Factors limiting adoption of new technology: a study of drawbacks affecting transition from on-premise systems to cloud computing

THERÉSE KILSTRÖM

Master of Science Thesis, Stockholm, Sweden 2016


Limiting factors in the introduction of new technology: a study of aspects that hinder the transition from on-premise systems to cloud services

THERÉSE KILSTRÖM

Degree project, Stockholm, Sweden 2016

Factors limiting adoption of new technology: a study of drawbacks

affecting transition from on-premise systems to cloud computing

by

Therése Kilström

Master of Science Thesis INDEK 2016:53 KTH Industrial Economics and Management

Sustainability and Industrial Dynamics SE-100 44 STOCKHOLM

Limiting factors in the introduction of new technology: a study of aspects that hinder the transition from on-premise systems to cloud services

by

Therése Kilström

Degree project INDEK 2016:53 KTH Industrial Economics and Management

Sustainability and Industrial Dynamics SE-100 44 STOCKHOLM

Master of Science Thesis INDEK 2016:53

Drawbacks in adoption of new technology:

a study of factors limiting transition from on-premise systems to cloud computing

Therése Kilström

Approved: 2016-06-16

Examiner: Niklas Arvidsson

Supervisor: Pär Blomkvist

Commissioner: Medius AB

Contact person: Viktor Lundqvist

Abstract

Cloud computing has grown from being a business concept to one of the fastest growing segments of the modern ICT industry. Cloud computing addresses many issues that have emerged from globalization in terms of the ever faster pace of growth, shorter product life cycles, increased complexity of systems and higher investment needs. Cloud computing is penetrating all sectors of business applications and has influenced the whole IT industry. The business model has grown to be an alternative to traditional on-premise systems, where the traditional environment, applications and additional IT infrastructure are maintained in-house within the organization.

However, organizations are still reluctant to deploy their business in the cloud. There are many concerns regarding cloud computing services and, despite all its advantages, cloud adoption is still very low in the organizational landscape. Hence, this master thesis aims to investigate what the drawbacks regarding a transition from an on-premise system to a cloud computing service are and how these relate to factors that influence the decision of adoption. Furthermore, this study will investigate how cloud service providers can develop a pro-active approach to manage the main drawbacks of cloud adoption.

In order to fulfill the aim of the study, empirical research in the form of data collection through interviews was carried out. The results of the study identified security and perceived loss of control as the main drawbacks in the transition from an on-premise system to a cloud computing service. Since these findings could be described as foremost technological and attitudinal, the thesis contributes to practitioners by identifying communication with and education of customers, and adherence to industry standards and certifications, as important factors to address. Lastly, this thesis identified a lack of understanding of cloud computing as a result of poor information, indicating room for further research within this area.

Keywords: Cloud adoption, cloud computing, drawbacks, security

Degree project INDEK 2016:53

Limiting factors in the introduction of new technology: a study of aspects that hinder the transition from on-premise systems to cloud services

Therése Kilström

Approved: 2016-06-16

Examiner: Niklas Arvidsson

Supervisor: Pär Blomkvist

Commissioner: Medius AB

Contact person: Viktor Lundqvist

Summary

Cloud services have grown from being a business concept to being one of the fastest growing segments of the modern IT industry. Cloud services respond to many of the challenges driven by increased globalization. The challenges consist mainly of an ever faster pace of growth, shorter product life cycles, increased complexity of systems and larger investment costs. Cloud services have made progress in all business areas and have affected the entire IT industry. The business model has grown into an attractive alternative to traditional installed systems, where the traditional environment, applications and other IT infrastructure are maintained internally within the organization.

However, organizations remain very hesitant to migrate their operations to the cloud. The cloud raises concerns, and despite its advantages the adoption of cloud services among companies is relatively low. The purpose of this thesis is to investigate which drawbacks affect a transition from an installed system to a cloud-based service and how these relate to factors that influence this decision. In addition, this study aims to investigate how cloud service providers can develop a proactive strategy to manage these drawbacks regarding a transition to cloud services.

To fulfill the purpose of the study, empirical data was collected through interviews at various companies. The results of the study identified security and perceived loss of control as the most important drawbacks in the transition from an installed system to a cloud service. These results can mainly be described as technical and attitudinal and therefore contribute guidance for cloud service providers on the importance of communicating with and educating customers and of working actively with compliance with industry standards and certifications. Finally, this study also shows that there is a lack of understanding of the cloud that stems from poor information and communication, which shows that there is room for further research in this area.

Keywords: technology adoption, cloud services, limitations, security


FOREWORDS AND ACKNOWLEDGEMENTS

This report presents a master thesis work conducted during spring 2016, concluding the journey at KTH Royal Institute of Technology in Stockholm, Sweden. The master thesis was performed at the department of Industrial Economics and Management, School of Industrial Engineering and Management.

During the period of the research process I had the opportunity to gain valuable knowledge within the area of the master thesis, thanks to all the dedicated and inspiring people.

I would like to start by thanking my supervisor Pär Blomkvist at the Department of Industrial Economics and Management at the Royal Institute of Technology, KTH for the encouragement and guidance as well as meetings with constructive feedback.

Further, I would like to express my appreciation to Viktor Lundqvist at Medius AB for dedicating time and supporting the work throughout the master thesis process. A special thank you to all employees at Medius AB, who engaged and provided great guidance during the process.

This master thesis would not have been achieved without all involved persons contributing to the thesis by participating in interviews and sharing their expertise and personal experiences.

Lastly, I would also like to express my gratitude to Mikaela Öberg, whom I conducted the commissioned thesis work at the case company with, for her support and excellent collaboration.

Therése Kilström Stockholm, May 2016


ABBREVIATIONS

This page presents abbreviations used in this thesis.

AP: Accounts Payable
CSP: Cloud Service Provider
CIO: Chief Information Officer
DOI: Diffusion of Innovation
DDoS: Distributed Denial of Service
ERP: Enterprise Resource Planning
IaaS: Infrastructure as a Service
ICT: Information and Communication Technology
IT: Information Technology
R&D: Research and Development
SaaS: Software as a Service
TOE: Technology-Organization-Environment
VPN: Virtual Private Network
PaaS: Platform as a Service

TABLE OF CONTENTS

1 INTRODUCTION
1.1 Background
1.2 Problem Description
1.3 Case Company
1.4 Purpose
1.5 Research Questions
1.6 Delimitations
1.7 Contributions
1.8 Disposition

2 INTRODUCTION TO CLOUD BASED ERP SYSTEMS
2.1 Cloud Computing
2.1.1 Cloud Deployment Models
2.1.2 Cloud Computing Service Models
2.2 Enterprise Resource Planning Systems
2.2.1 ERP Software Extensions
2.3 Summary of Cloud Computing and ERP

3 LITERATURE REVIEW AND PREVIOUS RESEARCH
3.1 Diffusion of Innovations
3.2 Barriers of Technology Adoption
3.3 Cloud Computing Adoption Factors
3.4 Technology-Organization-Environment Framework
3.5 Concluding Remarks

4 METHOD
4.1 Methodological Approach
4.2 Research Design
4.2.1 Pre-study
4.2.2 Literature Review
4.2.3 Interviews
4.2.4 Questionnaire
4.2.5 Data Analysis
4.3 Validity and Reliability

5 EMPIRICAL FINDINGS
5.1 Overview
5.2 Security
5.2.1 Asset Security
5.2.2 Incident Security
5.3 Perceived Loss of Control
5.3.1 IT Department not embracing Cloud
5.3.2 Trust Issues for Cloud Computing

6 ANALYSIS AND DISCUSSION
6.1 Overview
6.2 Security
6.2.1 Asset Security
6.2.2 Incident Security
6.3 Perceived Loss of Control
6.3.1 IT Department not embracing Cloud
6.3.2 Trust Issues for Cloud Computing
6.4 The Contexts of Security and Perceived Loss of Control
6.5 Characteristics of Security and Perceived Loss of Control
6.5.1 Relative Advantage
6.5.2 Compatibility
6.5.3 Complexity
6.5.4 Trialability
6.5.5 Observability
6.6 Adoption Distribution of Cloud Computing
6.7 Research Methodology

7 CONCLUSIONS AND FUTURE RESEARCH
7.1 Main Findings
7.2 Implications
7.2.1 Industrial Implications
7.2.2 Case Company Implications
7.2.3 Research Implications
7.2.4 Sustainability Implications
7.3 Future Research

8 REFERENCES

APPENDIX A

TABLE OF FIGURES AND TABLES

Figure 1: The disposition of the master thesis
Figure 2: Cloud management responsibilities
Figure 3: Technology adoption model
Figure 4: Technology-Organization-Environment Framework
Figure 5: The research process design
Figure 6: Identified drawbacks resulting from the interviews
Figure 7: The results from the study in relation to the TOE Framework
Figure 8: Distribution of organizations and individuals in the adoption curve

Table 1: Interview participants from case company
Table 2: Interview participants with expert knowledge in cloud computing

1 INTRODUCTION

In this chapter, the background of the studied phenomenon, the description of the problem, purpose of the study, research questions, delimitations and contribution of the study are presented and discussed.

1.1 Background

Industry globalization and faster development of technologies with shorter product life cycles put new demands on ICT development. The globalization trend means that companies acting on local markets with a focus on individual markets are changing their growth strategies to act on larger or even global markets. They are replacing local suppliers and local service solutions with global services. These services increase in complexity and are designed to suit all markets. ICT services need to be standardized in the organization, requiring replacement of existing software and hardware as the organizations grow. Shorter product life cycles in the ICT industry mean a higher replacement rate of systems and a growing demand for companies to keep the necessary resources required for these changes (Rockström, 2013).

Cloud computing addresses many of the issues of the ever faster pace of growth, shorter product life cycles, increased complexity of systems and higher investment needs. Cloud computing offers access over the infinite reaches of the Internet to software, IT platforms, storage or additional IT infrastructure. This is in contrast to on-premise IT, which refers to the traditional environment, applications and additional IT infrastructure, often maintained in-house within the organization. These types of systems are generally installed and operated at the organization, utilizing the computing resources of the existing infrastructure. Cloud services are delivered by a third party supplier, mostly known as a cloud service provider, who manages the complexities of the underlying infrastructure. Hardware and software architectures that enable infrastructure scaling and virtualization are the fundamentals of cloud computing (Caroll and Kotzé, 2011).

The term ‘cloud’ originates from the telecommunication industry in the early 1990s, where the virtual private network (VPN) services established for data communications allowed for balanced utilization and dynamic bandwidth. This resulted in increased efficiency of bandwidth in the ‘telecom cloud’. The cloud computing of today is similar in its provision of a dynamically allocated environment to meet the needs of organizations (Borgman et al., 2013). Cloud computing enables large-scale and complex data processing with its possibilities to add capabilities dynamically and increase capacity on demand. Cloud computing may eliminate the need for additional resources and investments in new infrastructure, training of new personnel or licensing of new software (Subashini and Kavitha, 2011). These offerings, together with lower investment needs in the long run, make cloud computing attractive to many growing companies, and cloud computing has grown from being a business concept to one of the fast growing segments of the modern ICT industry (Lu et al., 2013).

Consequently, cloud computing is penetrating all sectors of business applications and has influenced the whole IT industry. Cloud computing has changed the way information technology systems or services are developed, implemented, maintained and paid for (Marston et al., 2011). It has grown to be an alternative to traditional on-premise systems. Cloud computing does, however, bring new challenges. The implementation of new business models is in itself a challenge for organizations when moving from on-premise systems to cloud computing. Meeting organizations’ expectations of challenges with global and local needs is a requirement for cloud service providers. For the customer, this new business model often requires a transition from an in-house product solution to a service, which is no longer maintained within the organization. Cloud computing has changed the way IT is delivered and utilized. Switching to cloud computing has significant implications for an organization and is not just a simple standard product. Realizing the scope of a potential change from on-premise systems to cloud computing also means challenges in the form of organizations and individuals being inherently resistant to change, since change tends to be associated with uncomfortable uncertainties (Lam, 2011).

These challenges are especially critical in the discussion of enterprise systems and cloud computing. Cloud computing technology is penetrating all sectors of business applications and one of the affected areas is within enterprise systems and, more specifically, the enterprise resource planning (ERP) systems and their incorporated offerings of services (Saini et al., 2011). ERP systems are often referred to as the backbone of information systems in an organization; they integrate and automate all aspects of business operations, facilitating the information flow between different business functions. The ERP system is often seen as the most risky, time-consuming and expensive IT investment of an organization.

The cost of maintaining an ERP system is steadily increasing compared to previous years in terms of upgrades, consulting fees or licenses, where 93 % of all ERP systems are customized to some degree (Panorama Consulting, 2015). However, there are predictions regarding cloud computing playing an increasingly important role in ERP systems over the next decade (Accenture, 2012; Lechesa et al., 2012; Lenart, 2011; Seethamraju, 2015). According to a study conducted by Accenture (2012), it is not a question of whether cloud computing is becoming a fundamental deployment model for ERP systems in the near future, but rather how organizations will profit from the capabilities as successfully as possible.

Even though research is pointing towards an increased adoption of cloud based ERP systems and cloud computing is penetrating all sectors of business applications, there is still inertia in the transition. ERP systems served as a cloud model have received the lowest rate of adoption in comparison to other applications served as a cloud model (Deloitte, 2009). Furthermore, the inertia in the shift from on-premise systems to cloud computing is still a matter of fact and organizations are reluctant to deploy their business in the cloud. There are many concerns regarding cloud computing and, despite all its advantages, cloud adoption is still very low. A study by Tata Consultancy Services (2012) found regional differences in the rate of cloud adoption in average large organizations. Latin America had 40 % of its total applications in the cloud, whereas the corresponding figure in Asia Pacific was 28 %. Organizations in the United States had 19 % of their total applications in cloud computing environments and Europe’s figure was approximately 12 %.

There is a wide range of factors related to adoption of technologies, which may affect the adoption rate. Technology adoption is a continuously researched area due to its complexity, and it requires current studies within the subject in order to expose the subject to different perspectives. The excessive predictions of cloud computing create a scope for a study of cloud adoption, especially where the study is limited to a specific geographical area and its characteristics.

1.2 Problem Description

The acceleration of cloud adoption means that more information related to individuals or organizations is handled in the cloud, and organizations are reluctant to deploy their business in the cloud. Managing sensitive data with cloud computing is of critical importance for organizations whose internal documents could be considered part of their competitive advantage. When a service provider changes its business model from offering an on-premise system to a cloud computing service, it is essential to identify drawbacks connected to these changes. Addressing organizations’ expectations efficiently regarding cloud computing is vital for its acceptance and adoption. Cloud computing involves large changes for an organization, since the traditional IT system is no longer maintained in-house and the organization thereby needs to trust the service provider to manage the responsibilities. At the moment there is a gap between how providers describe the benefits of cloud computing and how organizations hesitate to use services in the cloud.

