Abstract
In the digital age, organizations are increasingly shifting their applications, services and infrastructures to the cloud to enhance business agility and reduce IT-related costs. However, in moving applications and data to cloud resources organizations face new risks of privacy violations. To manage this risk, organizations need to be fully aware of threats and vulnerabilities affecting their digital re-sources in cloud. Although some previous studies have focused on the emerging challenges of cloud adoption to governance and control, we know little regarding the paradigm shifts in IT governance processes and practices. To address this gap, we conducted an exploratory case study in two large companies in the financial sector. Our findings show that cloud adoption alters the locus and scope of IT governance which consequently compels organizations to rethink their control mechanisms to mitigate security risks. Our findings contribute to the literature on IT governance and IT outsourcing, and support IT executives and decision makers in mitigating the risks of cloud adoption.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Ali, M., Khan, S. U., & Vasilakos, A. V. (2015). Security in cloud computing: Opportunities and challenges. Information Sciences (Ny), 305, 357–383. https://doi.org/10.1016/j.ins.2015.01.025.
August, T., Niculescu, M. F., & Shin, H. (2014). Cloud implications on software network structure and security risks cloud implications on software network structure and security risks. Information Systems and Research, 25, 489–510. https://doi.org/10.1287/isre.2014.0527.
Baset, S. A. (2012). Cloud SLAs: present and future. ACM SIGOPS Operating Systems Review, 46, 57–66.
Baskerville, R., Spagnoletti, P., & Kim, J. (2014). Incident-centered information security: Managing a strategic balance between prevention and response. Information & Management, 51, 138–151. https://doi.org/10.1016/j.im.2013.11.004.
Barney, J. B. (1991). Firm resources and sustained competitive advantage. Journal of Management, 17(1), 99–120.
Benlian, A., & Hess, T. (2011). Opportunities and risks of software-as-a-service: Findings from a survey of IT executives. Decision Support Systems, 52, 232–246. https://doi.org/10.1016/j.dss.2011.07.007.
Bowen, P. L., Cheung, M.-Y. D., & Rohde, F. H. (2007). Enhancing IT governance practices: A model and case study of an organization’s efforts. International Journal of Accounting Information Systems, 8, 191–221.
Brender, N., & Markov, I. (2013). Risk perception and risk management in cloud computing: Results from a case study of Swiss companies. International Journal of Information Management, 33, 726–733. https://doi.org/10.1016/j.ijinfomgt.2013.05.004.
David, A., Nguyen, Q., Johnson, V., Kappelman, L., Torres, R., Maurer, C. (2018). The 2017 SIM IT issues and trends study. MIS Q Executive 17. https://doi.org/10.1177/1066480713514945.
Eisenhardt, K. M., & Graebner, M. E. (2007). Theory building from cases: opportunities and challenges. Academy of Management Journal, 50, 25–32. https://doi.org/10.1002/job.
European Network and Information Security Agency. (2009). Cloud Computing Security Risk Assessment. https://www.enisa.europa.eu/publications/cloud-computing-risk-assessment.
Flick, U., von Kardoff, E., & Steinke, I. (Eds.). (2004). A companion to qualitative research. Sage.
Gioia, D. A., Corley, K. G., & Hamilton, A. L. (2013). Seeking qualitative rigor in inductive research: Notes on the Gioia methodology. Organizational Research Methods, 16, 15–31.
Gonzalez, R., Gasco, J., & Llopis, J. (2006). Information systems outsourcing: A literature analysis. Information & Management, 43, 821–834.
Gregory, R. W., Kaganer, E., Henfridsson, O., Ruch, T. J. (2018). IT consumerization and the transformation of it governance. MIS Quarterly 42, 1225–1253. https://doi.org/10.25300/MISQ/2018/13703.
Gupta, P., Seetharaman, A., & Raj, J. R. (2013). The usage and adoption of cloud computing by small and medium businesses. International Journal of Information Management, 33, 861–874. https://doi.org/10.1016/j.ijinfomgt.2013.07.001.
