Strategic signaling through cloud service certifications: Comparing the relative importance of certifications’ assurances to companies and consumers
Introduction
With the advent of cloud computing, the role of technology is profoundly shifting for companies and consumers alike. For businesses, technology is moving from serving as a support function to playing a strategic role and is defining winning business models (Benlian and Haffke, 2016, Tallon et al., 2019). For consumers, technology has become increasingly embedded into their daily lives. Disruptive technologies such as cloud computing have dramatically altered the way companies and consumers access technology and use distributed resources (Benlian et al., 2018, Merali et al., 2012). Cloud services are evolving more rapidly in terms of functionality and underlying infrastructure than past on-premises technologies, leading to shorter adoption and replacement cycles, while at the same time becoming less transparent in terms of their inner properties and working mechanisms. As a result, it has become a strategic necessity for organizations and consumers to be informed about the technologies they adopt (Ravichandran, 2018) and for technology providers to ensure that their customers are confident in making adoption decisions.
IT-related certifications have established themselves among company decision makers and consumers as tools that signal a provider’s service quality in traditional IT outsourcing (e.g., ISO 27000 or the Capability Maturity Model, CMM) and in consumer e-commerce (e.g., TRUSTe). In such contexts, IT-related certifications traditionally function as strategic signals to build trust (Belanger et al., 2002), which plays a crucial role in users’ adoption decisions for new technologies (Li et al., 2008). Cloud computing typically involves a self-service approach with few human interactions (Mell and Grance, 2011). As a result, institutional trust-building signals that do not rely on personal interactions, such as IT-related certifications, become even more important (Lansing and Sunyaev, 2016). Hence, concomitant with the proliferation of cloud computing among companies and consumers, organizations such as Cloud Security Alliance (CSA) and EuroCloud have started to develop a novel class of IT-related certifications: cloud service certifications (CSCs). The main users of CSCs are company decision makers who evaluate CSCs as part of procuring a cloud service for their organization and consumers who evaluate CSCs in the context of selecting a cloud service for personal use. Making the right cloud service adoption decision is of strategic importance to organizations because such outsourced services not only allow them to better manage cost and to internalize innovation (Aubert et al., 2015, Oshri et al., 2015) but also contribute to overall service quality (e.g., reliability, responsiveness), which is directly related to organizational performance (Gorla et al., 2010). Yet, approximately half of all outsourcing relationships result in low performance, with service quality conflicts being one of the root causes (Lacity and Willcocks, 2017).
These challenges are particularly reinforced in cloud service adoption decisions, in which consumers and companies face numerous cloud-specific uncertainties on service quality concerning not only security and privacy but also, among other uncertainties, availability, interoperability, contracts, and legal compliance (Armbrust et al., 2010, Benlian and Hess, 2011, Marston et al., 2011).
CSCs signal cloud service quality and allow decision makers to make ex ante assessments, increase market transparency and ultimately support better adoption decisions, leading to better service fit and higher service quality. As such, the implementation of CSCs is of strategic importance for company decision makers and consumers when making cloud service adoption decisions (Khan and Malluhi, 2013; Sunyaev and Schneider, 2013). Moreover, CSCs need to be configured with the right composition of assurances to function as information signals and mitigate cloud-specific uncertainties. For example, Dropbox, a cloud service for storing and exchanging documents, needs to overcome users’ uncertainties about the security, privacy, and continuous availability of and access to data when that data is stored in the cloud rather than on users’ local computers (Dropbox, 2017b). Without assurances covering specific service details, adopters would remain uncertain regarding service levels. For instance, they would not know whether their personal data gets locked in or lost due to non-interoperability or whether their personal data will be processed according to compliance rules and regulations by the cloud service provider. While some of these uncertainties may also be covered by contracts, assurances allow for an in-advance check and are based on third-party inspection. To mitigate prospective adopters’ uncertainty and facilitate the adoption of their service, Dropbox obtained ISO 27017 and CSA STAR certifications (Dropbox, 2017a), two certification schemes that provide security assurance. Because these CSCs do not provide privacy or availability assurances, Dropbox is also certified as ISO 27018 (privacy) and ISO 22301 (business continuity, availability). In this example, ISO chose to develop separate certifications for each type of assurance. EuroCloud, by contrast, chose to bundle security, privacy, and availability assurances in one certification. 