The discussion and implementation of cloud computing includes a complexity in terms of choosing system and cloud service provider. ERP systems generally increase in complexity with the extent of an organization’s business functions and operations. Since ERP systems are still overrepresented by on-premise systems (Panorama Consulting, 2015), it would be of interest to discuss how drawbacks relate to the type of cloud computing service, e.g. ERP software, software extensions or collaboration software. Thus, in the matter of organizations transitioning from on-premise systems to cloud computing, ERP systems play a critical part in the discussion since they fill a central role in organizational IT systems.

In order to gain an understanding of why organizations are hesitant to deploy their business in the cloud, there is a need to understand the potential drawbacks of a transition from on-premise systems to cloud computing. Furthermore, it is essential to obtain deeper knowledge of the different factors limiting and affecting these drawbacks of cloud adoption in terms of circumstances or influences.

1.3 Case Company

Medius AB is a Swedish medium-sized IT company providing solutions for accounts payable (AP) invoice automation. The company was founded in 2001 and is a supplier of process related IT support, offering solutions that simplify and automate organizations’ separate processes. Medius AB offers its business support mainly to organizations within the service and manufacturing industry as well as in wholesale and retail trading. The company went through changes in 2015 since its two different business lines of AP invoice automation and ERP had increasingly become two parallel tracks of Medius’ business. Therefore, the company decided to sell off its ERP system consulting business in order to streamline its operations and to experience the best growth possible. This sale implied a structural change in the direction of meeting long-term objectives and meant that Medius could fully focus on cloud based AP invoice automation solutions and being a leading supplier in that field.

Medius AB’s business is growing and the cloud business accounts for the fast growth. The company offers a cloud computing service and also an on-premise software solution, but aims to focus only on the cloud service for future business. This change with its challenges, and the fact that Medius AB has customers in many different business segments, makes for an opportunity to study potential drawbacks in the transition from an on-premise system to a cloud computing service. Furthermore, Medius AB, in its role as a cloud service provider, needs to address drawbacks affecting cloud adoption and understand how these relate to its business offerings.

1.4 Purpose

The purpose of the study is to investigate what the drawbacks regarding a transition from an on-premise system to a cloud computing service are and how these relate to factors that influence the decision of adoption. The study will explore how cloud service providers can reduce drawbacks and further investigate how providers can work to meet future requirements and lower potential drawbacks without risk of gaps or time lags. Moreover, since there is a lack of an empirical body of knowledge regarding cloud adoption (Morgan and Conboy, 2013), the purpose is to study how the drawbacks in a transition from on-premise systems to cloud computing relate to theories of innovation adoption. The purpose of the study is to fill this gap and analyze the phenomenon of cloud adoption in relation to its drawbacks, limiting factors and how these can be approached by cloud service providers.

1.5 Research Questions

Cloud adoption is a very complex topic and organizations are skeptical towards migrating their business to the cloud. This study will focus on drawbacks limiting an organization’s adoption of cloud computing and how cloud service providers can reduce these drawbacks. In order to achieve the purpose of this study, the following main research question has been formulated:

● How can drawbacks, which affect the transition from an on-premise system to a cloud computing service, be addressed by cloud service providers?

The following questions have been formulated to address the main research question:

I. Which are the main drawbacks that affect the transition from an on-premise system to a cloud computing service?

II. How does the type of the cloud-based software affect the main drawbacks?

III. How can cloud service providers develop a pro-active approach to manage the main drawbacks?

1.6 Delimitations

The study focused on addressing the drawbacks affecting the transition from an on-premise system to a cloud computing service, with an emphasis on factors limiting the adoption of new technology. The study focused on organizations and cloud adoption in the business-to-business market. Therefore, it did not focus on the consumer market and private users of cloud computing services. The delimitation was chosen to target organizational characteristics and influences, mainly since the case company acts on a business-to-business market, and to ensure that research objects were based in the same geographical location but with global businesses and operations.

1.7 Contributions

The study is an academic contribution to the extent that empirical findings from the study, forming the basis for the results, are explained with theories of technology adoption. Adoption of technology innovation is a continuously researched area and the study is a contribution to the literature in terms of its empirical setting in relation to theories and frameworks regarding technological innovation adoption. The complexity of technology adoption highlights the importance of increasing the number of reports in the area and expanding knowledge. Previous research regarding cloud adoption proposed further research, especially in terms of exposing the subject to time and location (Borgman et al., 2013), where this study’s empirical data reflect the current state and the discussion regarding cloud adoption was mostly limited to the Swedish area.

Furthermore, the study contributes to providers of cloud computing, helping them to understand what the limiting factors of the transition towards cloud computing are and how these are put in context with the organization’s decision-making processes in terms of adopting cloud computing. A case study was conducted to gain an understanding of the situation of service providers changing their offerings from an on-premise system to a cloud computing service and to give suggestions for how cloud service providers can work proactively in order to safeguard fulfillment when organizations are moving from on-premise systems to cloud computing.

1.8 Disposition

The report is arranged over seven chapters, as illustrated in Figure 1. In the first chapter, the reader is presented with an overview of the phenomenon and problem area giving rise to the study and its purpose. The second chapter gives a brief introduction to the subject, needed to facilitate the understanding of the outcomes of the empirical study. This is followed by the literature review discussing the theories and frameworks which can be applied to the studied phenomenon. Chapter four describes the method design chosen to conduct the study, including the choice of data collection. The following chapter presents the results of the collected data and is followed by a discussion and analysis in chapter six. Lastly, chapter seven summarizes the main findings by answering the research questions and giving implications and recommendations based on the study.

FIGURE 1: The Disposition of the master thesis

1. Introduction: Background, Problem Description, Case Company, Purpose, Research Questions, Delimitation, Contributions, Disposition
2. Cloud based ERP Systems: Cloud Computing, ERP Systems, ERP Software Extensions, Summary of Cloud Computing and ERP
3. Literature Review: Diffusion of Innovations, Barriers to Adoption, Cloud Adoption Factors, TOE Framework, Concluding Remarks
4. Method: Method Approach, Research Design, Validity & Reliability
5. Results: Overview, Security, Perceived Loss of Control
6. Analysis and Discussion: Overview, Security, Perceived Loss of Control, Contexts of Findings, Characteristics of Findings, Adoption Distribution, Research Methodology
7. Conclusions and Future Research: Main Findings, Implications, Future Research

2 INTRODUCTION TO CLOUD BASED ERP SYSTEMS This chapter presents a brief introduction to cloud computing and enterprise resource planning systems, in order to gain insights and facilitate the understanding of the outcomes of the empirical study. 2.1 Cloud Computing According to a report conducted by Gartner (2015), the worldwide market of public cloud services was estimated to USD 175 billion in 2015 but is estimated to grow to a total of USD 204 billion in 2016. Public cloud computing services refers to technologies of cloud computing that supports organizations that are external from the cloud service provider’s organization (Gartner, 2016). Furthermore, cloud applications services are forecasted to grow over approximately 20 percent in 2016 since many software providers shift their business models from on-premise licensed software to cloud computing services (Gartner, 2015). Cloud computing can be described as a shared pool of computing resources that can be used with minimal effort and minimal provider interaction. It is characterized by on-demand self-service, broad network access, resource pooling and a variable and measured service (Mell and Grance, 2011). Cloud computing is based on four different areas of technology; hardware, Internet technologies, systems management and distributed computing (Buyya et al., 2011). The fast ICT development has led to major improvements within these four areas, leading to the evolvement of cloud computing. The Internet technologies allows for applications on different servers and computers to communicate and exchange data. In order to collect the numerous servers where organizations store their data, technologies of distributed computing such as grid computing is vital since it enables for accessibility. Further, the hardware plays a crucial role in terms of for instance hardware virtualization, since it enables for several users to share the same resource in terms of servers. 
One server can host several organization’s applications and data. Cloud services are backed up by many physical servers, which are often complied in data centers involving thousands of computers (Buyya et al., 2011). The cloud computing model can be described by three deployment models and three service models, which will be described in the following sections 2.1.1 and 2.1.2. The cloud computing technology has influenced the whole IT industry and is penetrating all sectors of business applications. One of the affected areas is within enterprise systems and more specifically, the enterprise resource planning (ERP) systems and its incorporated offerings of services. ERP system implementations are in general a very complex project in the industries, and the complexity has been further increased with its possibilities with cloud computing technology (Saini et al., 2011). 2.1.1 Cloud Deployment Models The three types of cloud deployment models offered are private, public and hybrid cloud. The differentiation is based on the cloud’s relationship to the organization (Mather et al., 2009); ● Private cloud. The infrastructure storage, network and computing of the cloud is

operating for a private organization and might also be referred to as internal cloud. The

8

cloud is dedicated for a single organization only and the resources are not shared with others. It may be managed by the organization itself or a third party. There are three varieties of private cloud patterns:

○ Dedicated cloud. The private cloud is operated by internal IT departments and

hosted within a customer owned data center or a data center facility, which organizations can rent to space servers and computing hardware equipment.

○ Community cloud. Several organizations share the cloud infrastructure, since

there are communal concerns such as security requirements, policies and compliance considerations. The private clouds are located at the premises of a third party; owned, managed, and operated by a cloud vendor.

○ Managed cloud. The cloud infrastructure is owned by a customer and managed by

a vendor.

● Public cloud. The cloud infrastructure is owned by an organization selling cloud services and is often referred to as external cloud. The cloud is available to the general public or a large industry group and the vendor offering these services are responsible for security management and operations. Customers of a public cloud have in general a low degree of control concerning the security aspects.

● Hybrid cloud. The hybrid cloud environment is a combination of two or more clouds that remain unique entities but are linked together by standardized or proprietary technology. The cloud infrastructure enables organizations to run non-core applications in a public cloud, while maintaining core applications and sensitive data in-house in a private cloud.

2.1.2 Cloud Computing Service Models

Following the choice of cloud deployment model, the next security consideration for organization management is the type of cloud computing service model. The degree of information security of the service models relates to how the cloud vendors adhere to industry standards and legislation (Ramgovind et al., 2010). These service models can be categorized into three types, namely Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Depending on the service model, different areas of cloud management responsibilities are included, see Figure 2.

FIGURE 2: Cloud Management Responsibilities

● Infrastructure as a Service (IaaS). The IaaS model offers the customer provision of networks, storage, servers and other fundamental computing resources in order to deploy and run arbitrary software, for instance operating systems and applications. This minimizes the need for large initial investments in computing hardware and enables organizations to outsource the hosting and management of applications to a third party, for instance a software vendor or service provider. IaaS-based applications are most often delivered via the Internet to the organization’s firewall (Mather et al., 2009).

● Platform as a Service (PaaS). This cloud computing service model works similarly to IaaS but provides an additional level of rented functionality. Customers are able to transfer even more costs from capital investment to operational expenses. However, additional constraints and to an extent also some degree of lock-in posed by additional functionality layers must be acknowledged. This means that the customer has control over the deployed applications and configuration settings for the application hosting environment, but does not manage or control the underlying infrastructure including networks, storage or other fundamental computing resources (Mell et al., 2011).

● Software as a Service (SaaS). This model offers the capability to use the applications running on a cloud infrastructure. The customer does not purchase software but either rents it on a subscription, uses a pay-per-use model or gets free limited use. The applications are accessible through any authorized device, for instance a web browser or program interface. The customer does not control or manage the underlying infrastructure of the cloud, such as network, servers, operating systems, storage or individual application capabilities (Mell et al., 2011).

2.2 Enterprise Resource Planning Systems

Enterprise Resource Planning (ERP) is the definition of the system which enables organizations to manage strategically important activities and decisions. IT investments are one of the largest categories of capital expenditure and the ERP system business is a multibillion-dollar industry, producing components supporting several business functions (Adam et al., 2011). ERP systems integrate and automate all aspects of business operations, facilitating the information flow between different business functions. Planning, manufacturing and sales are examples of operations which can be managed by an ERP system, and more specific modules such as inventory control, customer service or order tracking can also be managed. ERP systems enable sharing data across various departments as well as connecting external stakeholders, partners or suppliers. The system also facilitates information flow between different business functions and is referred to as the backbone of information systems in an organization (Lenart, 2010). The ERP system often requires years of implementation and post-implementation work in terms of continuous maintenance. The system becomes part of the organization, supporting its strategic direction and tactical movements (Chen et al., 2009). In organizations, the ERP system is seen as the most risky, time-consuming and expensive IT investment. The system is delivered and sold in modules or functional components. However, the organization does not need to implement each module, although more modules might lead to greater integration and a better return on investment (Bradford, 2010). There are many predictions for the market of ERP systems and, according to Lenart (2011), the main trends include cloud computing environments. Alternatives to traditional ERP systems will be explored and organizations will realize the viable alternatives. Furthermore, clouds will co-exist with traditional ERP software deployments, and vendors building new systems can take advantage of cloud computing. Most importantly, predictions point out that ERP system providers will explore the opportunities with cloud and offer more cloud-based solutions (Accenture, 2012; Lechesa et al., 2012; Lenart, 2011; Seethamraju, 2015).

2.2.1 ERP Software Extensions

Traditional ERP systems fill an important function in organizations, but the systems have possible boundaries, where integrated ERP software extensions fulfil significant functions for different operations or industries (Brehm et al., 2001). ERP software extensions are often third-party software used to collect data from the ERP system and present it in a suitable way. The nature of ERP software extensions varies depending on the purpose of the software, and they are commonly used in connection with ERP systems where the extension gets access to ERP data. ERP software extensions are typically available for a wide range of uses, for instance reporting and publishing of data, trend analysis of sales and market data, transactional data collection, advanced planning and scheduling systems and other productivity tools. ERP software extensions interact with the ERP system and get access to data through the ERP vendors’ published interfaces, thereby minimizing the risk of corrupting data in the ERP system (Brehm et al., 2001).

2.3 Summary of Cloud Computing and ERP

According to Gartner (2015), cloud applications services, also referred to as the cloud computing deployment model of SaaS, are expected to grow due to the transition from on-premise services to cloud computing services. Since ERP systems are seen as one of the largest IT investments of an organization, it is relevant to discuss them in relation to an organization’s cloud computing adoption. Further, different add-on solutions such as ERP software extensions are necessary to understand in order to discuss how the type of cloud-based software will affect the main drawbacks in the transition from an on-premise system to a cloud computing service.

3 LITERATURE REVIEW AND PREVIOUS RESEARCH

This chapter presents the theoretical frameworks that formed the basis of the study. The literature review, in the form of existing knowledge and previously conducted research within the subject area, was summarized in order to emphasize how this study will contribute to research.