Hoberg, P., Wollersheim, J., Krcmar, H. (2012). The business perspective on cloud computing—a literature review of research on cloud computing. In: AMCIS 2012 Proceedings, Paper 5.
Jick, T. D. (1979). Mixing qualitative and quantitative methods: Triangulation in action. Administrative Science Quarterly, 24, 602–611.
Kaspersky Lab. (2018). On the money: Growing IT security budgets to protect digital transformation initiatives.
Kern, T., Kreijger, J., & Willcocks, L. (2002). Exploring ASP as sourcing strategy: Theoretical perspectives, propositions for practice. Journal of Strategic Information Systems, 11, 153–177.
Lacity, M. C., & Hirschheim, R. (1993). The information systems outsourcing bandwagon. Sloan Management Review, 35, 73.
Lacity, M. C., Willcocks, L. P., & Khan, S. (2011). Beyond transaction cost economics: Towards an endogenous theory of information technology outsourcing. Journal of Strategic Information Systems, 20, 139–157. https://doi.org/10.1016/j.jsis.2011.04.002.
Lacity, M. C., Khan, S., Yan, A., & Willcocks, L. P. (2010). A review of the IT outsourcing empirical literature and future research directions. Journal of Information Technology, 25, 395–433. https://doi.org/10.1057/jit.2010.21.
Lee, Y., & Cavusgil, S. T. (2006). Enhancing alliance performance: The effects of contractual-based versus relational-based governance. Journal of Business Research, 59, 896–905.
Lin, A., & Chen, N.-C. (2012). Cloud computing as an innovation: Perception, attitude, and adoption. International Journal of Information Management, 32, 533–540. https://doi.org/10.1016/j.ijinfomgt.2012.04.001.
Loske, A., Widjaja, T., Buxmann, P. (2013). Cloud computing providers’ unrealistic optimism regarding IT security risks: A threat to users? ICIS 1–20 (2013). https://doi.org/10.5121/ijnsa.2012.4206.
Maher, N., Kavanagh, P., Glowatz, M. (2013). A vendor perspective on issues with security, governance and risk for Cloud Computing. In: 26th Bled eConference—eInnovations Challenges Impacts Individ. Organ. Soc. Proc. (pp. 103–114).
Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J., & Ghalsasi, A. (2011). Cloud computing—The business perspective. Decision Support Systems, 51, 176–189. https://doi.org/10.1016/j.dss.2010.12.006.
McLeod, A., & Dolezel, D. (2018). Cyber-analytics: Modeling factors associated with healthcare data breaches. Decision Support Systems, 108, 57–68. https://doi.org/10.1016/j.dss.2018.02.007.
Mell, P., & Grance, T. (2011). The NIST definition of cloud computing—recommendations of the national institute of standards and technology. Gaithersburg: U.S. Department of Commerce.
Oliveira, T., Thomas, M., & Espadanal, M. (2014). Assessing the determinants of cloud computing adoption: An analysis of the manufacturing and services sectors. Information & Management, 51, 497–510.
Payton, S. (2010). Fluffy logic. Financial Management, 22–25 (14719185).
Peterson, R. R. (2004). Exploring IT governance in pharmaceutical and high-tech industries: Trends, challenges and directions.
Pfeffer, J., Salancik, G. R. (2003). The external control of organizations: A resource dependence perspective. Stanford University Press (2003).
Poppo, L., & Zenger, T. (2002). Do formal contracts and relational governance function as substitutes or complements? Strategic Management Journal, 23, 707–725.
Ramachandran, M., & Chang, V. (2016). Towards performance evaluation of cloud service providers for cloud data security. International Journal of Information Management, 36, 618–625. https://doi.org/10.1016/j.ijinfomgt.2016.03.005.
