Strategic signaling through cloud service certifications: Comparing the relative importance of certifications’ assurances to companies and consumers

https://doi.org/10.1016/j.jsis.2019.101579Get rights and content

Highlights

  • Certifications are bundles of assurance signals rather than a single signal.

  • Decision-makers weight the bundle of signals due to their characteristics and context.

  • Certifications' efficacy in adoption decisions hinges on their assurances' weighting.

Abstract

Cloud service certifications (CSCs) are assessed by practitioners to support strategic cloud adoption decisions with the aim to reduce information asymmetries. Both businesses and consumers scrutinize CSCs’ assurances as ex ante signals indicating a cloud provider’s future service quality. While some research has examined the aggregate effects of certifications on decision variables, recipients’ evaluations of certifications and their assurances before making IT-related decisions have received little attention. Furthermore, prior research has predominantly focused on privacy and security assurances in e-commerce certifications. Drawing on signaling theory, we propose that certifications are signals that recipients decompose into a set of fine-grained assurance signals that they weigh to evaluate certifications. We evaluate the responses of 113 company representatives and 317 consumers to a best-worst scaling survey to examine the relative importance these two groups attach to ten assurances from CSCs. Our results show that similar to other online contexts, security and privacy are important assurances, but additional assurances related to availability, the customer friendliness of contracts, and legal compliance are also demanded, particularly by companies. Privacy, security, and availability are most crucial to both companies and consumers, but their relative importance varies substantially between the two groups. Post-hoc subgroup analyses reveal significant differences in assurances’ relative importance for provider and user companies, adopter and non-adopter consumers as well as companies using different types of services and from different industries. Our findings indicate that recipients evaluate certifications as a bundle of signals with varying importance due to recipients’ characteristics and context. With this conceptualization, we contribute to an advanced understanding of the sense-making of certifications and lay out how it influences cloud service adoption theories. Our study has practical implications for certification authorities that design CSCs as well as for providing insights to cloud service providers on customers who draw on CSC assurances when making cloud service adoption decisions.

Introduction

With the advent of cloud computing, the role of technology is profoundly shifting for companies and consumers alike. For businesses, technology is moving from serving as a support function to playing a strategic role and is defining winning business models (Benlian and Haffke, 2016, Tallon et al., 2019). For consumers, technology has become increasingly embedded into their daily lives. Disruptive technologies such as cloud computing have dramatically altered the way companies and consumers access technology and use distributed resources (Benlian et al., 2018, Merali et al., 2012). Cloud services are evolving more rapidly in terms of functionality and underlying infrastructure than past on-premises technologies, leading to shorter adoption and replacement cycles, while at the same time becoming less transparent in terms of their inner properties and working mechanisms. As a result, it has become a strategic necessity for organizations and consumers to be informed about the technologies they adopt (Ravichandran, 2018) and for technology providers to ensure that their customers are confident in making adoption decisions.

IT-related certifications have established themselves among company decision makers and consumers as tools that signal a provider’s service quality in traditional IT outsourcing (e.g., ISO 27000 or the Capability Maturity Model, CMM) and in consumer e-commerce (e.g., TRUSTe). In such contexts, IT-related certifications traditionally function as strategic signals to build trust (Belanger et al., 2002), which plays a crucial role in users’ adoption decisions for new technologies (Li et al., 2008). Cloud computing typically involves a self-service approach with few human interactions (Mell and Grance, 2011). As a result, institutional trust-building signals that do not rely on personal interactions, such as IT-related certifications, become even more important (Lansing and Sunyaev, 2016). Hence, concomitant with the proliferation of cloud computing among companies and consumers, organizations such as Cloud Security Alliance (CSA) and EuroCloud have started to develop a novel class of IT-related certifications: cloud service certifications (CSCs). The main users of CSCs are company decision makers who evaluate CSCs as part of procuring a cloud service for their organization and consumers who evaluate CSCs in the context of selecting a cloud service for personal use. Making the right cloud service adoption decision is of strategic importance to organizations because such outsourced services not only allow to better manage cost and to internalize innovation (Aubert et al., 2015, Oshri et al., 2015) but they also contribute to overall service quality (e.g., reliability, responsiveness), which is directly related to organizational performance (Gorla et al., 2010). Yet, approximately half of all outsourcing relationships result in low performance, with service quality conflicts being one of the root causes (Lacity and Willcocks, 2017). These challenges are particularly reinforced in cloud service adoption decisions, in which consumers and companies face numerous cloud-specific uncertainties on service quality concerning not only security and privacy but also, among other uncertainties, availability, interoperability, contracts, and legal compliance (Armbrust et al., 2010, Benlian and Hess, 2011, Marston et al., 2011).