Previous research has identified key adoption factors of ERP systems and cloud computing in general (Borgman et al., 2013; Ghaffari et al., 2014; Ross and Blumenstein, 2015; Sahandi et al., 2013; Srinivasan, 2014; Trigueros-Preciado et al., 2013). Depending on the level of presence of the adoption factors, either positively or negatively, these factors can be seen as drivers or drawbacks to a transition from an on-premise system to a cloud computing service. Therefore, the review will discuss technology adoption with theories and frameworks from different perspectives to provide a body of knowledge regarding innovation adoption. The theories and frameworks reviewed describe barriers, contexts, attributes, characteristics and distribution of innovation adoption. The review emphasizes the theory of technology adoption and the Technology-Organization-Environment (TOE) framework. The TOE framework is relevant due to the importance of describing the contexts for innovation adoption. For these reasons, if an extensive drawback is identified, this could be described in different contexts, each dependent on different attributes, which sets the foundation for the decision of adoption. Furthermore, previous research has also emphasized the need to increase the number of reports within the subject of cloud adoption. The key adoption factors of cloud computing and ERP implementation have been identified in previous studies, but there is still an inertia in terms of transitioning from on-premise systems to cloud computing, hence the need to review literature related to technology adoption.

The central theoretical framework discussed in this chapter is foremost built around Everett Rogers’ and Geoffrey Moore’s theories and models. According to Google Scholar (2016), Rogers’ Diffusion of Innovations, first published in 1962, has been cited more than 72 000 times. Furthermore, the theory of innovation diffusion is complemented by Moore’s theory from his book Crossing the Chasm, Marketing and Selling Disruptive Products to Mainstream Customers, which has sold over one million print copies (Moore, 2014).

However, these authors and their respective theories and models have been criticized. The theory by Rogers has been criticized for its simplified representation and for not being predictive, with confounding results (Lyytinen and Damsgaard, 2001). Innovation is often a part of a larger historical setting and not a freestanding process. According to Chatterjee (2014), another limitation of the model is its bias towards pro-innovation, giving rise to over usage of an innovation. However, Chatterjee (2014) also states that the framework in general has received very little criticism and is the most widely used in order to understand the technology adoption and diffusion process. Moore’s theory has received criticism as well, for instance by Rogers (2003), who disagrees and claims that the curve is better illustrated as continuous. Even though there might not be a real chasm in the framework, it is useful as a mental construction, highlighting the assumption that all adopters have the same needs. Most early adopters have radically different needs and interests, compared to the larger majorities (Robinson, 2009).

Furthermore, the framework of Technology-Organization-Environment (TOE) and the theory by Tidd and Bessant were reviewed in order to gain a thorough understanding of the adoption of new innovation. The TOE Framework describes the context of an innovation with its attributes and the theory by Tidd and Bessant describes different types of barriers. This will complement the theory by Rogers, which describes the distribution and characteristics of an innovation. These theories and frameworks will bring several aspects and perspectives into the phenomenon of technology adoption, forming the basis for understanding the underlying factors of cloud adoption.

3.1 Diffusion of Innovations

The technology lifecycle is a model developed by Everett Rogers (1976), illustrating a normal distribution curve of how innovation tends to be diffused on the market when adopted by different categories of consumers. The model distinguishes five ideal categories of adopters, and each category represents a different set of needs, product criteria and reactions to new innovations (Rogers, 2003). The first category of people is the Innovators, who are the first to adopt innovation, due to their risk tolerance and fundamental interest in mastering the latest technology. Early adopters are the second category, which represents people interested in technology for the accompanying benefits. This category has the highest degree of opinion leaders among the categories. The third group is called Early majority and refers to the mainstream market, characterized by its interest in the technology when risks have been minimized. Late majority are the persons with a high degree of skepticism towards innovation, who are in general very price sensitive. The last category is the Laggards, who have an aversion to change. These people tend to be very reluctant towards new technology and adapt to innovation when there are no alternatives.

However, Moore (2014) argues for the existence of a chasm in the technology adoption life cycle, see Figure 3. A chasm can be described as a time gap in the adoption life cycle between early adopters and early majority. The chasm arises from urgency and from not taking the time that the product process requires (Mohr et al., 2014). Furthermore, Moore (2014) states that the reason for the creation of the chasm is the different expectations of the early adopters and the early majority. Moore’s theory has been successful due to its focus on business-to-business, where the curve with its chasm can illustrate the high risk and cost of adoption trial, and where the decision process is distributed across managers and executives.

FIGURE 3: Technology Adoption Model (Rogers, 2003)

Furthermore, when discussing innovation adoption processes in organizations, it is of great importance to consider the complex situation. Organizations’ innovation adoption processes involve several stakeholders, where the number of individuals could include both supporters and opponents of the innovation adoption, each playing a significant role in the decision-making process. However, the technology adoption lifecycle model is usually applied to the organization as a whole, where the organization might fit into one of the categories presented (Power, 2015). The variables influencing the adoption depend on the characteristics of the innovation and the nature of potential adopters (Tidd and Bessant, 2013). According to Rogers (2003), there are five main characteristics of an innovation affecting the diffusion and innovation adoption:

● Relative advantage. The degree of perceived benefits and costs of an innovation in comparison to alternatives or competing products.

● Compatibility. The degree to which an innovation is based on established norms, values and behaviors.

● Complexity. The degree to which an innovation is difficult to understand or use.

● Trialability. The degree to which an innovation can be tested before decision making.

● Observability. The degree to which the innovation’s advantages are obvious.

3.2 Barriers of Technology Adoption

According to Tidd and Bessant (2013), there are numerous barriers to the widespread adoption of large complex socio-technical systems. The barriers could be of economic, behavioral, organizational or structural character. Economic barriers include the access to information, insufficient incentives and personal costs versus social benefits. Behavioral barriers refer to priorities, motivations, rationality, inertia and the propensity for change or risk. Barriers of organizational character include goals, routines, power and influence as well as culture and stakeholders. Structural barriers refer to governance, sunk costs and infrastructure (Tidd and Bessant, 2013).

Reviewing literature of innovation adoption exposes a phenomenon, which can be defined and observed from a range of perspectives. Therefore, it is of interest to review the theory of factors affecting technology adoption, since depending on the factor’s positive or negative effect, they can be considered as an advantage or drawback through innovation adoption.

3.3 Cloud Computing Adoption Factors

Previous research related to the area of adopting cloud computing services has been reviewed in order to contribute to the study. A common notion in research is that there are obvious cloud computing drivers as well as cloud computing challenges (Borgman et al., 2013; Ghaffari et al., 2014; Ross and Blumenstein, 2015; Sahandi et al., 2013; Srinivasan, 2014; Trigueros-Preciado et al., 2013). However, previous research indicates that the early process of cloud adoption stresses the importance of future studies to show differences over time and geographic locations (Borgman et al., 2013). Furthermore, Morgan and Conboy (2013) argue that an empirical body of knowledge regarding cloud adoption is lacking. Therefore, it is of importance to further investigate potential drawbacks in the transition to cloud computing and how these relate to adoption in terms of context, distribution and characteristics.

Key adoption factors represent areas that must be successfully managed to increase the chance of a successful adoption (Yeoh and Koronios, 2010). Previous research has identified high perception of relative advantage, top management support and high competition intensity to be three key adoption factors driving the decision to adopt cloud computing (Borgman et al., 2013). According to KPMG International (2013), it has been recognized that speed of adoption is one of the most important factors seen by organizations in the transition to cloud computing. Thus, general concerns about cloud computing could influence the speed of adoption (Sahandi et al., 2013). Common concerns regarding adoption of cloud computing are locality, access and integrity of data (Subashini and Kavitha, 2011). Avram (2014) identified reliability as the critical factor for cloud computing adoption. Thus, organizations are hesitant about changing from an on-premise system to a cloud computing service, with special concerns about losing control, data loss and privacy risks (KPMG International, 2013). This correlates to other identified concerns regarding legal and regulatory compliance when moving from on-premise systems to cloud computing (Ross and Blumenstein, 2015; Trigueros-Preciado et al., 2013). Furthermore, previous studies highlight the issues with regard to security and vendor lock-in (Avram, 2014; Sahandi et al., 2013).

3.4 Technology-Organization-Environment Framework

The Technology-Organization-Environment (TOE) is a framework describing the three contexts influencing an organizational adoption of a technological innovation. The TOE Framework was developed by Tornatzky and Fleischer (1990) in order to provide insight in the study of adoption and assimilation of different categories of ICT innovations. The framework was originally established to be consistent with Rogers’ Diffusion of Innovation theory, where it describes the characteristics of external and internal drivers for organizational innovation. The TOE framework incorporates the same features in the contexts of technology and organization, but includes a third context in terms of the environment. This additional context facilitates the discussion of explaining innovation adoption in organizations, since it incorporates another dimension to the complex situation (Oliveira and Martins, 2011). The framework is appropriate for analyzing technology innovations which are associated with uncertainties of current or future status of that specific technology adoption (Lechesa et al., 2012). The three contexts of technology, organization and environment include both constraints and opportunities for adoption of innovative technology. According to Tornatzky and Fleischer (1990), the technological context includes internal and external effects of the technology on the organization. The organizational context looks at attributes connected to the organization which affect the decision of adopting the technology. It includes organizational characteristics and resources, for instance linking structures between organizational size, processes, employees, communication, etc. The environmental context considers the area in which an organization performs its business, for example the industry, competition, suppliers and other external factors (Borgman et al., 2013). These three contexts are all connected to the technological innovation decision making, which is illustrated in Figure 4 below.

FIGURE 4: Technology-Organization-Environment Framework (Tornatzky and Fleischer, 1990)

3.5 Concluding remarks

In order to gain insight in the transition from an on-premise system to a cloud computing service, there is a need to fully understand different factors affecting cloud adoption. The literature review identified Rogers’ five main characteristics affecting innovation adoption as relative advantage, compatibility, complexity, trialability and observability. These characteristics will be described in relation to the identified results of the study. Also, in order to discuss the drawbacks fully, the different barriers found in the literature review will be used to describe the different attributes behind them and how these relate to the distribution of cloud computing. Furthermore, the TOE framework will be used in order to analyze the results of the study and how these relate to the different contexts of technological factors, organizational factors and environmental factors.

4 METHOD

This chapter describes the motivation behind the process and the research design used in this study in order to ensure the rigor in terms of reliability and validity. The research design was also carefully chosen in order to give access to empirical data, reach the objectives of the study and fulfill the purpose of the thesis.

4.1 Methodological Approach

A case study was conducted at Medius AB, a Swedish IT company providing a cloud service of accounts payable invoice automation. Case studies are a methodological approach used to examine, for instance, a business, event or process. A case study is an empirical study investigating a phenomenon in the settings of real life (Yin, 2009). The research had an inductive approach to the problem. An inductive study implies conducting a collection of empirical data on the identified problem and subsequently using theory in order to develop better understanding (Blomkvist and Hallin, 2015). The study started with collection of data within the subject area in order to form an understanding and to bring suggestions on how to continue with the research. The main research question was formulated as a how-question, and case studies have been proven to answer these types of questions well (Voss et al., 2002).

4.2 Research Design

The research process had an iterative approach, where the problem formulation, purpose and research questions were updated continuously when new knowledge was gained (Blomkvist and Hallin, 2015). This also refers to the literature review, where the keywords were refined during the process in order to match the current direction of the research process. The first phase of the research was to create a contextualization in order to form the scope of the research area. This was done to be able to define research focus concepts, in order to conduct literature review, data gathering and analysis regarding the formulated research questions to finalize the dissemination. The research process is illustrated in Figure 5 below.

FIGURE 5: The Research Process Design

4.2.1 Pre-study

In order to gain knowledge regarding the context and the current situation at the case company, a pre-study was conducted in the beginning of the research. The purpose of conducting a pre-study was to become familiar with the context and potential scope of the study (Collis and Hussey, 2014). It is also a method for validating the feasibility of the case study, facilitating the formulation of a preliminary problem definition and research questions. Introduction days at the case company formed the foundation of the pre-study, including presentation of the cloud-based service as well as the hosting cloud platform. The introduction days were mostly held by the Information Security Manager at the case company. The pre-study also included unstructured interviews with the Chief Technology Officer, Head of Cloud Operations and a Pre-Sales Manager in order to gain insight into the current situation of the transition from offering on-premise systems to cloud computing. In the state of trying to gain knowledge and formulating a problem, unstructured interviews are a suitable choice of interview form, since the interviewees are able to formulate and provide answers in their own words (Collis and Hussey, 2014). Furthermore, a pre-study enables diverging the scope to find possible problems and relations in order to make the problem formulation more precise (Blomkvist and Hallin, 2015). This phase could be referred to as the contextualization phase, where the focus was to understand the context of the phenomenon in relation to the case company and to scan the literature in order to form the scope of the research area. The mapping of the company context was done through the unstructured interviews with the above-mentioned key roles at the case company, but also through material collected at the intranet, for instance customers’ requirement specifications and recurrent questions from customers regarding the cloud service. At these occasions, links and differences between on-premise systems and cloud computing were identified and later formed into new questions that were brought back to the interviewees on subsequent occasions. These meetings were very informal and unstructured, where the purpose was to clarify thoughts or reflections on the subject. Table 1 lists the persons at the case company involved in the pre-study.

TABLE 1: Interview participants from case company

| Role in case company |
|---|
| Information Security Manager |
| Chief Technology Officer |
| Pre-Sales Manager |
| Head of Cloud Operations |

4.2.2 Literature Review

The literature review aimed to critically explore the existing literature in the field of study and provide guidance for the research (Collis and Hussey, 2014). This process proceeded continuously throughout the whole study, mainly to get initial understanding of the actual concept and context, but also to create a baseline to compare the current situation at the case company. The literature review also consisted of scientific articles, journals, academic reports, consultancy reports, books and other published work within the area of subject. Most of the material was collected through databases provided by KTHB Primo, Google Scholar, ACM Digital Library and Web of Science. The keywords used in the search for relevant literature included “cloud computing”, “ERP adoption”, “cloud adoption”, “cloud barriers”, “cloud security”, “cloud security management”, “cloud compliance”, “barriers of cloud computing”, “innovation adoption”, “technology adoption”, etc. These keywords were used separately and in combination in order to obtain a large scope of material, but also to refine the search area and find the most relevant material of the study.

Furthermore, the literature review started with scanning and assessing scientific journals within the subject matter in order to get an overview of the existing body of knowledge. A part of the collected material stems from the industry and is therefore written by consultants and practitioners, meaning that it might contain personal experiences and opinions. Therefore, the mix of different sources and types of literature has been of importance in order to ensure an appropriate level of credibility for the study.

Later on in the study, literature in form of theories and frameworks of industrial dynamics, more specifically regarding technology adoption were reviewed in order to provide knowledge but also to contribute in strengthening the analysis and recommendations of the study. Further on, additional literature was searched for engagements, which could be discussed in relation to the chosen theories and models.

4.2.3 Interviews

Qualitative data was gathered by conducting interviews with different stakeholders in order to capture different views of the studied phenomenon and subject matter. In order to fulfill the contribution of the study of increasing the number of reports regarding cloud adoption, a criterion for the selection of the target group for interview candidates was that the candidates should have knowledge and experience within the field of cloud adoption and the decision-making process behind organizations’ cloud adoption. A preferred qualification criterion was that the interviewee had worked very closely with organizations making a decision on or going through a transition from on-premises to cloud computing. Likewise, first-hand experience in the decision of transitioning from an on-premise system to a cloud computing service was also seen as a preferred qualification for the selection of interview candidates.