Ramireddy, S., Chakraborty, R., Raghu, T. S., Rao, H. R. (2010). Privacy and security practices in the arena of cloud computing—a research in progress. In: AMCIS, p. 574 (2010).
Rastogi, Gloria. (2015). Hendler: security and privacy of performing data analytics in the cloud: A three-way handshake of technology, policy, and management. Journal of Information Policy, 5, 129. https://doi.org/10.5325/jinfopoli.5.2015.0129.
Schneider, S., Sunyaev, A.: Determinant factors of cloud-sourcing decisions: Reflecting on the IT outsourcing literature in the era of cloud computing. Journal of Information Technology 31(1), 1–31. https://doi.org/10.1057/jit.2014.25.
Schwarz, A., Jayatilaka, B., Hirschheim, R., & Goles, T. (2009). A conjoint approach to understanding IT application services outsourcing. Journal of the Association of the Information Systems, 10, 1.
Sood, S. K. (2012). A combined approach to ensure data security in cloud computing. Journal of Network and Computer Applications, 35, 1831–1838. https://doi.org/10.1016/j.jnca.2012.07.007.
Sultan, N. A. (2011). Reaching for the “cloud”: How SMEs can manage. International Journal of Information Management, 31, 272–278. https://doi.org/10.1016/j.ijinfomgt.2010.08.001.
Tallon, P. P., Ramirez, R. V, Short, J. E., Tallon, P. P., Ramirez, R. V, Short, J. E. (2013). The Information artifact in IT Governance : Toward a Theory of Information governance the information artifact in IT governance : Toward a theory of information governance. Journal of Management Information System 30. https://doi.org/10.2753/MIS0742-1222300306.
Tilson, D. (2010). Digital infrastructures : The missing IS research agenda. Information System Research, 748–759. https://doi.org/10.1287/isre.1100.0318.
Tiwana, A., & Konsynski, B. (2010). Complementarities between organizational it architecture and governance structure. Information System Research, 21, 288–304. https://doi.org/10.1287/isre.
Tiwana, A., Konsynski, B., & Venkatraman, N. (2013). Information technology and organizational governance: The IT governance cube. Journal of Management Information System, 30, 7–12.
Vithayathil, J. (2017). Will cloud computing make the Information Technology (IT) department obsolete? Information System Journal. https://doi.org/10.1111/isj.12151.
vom Brocke, J., Braccini, A. M., Sonnenberg, C., & Spagnoletti, P. (2014). Living IT infrastructures—an ontology-based approach to aligning IT infrastructure capacity and business needs. International Journal of Accounting Information Systems, 15, 246–274.
Wang, N., Liang, H., Jia, Y., Ge, S., Xue, Y., & Wang, Z. (2016). Cloud computing research in the IS discipline: A citation/co-citation analysis. Decision Support Systems, 86, 35–47. https://doi.org/10.1016/j.dss.2016.03.006.
Weill, P., & Ross, J. W. (2004). IT governance. Boston: Harvard Business School Press.
Williamson, O. E. (1981). The modern corporation: Origins, evolution, attributes. Journal of Economic Literature, 19, 1537–1568.
Williamson, O. E. (1985). The economic institutions of capitalism. New York: Free Press.
Wilkin, C. L., & Chenhall, R. H. (2010). A review of IT governance: A taxonomy to inform accounting information systems. Journal of Information System, 24, 107–146.
Yin, R. K. (2013). Case study research: Design and methods. Sage publications.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Kazemargi, N., Spagnoletti, P. (2020). Cloud Sourcing and Paradigm Shift in IT Governance: Evidence from the Financial Sector. In: Agrifoglio, R., Lamboglia, R., Mancini, D., Ricciardi, F. (eds) Digital Business Transformation. Lecture Notes in Information Systems and Organisation, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-47355-6_4
Download citation
DOI: https://doi.org/10.1007/978-3-030-47355-6_4
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-47354-9
Online ISBN: 978-3-030-47355-6
eBook Packages: Business and ManagementBusiness and Management (R0)