Certification authorities must therefore make a strategic decision to define their nascent CSCs and include the most appropriate set of assurances for their respective target groups. Similarly, to foster the adoption of their cloud services, managers of cloud service providers face the strategic task of selecting a CSC that signals appropriate assurances to customers. If they do not know which assurances are more or less important to different customers, certification authorities and cloud service providers may develop or acquire CSCs that do not fit their customers’ needs for assurance or that are too broadly scoped, which may obfuscate the CSCs’ meaning and render CSC adoption uneconomical owing to complex certification processes. Thus, it is important to understand which assurances company decision makers and consumers value in a CSC when evaluating it as a decision factor for the adoption of a cloud service.
Prior IS research on certifications has conceptualized certifications as an aggregate signal and examined their effect on decisions and decision antecedents such as perceived risk, perceived assurance, and trust (Sturm et al., 2014). Furthermore, scholars have juxtaposed certifications’ effects on these antecedents with those from other signals, e.g., disclosure statements or reputation (Kim et al., 2008, Wang et al., 2004). Given that prior research focused on instances of real-world certifications, the implicit focus was put on certifications that provide either security or privacy assurances. Recent studies applying adoption theories in the cloud context, however, found that adoption decisions are influenced by perceptions of uncertainties beyond those related to security and privacy, such as performance (interoperability, reliability), system unavailability, or contract conditions (e.g., Benlian and Hess, 2011, Bhattacherjee and Park, 2014, Heart, 2010, Repschlaeger et al., 2013). Prior to making an adoption decision on a cloud service without assurances beyond security and privacy (e.g., guarantees on the interoperability and availability of data or legal compliance), prospective cloud service adopters may therefore look for additional information to mitigate those uncertainties.
The CSCs described above show that certifications may contain one or multiple assurance signals, each addressing specific types of uncertainty that are relevant in the cloud context. In the case of multiple signals, signaling theory posits that recipients “may apply weights to signals in accordance with preconceived notions about importance” (Connelly et al., 2011, p. 55). Few studies, however, have explicitly examined and juxtaposed recipients’ perceptions of different assurances (e.g., Hu et al., 2010, Lansing et al., 2018). Moreover, within the IS certification literature, little research exists on company decision makers’ perceptions of certifications and their assurances, although cloud computing has also increased the prevalence of certifications on software platforms in the business-to-business (B2B) context. Signaling theory also posits that signals are interpreted differently by recipients with diverging backgrounds (Connelly et al., 2011), suggesting a contingency perspective on assurances’ effects. It is thus of theoretical importance to understand which assurances recipients value, to what extent an assurance is valued, and how each assurance’s value differs across recipients (i.e., across companies and consumers) depending on the specific cloud context. In turn, such an understanding would provide a better explanation of the extent to which the different assurances in CSCs influence cloud adoption decisions and how this influence differs across contexts.
In this study, we use signaling theory to conceptualize CSCs as a bundle of signals (i.e., assurances) that a recipient observes and dissects for interpretation, and we juxtapose the differential relative weights that company decision makers and consumers ascribe to these assurances in CSC evaluations. Accordingly, we ask the following two research questions (see Fig. 1 for a depiction of the interplay between the research questions):
RQ1: What is the relative importance of CSC assurances as perceived by companies and consumers?
RQ2: How does the relative importance of each assurance differ between companies and consumers?