In order to search for interviewees, the web service LinkedIn, which is a networking channel connecting professionals, was used. LinkedIn provides information regarding a person’s work position and organization. Each user of LinkedIn is able to edit their own profile page, meaning that many persons have additional information regarding their areas of expertise and different conducted projects or studies. Numerous persons’ profile pages were reviewed, mainly scouting for persons with knowledge or experience in the subject matter. When a preferred interview candidate was found, the web-based search engine Google was used in order to find contact details for the person. The e-mail address connected to the organization was most often found and the request for an interview was sent to that specific address. In some cases, the request was redirected to another person at the organization, if there were other persons who had more knowledge within the area.

Interviews with organizations offering cloud computing services were conducted in order to understand how other organizations within this type of business are facing demands and obstacles regarding cloud adoption or a transition from on-premise systems to cloud computing. This is referred to as a method of benchmarking and is a type of comparative study. However, the purpose of the study is to gain insight in how drawbacks are affecting the transition from an on-premise system to a cloud computing service, thus the interviews with other cloud service providers were mainly conducted to understand their reflections on the subject.

The study also included interviews with experts within the field of cloud or ERP management. Therefore, relevant persons at several management and technical consultant firms were contacted, since they were most likely to work very closely with their clients from an advisory position on the subject of transition from an on-premise system to a cloud computing service. Further, the respondents from the consultant firms had experience from numerous industries and organizations. Most importantly, these respondents had also addressed reluctance from their clients, which means they could contribute experience and insights into which drawbacks could be found critical in a transition from on-premise systems to cloud computing services. Lastly, these respondents could also provide insight into how they had worked in order to increase the acceptance for cloud among their clients. These firms were also chosen in order to ensure fulfillment of the study’s contribution of giving recommendations on how cloud service providers should address the drawbacks in the transition from an on-premise system to a cloud computing service.

Further, interviews were conducted with technical service providers within the area of cloud computing and outsourcing of large IT infrastructure. These organizations had a lot of knowledge and insights from their customers regarding perceived advantages and disadvantages. All these interviewees also had first-hand experience of customers being reluctant to deploy their business in the cloud.

Furthermore, other interviews were conducted with persons with expert knowledge relevant to why organizations may be hesitant towards a potential transition from an on-premise system to a cloud computing service. One interview was conducted with a legislation institution, which developed legislation regarding cloud computing services in the public sector. Besides determining how cloud computing services should be managed in the public sector, the interview respondent also had a lot of knowledge of cloud adoption, since this person had been involved in studies regarding cloud computing over a long period of time. Additionally, an interview was conducted with a person at an IT security company, which provided security support to organizations in Sweden to manage their security management. The demand for security management has increased as cloud computing services have become more available, and the interviewee had a lot of knowledge in the area of cloud computing and ERP management. Lastly, an interview was conducted with a person at a production company, which had an on-premise ERP system and only used a few cloud computing services within the organization. The aim of this interview was to hear from a person who had first-hand experience of why organizations were hesitant towards a transition from an on-premise system to a cloud computing service. Further, the business operations of the organization are very complex, since the company is a manufacturing company that is highly dependent on its business functions being integrated and requires a high availability of all systems. Therefore, a reasoning on whether the different types of cloud-based software affected cloud adoption within the company was of interest.

| Interviewee designation | Main business area | Title of interviewee |
|---|---|---|
| C1 | Cloud Service Provider | Chapter Lead, Security |
| C2 | Cloud Service Provider | R&D Manager |
| C3 | Cloud Service Provider | Service Owner, IT Compliance & Integrity |
| I1 | IT Security Company | Computer & Network Security Consultant and Contractor |
| L1 | Legislations Institution | Procurement Officer |
| M1 | Management & Technical Consultant | Head of Functional Service Delivery & Deputy Head of IT Infrastructure |
| M2 | Management & Technical Consultant | Head of Governance and Organization |
| M3 | Management & Technical Consultant | IT Security Manager |
| M4 | Management & Technical Consultant | Senior Consultant |
| M5 | Management & Technical Consultant | Senior Manager |
| M6 | Management & Technical Consultant | Senior Manager |
| M7 | Management & Technical Consultant | Senior Manager, Technology Consulting |
| P1 | Production Company | Chief Executive Officer |
| T1 | Technical Service Provider | Administrative Security Manager |
| T2 | Technical Service Provider | Associate IT Architect |
| T3 | Technical Service Provider | Executive Consultant & Cloud Advisor |
| T4 | Technical Service Provider | Senior IT Architect, Security |

TABLE 2: Interview participants with expert knowledge in cloud computing

All interviews were personal face-to-face interviews in a semi-structured format, where the questions were prepared beforehand and open-ended. This type of interview format encourages the interviewees to explore the answers further. Semi-structured interviews are preferable when the aim is to understand the context (Rubin, 2008). The interview questions can be found in Appendix A and correspond to the interview questions used later in the process, since the study aimed to have a very iterative approach in which the interview questions were adjusted during the process as new literature was searched for. Further, since follow-up interviews were not conducted, the adjustment of interview questions ensured that gaps in earlier collected material were filled. The interviews used a critical incident technique, in which all interview participants were encouraged to answer the questions by telling their story in their own words (Collis and Hussey, 2014). In order to collect the material in an efficient and trustworthy way, the interviews were recorded to the extent possible. However, ethical aspects were taken into consideration, and the interview participants were asked beforehand and needed to approve being recorded throughout the interview session. Furthermore, principles identified by Bell and Bryman (2011) were applied to ensure that the study was conducted in a manner conforming to ethical principles. The anonymity and confidentiality of all participants of the study were discussed and directly communicated. All participants’ answers were treated anonymously so that they could express their reasoning in an open manner, which is of great importance since the information should not be held against or harm the participant or the organization (Collis and Hussey, 2014).

4.2.4 Questionnaire

The study aimed to collect quantitative data through a questionnaire. However, the questionnaire was ultimately excluded as a method of the study due to its low response rate, which is discussed further in section 6.7. The methodology of the questionnaire’s creation and distribution will still be discussed in this section. The questionnaire was created through the online service Google Forms and sent by e-mail to the participants. The search for questionnaire participants followed the same process as for the interviews, and LinkedIn was used in this case as well. However, the criteria for the target group of questionnaire participants were different. In this case, persons within an organization’s IT department were searched for. Preferably, persons with a position as Chief Technology Officer (CTO) or Chief Information Officer (CIO) were approached for the questionnaire. Further, the target group for the questionnaire was persons involved in either on-premise systems or cloud solutions within their organization, preferably in the transition from an on-premise system to a cloud computing service. After the contact details were found, an e-mail with a link to the questionnaire was sent. The questionnaire included both multiple-choice questions, which can be seen as quantitative data, and open-ended questions, which can be referred to as qualitative data (Rubin, 2008). The questionnaire was first formulated in English but was later translated into Swedish, since this was likely to increase the response rate. Further, design principles Further, the questionnaire was tested on a few persons at the case company and then re-designed according to the received feedback in order to increase the quality of the questionnaire. According to Collis and Hussey (2014), this is also a way of ensuring reliable responses.

However, it is difficult to ensure that the questionnaire was sent to persons with full competence in the subject matter, since every participant was found on LinkedIn, where most of the participants only provided their job title on their LinkedIn page. However, some of the participants provided a description of their competence, skills and experience from different projects or work. Therefore, participants whose description matched competence in the subject matter were preferred over participants providing only a short job title. The approach of conducting questionnaires is in general quick and flexible, because the process of data collection and analysis is automated to a large extent. Furthermore, the questionnaire is to a large extent self-administered, with the respondents reading and answering the questions on their own.

4.2.5 Data Analysis

The choice of a qualitative data approach emphasized understanding the phenomena in their own right and, according to Polkinghorne (1983), a qualitative method relies on linguistic rather than numerical data collection. This in turn means that the data collection employs a meaning-based analysis rather than a statistical form. It is important to remember that the choice of a qualitative study may be influenced by pre-existing theory, own expectations or previous empirical research.

In order to avoid misinterpretations in the analysis of the interview data, the available recordings were first carefully transcribed into text. The purpose of transcribing into text was to minimize interpretation errors and to allow conclusions to be drawn afterwards. According to Bell and Bryman (2011), overcoming natural limitations such as memory and the loss of nuances in answers is one of many advantages of transcribing interviews. Additionally, each interview session had two interviewers in order to minimize interpretation errors. During the analysis, the collected data was categorized in order to find common denominators of the research subject. Examples of denominators could be patterns, themes, relationships, sequences or differences. One approach was to categorize based on similar requirements and prioritization concerning the drawbacks in the transition from an on-premise system to a cloud computing service. The qualitative data was analyzed with the aim of finding patterns through the distribution and its relevant level of measurement. Furthermore, the data analysis had an iterative approach, where data collection and analysis occurred simultaneously in order to remain open to all possibilities. This allowed new questions to be suggested for the interviews. Furthermore, the collected data from the interviews was also linked to the body of knowledge in order to make generalizations and construct theory.

The literature analysis consisted of a critical evaluation and collection of journals, articles and published work using a thematic approach, following the recommendations provided by Collis and Hussey (2014). One of the frameworks found in the literature review was the TOE framework, which was used in order to analyze the context of the identified results.

4.3 Validity and Reliability

The validity of the study was discussed in light of the different methods used in the study. For instance, the limited scope of interviews had an impact on the study’s validity, even though interview sessions were to a large extent conducted with at least two persons at the same organization. It is of great importance to highlight the validity of the interviewees’ answers and opinions, since there is a possibility of getting personal opinions that do not represent the organization’s opinion or the valid setting. The reliability of the study was dependent on how the interviews were designed, in terms of formulating the questions clearly and making sure they were easy to answer. The reliability of the study was further increased by continuously documenting each step of the research process and by saving all material in order to make it available for any repeated study. Although the case study was conducted at Medius AB and at their IT Department, which raises the question of whether the results of the study can be applied to a similar setting, the results should be possible to extend to a broader context. According to Collis and Hussey (2014), generalization of a single case is possible if a profound understanding of the circumstances and the context of the investigated phenomenon has been achieved.

5 EMPIRICAL FINDINGS

This chapter presents the empirical results from the interviews that were obtained with the employed methods explained in Chapter 4.

Interviews were conducted with 17 representatives from a total of 10 companies. The companies represented cloud service providers, technology suppliers, consultancy firms and other organizations with a business area closely related to cloud technology. The results of the collected material aim to answer the main research question “How can the drawbacks, which affect the transition from an on-premise system to a cloud computing service, be addressed by cloud service providers?”. The adoption of cloud computing services is very dependent on the business context of the organization and its characteristics, legislation and market demands. However, independent of business context, the results of the study indicated that security and perceived loss of control were the two dominant drawbacks, mentioned by all interview respondents, for the transition from an on-premise system to a cloud computing service. Chapter four presented a table of interviewees with the organization’s main business area and the role of the interviewee. The organizations are designated with C representing cloud service provider, M representing management and technical consultants, P representing a production company, T representing technical service providers, I representing an IT security company and L representing a legislation institution. Interview respondents at each organization are designated with 1, 2, 3, etc. For example, C1 represents the first interview participant at a cloud service provider.

5.1 Overview

The results of the study identified security and perceived loss of control as the two major drawbacks in the transition from an on-premise system to a cloud computing service. Security refers to asset security and incident security, where asset security describes the concerns regarding organizational assets whereas incident security includes the risks of different incidents related to cloud computing technology. The results from the interviews outlining the most important drawbacks to cloud adoption are summarized under the categories security and perceived loss of control, as shown in Figure 6.

FIGURE 6: Identified drawbacks resulting from the interviews

5.2 Security

Security was identified as a main drawback in the transition from an on-premise system to a cloud-based service. The term security is very broad and includes many different perspectives connected to a service or organization. The results of the study discussed security from several perspectives, but two main areas within the subject of security were identified through the data collection and could be incorporated in the areas of asset security and incident security. Asset security refers to the protection of any vulnerable or valuable asset, where an asset is defined as data, device or other element supporting activities related to organizational information, software or hardware. Asset security includes the protection of facilities, systems, patents and software, but also incorporates aspects such as organizational reputation, image or knowledge. Incident security refers to one or several unwanted or unexpected events that could compromise the security of organizational data and could have an impact on or weaken business operations.

Interview respondent C3 mentioned that competition between cloud service providers and their fight for cost cutting may result in providers cutting corners and taking risks resulting in security implications.

“It is difficult to put a price on the level of security. How do you prove that the security is enough without taking a risk?” - Interview with an Administrative Security Manager

5.2.1 Asset Security

All interview respondents identified security as a drawback for transition to cloud services, and the discussion was most often related to organizational assets. Asset security includes a wide range of terms, where an asset is defined as data, devices or other elements supporting activities related to computer, network or information security. Confidential information, software and hardware are most often referred to as part of an organization’s assets. The transition from an on-premise system to a cloud service includes a loss of ownership and control, highlighting different risks in terms of asset security when handing critical organizational data over to a third party. Interview respondent T3 discussed asset security in terms of not being able to physically control the applications. A cloud service means entrusting sensitive information and data to the cloud service provider, which is likely not to treat it as carefully as the organization itself. The application will instead run on IT infrastructure that the organization does not own or control. The nature of the cloud software was also discussed in terms of managing different types of assets, including business-sensitive data. Depending on the different applications used at the organization and the specific purpose of the software, the level of criticality corresponds to the data being handled in a cloud environment. Interview respondent P1 stated that their organization used an on-premise ERP system and is most likely not transitioning to a cloud-based ERP system. One of the reasons for this statement was that their ERP system is very complex, and the risk of their assets being exposed was found to be a drawback in the organization’s decision-making process. The results of the study highlighted the importance of ensuring safe management of organizational assets in a transition towards cloud.

Different perspectives of asset security were identified as critical in the discussion of transitioning from an on-premise system to cloud-based services: loss, distortion or destruction of data, intellectual property theft, unauthorized access or misuse of access, unauthorized secondary usage of data and incomplete removal of information.

● Loss, distortion or destruction of data. One of the identified drawbacks why organizations are reluctant to adopt cloud services was the perceived risk that their organizational data may get lost, distorted or destroyed. Interviewee P1 highlighted the risk of data loss as one of the most critical factors for choosing an on-premise ERP instead of a cloud-based ERP system. The majority of interview respondents discussed the importance of putting demands on the cloud service provider regarding their management of organizational data. It is of great importance to ensure that the data is accurate and not modified or destroyed. Interviewees T2 and T4 stressed the importance that all data must at all times be correct and uncorrupted. Their organization would go to the extent of encrypting all data used in a cloud solution, thereby providing extra security against distortion, destruction and theft. Respondent M1 informed that logging the entire system is important to discover if, when and how information is handled incorrectly. However, due to cost implications, this is not always done by cloud service providers. Respondents M1 and M2 also confirmed that they were in favor of logging activities in the cloud.

