individual can do to help to protect the privacy of the organization's IS in a cloud computing situation.

Q26. If I follow the organization's IS privacy policies, I can make a difference in helping to protect my organization's IS in a cloud computing situation.

Table 14

Results for Questions Measure REPR

| Details | Q24 | % | Q25 | % | Q26 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 1 | 0.46 | 40 | 18.18 | 2 | 0.92 |
| Disagree | 4 | 1.83 | 29 | 13.18 | 2 | 0.92 |
| Slightly Disagree | 8 | 3.65 | 20 | 9.09 | 5 | 5.29 |
| Neither Agree or Disagree | 18 | 8.22 | 25 | 11.36 | 22 | 10.09 |
| Slightly Agree | 30 | 13.70 | 29 | 13.18 | 28 | 12.84 |
| Agree | 89 | 40.64 | 42 | 19.09 | 96 | 44.04 |
| Strongly Agree | 69 | 31.51 | 35 | 15.91 | 63 | 28.90 |
| Total | 219 | | 220 | | 218 | |
| Skipped | 58 | | 57 | | 59 | |
| Weighted Average | 5.81 | | 4.09 | | 5.81 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q24, Q25, and Q26, as stated above, yielded the basis for the following observations regarding the REPR variable. The response with the greatest tendency for all three questions was Agree, totaling an average of 34.59%. Strongly Agree had a total percentage of 25.44%. The total percent of these two positive responses was 60.03%. Those who selected Disagree averaged a total of 5.31%. Strongly Disagree averaged 6.52%. The total percent of these two negative responses was 11.83%. Comparing both total percentages, the participants' responses demonstrated a positive tendency. For the next questions, the trend was as follows.

The three questions measured the variable Self-efficacy in a privacy risk (SEPR) situation

in the industry. The values obtained are in Table 15.

Q27. I would feel comfortable following most of the IS privacy policies on my own in a

cloud computing situation.

Q28. If I wanted to, I could easily follow IS privacy policies on my own in a cloud

computing situation.

Q29. I would be able to follow most of the IS privacy policies, even if there was no one

around to help me in a cloud computing situation.

Table 15

Results for Questions Measure SEPR

| Details | Q27 | % | Q28 | % | Q29 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 2 | 0.92 | 2 | 0.91 | 1 | 0.46 |
| Disagree | 3 | 1.38 | 4 | 1.83 | 6 | 2.75 |
| Slightly Disagree | 8 | 3.69 | 14 | 6.39 | 12 | 5.50 |
| Neither Agree or Disagree | 24 | 11.06 | 22 | 10.05 | 24 | 11.01 |
| Slightly Agree | 28 | 12.90 | 33 | 15.07 | 27 | 12.39 |
| Agree | 83 | 38.25 | 80 | 36.53 | 85 | 38.99 |
| Strongly Agree | 69 | 31.80 | 64 | 29.22 | 63 | 28.90 |
| Total | 217 | | 219 | | 218 | |
| Skipped | 60 | | 58 | | 59 | |
| Weighted Average | 5.76 | | 5.63 | | 5.65 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q27, Q28, and Q29, as stated above, led to the following observations regarding the SEPR variable. The response showing the greatest tendency for all three questions was Agree, totaling an average of 37.92%. Strongly Agree totaled an average of 29.97%. The total percent of these two positive responses was 67.89%. Those who selected Disagree had an overall average of 1.99%. The Strongly Disagree total average was 0.76%. The total percent of these two negative responses was 2.75%. Comparing both total percentages, the participants' responses reflect a positive tendency. For the next questions, the trend was as follows.

Questions 30, 31, and 32 measure the variable Intention to Adopt Cloud Computing (IACC). The values obtained based on the scale are shown in Table 16.

Q30. I will use cloud technology for my computing needs.

Q31. Using cloud technology in performing my job tasks is something I would do.

Q32. I would see myself using cloud technology in performing my job functions.

Table 16

Results for Questions Measure IACC

| Details | Q30 | % | Q31 | % | Q32 | % |
|---|---|---|---|---|---|---|
| Strongly Disagree | 4 | 1.83 | 4 | 1.84 | 2 | 0.92 |
| Disagree | 6 | 2.74 | 3 | 1.38 | 7 | 3.21 |
| Slightly Disagree | 7 | 3.20 | 5 | 2.30 | 4 | 1.83 |
| Neither Agree or Disagree | 31 | 14.16 | 28 | 12.90 | 19 | 8.72 |
| Slightly Agree | 34 | 15.53 | 22 | 10.14 | 32 | 14.68 |
| Agree | 84 | 38.36 | 89 | 41.01 | 94 | 43.12 |
| Strongly Agree | 53 | 24.20 | 66 | 30.41 | 60 | 27.52 |
| Total | 219 | | 217 | | 218 | |
| Skipped | 58 | | 60 | | 59 | |
| Weighted Average | 5.51 | | 5.73 | | 5.72 | |

Note. The participants were not obliged to answer all the instrument questions. The table shows the results obtained in each of the three questions and the percentage it represents.

Questions Q30, Q31, and Q32, as stated above, yielded the basis for the following observations regarding the IACC variable. The response with the greatest tendency for all three questions was Agree, totaling an average of 40.83%. Strongly Agree totaled an average of 37.37%. The total percent of these two positive responses was 68.20%. Those selecting the option of Disagree averaged 2.44%. Strongly Disagree averaged 1.53%. The total percent of these two negative responses was 3.97%. Comparing both total percentages from the responses of the participants shows a positive tendency. The data from the participants' responses suggest the following.

Agree was the predominant response across all of the survey questions. The Agree average fluctuated between 30.70 and 40.83 percent. Strongly Disagree ranged between 0.76 and 6.52 percent. The participants tend toward a positive response to all of the research questions.

Data Preparation

Preparation of the data began by identifying the responses of participants who opted not to answer questions. Identification of the missing data is essential due to its effect on the statistics (Mertler & Vannatta, 2013). Such data, according to the analysis, can be eliminated or replaced by average data. Participants who did not answer two or more questions were eliminated, resulting in a total of 218, the minimum number required for the investigation. The remaining unanswered questions were replaced with an average based on the responses from the other participants (Field, 2013). The percentage does not change the tendency for the answers. Each question has the same number of responses.

Identification of possible outliers, which could affect the statistics, is the next step (Mertler & Vannatta, 2013). The IBM SPSS application was used to check for outliers (Field, 2013). The statistics were not adversely affected since there were no outliers in the analysis of the data. Interval data is necessary to perform the desired statistics.

The data obtained from the responses of each participant was of an ordinal type. The answers were measured on a scale of 1 to 7, an ordinal one (Field, 2013). There were three questions or assertions for each variable. Analysis of the data is necessary before transforming it into interval data. All responses for a variable are added and then divided by the number of questions asked. The result is an average value for each variable, which becomes interval data. The interval data derives from the 218 participants.
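The preparation steps described above, written out as an added Python example; it is not part of the dissertation, which used IBM SPSS. The respondent rows are constructed, the function names are hypothetical, and computing each question's mean after the incomplete respondents are removed is an assumption; the Q6 counts used in the last line are the ones reported in Table 8.

```python
from statistics import mean

# Variable -> its three survey items, as numbered on the page. Only two of
# the nine variables are listed so the constructed sample stays small.
ITEMS = {
    "TSESR": ("Q6", "Q7", "Q8"),
    "IACC": ("Q30", "Q31", "Q32"),
}

# Constructed responses on the 1-to-7 Likert-type scale; None = skipped.
SAMPLE = [
    {"Q6": 6, "Q7": 5, "Q8": 7, "Q30": 6, "Q31": 6, "Q32": 7},
    {"Q6": 4, "Q7": None, "Q8": 5, "Q30": 5, "Q31": 4, "Q32": 5},     # one blank
    {"Q6": None, "Q7": None, "Q8": 3, "Q30": 2, "Q31": 3, "Q32": 2},  # two blanks
    {"Q6": 7, "Q7": 6, "Q8": 6, "Q30": 7, "Q31": 7, "Q32": 6},
]


def drop_incomplete(rows, questions, max_missing=1):
    """Remove respondents who skipped two or more questions."""
    return [r for r in rows
            if sum(r.get(q) is None for q in questions) <= max_missing]


def impute_question_means(rows, questions):
    """Fill each remaining blank with the mean of the other answers to it."""
    means = {}
    for q in questions:
        answered = [r[q] for r in rows if r.get(q) is not None]
        if not answered:
            raise ValueError(f"no respondent answered {q}; cannot impute")
        means[q] = mean(answered)
    return [{q: r[q] if r.get(q) is not None else means[q] for q in questions}
            for r in rows]


def composite_scores(rows, items):
    """Average the three ordinal items of each variable into one score."""
    return [{var: mean(r[q] for q in qs) for var, qs in items.items()}
            for r in rows]


def prepare(rows, items):
    """Listwise deletion, mean imputation, then per-variable averaging."""
    questions = [q for qs in items.values() for q in qs]
    kept = drop_incomplete(rows, questions)
    return composite_scores(impute_question_means(kept, questions), items)


def weighted_average(counts):
    """Weighted average of a question; counts[i] chose scale point i + 1."""
    total = sum(counts)
    return sum(point * n for point, n in enumerate(counts, start=1)) / total


if __name__ == "__main__":
    for score in prepare(SAMPLE, ITEMS):
        print({var: round(value, 2) for var, value in score.items()})
    # Q6 counts from Table 8, Strongly Disagree through Strongly Agree.
    print(round(weighted_average([8, 2, 7, 20, 39, 77, 68]), 2))
```

The third constructed respondent is dropped for skipping two questions, and the second keeps a place in the sample because the single blank on Q7 is filled with the mean of the remaining answers to Q7.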

Assumptions

Verifying the Linearity, Normality, Multicollinearity, and Homoscedasticity of the data is the next step (Field, 2013). The data will comply with the Linearity, Normality, No Multicollinearity, and Homoscedasticity conditions or assumptions. For the regression test, the data collected must comply with the above-mentioned four conditions. For that reason, the conditions need to be verified first, before the data is ready for analysis and the hypotheses are tested.

The first assumption, linearity, is demonstrated using scatterplots. The scatterplots show the linearity between the data obtained for the investigation. Multiple linear regression requires the relationship between the independent and dependent variables to be linear (Mertler & Vannatta, 2013).

Figure 13

Security Variable Scatterplots

Note. The figure shows the scatterplot graphs for the data related to the security variables. A linear relationship can be seen between the independent security variables and the dependent variable in all four graphs shown.

Figure 14

Privacy Variable Scatterplots

Note. The figure shows the scatterplot graphs for the data related to the privacy variables. A linear relationship can be seen between the independent privacy variables and the dependent variable in all four graphs shown.

The second assumption, normality, is demonstrated using Normal Probability Plots. The Normal Probability Plots show the normality of the data obtained for the investigation. The multiple linear regression analysis requires that the errors between observed and predicted values be normally distributed (Mertler & Vannatta, 2013).

Figure 15

Security Variable Normal Probability Plot

Note. The figure shows the normal graphs for the data related to the security variables. All four security graphs show that the errors between observed and predicted values are normally distributed.

Figure 16

Privacy Variable Normal Probability Plot

Note. The figure shows the normal graphs for the data related to the privacy variables. All four privacy graphs show that the errors between observed and predicted values are normally distributed.

The third assumption, no multicollinearity in the data, is demonstrated using the correlation coefficients. Table 17 shows the correlation coefficients of the data obtained for the investigation.

Table 17

Correlation Coefficients

| Variable | R |
|---|---|
| TSESR | .23 |
| TSUSR | .27 |
| RESR | .49 |
| SESR | .55 |
| TSEPR | .37 |
| TSUPR | .30 |
| REPR | .58 |
| SEPR | .61 |

Note. Correlation obtained for each of the variables of the investigation. TSESR = Threat severity on a security risk; TSUSR = Threat susceptibility to security risk; RESR = Response efficacy on a security risk; SESR = Self-efficacy on a security risk; TSEPR = Threat severity on a privacy risk; TSUPR = Threat susceptibility to a privacy risk; REPR = Response efficacy on a privacy risk; SEPR = Self-efficacy on a privacy risk. R = Multiple correlation.

Table 17 shows that the magnitudes of all correlation coefficients among the independent variables are less than .80 (Mertler & Vannatta, 2013). Therefore, there is no strong correlation, and it can be assumed that there is no multicollinearity in the data.

Finally, the fourth assumption, homoscedasticity, is demonstrated using Residual Plots. The Residual Plots show the homoscedasticity of the data obtained for the investigation. For this last assumption, there should be no clear pattern in the distribution of residuals versus predicted values (Mertler & Vannatta, 2013).

Figure 17

Security Variable Residual Plots

Figure 17 shows the residual graphs for the data related to security variables. In graphs a, b, and d, the data show no clear pattern. Graph c shows a particular trend, but it is not clear: the upper part of graph c could present a particular pattern, but the lower part does not, and therefore the graph does not form a clear cone (Mertler & Vannatta, 2013). Consequently, the four graphs present no discernible pattern.

Figure 18

Privacy Variable Residual Plots

Figure 18 shows the residual graphs for the data related to privacy variables. In graphs a, b, and d, the data show no clear pattern. Graph c shows a particular trend, but it is not clear: the upper part of graph c could present a particular pattern, but the lower part does not, and therefore the graph does not form a clear cone (Mertler & Vannatta, 2013). Consequently, the four graphs do not present a clear pattern.

The data examined meets all four assumptions, as shown in the different graphs and the

table. Given the above, no transformation of the data is necessary. Therefore, the data is ready

for statistics and hypothesis testing.

Hypothesis Testing

This study conducted a multiple regression analysis to address the research questions on

the impact of cloud technology adoption factors. Also, the investigation dealt with complex variable relationships as they affect cloud adoption. Table 18 shows the hypothesis testing.

Table 18

Listing of Hypothesis Testing

| Research Question | Type of Analysis | Descriptive Stats | Hypothesis Testing | Hypothesis |
|---|---|---|---|---|
| ResQ1a | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H01a |
| ResQ1b | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H01b |
| ResQ1c | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H01c |
| ResQ1d | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H01d |
| ResQ2a | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H02a |
| ResQ2b | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H02b |
| ResQ2c | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H02c |
| ResQ2d | Multiple linear regression | SE, SD, Mdn, and M | R, R², F, and p | H02d |

Note. The first column shows the instrument question to which each hypothesis to be tested belongs. The second, third, and fourth columns show the type of analysis, statistics, and hypothesis tested. SE = Standard Error, SD = Standard Deviation, Mdn = Median, M = Mean, R = Multiple correlation, R² = Multiple correlation square, F = F distribution, and p = probability.

Table 19 shows the descriptive statistics obtained for the variables used in the investigation.

Table 19

Descriptive Stats

| Variable | SE | SD | Mdn | M |
|---|---|---|---|---|
| TSESR | 0.090 | 1.33 | 5.72 | 5.43 |
| TSUSR | 0.087 | 1.28 | 5.67 | 5.36 |
| RESR | 0.068 | 1.01 | 5.00 | 5.29 |
| SESR | 0.082 | 1.21 | 6.00 | 5.65 |
| TSEPR | 0.085 | 1.26 | 6.00 | 5.44 |
| TSUPR | 0.090 | 1.33 | 5.67 | 5.32 |
| REPR | 0.065 | 0.96 | 5.00 | 5.23 |
| SEPR | 0.082 | 1.21 | 6.00 | 5.67 |
| IACC | 0.083 | 1.22 | 6.00 | 5.65 |

Note. Results obtained for each of the variables of the investigation. TSESR = Threat severity on a security risk; TSUSR = Threat susceptibility to security risk; RESR = Response efficacy on a security risk; SESR = Self-efficacy on a security risk; TSEPR = Threat severity on a privacy risk; TSUPR = Threat susceptibility to a privacy risk; REPR = Response efficacy on a privacy risk; SEPR = Self-efficacy on a privacy risk; IACC = Intention to adopt cloud computing. SE = Standard Error, SD = Standard Deviation, Mdn = Median and M = Mean.

The analysis of the research questions and hypotheses uses descriptive statistics. Each

research question and its corresponding hypotheses will be analyzed individually.

The first research question asked was, to what extent do perceptions of threat severity,

threat susceptibility, response efficacy, and self-efficacy on security risks contribute to the

variance in the intention to adopt cloud computing in the business sector. As observed, the

question contains four independent variable factors on security risks used to measure their

influence on the intention to adopt cloud computing in the business sector. The subquestions

measure each independent variable. The first subquestion is to what extent do perceptions of

threat severity on security risks contribute to the variance in the intention to adopt cloud

computing. The following research subquestion is the basis for the null hypothesis:

H01a: There are no statistically significant perceptions of threat severity on security risks

that vary the intention to adopt cloud computing.

Four independent variable factors were analyzed to address the research question. The

independent variable, Threat Severity on Security Risks (TSESR), is analyzed using the

dependent variable factor, the intention to adopt cloud computing (IACC). Table 20 displays the

results of the analysis for all the security risk variables.

Table 20

Summary of Analysis Results for Security Risks Variables

| Variable | Mean | N | R | R² | p | F |
|---|---|---|---|---|---|---|
| TSESR | 5.43 | 218 | .23 | .051 | .0008 | 0.24 |
| TSUSR | 5.39 | 218 | .27 | .072 | .00006 | 0.51 |
| RESR | 5.29 | 218 | .49 | .242 | .00001 | 0.004 |
| SESR | 5.65 | 218 | .55 | .305 | .00001 | 0.88 |

Note. Results obtained for each of the security variables of the investigation. Dependent Variable = IACC, Mean = 5.65. TSESR = Threat severity on a security risk; TSUSR = Threat susceptibility to security risk; RESR = Response efficacy on a security risk; SESR = Self-efficacy on a security risk. M = Mean, N = Total number of cases, R = Multiple correlation, R² = Multiple correlation square, F = F distribution, and p = probability.

Table 20 shows a positive correlation, although weak, between the independent variable TSESR and the dependent variable IACC, R(218) = .23, R² = .051, p < .0008. The coefficient of determination represents a variation of 5.1% of TSESR towards IACC. The p-value obtained is less than .05, making the value insignificant (Sekaran & Bougie, 2014). The result rejects the null hypothesis due to a positive correlation. The p-value is not significant.

The second subquestion is to what extent do perceptions of threat susceptibility on security risks contribute to the variance in the intention to adopt cloud computing. The null hypothesis arises from the subquestion:

H01b: There are no statistically significant perceptions of threat susceptibility on security risks that vary the intention to adopt cloud computing.

The independent variable, threat susceptibility security risks (TSUSR), is analyzed using

the dependent variable factor, the intention to adopt cloud computing (IACC). Now the

hypothesis is analyzed with the obtained values.

Table 20 shows a positive correlation, although weak, between the independent variable

TSUSR and the dependent variable IACC, R(218) = .27, R² = .072, p < .00006. The coefficient

of determination represents a variation of 7.20% of TSUSR towards IACC. The p-value obtained

is less than .05, making the value insignificant (Sekaran & Bougie, 2014). Consequently, the null

hypothesis is rejected due to a positive correlation, and the p-value is not significant.

The third subquestion focuses on the extent of perceptions of the response efficacy on

security risk and its influence on the variance of intending to adopt cloud computing. The

following null hypothesis derives from the research subquestion:

H01c: There are no statistically significant perceptions of response efficacy on the

security risk situation that varies the intention to adopt cloud computing.

The independent variable, response efficacy in a security risk (RESR), is analyzed using

the dependent variable factor, the intention to adopt cloud computing (IACC). Now the

hypothesis is analyzed with the obtained values.

Table 20 shows a positive correlation, although weak, between the independent variable

RESR and the dependent variable IACC, R(218) = .49, R2 = .242, p < .00001. The coefficient of

determination represents a variation of 24.2% of RESR towards IACC. The p-value obtained is

less than .05, making the value insignificant (Sekaran & Bougie, 2014). Therefore, the null

hypothesis is rejected due to a positive correlation, and the p-value is not significant.

The fourth subquestion asks to what extent perceptions of self-efficacy on a security

risk influence the variance in the intention to adopt cloud computing. The following null

hypothesis derives from the research subquestion:

H01d: There are no statistically significant perceptions for self-efficacy on a security risk

situation that varies the intention to adopt cloud computing.

The independent variable, self-efficacy in a security risk (SESR), is analyzed using the

dependent variable factor, the intention to adopt cloud computing (IACC). The hypothesis is now

analyzed using the obtained values.

Table 20 shows a positive correlation, although weak, between the independent variable

SESR and the dependent variable IACC, R(218) = .55, R2 = .305, p < .00001. The coefficient of

determination represents a variation of 30.5% of SESR towards IACC. The p-value obtained is

less than .05, making the value insignificant (Sekaran & Bougie, 2014). Consequently, the null

hypothesis is rejected due to a positive correlation, and the p-value is not significant.

Determining the independent variables with a more significant effect on the dependent

variables was another objective of the investigation. Table 21 shows the values of R and R

squared for each of the independent variables.

Table 21

Comparison of Security Risks Variables

Variable   R     R2
TSESR      .23   .051
TSUSR      .27   .072
RESR       .49   .242
SESR       .55   .305

Note. Results obtained for each of the security variables of the investigation. Dependent Variable = IACC. TSESR = Threat severity on a security risk; TSUSR = Threat susceptibility to security risk; RESR = Response efficacy on a security risk; SESR = Self-efficacy on a security risk. R = Multiple correlation, and R2 = Multiple correlation square.

Table 21 shows that the SESR variable has the most significant effect on the IACC

variable, R(218) = .55, R2 = .305. The positive correlation and coefficient of determination

are higher than those of the other security risk variables. Its influence on IACC is the

greatest of all.

The second research question asked to what extent perceptions of threat severity, threat

susceptibility, response efficacy, and self-efficacy on privacy risks contribute to

the variance in the intention to adopt cloud computing in the business sector. Four independent

variable factors on security risks measure their influence on the intention to adopt cloud

computing in the business sector. The subquestions developed measure the independent

variable factors individually. The first subquestion asks about the extent to which perceptions of threat

severity on privacy risks contribute to the variance in the intention to adopt cloud computing.

The following null hypothesis derives from this research subquestion:

H02a: There are no statistically significant perceptions of threat severity on privacy risks

that vary the intention to adopt cloud computing.

The four independent variable factors were analyzed to address the research question.

Threat Severity Privacy Risks (TSEPR), the independent variable, was analyzed using the dependent

variable factor, the intention to adopt cloud computing (IACC). Table 22 displays the results of

the analysis.

Table 22

Summary of Analysis Results for Privacy Risks Variables

Variable   Mean   N     R     R2     p        F
TSEPR      5.44   218   .37   .134   .00001   .67
TSUPR      5.32   218   .30   .089   .00001   .22
REPR       5.23   218   .58   .333   .00001   .0004
SEPR       5.67   218   .61   .371   .00001   .90

Note. Results obtained for each of the privacy variables of the investigation. Dependent Variable = IACC, Mean = 5.65. TSEPR = Threat severity on a privacy risk; TSUPR = Threat susceptibility to a privacy risk; REPR = Response efficacy on a privacy risk; SEPR = Self-efficacy on a privacy risk. M = Mean, N = Total number of cases, R = Multiple correlation, R2 = Multiple correlation square, F = F distribution, and p = probability.

Table 22 shows a positive correlation, although weak, between the independent variable

TSEPR and the dependent variable IACC, R(218) = .37, R2 = .134, p < .00001. The coefficient of

determination represents a variation of 13.4% of TSEPR towards IACC. The p-value obtained is

less than .05, making the value insignificant (Sekaran & Bougie, 2014). The null hypothesis is

then rejected due to a positive correlation, and the p-value is not significant.

The second subquestion asks to what extent perceptions of threat susceptibility on

privacy risks contribute to the variance in the intention to adopt cloud computing. The research

subquestion forms the following null hypothesis:

H02b: There are no statistically significant perceptions of threat susceptibility on privacy

risks that vary the intention to adopt cloud computing.

The independent variable, Threat Susceptibility Privacy Risks (TSUPR), is analyzed using the

dependent variable factor, the intention to adopt cloud computing (IACC). Now the hypothesis is

analyzed with the obtained values.

Table 22 shows a positive correlation, although weak, between the independent variable

TSUPR and the dependent variable IACC, R(218) = .30, R2 = .089, p < .00001. The coefficient

of determination represents a variation of 8.9% of TSUPR towards IACC. The p-value obtained

is less than .05, making the value insignificant (Sekaran & Bougie, 2014). Consequently, the null

hypothesis is rejected due to a positive correlation, and the p-value is not significant.

The third subquestion asks the extent to which perceptions of response efficacy on a privacy

risk contribute to the variance in the intention to adopt cloud computing. The null hypothesis

comes from the research subquestion:

H02c: There are no statistically significant perceptions of response efficacy on privacy

risk that varies the intention to adopt cloud computing.

The independent variable, Response Efficacy in a Privacy Risk (REPR), is analyzed using

the dependent variable factor, the intention to adopt cloud computing (IACC). Now the hypothesis is

analyzed with the obtained values.

Table 22 shows a positive correlation, although weak, between the independent variable

REPR and the dependent variable IACC, R(218) = .58, R2 = .333, p < .00001. The coefficient of

determination represents a variation of 33.3% of REPR towards IACC. The p-value obtained is

less than .05, making the value insignificant (Sekaran & Bougie, 2014). Consequently, the null

hypothesis is rejected due to a positive correlation, and the p-value is not significant.

The fourth subquestion asks the extent to which perceptions of self-efficacy on a privacy risk

contribute to the variance in the intention to adopt cloud computing. The null hypothesis comes

from the research subquestion:

H02d: There are no statistically significant perceptions of self-efficacy on a privacy risk

situation that varies the intention to adopt cloud computing.

The independent variable, self-efficacy in a privacy risk (SEPR), is analyzed using the

dependent variable factor, the intention to adopt cloud computing (IACC). Now the hypothesis is

analyzed with the obtained values.

Table 22 shows a positive correlation, although weak, between the independent variable

SEPR and the dependent variable IACC, R(218) = .61, R2 = .371, p < .00001. The coefficient of

determination represents a variation of 37.1% of SEPR towards IACC. The p-value obtained is

less than .05, making the value insignificant (Sekaran & Bougie, 2014). Therefore, the null

hypothesis is rejected due to a positive correlation, and the p-value is not significant.

Determining the independent variable having a more significant effect on the dependent

variable was another objective of the research. Table 23 shows R and R squared values for each of

the independent variables.

Table 23

Comparison of Privacy Risks Variables

Variable   R     R2
TSEPR      .37   .134
TSUPR      .30   .089
REPR       .59   .333
SEPR       .61   .371

Note. Results obtained for each of the privacy variables of the investigation. Dependent Variable = IACC. TSEPR = Threat severity on a privacy risk; TSUPR = Threat susceptibility to a privacy risk; REPR = Response efficacy on a privacy risk; SEPR = Self-efficacy on a privacy risk. R = Multiple correlation, and R2 = Multiple correlation square.

As shown in Table 23, the SEPR variable has the most significant effect on the IACC

variable, R(218) = .61, R2 = .371. The positive correlation and coefficient of determination

are higher than those of the other security risk variables. Its influence on IACC is the

greatest of all.

Summary of the Hypothesis Testing

The statistical tests performed produced the results needed to verify the hypotheses as

planned. Below is a detailed overview of the results.

H01a: There are no statistically significant perceptions of threat severity on security risks

that vary the intention to adopt cloud computing.

The correlation value has a weak positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H01a, R(218) = .23, R2 = .051, p <

.0008. The alternative hypothesis of Ha1a, therefore, is accepted.

H01b: There are no statistically significant perceptions of threat susceptibility on security

risks that vary the intention to adopt cloud computing.

The correlation value has a weak positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H01b, R(218) = .27, R2 = .072, p <

.00006. Therefore, the alternative hypothesis of Ha1b is accepted.

H01c: There are no statistically significant perceptions of response efficacy on the

security risk situation that varies the intention to adopt cloud computing.

The correlation value has a weak positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H01c, R(218) = .49, R2 = .242, p <

.00001. The alternative hypothesis of Ha1c, therefore, is accepted.

H01d: There are no statistically significant perceptions of self-efficacy on a security risk

situation that varies the intention to adopt cloud computing.

The correlation value has a moderate positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H01d, R(218) = .55, R2 = .305, p <

.00001. Therefore, the alternative hypothesis of Ha1d is accepted.

H02a: There are no statistically significant perceptions of threat severity on privacy risks

that vary the intention to adopt cloud computing.

The correlation value has a weak positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H02a, R(218) = .37, R2 = .134, p <

.00001. Therefore, the alternative hypothesis of Ha2a is accepted.

H02b: There are no statistically significant perceptions of threat susceptibility on privacy

risks that vary the intention to adopt cloud computing.

The correlation value has a weak positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H02b, R(218) = .30, R2 = .089, p <

.00001. The alternative hypothesis of Ha2b is accepted.

H02c: There are no statistically significant perceptions of response efficacy on privacy

risk that varies the intention to adopt cloud computing.

The correlation value has a moderate positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H02c, R(218) = .58, R2 = .333, p <

.00001. Therefore, the alternative hypothesis of Ha2c is accepted.

H02d: There are no statistically significant perceptions of self-efficacy on a privacy risk

situation that varies the intention to adopt cloud computing.

The correlation value has a moderate positive relationship, and the p-value is not

significant, resulting in the rejection of the null hypothesis H02d, R(218) = .61, R2 = .371, p <

.00001. Therefore, the alternative hypothesis of Ha2d is accepted.

Summary

The number of participants surpassed the initial expectation for the survey. There were

277 persons contacted for this survey. Of the 277 persons contacted, 237 individuals participated

in the survey, representing 85.56% of the participants. The demographic information shows that

most participants were female. The 120 female participants, or 51.59%, demonstrated a 4%

increase over their male counterparts. There were two essential requirements for the participants

in this investigation.

The first requirement was a minimum of five years of work experience in IT or a related

field. A total of 119 participants reported having more than 16 years of working experience for a

percentage of 51.52%. The survey covered these areas of interest: the demographics of

application service, geographic areas, computer, and computer business, with 98 participants,

representing 42.42% of those surveyed. The telecommunications service area represents the

second largest population, with 27 participants, or 11.69%. Residence in the United States or one

of its territories is a second requirement.

All participants met the requirement. A total of 230 participants, or 99.14%, live in the

United States. Of the remaining two, one resides in Puerto Rico, an American territory, and the

other person resides in an unknown American territory. Analysis of the minimum number of

participants allowed for an analysis of their responses.

Agree was the predominant response to all of the survey questions. The average for this

trend fluctuated between 30.70 and 40.83 percent across the survey questions.

Strongly Disagree had the lowest tendency throughout the survey, with an average

fluctuating between 0.76 and 6.52 percent across the survey questions. The participants tended

toward a positive response to all of the research questions. Analysis of the answers led to the

evaluation of the hypotheses and to the statistics generated.

The statistical tests examining the veracity of the hypotheses followed a structured plan.

The first null hypothesis correlated the independent variable TSESR and the dependent variable

IACC. Rejection of the null hypothesis H01a is due to the existence of a weak positive correlation,

and the p-value not being significant, R(218) = .23, R2 = .051, p < .0008. The alternative

hypothesis of Ha1a is accepted.

The second null hypothesis correlated the independent variable TSUSR and the

dependent variable IACC. Rejection of the null hypothesis H01b is due to the existence of a weak

positive correlation, and the p-value not being significant, R(218) = .27, R2 = .072, p <

.00006. Therefore, the alternative hypothesis of Ha1b is accepted. Analysis of the third null

hypothesis follows.

The third null hypothesis correlated the independent variable RESR and the dependent

variable IACC. Rejection of the null hypothesis H01c is due to the existence of a weak positive

correlation, and the p-value not being significant, R(218) = .49, R2 = .242, p < .00001.

The alternative hypothesis of Ha1c is accepted. The fourth null hypothesis is analyzed.

The fourth null hypothesis correlated the independent variable SESR and the dependent

variable IACC. Rejection of the null hypothesis H01d is due to the existence of a moderate positive

correlation, and the p-value not being significant, R(218) = .55, R2 = .305, p < .00001.

Therefore, the alternative hypothesis of Ha1d is accepted. Analysis of the fifth null hypothesis

follows.

The fifth null hypothesis correlated the independent variable TSEPR and the dependent

variable IACC. Rejection of the null hypothesis H02a is due to the existence of a weak positive

correlation, and the p-value not being significant, R(218) = .37, R2 = .134, p < .00001.

The alternative hypothesis of Ha2a is accepted. Analysis of the sixth null hypothesis follows.

The sixth null hypothesis correlated the independent variable TSUPR and the dependent

variable IACC. Rejection of the null hypothesis H02b is due to the existence of a weak positive

correlation, and the p-value not being significant, R(218) = .30, R2 = .089, p < .00001.

The alternative hypothesis of Ha2b is accepted. Following is an analysis of the seventh

hypothesis.

The independent variable, REPR, is correlated with the dependent variable IACC for

statistics. Rejection of the null hypothesis H02c is due to the existence of a moderate positive

correlation, and the p-value not being significant, R(218) = .58, R2 = .333, p < .00001.

The alternative hypothesis of Ha2c is accepted. Analysis of the eighth hypothesis follows in the

next paragraph.

The eighth null hypothesis correlated the independent variable SEPR and the dependent

variable IACC. Rejection of the null hypothesis H02d is due to the existence of a moderate positive

correlation, and the p-value not being significant, R(218) = .61, R2 = .371, p < .00001.

The alternative hypothesis of Ha2d is accepted. The final analysis leads to an understanding of

the independent variables significantly affecting the dependent variables.

The SESR security variable has the most significant effect on the IACC variable. The

correlation and correlation squared are higher in the SESR variable as compared to other

security risks variables, R(218) = .55, R2 = .305, p < .00001. The SEPR privacy variable has the

most effect on the IACC variable. The correlation and correlation squared are higher for the

SEPR variable compared to the other privacy risk variables, R(218) = .61, R2 = .371, p < .00001.

The statistical results from Chapter 4 lead to the last chapter of the investigation.

The summarized results of Chapter 4 are in Chapter 5 for further discussion and analysis,

forming the conclusion of Chapter 5. The discussion continues with the limitations and effects

these may have had on the investigation. The survey results are in Chapter 5, as part of the

implications of the survey. Before concluding the investigation, there are recommendations for

future research.

CHAPTER 5. DISCUSSION, IMPLICATIONS, RECOMMENDATIONS

The methodology used in the study is a non-experimental correlational study. Chapter 5

presents a review of the data analysis, with Chapter 4 showing the data results, implications, and

limitations of the investigation. Chapter 5, the final chapter, first offers recommendations for

future research and concludes the study. The first part of the chapter summarizes the results

based on the literature review. Following is the research methodology and a discussion of the

results.

The statistical analysis provides for any fallouts. A table with the complete results, in

Chapter 4, allows for a better reference. The initial hypothesis and research questions guide the

results and interpretation of the data. Both practical and theoretical research derive from the

results and analysis, drawing to a conclusion.

In the field of information assurance and security, the research literature provides the

framework for the conclusions. The conclusion has two main subsections, the first analyzes the

research literature, and the second explains the data results. The research literature has a gap in

knowledge about security and privacy risks, thus supporting the investigation. The PMT and the

TPB are the two theoretical frameworks used with the research literature in the investigation, as

explained in Chapter 2. There is corroboration between the statistical analysis and the second

subsection's data results. The section on limitations and implications follows later in the chapter.

The limitations section explains possible design problems with a suggestion to improve

the quality of the data results. At the beginning of the investigation, unexpected findings

emerged. The business sector can take advantage of the practical consequences based on the

implications of the study.

The results help professionals in the field of IT and related areas. Finally, Chapter 5 has

a section for recommendations to either expand or improve the study results. The last part is

titled conclusion, offering a summary of the dissertation, pointing towards general findings.

Summary of the Results

The research focused on the relationship between security and privacy risks and their

connection with the adoption of cloud computing. The general problem is the unknown link in

the investigation. The investigation's purpose added empirical information to the existing

literature gap on the connection between these risks and the intention to adopt cloud computing.

Cloud computing technology is a growing industry permitting more services for business clients

(Singh, 2019). Security and privacy risks in cloud computing are a concern with this new

technology (Holzmann et al., 2020). Since these are concerns, the investigation will focus on

security and privacy risks regarding cloud computing technology for the business sector. These

concerns also lead to the current research problem.

The research literature on security and privacy risks in the business sector in the United

States intending to adopt cloud computing technology indicates a technical knowledge on how to

install and manage cloud computing (Brandis et al., 2019; Paquet, 2013). The research

literature suggests that privacy and security risks are important considerations (Rastogi et al.,

2018). The increase in the loss of data has created more federal laws to protect the information.

The research literature indicates an increase in federal regulations focused on reinforcement against

the potential loss of privacy and security information (Castellani et al., 2015). The research

literature also shows a lack of knowledge of how security and privacy risks affect cloud

computing technology adoption in the business sector (De Donno et al., 2019; Paquet, 2013).

The investigation's significance helps to gain knowledge about security and privacy risks in

adopting cloud computing.

The research significance includes both theoretical and practical implications. The

theoretical effects are related to the field of IT using Rogers' (1975) PMT as the conceptual

model within the area of information assurance and security. The TPB by Ajzen (2006) is the

second theoretical construct used to measure the dependent variable, the intent to adopt cloud

computing technology. The PMT considered the consequences in the intention to adopt cloud

computing; privacy and security issues are critical. Many security breaches occur in part from the

negligence of employees of the business (Chen et al., 2015). The business sector must guard

against privacy and security risks in cloud computing technology. Privacy and security

protection are a fundamental human right protected by federal law (Blume, 2015). The PMT is a

viable tool in understanding the intent to adopt cloud computing technology. These theoretical

implications also have practical implications.

Two practical implications of the research could be applied to the business practice, thus

helping its efficiency. The first practical implication is identifying the types of security and

privacy risks affecting the intention of adopting cloud computing. A security risk example is

breaking a company's security code. A privacy risk example is an unauthorized individual gaining access

to private data. The business organizations' preparation for these situations is essential (Chen et

al., 2015). Business leaders understand that security and privacy risks are different; their specific

policies in these areas should lead to better planning to comply with federal laws. Another

implication involves a company's acceptance of cloud computing technology, based on their

specific needs.

The second practical implication is to help businesses adapt to cloud computing as a new

form of technology more quickly and without much hesitation. An example of a weakness is a

company's inability to encrypt data, based on their technological resources. The company would

need cloud computing technology to encrypt the data and enable the business to decrypt the

information. The company's weakness becomes a strength by developing new techniques to

become more efficient using the latest technology (Joseph et al., 2014). The company must have

confidence in cloud computing technology, protect the data, avoid a potential lawsuit, and avoid losing

money. The lack of confidence is the focus of the current research. The following methodology

is proposed in the present investigation to address the issue of a lack of confidence.

The methodology is a non-experimental correlational study. The purpose of the study was

to test the correlation between security and privacy risks when the business sector intends to

adopt cloud computing. A correlational study is one of the quantitative methodologies and seeks

to measure the relationship between two variables (Field, 2013). The purpose of this study is to

find the correlation between the independent variables (IVs) and the dependent variable (DV)

(Mertler & Vannatta, 2013). A correlational study allows the investigator to uncover and better

understand the relationships between the dependent and independent variables and the subjects

(Ekufu, 2012). The participants responded to various research questions in a survey (Sekaran &

Bougie, 2014). The next step was to measure the participants' responses using a Likert-type

1-to-7-point scale (Venkatesh et al., 2012). The Likert-type scale methodology produced the data to

obtain the results.

The summary begins with the results obtained in the survey from the investigation. The

number of participants exceeded the initial expectation of the survey. There were 277 persons

contacted, a total of 237 individuals took part, for an average of 85.56% of the total number of

participants. The demographic information shows that most of the participants were female, 120,

or an average of 51.95%, showing approximately a 4% increase over their male counterparts.

There were two essential requirements for the participants in the investigation.

The initial requirement was a minimum of five years of experience in IT or a related

field. A total of 119 or an average of 51.52% of the participants reported having more than 16

years of working experience. Three other criteria demonstrated excellent results. Computer

business was the most prevalent application service counting on 98 participants for an average of

42.42%. The second area of significant participation was identified as telecommunications, with

27 participants, for an average of 11.69%. An additional criterion is a residence in the United

States or one of its territories.

The results of the survey show that all participants met the requirement. A total of 230

participants, or an average of 99.14%, live in the United States. Two participants live in a United

States territory, one in Puerto Rico and the other in an unknown American area, part of the

survey's parameter. Analysis of the survey responses occurred after attaining the minimum

number of participants who met the two requirements.

Discussion of the Results

The predominating response was Agree in all the answers for the survey questions. The

average of the trend fluctuated between 30.70 to 40.83%, depending on the survey question.

Strongly Disagree had the least tendency, ranging in the average between 0.76 to 6.52% in

almost all the questions. The participants tended toward a positive response to all of the research

questions. The analysis of the responses, see Table 25, leads to evaluating the hypotheses studied

in this investigation.

Table 24

Summary of Analysis Results

Variable   Mean   N     R     R2     p        F
TSESR      5.43   218   .23   .051   .0008    0.24
TSUSR      5.39   218   .27   .072   .00006   0.51
RESR       5.29   218   .49   .242   .00001   0.004
SESR       5.65   218   .55   .305   .00001   0.88
TSEPR      5.44   218   .37   .134   .00001   0.67
TSUPR      5.32   218   .30   .089   .00001   0.22
REPR       5.23   218   .58   .333   .00001   0.0004
SEPR       5.67   218   .61   .371   .00001   0.90

Note. Results obtained for each of the variables of the investigation. Dependent Variable = IACC, Mean = 5.65. TSESR = Threat severity on a security risk; TSUSR = Threat susceptibility to security risk; RESR = Response efficacy on a security risk; SESR = Self-efficacy on a security risk; TSEPR = Threat severity on a privacy risk; TSUPR = Threat susceptibility to a privacy risk; REPR = Response efficacy on a privacy risk; SEPR = Self-efficacy on a privacy risk. M = Mean; N = Total number of cases; R = Multiple correlation; R2 = Multiple correlation square; F = F distribution; and p = probability.

The statistical tests, to verify the hypothesis, followed a structured plan. The first null

hypothesis correlated the independent variable, TSESR, and the dependent variable, IACC.

The null hypothesis H01a is rejected because, see Table 24, it has a weak positive

correlation, and the p-value is not significant, R(218) = .23, R2 = .051, p < .0008. Therefore, the

first alternative hypothesis is accepted. The same type of analysis applied to the other seven

hypotheses.

The second null hypothesis correlated the independent variable TSUSR and the

dependent variable IACC. The null hypothesis H01b is rejected because, see Table 24, it

has a weak positive correlation, and the p-value is not substantial, R(218) = .27, R2 = .072, p <

.00006. The second alternative hypothesis is accepted. The analysis of the following hypotheses

continued with the third hypothesis.

Correlation of the independent variable RESR and the dependent variable IACC was the

third null hypothesis. The null hypothesis H01c is rejected because it has a weak positive

correlation, and the p-value is not significant, R(218) = .49, R2 = .242, p < .00001; see Table 24.

The third alternative hypothesis is accepted. The next paragraph analyzes the fourth hypothesis.

The fourth null hypothesis correlated the independent variable SESR and the dependent

variable IACC. The null hypothesis H01d is rejected because it has a moderate positive correlation,

and the p-value is not significant, R(218) = .55, R2 = .305, p < .00001. The data supports

accepting the fourth alternative hypothesis. Analysis of the fifth hypothesis follows.

The fifth null hypothesis correlated the independent variable, TSEPR, and the dependent

variable, IACC. The null hypothesis H02a is rejected because the relationship, as shown in

Table 24, has a weak positive correlation, and the p-value is not significant, R(218) =

.37, R2 = .134, p < .00001. The fifth alternative hypothesis is accepted. The analysis of the sixth

hypothesis is in the next paragraph.

The sixth null hypothesis correlated the independent variable TSUPR and the dependent

variable IACC. The null hypothesis H02b is rejected because the relationship has a weak positive correlation, and

the value of p (.00001) is not significant, R(218) = .30, R2 = .089, p < .00001; see Table 24.

Based on the results, the data supports accepting the sixth alternative hypothesis. Analysis of the

seventh hypothesis follows.

The seventh null hypothesis correlated the independent variable REPR and the dependent

variable IACC. Based on the data shown in Table 24, the null hypothesis H02c is rejected because

the relationship has a moderate positive correlation, and the p-value is not significant, R(218) = .58, R2 =

.333, p < .00001. From the result of the data, the seventh alternative hypothesis was accepted.

The eighth and final hypothesis is next.

The data evidenced a correlation between the independent variable SEPR and the

dependent variable IACC. The eighth null hypothesis, H02d, is rejected because, as evidenced by

the data in Table 24, the relationship has a moderate positive correlation, and the p-value is not significant,

R(218) = .61, R2 = .371, p < .00001. The data supports accepting the eighth alternative

hypothesis. The independent variables have a more substantial effect on the dependent variable,

leading to a final analysis.

The independent variable, SESR, has the most significant effect on the IACC variable.

The correlation and correlation squared are the highest in the SESR variable when compared to

other security risk variables, R(218) = .55, R2 = .305, p < .00001. On the other hand, the

independent variable, SEPR, has the most significant effect on the IACC variable. The

correlation and correlation squared are the highest in the SEPR variable when compared to other

security risk variables, R(218) = .61, R2 = .371, p < .00001.

Conclusions Based on the Results

In the following sections, the results obtained in the investigation will be explained. A

comparison will be made between the literature's findings and the established theoretical

framework in the first part. Then, using the statistics obtained and the literature, the results found

in the research will be interpreted to establish the conclusions.

Comparison of the Findings With the Theoretical Framework and Previous Literature

The PMT and the TPB are the theoretical foundations for this investigation. Rogers

(1975) developed the PMT, which evaluates the IT personnel's perceived probability of

security and privacy risks in adopting cloud computing. The other theory, the TPB, is needed to

measure the intention of adopting new technology.

The TPB, developed by Ajzen (2006), studies the behavior of the intent to adopt

new technology. The TPB was used to measure the dependent variable, the intention to adopt

cloud computing and compare the results with the independent variables (Aboelmaged,

2010; Ekufu, 2012; Rastogi et al., 2018). The PMT and TPB theories, as already indicated,

became the basis for the theoretical framework. The results from the theoretical framework and

literature research are explained in the following paragraph.

The PMT best describes the results of the data analysis. The researcher anticipated two

factors from the PMT as the motivators for adopting cloud computing: threat

appraisal and coping response appraisal. Measurement of these two PMT processes has four

factors (Floyd et al., 2000; Herath & Rao, 2009; Mumtaz & Nalin Asanka, 2019; Rogers, 1975).

The four factors used in the investigation hypotheses are threat severity, threat susceptibility,

response efficacy, and self-efficacy. According to the literature, the four factors influence the

intention to adopt cloud computing.

The research literature shows that external or internal threats are considered when

adopting any innovative technology system, including cloud computing. The following

discussion contains the results of each hypothesis.

Interpretation of the Findings

The first hypothesis analyzes the relationship between threat severity on security risks

and the adoption of cloud computing. Listed below are the null and alternative hypotheses:

H01a: There are no statistically significant perceptions of threat severity on security risks

that vary the intention to adopt cloud computing.

HA1a: There are statistically significant perceptions of threat severity on security risks

that vary the intention to adopt cloud computing.

The health care industry, as an example, is concerned about external and internal threats

when considering the adoption of cloud computing technology (Kwon & Johnson, 2014). The

data supports the research literature, making it possible to discard the null hypothesis (H01a).

Bahl and Wali (2014) suggest a business response to a potential or perceived threat is an

essential understanding of how a company might protect its data. The research literature

indicates that external or internal threats are considered when adopting any new technology,

including cloud computing. The anticipation is, as the values of the independent variable

increase, the effect will be more significant on the dependent variable, which in this case is cloud

computing adoption. Table 24 demonstrates the values of the multiple correlation, multiple

correlation square, and p-value being indicative of the importance of the dependent variable,

R(218) = .23, R2 = .051, p < .0008. The multiple correlation values move towards 1. As the

literature indicates, both the value of the multiple correlations and the p-value confirm varying

influence or contribution to adopt cloud computing. The data in Table 24 and the research

literature demonstrate that the alternative hypothesis Ha1a should be accepted, leading to the

second hypothesis's investigation.

The second hypothesis analyzes the relationship between threat susceptibility to security

risks and the adoption of cloud computing. Stated below are the null hypothesis and the alternative

hypothesis:

H01b: There are no statistically significant perceptions of threat susceptibility on security

risks that vary the intention to adopt cloud computing.

Ha1b: There are statistically significant perceptions of threat susceptibility on security

risks that vary the intention to adopt cloud computing.

Bambauer (2014) suggests that one of the most significant risk factors is humans. The

human element, it is not surprising to note, when taken into account, is essential when

considering the potential for intentional or unintentional security errors. Proper

protocol and training are imperative (Kerr, 2015). The data supports Bambauer's (2014)

suggestion concerning the human element, negating the null hypothesis (H01b). The

literature review anticipates that, as the independent variable's values increase, the dependent variable,

cloud computing adoption, becomes more significant. The values seen in Table 24 for the

multiple correlation, multiple correlation square, and p-value confirm the explanation is correct,

R(218) = .27, R2 = .072, p < .00006. The multiple correlation values move towards 1,

demonstrated by the results. Both the value of multiple correlations and the p-value confirm an

influence or contribution varying the intention to adopt cloud computing, confirming the research literature.

The research literature and the data from Table 24 show the alternative hypothesis Ha1b should

be accepted, permitting the third hypothesis's investigation.

The third hypothesis analyzes the relationship between response efficacy on security risk

and the adoption of cloud computing. The null and alternative hypotheses are:

H01c: There are no statistically significant perceptions of response efficacy on the

security risk situation that varies the intention to adopt cloud computing.

Ha1c: There are statistically significant perceptions of response efficacy on the security

risk situation that varies the intention to adopt cloud computing.

Herath and Rao (2009) explain that the increase in response efficacy is a definite

indication when adopting new regulations. The personnel are better prepared to handle a threat or

risk event. Weng and Hung (2014) suggest response efficacy on a security risk is best when the

professional staff is better prepared to handle the activity. The assumption is that the personnel

are more confident with adopting new technology such as cloud computing.

Consequently, the literature does not support the null hypothesis H01c. The anticipation

is, as the values of the independent variable increase, its subsequent effect is more significant on

the dependent variable, cloud computing adoption. The values obtained, see Table 24, for the

multiple correlation, multiple correlation square, and p-value affirm the above explanation is

correct, R(218) = .49, R2 = .242, p < .00001. Multiple correlation values move towards 1. The

values of the multiple correlation and p-value confirm an influence or contribution varying the

intention of adopting cloud computing, as the literature indicates. The evidence, both in the

research literature, and the data found in Table 24, shows the alternative hypothesis Ha1c should

be accepted. The discussion on the fourth hypothesis is next.

The fourth hypothesis analyzes the relationship between self-efficacy on security risk

and the adoption of cloud computing. The null hypothesis and the alternative hypothesis studied are:

H01d: There are no statistically significant perceptions of self-efficacy on a security risk

situation that varies the intention to adopt cloud computing.

Ha1d: There are statistically significant perceptions of self-efficacy on a security risk

situation that varies the intention to adopt cloud computing.

Kwon and Johnson (2014) suggest that the first step is to ensure an objective overview

analysis of the business's system. Many companies undergo such a review, giving the IS

personnel more professional effectiveness. The purpose is to have each IS professional (IT

technician, computer programmer, and related fields) better trained to attend to any threat or risk.

An individual professional's response to a threat or a suspicion of a threat is necessary (Menard

et al., 2014). Adopting new technologies, such as cloud computing, should have a

period of preparation for the IT professional. The research literature does not support the null

hypothesis H01d. The anticipation is, as the values of the independent variable increase, the

effect is more significant on the dependent variable, in this case, cloud computing adoption.

As shown in the values in Table 24, the multiple correlation, multiple correlation

square, and p-value support that the explanation is correct, R(218) = .55, R2 = .305, p < .00001. The

multiple regression data affirms the research literature. As the multiple correlation values move

towards 1, the value of multiple correlations and the p-value confirm the influence or contribution

varying the intention of adopting cloud computing. Both the research literature and the data, as

seen in Table 24, demonstrate the alternative hypothesis Ha1d should be accepted. The fifth

hypothesis analyzes another relationship.

The fifth hypothesis analyzes the relationship between threat severity on privacy risks

and the adoption of cloud computing. The null hypothesis and the alternative hypothesis are:

H02a: There are no statistically significant perceptions of threat severity on privacy risks

that vary the intention to adopt cloud computing.

Ha2a: There are statistically significant perceptions of threat severity on privacy risks that

vary the intention to adopt cloud computing.

Privacy risks involve a client's right to privacy. In this regard, Blume (2015) understands

privacy to be a part of a human right and a business's responsibility. Privacy is a critical factor

for consideration. Privacy threats increase when regulations to protect privacy are not

implemented appropriately during the adoption of new technologies. Weinstock (2014) suggests

that personal data theft derives from taking a person's Social Security number, date of birth, or

even a patient's name. A privacy threat is more likely to occur if the business personnel have little

or no expertise in new technologies, such as cloud computing. The research literature, therefore,

does not support the null hypothesis H02a. As the independent variable's values increase, the

anticipation is that the effect is higher on the dependent variable, cloud computing adoption.

As seen in Table 24, the multiple correlation, multiple correlation square, and p-value indicate

the explanation is correct, R(218) = .37, R2 = .134, p < .00001. As the multiple correlation

values move towards one, the value of R and the value of p confirm the influence or contribution

varying the intention of adopting cloud computing, affirming the research

literature. The data in Table 24 corroborate the research literature, showing the alternative

hypothesis Ha2a should be accepted. The sixth hypothesis analyzes another relationship

concerning privacy risks.

The sixth hypothesis analyzes the relationship between threat susceptibility to privacy

risks and the adoption of cloud computing. The null hypothesis and the alternative hypothesis are:

H02b: There are no statistically significant perceptions of threat susceptibility on privacy

risks that vary the intention to adopt cloud computing.

Ha2b: There are statistically significant perceptions of threat susceptibility on privacy

risks that vary the intention to adopt cloud computing.

Hayden (2013) suggests prevailing laws do provide a framework to protect private data.

New technologies, such as cloud computing, that do not comply with these privacy laws increase

business susceptibility. Chen et al. (2015) have indicated that these risks need heightened

awareness to ensure personal data security and minimize the risks. The threat to privacy

increases in the adoption of new technology, such as cloud computing. The research literature

does not support the sixth null hypothesis, H02b. As the independent variable's values increase,

the anticipation is the effect will increase the dependent variable, cloud computing

adoption. As demonstrated in Table 24, the multiple correlation, multiple correlation square, and

p-value results evidence the above explanation, R(218) = .30, R2 = .089, p < .00001. As the

multiple correlation values move towards one, the multiple correlations and the p-value confirm

an influence or contribution varying the intention of adopting cloud computing, supporting the

research literature. The data found in Table 24 corroborate the research literature, showing the

alternative hypothesis Ha2b should be accepted. The seventh hypothesis analyzes another

relationship dealing with privacy risks.

The seventh hypothesis analyzes the relationship between response efficacy on privacy

risks and the adoption of cloud computing. The null hypothesis and the alternative hypothesis are:

H02c: There are no statistically significant perceptions of response efficacy on privacy

risk that varies the intention to adopt cloud computing.

Ha2c: There are statistically significant perceptions of response efficacy on privacy risk

that varies the intention to adopt cloud computing.

Marston et al. (2011) suggest that privacy and security risks are important

considerations. The assumption is that organizations take these factors into account. Blume (2015)

suggests the "protection of personal data was perceived as necessary to ensure the digital

economy" (p. 3). The research literature does not support the null hypothesis H02c. The

anticipation is, as the values of the independent variable increase, the effect is higher on the

dependent variable, cloud computing adoption. The values demonstrated in Table 24 for the

multiple correlation, multiple correlation square, and p-value confirm the explanation is

correct, R(218) = .58, R2 = .333, p < .00001. As the multiple correlation values move towards 1,

the p-value affirms the influence or contribution varying the intention to adopt cloud computing.

The results support the research literature. The alternative hypothesis Ha2c, therefore, is

accepted. The eighth and the last hypothesis analyzes another relationship on privacy risks.

The eighth hypothesis analyzes the relationship between self-efficacy on privacy risks

and the adoption of cloud computing. The null hypothesis and the alternative hypothesis are:

H02d: There are no statistically significant perceptions of self-efficacy on a privacy risk

situation that varies the intention to adopt cloud computing.

Ha2d: There are statistically significant perceptions of self-efficacy on a privacy risk

situation that varies the intention to adopt cloud computing.

Two different studies are focused on the issue of security and privacy risks. These

investigations demonstrated the need to be sensitive to a privacy risk (Marston et al., 2011). The

assumption is that organizations take these factors into account. To a greater or lesser extent, various

organizations prepare their staff to combat threats or risks to privacy, a risk related to cloud

computing adoption. Kwon and Johnson (2014), in their conclusion, suggest "proactive security

investment is significantly associated with fewer security failures" (p. 466). Preparation helps

each staff member have a higher level of personal confidence. The research literature does not

affirm the null hypothesis H02d. Consequently, the anticipation is that, as the independent variable's

values increase, the effect becomes more significant on the dependent variable, cloud computing

adoption. The data in Table 24 for the multiple correlation, multiple correlation square, and p-value

confirm the expectation, supporting the above explanation, R(218) = .61, R2 = .371, p <

.00001. The multiple correlation values move towards 1. The multiple correlations and p-value

values prove an influence or contribution varying the intention of adopting cloud computing,

as the literature indicates. Therefore, the alternative hypothesis Ha2d is accepted. All four factors

influence the intention to adopt cloud computing technology.

Security and privacy risks influence the adoption of new technologies, and one

alternative is cloud computing. Some factors are in higher proportion than others. Research

statistics determine these ratios. A multiple regression permits finding the multiple correlation

square (R2), in which each IV is related to a DV and contributes a more significant effect on it

(Field, 2013). The research literature and investigative results need to demonstrate a relationship.

The following paragraphs describe which factors have the most significant influence and their

reasons for each.

The SESR variable, as shown in Table 24, has the most significant effect on the IACC

variable. The multiple regression and multiple regression squared were higher for the variable

than other security risk variables, R(218) = .55, R2 = .305. Its influence on IACC is the greatest

of all security risk variables. The variable SEPR presents similar results.

The SEPR variable, as shown in Table 24, has the most significant effect on the IACC

variable. The multiple regression and multiple regression squared were higher for the variable

than other security risk variables, R(218) = .61, R2 = .371. The influence is the greatest of all

privacy risk variables. The next paragraph explains the impact of the SESR and SEPR variables.

Self-efficacy is measured by the SESR and SEPR variables' influence in the PMT theory.

As the research literature indicates, self-efficacy relates to the professional viewing himself as

effectively and efficiently responding to risk situations. Threat severity, threat susceptibility, and

response efficacy are other risk factors that do not impact the participants directly. These three factors

are directly related to how an organization or company prepares for management than the

potential risks cloud computing technology brings. Fear is both a dangerous and negatively

motivating factor for an individual (Gao et al., 2015).

In many cases, self-efficacy is a personal consideration. Negligence is another factor for

IT professionals when adopting new technology, like cloud computing. Negligence plays a part

in the threat to privacy and security risks (Chen et al., 2015). Each hypothesis has a response,

correlating the four factors and the intention of adopting cloud computing.

The investigation has two research questions and the variance to adopt cloud computing

technology. The first question asks for an IT professional's perception regarding the four factors

from a security risk perspective. The second question focuses on security risks. Both questions

ask about the variance of security and privacy risks in the intention to adopt cloud computing

technology.

ResQ1: To what extent do perceptions of threat severity, threat susceptibility, response

efficacy, and self-efficacy on security risks contribute to the variance in the intention to adopt

cloud computing in the business sector?

ResQ2: To what extent do perceptions of threat severity, threat susceptibility, response

efficacy, and self-efficacy on privacy risks contribute to the variance in the intention to adopt

cloud computing in the business sector?

Both the research literature and the statistics support the perception of the four factors

mentioned in the research questions. The four factors contribute to the variance in the intention

to adopt cloud computing. The statistics demonstrate that threat severity and threat susceptibility

do not significantly influence the variance in adopting cloud computing. Response efficacy and

self-efficacy are two factors in the perception to adopt cloud computing technology. As

demonstrated in the statistics, self-efficacy is the most critical factor for security risks and

privacy risks.

Table 24 shows the extent to which the four factors contribute to the intention to adopt cloud

computing regarding security and privacy risks. The value of the multiple correlations squared

indicates the extent to which each factor contributes to the intention to adopt cloud computing. The first research

question (ResQ1) focuses on security risks. The multiple correlations squared shows the

variation for threat severity response is 0.051 (5.1%), and for self-efficacy is 0.305 (30.5%). The

variation is shown in the values, from least to the most, with self-efficacy being the most crucial

factor. The other two factors range between these two results. The values show the extent of the

variation to adopt cloud computing. The second research question (ResQ2) focuses on privacy

risks.

Table 24 also shows the R squared values for privacy risks. The R squared shows the

variation for threat susceptibility response is 0.089 (8.9%), and for self-efficacy is 0.371

(37.1%). The variation is shown in the values, from least to the most, with self-efficacy being the

essential factor. The other two factors range between these two results. The values show the

extent of the variation to adopt cloud computing.

Limitations

Improvements for further research are shown in this investigation's limitations to guide

future researchers in the study areas, suggesting an increase to create a better approach. The first

limitation of the inquiry is the lack of knowledge in the influence on security and privacy risks in

the decision to adopt cloud computing technology. Herath and Rao (2009) studied security

policies regarding the intent to adopt cloud computing. Their study uses various theoretical

models related to security policies and the adoption of new technology. Ekufu (2012) utilized a

combination of TAM and the TPB. The literature review shows that the use of TAM and the TPB is

frequent, thus showing a limitation in the areas of privacy and security risks in the intent to adopt

cloud computing.

The survey sample includes 216 individuals in the continental United States, one from an

unknown territory of the United States, and another participant from Puerto Rico, for a total of 218

participants. All individuals have a minimum of five years of working experience in the IT field.

Top management personnel with organizational capability are not part of the sample survey.

Using only the sample survey as part of the investigative instrument is a limitation. Other

techniques, such as personal interviews, observations, et cetera, help better understand other

factors to adopt new technology, such as cloud computing. For a future investigation, there are

several delimitations.

The PMT (Rogers, 1975) and the TPB by Ajzen (2006) do not include other factors.

Among these are cost-efficiency, real-time effectiveness, and manageability of the

technology. The PMT focuses on the adoption of new technology. TPB studies an individual's

intention to accomplish a task based on reward or punishment.

The research is not a longitudinal study, another investigative technique. A longitudinal

investigation permits a comparative approach by completing the research using various time

parameters. The longitudinal analysis allows the investigator to understand better the intent to

adopt cloud computing regarding security and privacy risks. Not including a longitudinal

study delimits the investigation.

Implications for Practice

The investigation results apply to the field of information assurance and security within

the continental United States and its territories. Both the PMT and TPB theories were

instrumental in understanding the importance of the four factors identified as influential in

adopting cloud computing technology. This knowledge implies that PMT and TPB theories are

viable tools for a future investigation in the intent to adopt cloud computing technology.

The four factors identified in the study are the threat severity, threat security, response

efficacy, and self-efficacy. In this study, these four factors correlated with the decision process to

adopt cloud computing. Self-efficacy was the most influential in the adoption of the process. The

investigation discovered the IS staff's concern about self-efficacy over the other factors

regardless of whether the threat was security or privacy. Federal regulations emphasize the

matter regarding the loss of privacy and security issues (Castellani et al., 2015). Privacy and

security issues are a heightened priority, in the assurance of information, as are other factors.

The research found a statistically significant perception of self-efficacy in a security risk

or privacy risk situation, which validated the Ha1d and Ha2d hypotheses. An implication for the

finding is that training both IS personnel and company officials is essential. Overcoming a

corporate official's hesitation and resistance is another valid concern. Facilitating IS

personnel's preparation promotes corporate officers' opportunity to better understand and

question the nuances of the adoption of cloud computing technology. The training needs to

include proactive techniques on deploying the new technology and methods in safeguarding

against potential threats, including threat severity, threat security, and response efficacy. A

highly recommended suggestion is to have company officials become involved in the

decision-making process to adopt cloud computing technology. The IS staff needs appropriate training

with the previously mentioned features to work with cloud computing technology.

Another finding from the investigation is that both company officials and IS

personnel need to collaborate in implementing cloud computing technology. Businesses are

concerned about security breaches, due in part, to the possible negligence of some employees

(Chen et al., 2015). Better collaboration among the staff reduces the number of internal security

breaches. The implication is that collaboration leads to a better understanding of each company's

specific needs.

All the implications mentioned above have an impact, not only immediately but for the

future as well. Training and collaboration directly affect the knowledge of the adoption and

implementation of cloud computing technology. Such experience provides a better understanding

of these risks affecting cloud computing adoption for the business sector in the United States

(Shaikh & Sasikumar, 2012). Finally, the theories of PMT and TPB allow for further

investigations, discovering new angles in future research on the topic.

Recommendations for Further Research

The following suggestions for further research consist of those developed directly from

the study's data and those resulting from consideration of the research question, research

methodology, research design, and study limitations.

Recommendations Developed Directly From the Study's Data

A suggestion collected directly from the data is to expand the population to different parts

of the world. The data collected was only concentrated in the United States and its territories.

The projected results reflect the sample population. It would be of great benefit to expand the

sample population to verify if these results are the same or different depending on the country

studied and the laws that apply in the place.

Recommendations Derived From Methodology, Design, and Limitations

The first limitation of the investigation is a lack of knowledge of the influence on security

and privacy risks in the decision to adopt cloud computing technology. Further research on the

topic, using other theories, such as the General Deterrence Theory (GDT) and the Theory of

Reasoned Action (TRA), may eliminate or diminish the limitation. The present investigation uses

the theories of PMT and TPB.

The GDT theory focuses on penalizing the Information Systems (IS) personnel when a

mistake is made. To avoid punishment, the individual adheres more closely to company policy.

In contrast, the TRA measures its staff's attitudes and personal norms, particularly the IS

personnel. These two theories explain an individual's behavior and conduct. Both the GDT and

TRA theories are essential for a company intending to adopt cloud computing technology. The

current investigation is on security and privacy issues and the intention to adopt cloud computing

technology.

Using only the sample survey as the investigative instrument is a limitation. Other

techniques, such as personal interviews and observations, help to better understand other

factors in adopting new technology. Personal interviews provide information based on professional

experience. The data from the individual interviews might shed new light on the hypothesis of

the research. Observations give the researcher an opportunity to study IT

professionals working through security and privacy risk threats. The Theory of Reasoned Action

(TRA) is a useful theoretical model to consider a professional's behavior and reasoning. These

techniques provide a different approach since they allow us to see responses that the survey cannot

give by its nature.

Recommendations Based on Delimitations

The GDT and TRA may be used to investigate aspects not included in the PMT and TPB

theories, permitting an expansion of the study's delimitations. That this research is not a

longitudinal study is another delimitation. A longitudinal study allows a comparative approach by

completing the investigation using various time parameters.

Recommendations Based on Other Relevant Data

In a matter not supported by the data but relevant to the investigation, a final suggestion

is to carry out the same survey by application service area. The recommendation permits

analyzing the points of view by application service area and thus seeing whether the results are different

from those obtained in the investigation. The new data would highlight the application areas most

vulnerable to security and privacy risks.

Conclusion

The unknown relationship between security and privacy risks and their connection with cloud

computing adoption within the business sector was the investigation's general problem. The

results fill an existing gap in the research literature concerning these risks and cloud computing

adoption. The study has two research questions. First, to what extent do perceptions of threat

severity, threat susceptibility, response efficacy, and self-efficacy on security risks contribute to

the variance in the intention to adopt cloud computing in the business sector? Second, to what

extent do perceptions of threat severity, threat susceptibility, response efficacy, and self-efficacy

on privacy risks contribute to the variance in the intention to adopt cloud computing in the

business sector? The methodology was a non-experimental correlational study. The purpose of

the study was to test the correlation between security and privacy risks when the business sector

intends to adopt cloud computing.

Before the statistical analysis, the investigator conducted a review of the literature. The

literature review identified four factors: threat severity, threat susceptibility, response efficacy,

and self-efficacy. The PMT and TPB theories were identified as the theoretical framework for the

research. The statistical analysis was carried out in the United States territory

with people from the IT area, or related, with five years or more experience. These conditions

were maintained to guarantee that all participants were under a similar framework or

environment. A total of 237 people participated in the study, the corresponding statistics were

complete, and the relevant results were obtained. The predominant response among the participants was

Agree for all the survey questions. Its share fluctuated across the

survey questions, averaging between 31 and 41 percent. The least frequent response was Strongly

Disagree, varying with the survey questions and averaging between 0.76 and 6.52 percent in all the

questions. The results found in both the literature review and statistical data showed a correlation

between security and privacy risks and adopting cloud computing. The findings showed each of

the four factors examined affects the intention to adopt cloud computing, although some to a

higher degree than others. There is a relationship between all of the factors, the intention to adopt

cloud computing, and all eight hypotheses.

The factor that had the most significant effect was self-efficacy, regardless of

whether it was a security or privacy risk. Among the security risk variables, SESR has the most

significant impact on the IACC variable: its multiple correlation is higher than that of the other

security risk variables, and its squared multiple correlation is also higher,

R(218) = .55, R² = .305, p < .00001. Among the privacy risk variables, the SEPR

variable has the most significant effect on the IACC variable. Its multiple correlation and

squared multiple correlation are higher than those of the other privacy risk

variables, R(218) = .61, R² = .371, p < .00001. Self-efficacy is an important factor determining

how a person sees themselves in a risk situation and their effectiveness in responding to the risk. IT

professionals tend to be more cautious when making decisions in adopting new technology, such

as cloud computing. Training and collaboration improve the education of IT personnel. Training

and cooperation positively impact IT personnel and company officials. As a team, their

combined knowledge and expertise allow the company to better implement and integrate this

type of technology. This knowledge provides a better understanding of how these risks affect cloud

computing adoption in the United States business sector. The theories of PMT and TPB allow us

to continue discovering new angles for future research. Both the research literature and statistical

analysis support a strong correlation between security and privacy risks and the intention of

adopting cloud computing technology.


APPENDIX. DEMOGRAPHICS

Item                        Variable

Sex                         Female
                            Male

Years of employment         5 years
                            6 to 10 years
                            11 to 15 years
                            More than 16 years

Application service area    Computer business
                            Government facility
                            Health care
                            Manufacturing
                            Telecommunications
                            Transportation
                            University/College
                            Others

Geographical area           Puerto Rico (PR)
                            United States (US)
                            Others

ProQuest Number: 28490718

Distributed by ProQuest LLC (2021). Copyright of the Dissertation is held by the Author unless otherwise noted.