In answering these research questions, we find significant differences in the relative importance of each assurance between companies and individual consumers. Moreover, we also find significant differences among individual consumers when comparing adopters and non-adopters and across companies when comparing customer and provider companies, exposing recipient group differences as a contextual factor. Further detailing this finding through post hoc analyses, we find initial evidence that service type and industry regulation are potential additional contextual factors. Hence, based on our findings, we extend existing models in adoption contexts by shedding light on how recipients evaluate certifications as part of information systems adoption decisions. Our research contributes to research on the justification and evaluation of information systems in two important ways. First, by conceptualizing certifications as a bundle of weighted (assurance) signals, we determine that recipients make trade-offs between assurances. This suggests that the weighting of a certification’s assurances is an important factor in assessing a certification’s efficacy in adoption decisions: adoption theories may have to be extended to capture the signaling effects of CSCs’ assurances. Second, comparisons of the perceptions of assurances’ relative importance by company decision makers and consumers and supplementary post hoc analyses reveal significant differences in recipients’ trade-offs, which suggests that the weighting of a certification’s assurances in adoption decisions is subject to the signaling environment and shaped by contextual factors such as recipient group differences, service type, and industry regulation.
The remainder of the article is structured as follows. First, we discuss the relevant IS literature on certification assurances, describe the characteristics of CSCs, and outline the theoretical foundations of our research. Next, we describe the research methods used to identify and conceptualize the ten assurances of CSCs and the methods used to collect and analyze the empirical data collected from companies and consumers in an online, best-worst scaling (BWS) study. The fourth section presents the results of our analyses, and the article closes with a discussion of the findings, research and practical implications, limitations and future research directions.
Section snippets
IT-related certifications in IS research
Certification refers to a process in which a company’s processes and services are evaluated against a predefined set of criteria via an audit by a third party, which formally acknowledges that the standard defined by the criteria is met (ISO/IEC 17000, 2004). Certifications consist of one or several assurances that provide verified information about the attributes of a certified provider or service, thereby reducing uncertainties arising from information asymmetries (Tsai et al., 2011) or
Main study
Analyzing the data from the exploratory interviews resulted in a typology of ten assurances for CSCs (see Table 1), which was used as input for the BWS study. To analyze the BWS results, we used a multinomial logistic regression to estimate the utility of each assurance for each respondent by following the guidelines of Louviere et al. (2013). To facilitate the interpretation and aggregation of the utilities (i.e., regression coefficients) across respondents, we calculated each assurance’s
Discussion
Driven by the need for fast responses to changing markets and customer demands (Ravichandran, 2018, Tallon et al., 2019), organizations are increasingly relying on cloud services, which allow for short update cycles and flexible IT use. As these services affect fundamental aspects of a company’s business model rather than only technical aspects (e.g., when outsourcing ERP or CRM to cloud services), the decision to adopt a certain cloud service is of a strategic nature and calls for the
Acknowledgement
We thank Bob Galliers and Guy Gable for guiding us through a long and winding road to publication of this paper. We also gratefully acknowledge financial support by the Deutsche Forschungsgemeinschaft (DFG) under grant numbers BE 4308/4-2 and SU 717/10-2.
References (81)
- et al. (2015). Exploring and managing the “innovation through outsourcing” paradox. J. Strat. Inform. Syst.
- et al. (2018). When decision support systems fail: Insights for strategic information systems from Formula 1. J. Strat. Inform. Syst.
- et al. (2002). Trustworthiness in electronic commerce: the role of privacy, security, and site attributes. J. Strat. Inform. Syst.
- et al. (2016). Does mutuality matter? Examining the bilateral nature and effects of CEO–CIO mutual understanding. J. Strat. Inform. Syst.
- et al. (2011). Opportunities and risks of software-as-a-service: Findings from a survey of IT executives. Decis. Support Syst.
- et al. (2010). Organizational impact of system quality, information quality, and service quality. J. Strat. Inform. Syst.
- et al. (2010). The effects of Web assurance seals on consumers' initial trust in an online vendor: A functional perspective. Decis. Support Syst.
- et al. (2008). A trust-based consumer decision-making model in electronic commerce: The role of trust, perceived risk, and their antecedents. Decis. Support Syst.