● Intellectual property theft. One of the major concerns about adopting cloud computing services was the risk of intellectual property theft. The collected material from the interviews indicated that organizations’ fear of their intellectual property potentially being exposed is critical in the discussion of adopting a cloud service. This loss of ownership and control highlights the risk of intellectual property theft when handing critical organizational data over to a third party. The interview participants T2 and T4 stated that cloud service providers are most likely to use subcontractors to meet all levels of demands, leading to the possibility of data moving between different servers and different countries, some with weaker intellectual property laws or enforcement. This was also discussed in an interview with C1 and C3, who worked at a cloud service provider that used three different vendors. However, they did not rely on their providers in terms of intellectual property and therefore consistently encrypted all data. During interviews with another organization, it was stressed that in-house encryption of data was used as a measure to avoid intellectual property theft. The risk of losing control over its data was also the reason for another organization, which participated in an interview in this study, not to turn to a third party and instead manage the cloud internally within the organization. Even though this meant acquiring new competence and skills, the organization did not want to host all their intellectual property on a third-party server. Further, the manager for that organization’s research and development department discussed how important it is to control intellectual property and how the organization differentiated the internal access to their assets. He further explained how his department considered their code as extremely classified and therefore other departments in the organization were not given access to it. The possibility of leaking code related to the code platform would mean losing competitive advantage, and the code was not shared with anyone, regardless of how important it was. This stresses the importance of managing sensitive data carefully and highlights the risk of intellectual property theft as a drawback in the transition to a cloud computing service. In order to overcome this drawback, the participants of all conducted interviews were united regarding the importance of conducting a proper asset assessment at the organization. The asset assessment should be conducted in order to classify the different organizational assets and to be able to make a decision regarding how to reduce the risks of intellectual property theft.

● Unauthorized access or misuse of access. Several interviewees raised concern that unauthorized access to data may be an issue with cloud computing services. The procedures, rules and physical controls of access will be totally left to the cloud service provider. A cloud service provider mentioned that they have written procedures for internal staff access and keep security measures in place to avoid rogue access. Interviewees C1 and C3 mentioned that cloud data may be stored in many countries and that governments may have legal rights to access data without notifying the cloud provider. This was one reason why their organization encrypts their data. The interviewees further discussed the importance of traceability regarding user access and that different industries or business segments may have their own legislations for compliance. One interviewee, L1, raised the issue that the security mechanism of a service provider consists of many parts or entities, and that the risk of unauthorized access as a result of this may be higher than for an on-premise solution.

● Unauthorized secondary usage. One cloud service provider mentioned that they were considering authorized secondary usage of data as a way of improving its services to cloud users but decided against it, since it would be likely to provoke discussion and maybe give providers a bad reputation. To ensure that unauthorized usage is avoided, one interviewee, M6, recommended a legally binding agreement with the cloud service provider. Furthermore, some legislation prohibits data being used for other reasons than it was collected for, since the cloud service provider is a third party. Again, legally binding agreements were discussed as necessary to prevent unauthorized usage.

● Incomplete removal of information. Interview respondents T2, T4 and M6 raised the question of safe and complete removal of data. Reasons for requesting removal of data can be compliance with legislation or a change of service provider. When using a cloud solution, precautions must be taken so that any copied information is completely removed without any possibility of later recovery. Interviewee L1 commented that cloud providers should have clear rules for storing personal data, including the right to completely delete the information. Another point was raised by interviewees M5, M6 and M7: that organizational data may be stored in the cloud as part of a non-sanctioned IT solution. Whether or not the cloud provider has routines to remove this data completely as well highlights the issue of incomplete removal of organizational information and the risk to which cloud solutions expose the organization. This matter is further discussed in section 6.2.2.

5.2.2 Incident Security

All interview respondents identified security as a drawback for the transition to cloud services, and the discussion regarding managing new types of incidents was raised. Entrusting a third party with the handling of critical organizational data also means trusting them to manage their operations correctly in order to avoid incidents. Assurance regarding security or privacy incidents was discussed as a critical component in the transition towards cloud technology. For instance, the consequences of incidents at the cloud service provider’s end may lead to organizational reputational damage or legal liability. Therefore, cloud users should ensure that contracts with cloud service providers have adequate commitments for security and recovery, and penalties if these are missed. The interviewees M5, M6 and M7 stressed the importance of a detailed service level agreement (SLA) with specific objectives for data to be protected and recoverable. Furthermore, the cloud service supplier should specify the different incidents and the time allowed to address each incident before a certain service level is exceeded, in order to establish a service fee or service credit. According to P1, M1 and M2, the nature of the cloud service could be of a different level of importance depending on whether the service level agreement was applied to an ERP system, software extension or collaboration software.

Interview respondents mentioned in particular the following incidents as critical; backup and recovery, isolation failures, Internet attacks or failure and dependence on external factors.

Several respondents commented that the issue of incident security is very critical, since it raises the possibility of new types of accidental or unexpected events occurring. A cloud service provider mentioned that their customer required that faults with information security implications should be reported. The interview respondent T1 mentioned that it is of great importance that the cloud service provider has an incident management system in place. This was also discussed by interviewee C2, who stressed the importance of cloud service providers classifying possible incidents based on their severity and impact on the organization.

● Backup and recovery. Interview respondent T1 mentioned that data in the cloud is often copied and stored in many places to assure a high level of security and reliability. However, this also means it is vulnerable if part of the information is lost or if the copies lose contact with the original data. Interviewee P1 mentioned backup failures as a large concern regarding a possible transition to cloud computing and discussed the possible solution of running the software on their own systems, acting as an in-house cloud, in order to avoid catastrophic failures.

● Isolation failures. The security of virtualized environments and ensuring strong isolation in order to prevent information leakage is of great importance in cloud computing. In a cloud solution, many users are able to share a single service solution. It is vital that the mechanism that separates different users’ data and storage is working to avoid improper access. Virtualized environments introduce new security vulnerabilities; for instance, side-channel attacks can break the virtualized isolation, allowing data leakage. Interview respondents T2 and T4 commented that isolation failures are extra sensitive for government agencies. This was strengthened by interviewee L1, who stressed his concerns regarding isolation failures and leakage of data connected to the public sector. Interviewee T3 mentioned that banks and public sector organizations handle large amounts of sensitive personal data and that legislation is not always clear on how to handle cross-border storage of data. Legislation may differ between countries, also within the EU. Cloud service providers seldom give guarantees as to where they physically store data. This may be an obstacle for transition to cloud solutions. Further, interviewee T3 stressed the importance of providers assisting and educating organizations in how to use cloud solutions and still satisfy lawmakers. Public sector organizations will probably not fully make a transition to cloud solutions, since some applications are too sensitive, but a hybrid solution could be possible in this case.

● Internet attacks or failure. Cloud computing evokes fear regarding different vulnerabilities, where Internet attacks and failures will quickly result in an incident reducing the reliability and availability of the cloud service. Interviewee I1 discussed different attacks, among them Distributed Denial of Service (DDoS), an attack intended to make a resource unavailable to its intended users by overloading the network service. The attack might disrupt the service but could also deplete all the bandwidth or resources of the system. Interview respondent L1 commented that Internet attacks may result in failure to use important business systems, resulting in interruptions to business operations. Furthermore, interviewee T1 informed that phishing attacks are commonplace and regularly monitored by their organization. A phishing attack is an attempt to enter the system to acquire sensitive information. Interviewee I1 discussed how the damage from attacks could be greater in cloud environments, compared to an on-premise service, since the scale of operations is larger and the extent of high-risk access is larger in a cloud service. Additionally, interview respondent P1 talked about the consequences of their business losing access to their data and how it would be extremely devastating. Therefore, the interviewee wished for cloud service providers to always make sure that downtime is minimal with respect to data access, in line with the criticality of the type of solution being affected. For example, different ERP software extension tools were discussed in relation to the degree of vulnerability and effects on business operations, where an Internet attack would not be as critical as for an ERP system.

● Dependence on external factors. Cloud services are normally dependent on equipment and servers spread over many locations in different countries. External factors such as availability of basic services, electricity and water, and weather and wind can affect the reliability of a cloud service. Since a cloud service is by nature spread over many locations, the external risk factors are more difficult to assess. According to the interview respondents T1, M1 and M2, a business continuity and disaster recovery plan for an on-site solution may be less complex. The dependence on external factors for an on-premise solution is easier to assess and plan for. Cloud service providers should have a business continuity and disaster recovery plan. If part of a cloud service solution becomes inoperable, there must be a plan to recover data and relocate the applications to another provider.

5.3 Perceived Loss of Control

The results of the study identified the perceived loss of control as a drawback in the transition towards cloud. All interview respondents agreed that there were factors affecting the decision to adopt cloud-based services that were connected to cognitive and perceived behaviors. The interviewee L1 stressed the importance of differentiating between perceived and actual security, claiming that organizations within the private sector should not be concerned about adopting cloud services. According to interviewee T3, there is inertia in migrating an organization’s assets to the cloud, since it evokes feelings in individuals and consensus obstructs it.

One of the drawbacks in the transition towards cloud technology depends on cognitive behavior and the perceived loss of control was identified as a critical adoption factor.

5.3.1 IT Department not embracing Cloud The majority of interviews talked about the IT department or management team being a major drawback for not adopting cloud technology. The maintenance not being in-house at the organization is one of the key reasons. According to interviewee M3 and M4, managers at a management and technical consultant firm, there is a clear perceived loss of control when not maintaining the IT infrastructure in-house. They shared the results from a study, which their organization had conducted and the results indicated that the largest drawback for not migrating to the cloud was because of resistance from the IT department or C-level managers. Further, interviewee P1 communicated how some employees within his organization had expertise knowledge in their ERP system, which was very complex and customized in order to facilitate their business operations. Therefore, he could not see a clear need for the organization to transition from an on-premise system to a cloud computing service within the next coming years. However, P1 were very open-minded towards collaboration software or similar add-on software. Similarly, on-sites installations and all IT-systems being maintained inside the organization were important to certain individuals in order to experience and feel control. This was, according to the majority of interviewees, one of the largest drawbacks from moving towards a cloud computing service. As mentioned, this drawback is also seen as critical, especially since the perceived loss of control felt from individuals is influential during the decision making process. This was strengthened by interviewee T3, where the interviewee discussed a client’s concerns for the loss of control over IT, leading in turn to concerns regarding downsizing the IT department. 
In a decision-making process about moving towards cloud services, much depends on the type of service, since it may affect part of or the whole IT department and can therefore be of great importance in the decision.

“Cloud is a new business model, which threatens traditional work where old competence is no longer needed and since this is a new way ahead, a lot of feelings are evoked when discussing cloud services. This may be a drawback to the acceptance for cloud solutions”. - Interview with an Executive Consultant & Cloud Advisor

The results from the interviews stressed the importance of educating customers on cloud in general. Many customers were not fully familiar with its implications for their business. Two of the interviewees, M1 and M2, recognized that the CTO or a similar position is central in the decision-making process, acting as a bridge to senior management. Another interviewee, T3, highlighted the need for leadership within an organization, since migration to the cloud evokes feelings and this is complicated by consensus. The inertia in moving towards cloud solutions is very much dependent on cognitive behavior. Therefore, one of the largest barriers is the perceived loss of control and not always necessarily the actual loss of control.


5.3.2 Trust Issues for Cloud Computing

One component affecting the perceived loss of control in a transition from an on-premise system to a cloud-based service is the lack of trust in cloud computing. A recurrent topic during all interviews was shadow IT. Shadow IT is the term for IT solutions that are used within an organization without approval from the IT department. Sanctioned IT systems or solutions are the ones with organizational approval, where the budget for IT solutions is determined. The non-sanctioned solutions may appear as a result of slow response from management or in-house IT departments. According to interview respondents M1, M2 and T3, the appearance of shadow IT is partly due to the slow acceptance of cloud services within organizations. Instead, individuals start creating their own solutions to their problems and start using solutions or tools without organizational approval.

The presence of shadow IT solutions is a security risk, since the tools used by employees are not documented and controlled by the organization. This in turn results in employees using cloud services that are not organizationally approved, since the employees demand access to data from different devices and independently of physical location. According to interview respondents L1, M4 and M5, cloud services account for the majority of the shadow IT solutions and are a factor in giving cloud solutions a bad reputation. Though the shadow IT solutions satisfy immediate needs, they put organizations under unnecessary and uncalculated risks. According to the results from the interviews, it is obvious that there may be a misconception regarding sanctioned in-house IT solutions and shadow IT solutions and how this relates to cloud services in general. Several respondents, T2, T3 and T4, were concerned that shadow IT solutions appear within the organization.
However, respondents M1 and M2 also acknowledged that cloud services might be more of a solution to this problem than an obstacle. The appearance of cloud-based shadow IT solutions in many of the interviewed organizations indicates that cloud-based solutions are already in use and that IT departments and management need to spend more time understanding how they are actually used today and how to take control of this. Interviewee T3 said that shadow IT solutions appear and are a fact, since sanctioned IT solutions are too slow or unwilling to solve a problem. Sometimes individuals are not aware of the organizational risk. The same interviewee stressed that it is so easy to purchase a cloud-based service and pay per use without investments that individuals in organizations will take a shortcut if they can solve a problem with this service. But when unsanctioned by the IT department and management, it may well put the organization at risk. The interviewee was clear that she thought cloud-based solutions offer many benefits that the IT department should embrace to better serve the needs of the organization; among these are fast and easy access to many services, flexibility to grow or reduce without large investments and access to new tools necessary for business development.

Further, interviewee T3 described the complicated process of getting an IT-approved development tool and the time involved in setting it up on-site, and compared this to purchasing a solution from a cloud service provider with a credit card and disguising the expense as a business travel cost. She said that this exists in her organization and that it definitely involves risks, but that the individual may be unaware of or unable to assess the risk. She further described a meeting with a bank where the bank said that it was not prepared to use any cloud solutions. She informed them that they were already using a lot of cloud-based solutions and should instead concentrate on having adequate controls for security.

It was very obvious from the interviews that cloud services were in use in many organizations without the approval of the IT department. There is an obvious gap between sanctioned solutions and solutions actually in place. Management needs to take better control of this issue and how it relates to the use of cloud services in general.


6 ANALYSIS AND DISCUSSION

This chapter presents an analysis and discussion of the results. The theories from the literature review, previous research, methodology and the findings of the study are connected and discussed in relation to each other in order to answer the main research question and the underlying research questions.

6.1 Overview

The study identified two main drawbacks in the transition from an on-premise system to a cloud computing service: security and perceived loss of control. The first concerned the security of cloud computing services in general, and these concerns could later be categorized into either asset security or incident security. Asset security includes loss, distortion or destruction of data, intellectual property theft, unauthorized access or misuse of access, unauthorized secondary usage and incomplete removal of information. Incident security includes backup and recovery, isolation failures, Internet attacks or failures, dependence on external factors and perceived loss of control. The second identified main drawback was perceived loss of control, including the IT department not embracing cloud and trust issues for cloud computing.