CSCs signal cloud service quality and allow decision makers to make ex ante assessments, increase market transparency and ultimately support better adoption decisions, leading to better service fit and higher service quality. As such, the implementation of CSCs is of strategic importance for company decision makers and consumers when making cloud service adoption decisions (Khan and Malluhi, 2013; Sunyaev and Schneider, 2013). Moreover, CSCs need to be configured with the right composition of assurances to function as information signals and mitigate cloud-specific uncertainties. For example, Dropbox, a cloud service for storing and exchanging documents, needs to overcome users’ uncertainties about the security, privacy, and continuous availability of and access to data when that data is stored in the cloud rather than on users’ local computers (Dropbox, 2017b). Without assurances covering specific service details, adopters would remain uncertain regarding service levels. For instance, they would not know whether their personal data gets locked in or lost due to non-interoperability or whether their personal data will be processed according to compliance rules and regulations by the cloud service provider. While some of these uncertainties may also be covered by contracts, assurances allow for an in-advance check and are based on third-party inspection. To mitigate prospective adopters’ uncertainty and facilitate the adoption of their service, Dropbox obtained ISO 27017 and CSA STAR certifications (Dropbox, 2017a), two certification schemes that provide security assurance. Because these CSCs do not provide privacy or availability assurances, Dropbox is also certified as ISO 27018 (privacy) and ISO 22301 (business continuity, availability). In this example, ISO chose to develop separate certifications for each type of assurance. EuroCloud, by contrast, chose to bundle security, privacy, and availability assurances in one certification. Certification authorities must therefore make a strategic decision to define their nascent CSCs and include the most appropriate set of assurances for their respective target groups. Similarly, to foster the adoption of their cloud services, managers of cloud service providers face the strategic task of selecting a CSC that signals appropriate assurances to customers. If they do not know which assurances are more or less important to different customers, certification authorities and cloud service providers may develop or acquire CSCs that do not fit their customers’ needs for assurance or that are too broadly scoped, which may obfuscate the CSCs’ meaning and render CSC adoption uneconomical owing to complex certification processes. Thus, it is important to understand which assurances company decision makers and consumers value in a CSC when evaluating it as a decision factor for the adoption of a cloud service.

Prior IS research on certifications has conceptualized certifications as an aggregate signal and examined their effect on decisions and decision antecedents such as perceived risk, perceived assurance, and trust (Sturm et al., 2014). Furthermore, scholars have juxtaposed certifications’ effects on these antecedents with those from other signals, e.g., disclosure statements or reputation (Kim et al., 2008, Wang et al., 2004). Given that prior research focused on instances of real-world certifications, the implicit focus was put on certifications that provide either security or privacy assurances. Recent studies applying adoption theories in the cloud context, however, found that adoption decisions are influenced by perceptions of uncertainties beyond those related security and privacy, such as performance (interoperability, reliability), system unavailability, or contract conditions (e.g., Benlian and Hess, 2011, Bhattacherjee and Park, 2014, Heart, 2010, Repschlaeger et al., 2013). Prior to making an adoption decision on a cloud service without assurances beyond security and privacy (e.g., guarantees on the interoperability and availability of data or legal compliance), prospective cloud service adopters may therefore look for additional information to mitigate those uncertainties.

The CSCs described above show that certifications may contain one or multiple assurance signals, each addressing specific types of uncertainty that are relevant in the cloud context. In the case of multiple signals, signaling theory posits that recipients “may apply weights to signals in accordance with preconceived notions about importance” (Connelly et al., 2011, p. 55). Few studies, however, have explicitly examined and juxtaposed recipients’ perceptions of different assurances (e.g., Hu et al., 2010, Lansing et al., 2018). Moreover, within the IS certification literature, little research exists on company decision makers’ perceptions of certifications and their assurances, although cloud computing has also increased the prevalence of certifications on software platforms in the business-to-business (B2B) context. Signaling theory also posits that signals are interpreted differently by recipients with diverging backgrounds (Connelly et al., 2011), suggesting a contingency perspective on assurances’ effects. It is thus of theoretical importance to understand which assurances recipients value, to what extent an assurance is valued, and how each assurance’s value differs across recipients (i.e., across companies and consumers) depending on the specific cloud context. In turn, such an understanding would provide a better explanation of the extent to which the different assurances in CSCs influence cloud adoption decisions and how this influence differs across contexts.