- et al. (2011). Third-party privacy certification as an online advertising strategy: an investigation of the factors affecting the relationship between third-party certification and initial trust. J. Interact. Market.
- et al. (2017). Conflict resolution in business services outsourcing relationships. J. Strategic Inform. Syst.
- Incorporating trust-in-technology into expectation disconfirmation theory. J. Strat. Inform. Syst.
- Why do we trust new technology? A study of initial trust formation with organizational information systems. J. Strategic Inform. Syst.
- An introduction to the application of (case 1) best–worst scaling in marketing research. Int. J. Res. Market.
- Cloud computing - the business perspective. Decis. Support Syst.
- Information systems strategy: Past, present, future? J. Strategic Inform. Syst.
- Explaining the adoption of grid computing: An integrated institutional theory and organizational capability approach. J. Strat. Inform. Syst.
- The qualitative interview in IS research: Examining the craft. Inform. Organ.
- Strategic innovation through outsourcing: The role of relational and contractual governance. J. Strategic Inform. Syst.
- Exploring the relationships between IT competence, innovation capacity and organizational agility. J. Strategic Inform. Syst.
- Comparison of Bayesian and regression approaches to the study of information processing in judgment. Organ. Behav. Hum. Perform.
- Information technology and the search for organizational agility: A systematic review with future research possibilities. J. Strategic Inform. Syst.
- Signaling the trustworthiness of small online retailers. J. Interact. Market.
- Do different kinds of trust matter? An examination of the three trusting beliefs on satisfaction and purchase behavior in the buyer–seller context. J. Strategic Inform. Syst.
- Trustmarks, objective-source ratings, and implied investments in advertising: investigating online trust and the context-specific nature of internet signals. J. Acad. Market. Sci.
- A view of cloud computing. Commun. ACM
- Drivers of SaaS-adoption – an empirical study of different application types. Bus. Inf. Syst. Eng.
- The transformative value of cloud computing: A decoupling, platformization, and recombination theoretical framework. J. Manage. Inform. Syst.
- Service quality in software-as-a-service: developing the saas-qual measure and examining its role in usage continuance. J. Manag. Inform. Syst.
- Why end-users move to the cloud: a migration-theoretic analysis. Eur. J. Inf. Syst.
- Influence processes for information technology acceptance: an elaboration likelihood model. MIS Quart.
- Survey Analysis: North American Midsize Businesses Cite Cloud Intentions. Dataquest G00210298
- Signaling theory: A review and assessment. J. Manag.
- Information systems outsourcing: A survey and analysis of the literature. Database Adv. Inform. Syst.
- On product uncertainty in online markets: theory and evidence. MIS Quart.
- An Introduction to Qualitative Research
Cited by (22)
Why so skeptical? Investigating the emergence and consequences of consumer skepticism toward web seals
2024, Information and Management
International Business, digital technologies and sustainable development: Connecting the dots
2023, Journal of World Business
Information security and value creation: The performance implications of ISO/IEC 27001
2022, Computers in Industry
Citation Excerpt: On the other, potential benefits related to the streamlining of buyer-supplier relationships (Hannigan et al., 2019) could start before the formal certification. Drawing from ST (Connelly et al., 2011; Spence, 1978), the result can be explained in terms of the strength of the signal (King et al., 2005) as well as the relative importance of the kind of signal (Lansing et al., 2019). In particular, despite the diffusion of ISO/IEC 27001 is on a growing trajectory, the relevant number of issued certificates may have modified the role of the standard; from a source of competitive differentiation in the market to a prerequisite to conduct business.
Investigating the role of internal security resources in post-adoption satisfaction with the Security-as-a-Service model: an organizational mindfulness perspective
2023, Journal of Enterprise Information Management
Online Information Filtering: The Role of Contextual Cues in Electronic Networks of Practice
2023, Data Base for Advances in Information Systems
A Design Theory for Certification Presentations
2023, Data Base for Advances in Information Systems