The major drawbacks in the transition from an on-premise system to a cloud computing service will first be discussed in relation to the research questions formulated in Chapter 1, with the findings from the interviews and the reviewed literature as a foundation. This is followed by a discussion of the contexts of security and perceived loss of control, where the TOE framework is used to put the identified drawbacks into different contexts depending on the factors affecting cloud adoption. Lastly, the characteristics of cloud adoption are discussed in relation to cloud computing and its distribution, in order to fully understand and discuss the whole subject of transitioning from an on-premise system to a cloud computing service.

6.2 Security

The results of the study highlighted security as one of the drawbacks in the transition from an on-premise system to a cloud computing service. Security could mostly be described from a technological context, where the technologies could have an effect in terms of asset security and incident security. The characteristics of cloud computing and the availability it provides are positive factors and could be seen as a relative advantage of the business model in comparison to on-premise systems. However, there are concerns regarding the consequences if the technology is not managed properly, for instance in terms of availability. This relates to an economic barrier, where access to information is one of many critical characteristics. Furthermore, the drawback of security can also be seen as a structural barrier where infrastructure is the critical key factor. Cloud computing means moving away from the traditional IT infrastructure maintained in-house at organizations and a change from the existing setting. Even though security can be discussed to a larger extent in terms of a technological context, there are also parts of security that could be seen from an environmental perspective.


Compliance and governance are two critical factors in terms of cloud adoption. If an incident were to occur, the consequences in terms of compliance could be huge. However, it is important to remember that even though an organization has an in-house system satisfying all present requirements, it may not last forever. At some point, the system needs to be upgraded and will require larger inputs or actions. Thus, leaving the responsibilities to another provider could be one possible solution. Another possible solution is to convert to a hybrid cloud setup, where sensitive data remains in-house and non-critical data is relocated to cloud computing.

6.2.1 Asset Security

The results of the study identified security as the main drawback in the transition from on-premise systems to cloud computing and highlighted security related to organizational assets. The loss of ownership and control in the handling of critical organizational data was identified as a drawback, and being able to rely on a cloud service provider to manage organizational assets as carefully as when they are maintained in-house is critical. One of the aspects related to asset security was unauthorized access or misuse of access to the organizational data. This concern was also identified during the literature study, for instance in a study conducted by Fujitsu Research Institute (2010), where almost 9 out of 10 customers had concerns regarding who gets access rights to their data.

Organizations moving from an on-premise system to a cloud computing service need to conduct a proper asset assessment in order to classify which data and information are sensitive ahead of a potential migration to cloud. This was also acknowledged in the study conducted by Öberg (2016), where asset assessment was recognized as a crucial part of working with information security in a systematic manner. The results of the study highlighted that public sector organizations will most likely not make a complete transition to cloud, since the information is too sensitive. Furthermore, organizations need to be fully aware of their organizational assets in order to be able to put demands and requirements on the cloud service providers. This stresses the importance of establishing a proper service level agreement between the parties in order to ensure a shared level of handling of data and information. The service level agreement document covers what the organization can expect in terms of technical definitions of measurable aspects of the service and includes, for instance, availability, percentage of packet loss or percentage of transaction failures.
The established agreement defines the different attributes of the service and the minimum service levels, as well as the warranties and corresponding consequences in case of non-compliance. The information classification is a central support in terms of clarity and distribution of responsibilities between both parties. An understanding of an organization’s assets and which data is sensitive, in combination with a proper service level agreement, could in this case be beneficial in terms of increased observability. It will both make the advantages of cloud computing more visible and cover the concerns regarding how the organizational assets are managed by the cloud service provider.

Moreover, it might be appropriate for cloud service providers to consider different certifications, which could be beneficial in order to prove compliance and that the provider has established a management system to ensure its work with asset security. Different certifications and standards were discussed during the conducted interviews in order to demonstrate compliance with regulations or management of information security. One certification that was repeatedly discussed during the interviews is ISO/IEC 27001, which provides guidelines on how to establish an information security management system and is a globally recognized certification. A systematic approach to working with organizational information security is a necessity in order to manage a safe transition from on-premise systems to cloud computing. Most importantly, cloud service providers need to acknowledge the drawback of managing organizational assets and demonstrate how they plan to avoid or improve their services in terms of the identified concerns regarding loss, distortion or destruction of data, unauthorized access or misuse of access, unauthorized secondary usage and incomplete removal of information. This will also increase the level of observability of cloud computing, since the certifications demonstrate how the cloud service providers are in compliance with certain requirements, and will ease the concerns regarding asset security.

Even though the highlighted drawback of asset security can be positioned in the technological context of the TOE framework, the solution to the concerns might be found in the environmental context. Cloud service providers need not only to follow industry standards, laws and regulations; their work with certifications in general is just as important in order to develop a pro-active approach and meet these sorts of drawbacks and concerns. Therefore, the technological factors affecting the decision in the transition from an on-premise system to a cloud computing service might be reduced by a pro-active approach from the cloud service providers. However, working with different industry standards or certifications is very comprehensive and complex, since the certifications operate at a macro level.
Most often, the standards do not leverage information from auditing or monitoring activities performed by IT operations, so the low-level monitoring activities and high-level requirements are not always entirely bridged. The study conducted by Mikaela Öberg (2016) recognizes the difficulties of implementing a management system in order to fulfill a certain standard and suggests identifying best practices in the area of information security management systems.

The drawback of security regarding organizational assets can further be discussed in terms of the adoption factor trialability, and a possible solution would be to conduct an asset assessment and migrate step by step depending on the degree of sensitivity. It is possible that not all information or data is suitable for being handled in cloud environments, and it is therefore important for organizations to conduct asset assessments in order to identify sensitive data. In this case, organizations are also able to try cloud computing in terms of services where non-critical data is used. An example is to try different ERP software extensions gradually and decide whether cloud computing is suitable for their business. This has been recognized by larger organizations, where the on-premise systems are generally very extensive and complex, and which adopt cloud computing to a smaller extent in terms of applications, functions or market. These are normally only add-ons to the existing IT architecture and not a complete ERP system. Instead, solutions like ERP software extensions enable a higher degree of trialability and make it possible to try cloud step by step in different areas.


6.2.2 Incident Security

Another identified concern regarding security when transitioning from on-premise systems to cloud computing was incident security. Cloud computing opens up for new types of security incidents to manage and can be discussed in accordance with the technology context in the TOE framework. The technological aspect of handling new types of incidents, which might affect an organization’s business operations, was one of the critical factors in the discussion on moving from on-premise systems to cloud computing. The incident security events discussed in the results of the study include thoughts regarding the adoption characteristic of compatibility. The extent to which cloud computing is based on established norms, values and behaviors is critical when discussing incident security, since it highlights the importance of legal and regulatory compliance. Therefore, the drawback of incident security can also be categorized into the environmental context in the TOE framework, since it involves regulatory compliance and legal pressure on the industry or market. This was strengthened by several reports during the literature review, where legal and regulatory compliance was again a concern for switching to cloud (Borgman et al., 2013; KPMG International, 2013; Sahandi et al., 2013; Trigueros-Preciado et al., 2013).

In terms of cloud-based ERP systems, data availability is a critical factor and cloud computing raises concerns regarding new types of potential incidents. Internet failure or dependence on external factors could leave organizations unable to access information, which could be critical in terms of regulatory legislation. A concern in terms of transitioning from on-site to cloud is the element of leaving the control of incident management to another party or supplier.
ERP systems are generally very customized and specific to the organization’s business processes and operations in order to fully optimize business output and streamline processes between different business functions. An on-site ERP system often means that the organization has years of experience of managing the system as well as maintenance procedures and processes. All servers and applications are stored at a specific location, knowledge has been developed within the organization and employees have perhaps learnt from earlier mistakes. Discussing this situation from a technological context, a transition to a cloud-based ERP system would mean that the cloud service provider would be responsible for any incidents occurring. Organizations have developed deep knowledge of how their on-premise ERP systems work in detail and how to handle incidents if they occur, and there are concerns about whether the cloud service provider will manage the incidents. This in turn is directly connected to the technology aspects, since cloud computing opens up for new types of incidents.

The question raised is whether an on-premise system, with its types of incidents and maintenance by competence within the organization, is better than adopting a cloud computing service with maintenance by the cloud service provider, despite the new types of security incidents. This highlights a complex situation, which varies depending on the specific case. However, it also stresses the importance of cloud service providers proving their work with incident management. This could be done, for instance, through certifications and service level agreements between the two parties. Most importantly, cloud service providers need to acknowledge the concerns regarding incident security and manage incidents efficiently (Öberg, 2016).
Additionally, incident security is critical, and a potential stop or lockdown of an organization’s ERP system could lead to situations such as a stop in production or not being able to receive or deliver goods. In other words, the business operations and production could stop if the system is down, and organizations are very much dependent on the ERP systems in order to operate. As described earlier, there are extensions that are not as critical in terms of handling sensitive data and where potential incidents would not affect business or operations to a larger extent.

6.3 Perceived Loss of Control

The results of the study identified perceived loss of control as a drawback in the transition from on-premise systems to cloud computing. This drawback could be positioned in both an organizational and an environmental context, as well as be seen as an organizational and behavioral barrier. The drawback in terms of an organizational context is due to the opinions and feelings evoked, which can be directly connected to the employees of the organization. Perceived loss of control at an organization could depend on several factors, for instance management and support. The environmental context includes pressure from the industry, where technologies such as cloud computing enable flexibility and mobility, leading to new demands and behaviors from individuals. Further, these demands and behaviors result in new motivations and routines, which could be described as behavioral and organizational barriers in the transition from an on-premise system to a cloud computing service.

6.3.1 IT Department not embracing Cloud

Losing control was identified as one of the most important concerns when switching to cloud and has also been identified in previous studies as a barrier to migrating to cloud computing (Borgman et al., 2013; KPMG International, 2013; Srinivasan, 2014). The results from the study identified that a factor contributing to the drawback of perceived loss of control is that the IT departments of organizations are not embracing cloud. IT departments not embracing cloud is a combination of a behavioral and an organizational barrier. The IT department’s propensity for change is limited, due to rationality aspects of threatening traditional work where old competence is no longer needed, which evokes feelings among employees. Cloud computing implies a large change in old routines, power and influence at an organization. Therefore, the decision process of the transition from an on-premise system to a cloud computing service depends on the organizational context of the TOE framework.

The issue of IT departments not embracing cloud is influenced by several attributes, and one of the attributes is the linking structures between current operations and employees, where the traditional IT infrastructure is no longer needed in order to perform the operations. System administrators might feel demoted to users of the cloud system, since they do not own it at a physical level. Employees working in the same buildings as their servers will most likely feel that they do not control the system. One factor affecting the context is management support and employees with great influencing power in the organization. One of the interviewees commented that the CIOs were often the roadblock in the discussion of cloud computing, which correlates with the attributes of a behavioral and organizational barrier.
Furthermore, the IT department not embracing cloud also depends on the adoption characteristic of complexity, referring to the degree to which an innovation is difficult to understand. In terms of cloud computing, the complexity is most likely to increase in relation to the size of the organization. ERP systems are often referred to as the backbone of a business, integrating and automating all business operations, and as a result often become more complex as the number of business functions and operations increases. For example, if a multinational organization were to replace its on-premise systems with cloud computing, besides the scope of a large implementation project, one of the questions raised concerns the risk of handing over the maintenance to another provider. The organizations have a huge IT department with knowledge of how to maintain their customized ERP systems, and cloud computing intrudes on their territory since their current knowledge is no longer needed.

6.3.2 Trust Issues for Cloud Computing

The results from the study highlight the problem of organizations not meeting employees’ needs and bring the topic of shadow IT to the surface. This in turn leads to organizations struggling with asset security in other respects. The emergence of ICT has led to an increased demand for accessing data through different devices and from different locations. Furthermore, employees want to be able to share documents and conversations through channels other than the traditional IT tools provided by the organization. The behaviors on an organizational level are therefore very much influenced by environmental attributes. Attributes such as industry pressure from technologies enabling greater flexibility have led to changed employee behaviors, with employees setting up their own solutions, mostly cloud solutions, to their needs or problems in their work practices. Cloud computing in these types of solutions most often has a very low degree of complexity and a high degree of observability, trialability and compatibility. These solutions often serve one function or need, and the pay-as-you-go model of cloud computing enables easy trial of the service. One of the interviewees mentioned that it was easier to purchase a smaller type of cloud solution than to go through the organizational process of budgeting, ordering and waiting for delivery. Therefore, shadow IT has appeared as a result of environmental attributes within the organizations.

“Organizations not trusting cloud and the slow transition towards cloud have resulted in employees using their own cloud based services, since they want to access their data from different devices independently on physical location.” - Interview with a Chapter Lead, Cloud Service Provider

However, the results of the study highlight the problem of shadow IT, since it puts the organizational assets at security risk.
There are doubts regarding the transition from an on-premise system to a cloud computing service, where managers or IT departments are hesitant towards the new business model of cloud, which according to the findings of the study is very much due to security concerns and the problems with shadow IT. However, it is of great importance to highlight the fact that on-premise systems are not able to handle the demands of the organization and its employees, especially in terms of flexibility and mobility. The discussion of shadow IT is proof that there is a problem within organizations, which needs to be acknowledged. There is a need to investigate the option of transitioning from on-premise systems to cloud computing. Thus, the degree of observability is very high in this case, even though the complexity is relatively high and trialability relatively low regarding cloud computing for ERP systems.

Most importantly, there is a need to work with secure systems and tools. Therefore, it is also important to work with the organizational awareness of information security. Individual cloud computing solutions might form a risk for the organizational assets, which has resulted in cloud computing being associated with organizational risks. In order to ensure safe management of organizational assets, training and education to raise employees’ awareness of how to manage and handle organizational data is of great importance. This was also acknowledged in the study conducted by Öberg (2016), where it was found that security must permeate all levels of an organization in order to create awareness regarding organizational assets. One of the interviewees mentioned the importance of securing routines and controls. According to the interviewee, trusting employees is essential, but organizations should not underestimate the importance of establishing controls.

“Trust is good, control is better” - Interview with a Computer and Network Security Consultant

Creating awareness throughout the organization is fundamental, but it also needs to be backed up with routines and controls. This is beneficial both for organizations using cloud computing and for cloud service providers. Organizations should be able to document which systems and tools employees use, and create awareness regarding security in general throughout the organization. Cloud service providers, on the other hand, need to work with controls in order to demonstrate and prove compliance with standards and certifications.

Furthermore, the results regarding trust issues for cloud computing highlight a difference in the adoption distribution. There is a collision in terms of adoption between individuals and organizations, where the inertia of cloud computing adoption is obvious.
The fast-growing adoption of cloud solutions by individuals has led to employees utilizing cloud computing for daily work practices at the organizations.