In this study, we use signaling theory to conceptualize CSCs as a bundle of signals (i.e., assurances) that a recipient observes and dissects for interpretation and juxtapose the differential relative weights that company decision makers and consumers ascribe to these assurances in CSC evaluations. Accordingly, we ask the following two research questions (see Fig. 1 for a depiction of the interplay between the research questions):

RQ1: What is the relative importance of CSC assurances as perceived by companies and consumers?

RQ2: How does the relative importance of each assurance differ between companies and consumers?

In answering these research questions, we find significant differences in the relative importance of each assurance between companies and individual consumers. Moreover, we also find significant differences in individual consumers when comparing adopters and non-adopters and across companies when comparing customer and provider companies, exposing recipient group differences as a contextual factor. Further detailing this finding through post hoc analyses, we find initial evidence that service type and industry regulation are potential additional contextual factors. Hence, based on our findings, we extend existing models in adoption contexts by shedding light into how recipients evaluate certifications as part of information systems adoption decisions. Our research contributes to research on the justification and evaluation of information systems in two important ways. First, by conceptualizing certifications as a bundle of weighted (assurance) signals, we determine that recipients make trade-offs between assurances. This suggests that the weighting of a certification’s assurances is an important factor in assessing a certifications’ efficacy in adoption decisions: adoption theories may have to be extended to capture the signaling effects of CSCs’ assurances. Second, comparisons of the perceptions of assurances’ relative importance by company decision makers and consumers and supplementary post hoc analyses reveal significant differences in recipients’ trade-offs, which suggests that the weighting of a certification’s assurances in adoption decisions is subject to the signaling environment and shaped by contextual factors such as recipient group differences, service type, and industry regulation.

The remainder of the article is structured as follows. First, we discuss the relevant IS literature on certification assurances, describe the characteristics of CSCs, and outline the theoretical foundations of our research. Next, we describe the research methods used to identify and conceptualize the ten assurances of CSCs and the methods used to collect and analyze the empirical data collected from companies and consumers in an online, best-worst scaling (BWS) study. The fourth section presents the results of our analyses, and the article closes with a discussion of the findings, research and practical implications, limitations and future research directions.

Section snippets

IT-related certifications in IS research

Certification refers to a process in which a company’s processes and services are evaluated against a predefined set of criteria via an audit by a third party, which formally acknowledges that the standard defined by the criteria is met (ISO/IEC 17000, 2004). Certifications consist of one or several assurances that provide verified information about the attributes of a certified provider or service, thereby reducing uncertainties arising from information asymmetries (Tsai et al., 2011) or

Main study

Analyzing the data from the exploratory interviews resulted in a typology of ten assurances for CSCs (see Table 1), which was used as input for the BWS study. To analyze the BWS results, we used a multinomial logistic regression to estimate the utility of each assurance for each respondent by following the guidelines of Louviere et al. (2013). To facilitate the interpretation and aggregation of the utilities (i.e., regression coefficients) across respondents, we calculated each assurance’s

Discussion

Driven by the need for fast responses to changing markets and customer demands (Ravichandran, 2018, Tallon et al., 2019), organizations are increasingly relying on cloud services, which allow for short update cycles and flexible IT use. As these services affect fundamental aspects of a company’s business model rather than only technical aspects (e.g., when outsourcing ERP or CRM to cloud services), the decision to adopt a certain cloud service is of a strategic nature and calls for the

Acknowledgement

We thank Bob Galliers and Guy Gable for guiding us through a long and winding road to publication of this paper. We also gratefully acknowledge financial support by the Deutsche Forschungsgemeinschaft (DFG) under grant numbers BE 4308/4-2 and SU 717/10-2.

References (81)

  • N. Lankton et al.

    Incorporating trust-in-technology into expectation disconfirmation theory

    J. Strat. Inform. Syst.

    (2014)
  • X. Li et al.

    Why do we trust new technology? A study of initial trust formation with organizational information systems

    J. Strategic Inform. Syst.

    (2008)
  • J. Louviere et al.

    An introduction to the application of (case 1) best–worst scaling in marketing research

    Int. J. Res. Market.

    (2013)
  • S. Marston et al.

    Cloud computing - the business perspective

    Decis. Support Syst.

    (2011)
  • Y. Merali et al.

    Information systems strategy: Past, present, future?

    J. Strategic Inform. Syst.

    (2012)
  • C.M. Messerschmidt et al.

    Explaining the adoption of grid computing: An integrated institutional theory and organizational capability approach

    J. Strat. Inform. Syst.

    (2013)
  • M.D. Myers et al.

    The qualitative interview in IS research: Examining the craft

    Inform. Organ.

    (2007)
  • I. Oshri et al.

    Strategic innovation through outsourcing: The role of relational and contractual governance

    J. Strategic Inform. Syst.

    (2015)
  • T. Ravichandran

    Exploring the relationships between IT competence, innovation capacity and organizational agility

    J. Strategic Inform. Syst.

    (2018)
  • P. Slovic et al.

    Comparison of Bayesian and regression approaches to the study of information processing in judgment

    Organ. Behav. Hum. Perform.

    (1971)
  • P.P. Tallon et al.

    Information technology and the search for organizational agility: A systematic review with future research possibilities

    J. Strategic Inform. Syst.

    (2019)
  • S. Wang et al.

    Signaling the trustworthiness of small online retailers

    J. Interact. Market.

    (2004)
  • J. Xu et al.

    Do different kinds of trust matter? An examination of the three trusting beliefs on satisfaction and purchase behavior in the buyer–seller context

    J. Strategic Inform. Syst.

    (2016)
  • K.D. Aiken et al.

    Trustmarks, objective-source ratings, and implied investments in advertising: investigating online trust and the context-specific nature of internet signals

    J. Acad. Market. Sci.

    (2006)
  • M. Armbrust et al.

    A view of cloud computing

    Commun. ACM

    (2010)
  • Badger, L., Grance, T., Patt-Corner, R., Voas, J., 2012. Cloud Computing Synopsis and Recommendations: NISTSpecial...
  • A. Benlian et al.

    Drivers of SaaS-adoption – an empirical study of different application types

    Bus. Inf. Syst. Eng.

    (2009)
  • A. Benlian et al.

    The transformative value of cloud computing: A decoupling, platformization, and recombination theoretical framework

    J. Manage. Inform. Syst.

    (2018)
  • A. Benlian et al.

    Service quality in software-as-a-service: developing the saas-qual measure and examining its role in usage continuance

    J. Manag. Inform. Syst.

    (2011)
  • A. Bhattacherjee et al.

    Why end-users move to the cloud: a migration-theoretic analysis

    Eur. J. Inf. Syst.

    (2014)
  • A. Bhattacherjee et al.

    Influence processes for information technology acceptance: an elaboration likelihood model

    MIS Quart.

    (2006)
  • J.A. Browning et al.

    Survey Analysis: North American Midsize Businesses Cite Cloud Intentions. Dataquest G00210298

    (2011)
  • Cohen, S., 2003. Maximum Difference Scaling: Improved Measures of Importance and Preference for Segmentation. Sawtooth...
  • B.L. Connelly et al.

    Signaling theory: A review and assessment

    J. Manag.

    (2011)
  • J. Dibbern et al.

    Information systems outsourcing: A survey and analysis of the literature

    Database Adv. Inform. Syst.

    (2004)
  • A. Dimoka et al.

    On product uncertainty in online markets: theory and evidence

    MIS Quart.

    (2012)
  • Disterer, G., 2012. Why Firms Seek ISO 20000 Certification - A Study of ISO 20000 Adoption. In: Proceedings of the...
  • Dropbox, 2017a. Complying with standards and regulations....
  • Dropbox, 2017b. Trust Guide. https://www.dropbox.com/business/trust. Accessed 22 December...
  • U. Flick

    An Introduction to Qualitative Research

    (2009)
  • Cited by (22)

    • Information security and value creation: The performance implications of ISO/IEC 27001

      2022, Computers in Industry
      Citation Excerpt :

      On the other, potential benefits related to the streamlining of buyer-supplier relationships (Hannigan et al., 2019) could start before the formal certification. Drawing from ST (Connelly et al., 2011; Spence, 1978), the result can be explained in terms of the strength of the signal (King et al., 2005) as well as the relative importance of the kind of signal (Lansing et al., 2019). In particular, despite the diffusion of ISO/IEC 27001 is on a growing trajectory, the relevant number of issued certificates may have modified the role of the standard; from a source of competitive differentiation in the market to a prerequisite to conduct business.

    • A Design Theory for Certification Presentations

      2023, Data Base for Advances in Information Systems
    View all citing articles on Scopus
    View full text