6.4 The Contexts of Security and Perceived Loss of Control

The result of the study indicates that the inertia in transition to cloud computing is still low due to the main drawbacks of security risks and perceived loss of control. These drawbacks can be discussed in relation to the literature of the TOE Framework in order to gain understanding in the context of the identified drawbacks. Figure 7 illustrates the empirical findings described in the different contexts of technology, organization and environment.

The contexts of technology, organization and environment present constraints and opportunities for innovation adoption and will influence an organization’s decision for adoption or rejection. It is obvious from the results of the study that security was seen as a drawback and a major adoption constraint within the technological context for cloud computing. The organizational context refers to the resources of the organization, its knowledge and structure. An important result in the study referring to this context was the drawback of perceived loss of control when transitioning to cloud computing. Cloud computing does not require traditional IT work practices and leaves the system maintenance to the cloud service provider. The environmental context involves the external factors, such as industry characteristics and regulatory environment. The results of the study identified trust issues for cloud computing as a drawback, where the business model of cloud computing itself is part of an industry pressure. Thus, the interviews highlighted the phenomenon of shadow IT as a result of employees requiring possibilities in terms of efficiency, flexibility and mobility, where cloud computing is a solution to many of these problems. Furthermore, another result from the study was that it was difficult to assess whether a cloud service provider was in compliance with local laws, in particular relating to the handling of personal data.

FIGURE 7: The results from the study in relation to the TOE framework

6.5 Characteristics of Security and Perceived Loss of Control

The Diffusion of Innovations theory is useful in describing how and why an innovation will spread. According to Rogers (2003), the adoption characteristics can be discussed in terms of relative advantage, compatibility, complexity, trialability and observability. As mentioned in Chapter 3, an adoption characteristic can be discussed in terms of being a driver or a drawback, depending on its positive or negative response.

6.5.1 Relative Advantage

The relative advantage of cloud computing is easy to understand and obvious to most: organizations are able to cut system maintenance and instead focus on their core business, since the business model of cloud enables availability for everyone and from everywhere without initial organizational IT investments. However, there is still inertia in adopting cloud computing at organizations, and even though the degree of relative advantage is obvious, other factors of an innovation may still affect the adoption and be fundamental in the discussion of transitioning from an on-premise system to a cloud computing service.


6.5.2 Compatibility

Compatibility, in terms of the extent to which an innovation is based on established norms, values and behaviors, is critical in the discussion of cloud adoption. This characteristic can be discussed in terms of both an organizational and a technological context. The organizational context's characteristic could for instance be directly dependent on the individual’s experience and correlates to cognitive behavior and feelings. This study identified the perceived loss of control as one of the major drawbacks in the transition from an on-premise system to a cloud computing service, and the degree of compatibility is low, since cloud is a new business model requiring adoption of new norms and behaviors. This could be in terms of the in-house IT department no longer being responsible for the maintenance of the system and leaving the control to another provider. Furthermore, cloud computing has a low degree of compatibility from a technological context. The business model requires organizations to migrate their data from their current systems. Thereby, organizations’ current IT infrastructure will not be relevant or maintained in-house. Furthermore, a common discussion regarding cloud adoption is vendor lock-in, which is often a result of proprietary cloud technologies being incompatible. Lastly, the degree of compatibility depends on the nature of the cloud-based service. In terms of an ERP software extension, the level of compatibility is directly dependent on the current ERP system of the organization and vice versa.

6.5.3 Complexity

The complexity of cloud computing is also significant, since the underlying technical configuration for a cloud can be difficult to fully understand and thereby cause a constraint. This is particularly evident when changing from an existing on-site ERP system to cloud computing. A result from the study was that many interviewees perceived that organizations were not fully aware of the implications of changing to cloud computing compared to an existing on-premise system, nor did they fully understand the issues with cloud security and integration with existing infrastructure. The complexity of understanding all details of cloud computing will be a constraint for the cloud business model. Whereas functions such as email, sales and marketing tools may be easy to understand, a more comprehensive outsourcing of an IT function will be of a more complex nature. Furthermore, the degree of complexity is more favorable for cloud based ERP software extensions, since they only require a relatively easy integration with the existing ERP system, with a lower degree of complexity than an implementation project of a cloud based ERP system. Furthermore, in terms of cloud and its degree of complexity, smaller organizations may find it easier to embrace cloud computing than larger organizations. ERP systems in large global organizations with complex operational structures are generally very complex, since they involve an extraordinarily wide scope with large-scale extensions of upgrades and specially adapted solutions for the organization’s operations and functions. The maintenance of these systems never ends, especially in larger organizations, which often have a dedicated IT department maintaining the systems. To replace such a complex system with cloud computing is an extensive large-scale project, where the degree of complexity is significantly higher than in a transition from an on-premise ERP system to cloud computing in an organization of smaller size or with less complex business operations.


6.5.4 Trialability

The situation described above is also applicable to the degree of trialability. Trialability, in terms of the extent to which an innovation can be tested before a decision, is also a factor causing adoption constraints. The business model of cloud computing differs a lot depending on the context. Shadow IT was identified as a result of demands and behaviors from the organization’s employees, where the standard sanctioned IT solutions were not sufficient. The degree of trialability is very high in this case, since cloud computing is very easily accessible through the internet and by a quick and easy purchase. However, cloud computing may also hold a lower degree of trialability, especially in terms of more complex cloud solutions. The large complexity for larger organizations with their extensive and often customized ERP systems also means fewer possibilities of trying the systems beforehand. Simple standardized software solutions for smaller organizations can be tried before a decision, but as the level of complexity increases, the level of trialability decreases.

6.5.5 Observability

As for observability, it may seem easy to accept the advantages of a cloud solution, but since it is less transparent than an on-site solution, some advantages may be less obvious and therefore create a constraint rather than an advantage. Here too, findings from the interviews were that many are not aware of the actual benefits of a cloud solution. Since the advantages do not seem to be obvious, this will affect the adoption rate.

6.6 Adoption Distribution of Cloud Computing

The study identified the problem of shadow IT as a source of the trust issues for cloud computing. The adoption curve of cloud computing solutions among organizations’ employees was not in line with the organizations’ adoption of cloud computing. In this context, Moore’s theory of the chasm is relevant for illustrating the gap between where organizations and individual persons are located on the adoption curve, see Figure 8. Additionally, Moore’s theory of the chasm is applicable since the curve with its chasm can be used to describe the high risk of cloud adoption, affecting a potential transition from an on-premise system to a cloud computing service.

FIGURE 8: Distribution of organizations and individuals in the adoption curve (labels in the figure: Individuals, Organizations)

Furthermore, depending on the business strategy, different organizations are more likely to adopt cloud computing. Organizations able to acquire and integrate new operations easily and quickly are more likely to belong to the group of early adopters. However, for many organizations, the speed of cloud adoption is slower due to the need to gain a full understanding of the advantages and risks associated with cloud computing. Furthermore, the speed of adoption is also influenced by circumstances and environmental factors such as legislation and regulations.

6.7 Research Methodology

The purpose of the study was to find drawbacks in the transition from an on-premise system to a cloud computing service and its implications for the nature of cloud services. Furthermore, the study investigated how these drawbacks related to the different limiting factors in order to give recommendations for cloud service providers on how to reduce these drawbacks of cloud adoption. The models and frameworks applied in the study, both the TOE framework and the theory of Diffusion of Innovations, are well known and acknowledged methods to study innovations. Therefore, the methods ensure a level of validity for the study. In terms of the choice of interview participants, one might argue that a larger extent and scope of study, for instance in terms of interview participants, could increase the validity of the study. However, in order to make sure that the study corresponds to a certain level of validity, the conducted interviews included suppliers, users, expert consultants and legislators in order to ensure a wide scope for the interview material. Furthermore, a questionnaire was created during the study, but this method of data gathering was later discontinued, since the response rate of the sent questionnaires was very low. The questionnaire was sent to 100 persons but only two persons participated. This may have been because the persons to whom the questionnaire was sent held positions with presumably very busy work schedules. One possible thought is that e-mails received which are not associated with or related to their work are deleted by spam filters.
Further, since the study identified that there is a lack of knowledge at organizations regarding cloud computing, another possible reason for the low response rate could have been that the knowledge regarding cloud computing was relatively low and therefore the persons who received the questionnaire felt that it was not within their area of expertise or thought that the questions were not directed to them. This is in comparison to the e-mails sent to the interview participants, where the persons were more interested in the subject and the purpose of conducting interviews was more beneficial for the participants, since it is a dialogue between the interviewee and the persons holding the interview. There is a possibility that the response rate could have been higher if the questionnaire candidates had been approached through another medium than e-mail, or if they had first been asked whether there was an interest in participating in a study by filling out a questionnaire, and only thereafter been sent the questionnaire. The absence of the questionnaire as a methodology of the study indicates that there is a gap in confirming the results from the qualitative data gathered from the interviews. However, in order to make sure that the gathered data from the interviews ensure a high degree of validity for the study, each interview session was over an hour long and the interview questions were adjusted for the next interview in order to ensure that there were no gaps in the study.


7 CONCLUSIONS AND FUTURE RESEARCH

This chapter presents conclusions regarding research questions, implications for industry and literature as well as recommendations for future research.

7.1 Main Findings

The purpose of the study was to investigate the main drawbacks affecting transition from an on-premise system to a cloud computing service and how cloud service providers should address concerns raised by the new technology. The main research question was formulated as,

● How can drawbacks, which affect the transition from an on-premise system to a cloud computing service, be addressed by cloud service providers?

In order to answer the main research question, the following sub questions were analyzed,

• RQ1: “Which are the main drawbacks that affect the transition from an on-premise system to a cloud computing service?”

The two main drawbacks identified in the study as limiting factors in a transition from on-premise systems to cloud computing were security and perceived loss of control. The security aspect concerned issues related to asset security and incident security, which relates to a more technological matter, whereas perceived loss of control was mainly an issue of organizational matters and could be described as attitudinal. The results of the study have identified several types of barriers in terms of cloud adoption. In terms of economic barriers, the access to information has been highlighted as a critical factor affecting the drawback in the transition from on-premise systems to cloud computing. Behavioral barriers have also been found regarding rationality and the propensity for change or risk. Further, barriers of organizational characteristics have been identified in terms of organizations’ routines, power and influence.

• RQ2: “How does the type of the cloud-based software affect the main drawbacks?”

The empirical findings of the study were that all drawbacks identified were particularly stressed in terms of ERP software, with many concerns raised. Fewer problems were encountered with add-ons like software extensions and collaboration software. The reason for this was their lower degree of complexity and critical investments. Further, the results of the study indicated that the importance lay in the organizational data managed in the cloud based service, and therefore the degree of drawbacks affecting the type of cloud based software was dependent on that.


• RQ3: “How can cloud service providers develop a pro-active approach to manage the main drawbacks?”

The study discussed the identified drawbacks in relation to different contexts and attributes, which in turn meant that drawbacks in the transition from on-premise systems to cloud computing could be described as both attitudinal and technological. Therefore, the study found that service level agreements, adherence to industry standards and certifications are important factors for providers to address in terms of technological drawbacks. Further, open communication and education of customers could be the preferred approach in order to address the drawbacks of attitudinal characteristics.

7.2 Implications

The results of the study have contributed to knowledge and implications in terms of industrial, research and sustainability perspectives. Thus, these implications have formed the foundation for the recommendations of future research.

7.2.1 Industrial Implications

The results from the study identified two major drawbacks in the transition from on-premise systems to cloud computing: security and perceived loss of control. The latter drawback highlights a need for cloud service providers to actively keep an open dialogue with organizations regarding their concerns. There is a knowledge gap, and cloud service providers need to be better at explaining their business models and helping their customers to understand the implications of cloud computing. Thus, cloud service providers need to reassure users of cloud computing that they are in compliance with regulations by gaining appropriate certifications. Additionally, organizations need to consider and have a proper discussion regarding cloud computing, since the private initiatives of shadow IT throughout organizations have appeared as a result of demands and needs which are not being met by current organizational systems. There is a need to conduct work practices in an efficient and secure manner, which cloud computing enables. Furthermore, a recommendation for organizations considering cloud computing is to conduct a proper asset assessment throughout the organization to classify assets. Asset assessment will help organizations to survey and review their assets, and thereby evaluate which data would be appropriate for cloud computing. Further, to ensure a safe transition from an on-premise system to a cloud computing service, a recommendation is to take external help to simulate a cloud environment and test the transition beforehand. This would safeguard the organization’s assets, since it will uncover critical aspects of a migration and consequently reduce the risk of the transition. Thus, the process of asset assessment will further guide and help organizations to establish service level agreements, which will deal with their concerns regarding security. The agreements will serve as a central support in terms of clarity and distribution of responsibilities between both parties.


7.2.2 Case Company Implications

The case company has already started its journey in offering both an on-premise product and a cloud based service, where the cloud computing service has succeeded very well on the market and is continuing to grow. In order to ensure that existing customers with an on-premise solution will continue with the case company as a supplier, there is a need to be aware of the identified drawbacks regarding the transition from an on-premise system to a cloud computing service. Therefore, the recommendation to the case company is to actively educate its existing customers with on-premise installations in order to retain them as customers in the future. Further, the educational part also covers its work on closing new sales deals with potential new customers. Additionally, it is of great importance for a company that provides a cloud computing service to develop a pro-active approach to meet drawbacks of cloud adoption, and one potential way is to take a further look into different industry standards. One standard that was recurrent during interviews was the ISO 27000 series, more specifically the ISO/IEC 27001 standard. The recommendation is to work according to the standard, so that as soon as specific customers start to require this standard, a revision could be done without risking time lags. Finally, another recommendation for the case company is to work with information security management of its services, since the study identified asset security as one of the major drawbacks in the transition from an on-premise system to a cloud computing service. The different security issues concerned the organizational assets, and ensuring that its services and systems handle and manage information security properly could be a systematic approach to safeguarding its current customers.

7.2.3 Research Implications

The implications from a research perspective were that the study identified a knowledge gap between organizations and cloud service providers, where the lack of understanding of cloud computing results in concerns arising from poor communication and information. These findings relate to an organizational and environmental context, which creates a basis for further research from this perspective. Lastly, the study confirmed previous research regarding concerns of security being a drawback or negative adoption factor in the transition from an on-premise system to a cloud computing service. Through this study, cloud adoption is further researched, bringing an updated result with particular geographical distinctions.

7.2.4 Sustainability Implications

The transition from on-premise systems to cloud computing plays a critical role in terms of utilizing resources in an environmentally sustainable manner. Cloud computing enables reduction of carbon footprint from several perspectives and has potential to contribute to a sustainable development in organizations’ infrastructures. The total reduction of infrastructure allocation is one example of environmental benefits, where cloud computing reduces wasted computing resources due to dynamic provisioning, matching the server capacities with actual usage, in comparison to on-premise systems where the provisioning is static. Further, cloud service providers usually serve a large number of organizations on shared infrastructure and thereby compress the peak loads. Further, by serving many organizations, cloud computing enables higher utilization rates and the possibility of reducing waste in the form of, for instance, power loss. Cloud service providers are more likely to have a pro-active approach than organizational IT departments, since the benefits might be more obvious due to data center facilities and maintenance being their core business. Therefore, the sustainability aspect will be more relevant to address for cloud service providers, both in terms of tailoring and designing components and in terms of collaborating with suppliers, which will make their business operate at maximum efficiency. Furthermore, the results of the study highlighted the demands of performing work activities more efficiently, resulting in the appearance of shadow IT. Thus, a transition from on-premise systems to cloud computing could in some cases indicate improved work opportunities for employees at organizations and would therefore imply effects on social and economic sustainability as well.

7.3 Future Research

This study was conducted as a case study at one particular cloud service provider with stakeholders basically in a concentrated geographical field. In order to increase generalizability, a similar study could be performed from a localization perspective. Also, a case study at another provider would be of interest to see if findings can be extended to the industrial level. The results indicated an information gap between cloud computing providers and organizations. Future research could provide more information as to how providers should overcome this information gap at a functional level. Thus, recommendations for future research would be to focus on communication processes in adoption of cloud computing. Another result was the perceived loss of control using cloud computing. Similarly, more studies might be performed on how service providers should address concerns to overcome the loss of control drawback. The recommendations for these studies would be to investigate cloud adoption from an attitudinal perspective and from an organizational or individual level. Thus, it would be of interest to conduct studies regarding cloud adoption and how the levels of organizations’ hierarchy influence the decisions of transitioning from an on-premise system to a cloud computing service.


8 REFERENCES

Accenture. 2012. ‘Key Questions every IT and business executive should ask about cloud computing and ERP’. [WWW] Available at: https://www.accenture.com/t20151009T133552__w__/us-en/_acnmedia/Accenture/Conversion-Assets/DotCom/Documents/Global/PDF/Industries_5/Accenture-Key-Questions-About-Cloud-Computing-ERP.pdf [Accessed May 16 2016]

Adam, R., Kotze, P., van der Merwe, A. 2011. ‘Acceptance of enterprise resource planning systems by small manufacturing Enterprises’. Proceedings of the 13th International Conference on Enterprise Information Systems, pp. 229–238.

Avram, M. 2014. ‘Advantages and of Adopting Cloud Computing from an enterprise Perspective’. Procedia technology, vol. 12, pp. 529–534.

Blomkvist, P., Hallin, A. 2015. ‘Method for engineering students’. Lund: Studentlitteratur.

Borgman, H.P., Bahli, B., Heier, H. and Schewski, F. 2013. ‘Cloudrise: Exploring Cloud Computing Adoption and Governance with the TOE Framework’. System Sciences (HICSS), 2013 46th Hawaii International Conference on, pp. 4425–4435.

Bradford, M. 2010. ‘Modern ERP - Select, Implement and Use Today’. Advanced Business Systems, 2nd Ed.

Brehm, L., Heinzl, A., Markus, M. L. 2001. ‘Tailoring ERP Systems: A Spectrum of Choices and their Implications’. Proceedings of HICSS-34. Los Alamitos CA, IEEE.

Bryman, A. and Bell, E. 2011. ‘Business research methods’. Oxford University Press, Oxford, 3rd Edition.

Buyya, R., Broberg, J., Goscinski, A. 2011. ‘Migrating into a Cloud’. Cloud computing: principles and paradigms. Hoboken: John Wiley & Sons.

Carroll, M., van der Merwe, A., Kotze, P. 2011. ‘Secure cloud computing: Benefits, risks and controls’. Information Security South Africa, ISSA.

Chatterjee, R. 2014. ‘Breaking the Mold: An Educational Perspective on Diffusion of Innovation/Rogers’ Diffusion of Innovations’. [WWW] Available at: https://en.wikibooks.org/wiki/Breaking_the_Mold:_An_Educational_Perspective_on_Diffusion_of_Innovation/Rogers%E2%80%99_Diffusion_of_Innovations [Accessed March 28 2016]

Chen, C. C., Law, C. C. H., Yang, S. C. 2009. ‘Managing ERP implementation failure: A project management perspective’. IEEE Trans. Eng. Manage., vol. 56, no. 1, pp. 157–170, Feb.

Collis, J. and Hussey, R. 2014. ‘Business research – a practical guide for undergraduate and postgraduate students’. 4th ed. Hampshire: Palgrave Macmillan.

Deloitte. 2009. ‘Cloud Computing – Market Overview and Perspective’. Deloitte October 2009.

Fujitsu Research Institute. 2010. Personal data in the cloud: A global survey of consumer attitudes. [WWW] Available at: http://www.fujitsu.com/downloads/SOL/fai/reports/fujitsu_personaldata-in-the-cloud.pdf [Accessed May 3 2016]

Gartner Inc. 2015. Forecast: Public Cloud Services, Worldwide, 2013-2019, 4Q15 Update. USA.

Gartner Inc. 2016. Public Cloud Computing. Gartner IT Glossary. [WWW] Available at: http://www.gartner.com/it-glossary/public-cloud-computing/ [Accessed May 27 2016]

Ghaffari K., Delgosha, M. S. & Abdolvand, N. 2014. ‘Towards Cloud Computing: A SWOT Analysis on its Adoption in SMEs’. International Journal of Electrical Power and Energy Systems, 58, 300-306.

KPMG International. 2013. ‘Breaking through the cloud adoption barriers’. [WWW] Available at: https://www.kpmg.com/SG/en/IssuesAndInsights/ArticlesPublications/Documents/Advisory-ICE-Breaking-through-the-Cloud-Adoption-Barriers-Glob.pdf [Accessed March 27 2016]

Lam, R. 2011. ‘Organizational Readiness and Change Management in the Cloud Age’, Cloud Computing, John Wiley & Sons, Inc., pp. 549–572.

Lechesa, M., Seymour, L., Schuler, J. 2012. ERP Software as Service (SaaS): Factors Affecting Adoption in South Africa. Re-conceptualizing Enterprise Information Systems. pp. 152-167. Springer Berlin Heidelberg.

Lenart, A. 2010. ‘ERP Systems. In: Wrycza’, S. (ed.) Business Informatics. PWE, Warszawa.

Lenart, A. 2011. ‘ERP in the cloud: benefits and challenges’. Research in systems analysis and design: models and methods: 4th SIGSAND/PLAIS EuroSymposium 2011, Gdansk, Poland, September 29, 2011; revised selected papers. Berlin [u.a.]: Springer, ISBN 978-3-642-25675-2, 2011, pp. 39-50.

Lu, C., Hsieh, C., Change, C., Yang, C. 2013. ‘An Improvement to Data Service in Cloud Computing with Content Sensitive Transaction Analysis and Adaptation’, Computer Software and Applications Conference Workshops (COMPSACW), 2013 IEEE 37th Annual, pp. 463–468.

Lyytinen, K. & Damsgaard, J. 2001. ‘What's Wrong with the Diffusion of Innovation Theory: The Case of a Complex and Networked Technology’. In Proceedings of the IFIP Working Group 8.6 Conference, Banff, Canada.

Marston, S., Li, Z., Bandyopadhyay, S., Zhang, J. and Ghalsasi, A. 2011. ‘Cloud computing - The business perspective’. Decision Support Systems, Vol. 51, pp. 176–189.

Mather, T., Kumaraswamy, S., Latif, S. 2009. ‘Cloud Security and Privacy: An Enterprise Perspective on Risks and Compliance’. O'Reilly Media, Inc.

Mell, P., Grance, T. 2011. ‘The NIST definition of Cloud Computing’ [WWW] NIST. Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf [Accessed January 31 2016].

Mohr, J.J., Sengupta, S. and Slater, S.F. 2014. ‘Marketing of high-technology products and innovations’. 3rd Edition.


Morgan, L., Conboy, K., 2013. ‘Key Factors Impacting Cloud Computing Adoption’. [WWW] IEEE Computer Society. Available at: http://ieeexplore.ieee.org.focus.lib.kth.se/stamp/stamp.jsp?tp=&arnumber=6649944&tag=1 [Accessed 18 May 2016].

Moore, G.A. 2014. ‘Crossing the chasm: marketing and selling disruptive products to mainstream customers’. 3rd Edition.

Møller, C. 2005. ‘ERP II: a conceptual framework for next-generation enterprise systems?’. Journal of Enterprise Information Management, 18(4), 483-497.

Oliveira, T. and Martins, M. F. 2011. Literature Review of Information Technology Adoption Models at Firm Level. Electronic Journal Information Systems Evaluation, 14 (1), 110-121.

Panorama Consulting. 2015. ‘2015 ERP Report’. [WWW] Available at: http://go.panorama-consulting.com/rs/panoramaconsulting/images/2015%20ERP%20Report.pdf [Accessed May 16 2016]

Polkinghorne, D. 1983. ‘Methodology for the human sciences’. Albany, NY: Human Sciences Press.

Power, D. 2015. What is the technology adoption curve? Is it relevant to DSS? DSS News, Vol. 2, No. 13, June 17, 2001, updated February 8, 2015.

Ramgovind, S., Eloff, M., Smith, E. 2010. ‘The Management of Security in Cloud Computing’. In Proc. 2010 IEEE International Conference on Cloud Computing.

Robinson, L. 2009. ‘A Summary of Diffusion of Innovations’. Changeology, the book. [WWW] Available at: http://www.enablingchange.com.au/Summary_Diffusion_Theory.pdf [Accessed March 28 2016]

Ross, P.K. & Blumenstein, M. 2015. ‘Cloud computing as a facilitator of SME entrepreneurship’. Technology Analysis & Strategic Management, 27(1), 87-10.

Rockström, J. 2013. Omställning till en hållbar utveckling. Sverige: Volante.

Rogers, E. 1976. ‘New Product Adoption and Diffusion’. Journal of Consumer Research, vol. 2, no. 4, pp. 290-301.

Rogers, E.M. 2003. ‘Diffusion of Innovations’. Free Press, New York.

Rubin, J. 2008. ‘Handbook of Usability Testing: How to Plan, Design, and Conduct Effective Tests’. Theresa Hudson (Ed.). John Wiley & Sons, Inc., New York, NY, USA.

Sahandi R., Alkhalil A., Opara-Martins J, R. 2013. ‘Cloud computing from SMEs perspective: A survey based investigation’. Journal of Information Technology Management, 24(1), 43-49.

Saini, S. L., Saini, D. K., Yousif, J.H., Khandage, S. V. 2011. ‘Cloud Computing and Enterprise Resource Planning Systems’. Proceedings of the World Congress on Engineering 2011 Vol I WCE 2011, July 6 - 8, 2011, London, U.K.


Seethamraju, R. 2015. ‘Adoption of software as a service (saas) enterprise resource planning (ERP) systems in small and medium sized enterprises’. Information Systems Frontiers, 17(3). doi: 10.1007/s10796-014-9506-5.

Subashini, S., Kavitha, V. 2011. ‘A survey on security issues in service delivery models of cloud computing’, Journal of Network and Computer Applications, Vol. 34(1), pp. 1–11, Academic Press Ltd., UK, ISSN: 1084-8045.

Tata Consultancy Services. 2012. ‘The state of cloud application adoption in large enterprises: a TCS global trend study’. Bombay.

Tidd J., Bessant, J. 2013. Managing Innovation: Integrating Technological, Market and Organizational Change, 5th Edition.

Tornatzky, L. and Fleischer, M. 1990. The process of technology innovation. Lexington, Lexington Books.

Trigueros-Preciado, S., Pérez-González, D. & Solana-González, P. 2013. ‘Cloud computing in industrial SMEs: Identification of the barriers to its adoption and effects of its application’. Electronic Markets, 23(2), 105-114.

Voss, C., Tsikriktsis, N., Frohlich, M. 2002. ‘Case research in operations management’. International Journal of Operations & Production Management, 22(2), pp. 195-219.

Yeoh, W. & Koronios, A. 2010. ‘Critical success factors for Business Intelligence systems’. Journal of Computer Information Systems, 50(3), 23-32.

Yin, Robert K. 2009. ‘Case Study Research’. Design and Methods Sage Publications, Thousand Oaks, 4th ed., pp. 240


APPENDIX A

Introduction

• Please tell me about your role at the company.

The cloud computing market

• How extensive is the acceptance and the migration of services to cloud computing environments?

• Is there a balance between supply and demand on the Swedish cloud computing market?

• Are there any specific industries that are more willing to adopt cloud computing? Why?

Adoption of cloud computing

• What are the organizational changes resulting from an on-premise system to cloud computing service?

• What is important for a smooth transition from on-premise systems to cloud?

• Who is most resistant to the transition to cloud computing at an organization?

• Why are organizations reluctant to transition to cloud computing?

• What are the general irrational and rational concerns among organizations?

• How do you work to mitigate these concerns?

• Is there any difference in the resistance depending on the type of cloud computing service? Why or why not?

Cloud based services

• What is the difference in managing an on-premise system and a cloud computing service?

• Are there any cloud based services which organizations are more hesitant to adopt? Why or why not?

• Why do you think that cloud based ERP systems are more popular among smaller organizations?

• Do you think that medium-sized or larger organizations will embrace cloud based ERP systems in the near future? Why or why not?

• What are your predictions of cloud computing at organizations?

Plan

• Can you describe the main steps when implementing, maintaining and improving the information security management system at your company?

• How do you work proactive in order to comply with new requirements and laws concerning information security management?

• How do you perform an assessment regarding assets, threats etc? • Does every department at your company perform their own assessments or is it

conducted by a decentralized unit? Is the approach sufficient? • As security is not an add-on feature, security architecture and a security culture needs to

be established, how do you work with this at your company?

• Does your approach to implementing, maintaining and improving the information security management system differ depending on which country your clients are from? How does it differ?
• Does your information security management system have a strategic or operative approach?
• How do you decide which data to migrate to cloud providers?

Do

• How do you classify assets, threats and incidents of the company?
• What indicators are taken into consideration?
• Depending on the indicators that need to be taken into consideration during the classification, are you able to quantify the classification of assets, threats and incidents?
• How do you handle incidents? What kind of processes, tools or frameworks are used to manage incidents?
• How do you manage responsibilities to act once an incident occurs?
• How do you manage responsibilities to diminish the likelihood or impact of an identified risk?
• How do you organize the incident management within the organization? For instance, the number and access rights of the persons or units involved.
• How do you handle the decision management in relation to handling incidents fast?

Check

• Do you conduct a benchmark to investigate other firms' information security management systems?
• How do you measure whether you have a satisfying process for handling risks and incidents?
• Which attributes do you consider in order to prove the Return On Security Investment?
• How can you argue for improved resources for security when e.g. purchasing a new system, if the first option is a cheap system with insufficient security and the second option is expensive but very secure?

Act

• Does security permeate your organization or is it seen as an add-on feature? How would you describe the awareness of information security?
• How is the knowledge regarding how information should be handled, stored and maintained communicated throughout the organization?
• How can you measure the company’s knowledge of information security?
• How do you work in order to continuously improve and develop processes and a culture that hamper attempted attacks and potential threats?